template module thinks validation succeeded when it should have failed.

73 views
Skip to first unread message

David Reagan

unread,
Aug 20, 2018, 6:35:21 PM8/20/18
to Ansible Project
Can anyone clarify how the validate option of the template module works? I have deliberately configured apache with invalid configuration. On the command line `apache2 -t -f /etc/apache2/apache2.conf` fails with a syntax error. But the template module, configured with `validate: 'apache2 -t -f %s'` thinks it's just fine.

Also, what kind of results should be registered in a register variable for a failed validation?

I'm using ansible 2.4.4.0 on Ubuntu 18.04.

My task:

- name: "TestingConfig - Debian Family - Template main apache configuration file."
  when: ansible_os_family == 'Debian'
  template:
    dest: "{{ aspects_apache24_test_configuration_root }}/apache2.conf"
    src: "main.conf.j2"
    owner: "root"
    group: "root"
    mode: "0640"
    validate: 'apache2 -t -f %s'
  register: inprocess_validation_result
  tags:
    - aspects_apache24
    - aspects_apache24_configuration
    - aspects_apache24_config

Dick Visser

unread,
Aug 21, 2018, 12:01:41 AM8/21/18
to ansible...@googlegroups.com
The template module does the validation using the *new* configuration file.
This takes places *before* the file is put into its final place, so it’s specifically *not* /etc/apache2/apache2.conf, but rather a temporary file.
The location of this tempfile is part of the registered results:

TASK [Gathering Facts] ****************************************************************************************************************************************
ok: [bionic]

TASK [test template module] ***********************************************************************************************************************************
changed: [bionic]

TASK [debug] **************************************************************************************************************************************************
ok: [bionic] => {
    "results": {
        "changed": true, 
        "checksum": "9ef49cb61d96783deb22dd7ba23f42d48303a840", 
        "dest": "/etc/apache2/apache2.conf", 
        "diff": [], 
        "failed": false, 
        "gid": 0, 
        "group": "root", 
        "md5sum": "04f23d5d3f10c6f65eb3ec754d4ce73c", 
        "mode": "0644", 
        "owner": "root", 
        "size": 7250, 
        "src": "/home/vagrant/.ansible/tmp/ansible-tmp-1534823379.24-1117512573422/source", 
        "state": "file", 
        "uid": 0
    }
}

PLAY RECAP ****************************************************************************************************************************************************
bionic                     : ok=3    changed=1    unreachable=0    failed=0   



From you question it's not clear whether you manually ran 'apache2 -t -f /etc/apache2/apache2.conf' on the target host *after* the template module has run, or before that?
And it's also not clear if the template module changed something when "thinks it's just fine".

Either way, debugging output (-v) should reveal more.


Dick


--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscribe@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/e47d44ef-32ec-49fd-9648-936ffb0328da%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

David Reagan

unread,
Aug 21, 2018, 3:52:54 PM8/21/18
to Ansible Project
Well, I think there were quite a few issues in my role that manifested in the template validation not working correctly. With fresh eyes, and inspired to think things through better, I was able to get it fixed. I hope.

So, thanks!

To anyone experiencing something similar, double check your conditionals. If you have a main conf file that includes other templated conf files from elsewhere on the system, make sure your main file is really pulling in those files, and that the main file gets changed so that the validation command is triggered.


- David
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages