replace module works different in version 2.1.2?
56 views
Skip to first unread message
mto...@go2uti.com
Nov 14, 2016, 5:07:05 PM11/14/16
to Ansible Project
I wrote the below to ensure certain options are set in a server's /etc/fstab file for CIS compliance:
- name: Describe file system options
set_fact:
filesystems:
- fs: /tmp
options:
- nodev
- nosuid
- fs: /home
options:
- nodev
- fs: /dev/shm
options:
- nodev
- nosuid
- noexec
- name: CIS - Set options for file systems
replace: dest=/etc/fstab
regexp='(^[/\-\w]*\s+{{item.0.fs}}\s+\w+\s+(?!.*\b{{item.1}}\b))([\w,]+)(\s+[0-9]\s+[0-9])$'
replace='\1\2,{{item.1}}\3'
with_subelements:
- "{{filesystems}}"
- options
set_fact:
filesystems:
- fs: /tmp
options:
- nodev
- nosuid
- fs: /home
options:
- nodev
- fs: /dev/shm
options:
- nodev
- nosuid
- noexec
- name: CIS - Set options for file systems
replace: dest=/etc/fstab
regexp='(^[/\-\w]*\s+{{item.0.fs}}\s+\w+\s+(?!.*\b{{item.1}}\b))([\w,]+)(\s+[0-9]\s+[0-9])$'
replace='\1\2,{{item.1}}\3'
with_subelements:
- "{{filesystems}}"
- options
My fstab file starts out like this:
/dev/mapper/VolGroup00-root / xfs defaults 1 1
UUID=55b51f79-af10-4590-88df-8aefeeedb3fc /boot xfs defaults 0 0
/dev/mapper/VolGroup00-home /home xfs defaults 0 0
/dev/mapper/VolGroup00-tmp /tmp xfs defaults 0 0
/dev/mapper/VolGroup00-var /var xfs defaults 0 0
UUID=c56d0641-b1ef-4ef5-ba3c-1dfb983e28ce swap swap defaults 0 0
UUID=55b51f79-af10-4590-88df-8aefeeedb3fc /boot xfs defaults 0 0
/dev/mapper/VolGroup00-home /home xfs defaults 0 0
/dev/mapper/VolGroup00-tmp /tmp xfs defaults 0 0
/dev/mapper/VolGroup00-var /var xfs defaults 0 0
UUID=c56d0641-b1ef-4ef5-ba3c-1dfb983e28ce swap swap defaults 0 0
The expectation is that options listed under a given file system name will be added to the options for that file system. For example:
/dev/mapper/VolGroup00-home /home xfs defaults,nodev 0 0
/dev/mapper/VolGroup00-tmp /tmp xfs defaults,nodev,nosuid 0 0
/dev/mapper/VolGroup00-tmp /tmp xfs defaults,nodev,nosuid 0 0
This worked perfectly on Ansible version 1.9.4, but when I ported it to Ansible 2.1.2, it broke. When I run it on 2.1.2, Ansible no longer detects that the options have already been applied and applies them again. Each time the playbook is run against the servers, another set of options is added to the already existing set:
/dev/mapper/VolGroup00-home /home xfs defaults,nodev,nodev 0 0
/dev/mapper/VolGroup00-tmp /tmp xfs defaults,nodev,nosuid,nodev,nosuid 0 0
/dev/mapper/VolGroup00-tmp /tmp xfs defaults,nodev,nosuid,nodev,nosuid 0 0
What changed between Ansible versions 2.1.2 and 1.9.4?
The clients are a mix of OEL and RHEL versions 6 and 7. I get the same results regardless of the OS releases and versions.
-Mark
mto...@go2uti.com
Nov 14, 2016, 5:38:59 PM11/14/16
to Ansible Project
It is very definitely related to version 2 of Ansible. I downgraded the version of Ansible on my server to 1.9.4 and ran the playbook again. It ran perfectly and no changes were made to the target system. I upgraded to version 2.2.0 and tested again, and it added another set of options to the fstab file even though the options were already present. So something changed between Ansible versions 1.9 and 2.
-Mark
mark....@dsv.com
Nov 15, 2016, 6:48:49 PM11/15/16
to Ansible Project
It appears to be the negative lookahead assertion in the regular expression: "(?!.*\b{{item.1}}\b)". This is the part that looks to see if the string stored in {{item.1}} is present in the line being examined. If the string is present, the line should be declared a no-match and the line is skipped. If the string is not present, the line is a match and the replace should be execute. For some reason this appears to be broken in Ansible version 2.
-Mark
Reply all
Reply to author
Forward
0 new messages