Ansible "file" module and attributes in 2.3.1.0


Dan Linder

Jul 21, 2017, 11:34:44 AM
to Ansible Project
I've got a set of systems that have a configuration file with the "immutable" flag set on them by a previous setup process.  The "lsattr /etc/security/access.conf" on a RHEL 6 system shows the "i" flag set.  Manually doing a "chattr -i /etc/security/access.conf" removes the flag, but I'd like to have Ansible remove this flag if found on a few of these files.

I set up a playbook with this play:
- name: "Remove immutable flag"
  file:
    path: /etc/security/access.conf
    attributes: "-i"

The documentation isn't clear on what "attributes" can be but the file module calls chattr with the "=" precursor before the attributes.  For my case, I can just send "e" as the attribute (which effectively removes "i", the only attribute on this file usually), but it doesn't make it easy to enforce a single change without knowing and setting all attributes.  (Admittedly that would be more idempotent.)

Can someone update the documentation, to add this note on the usage?

Or, can the command line fed to chattr be updated to remove the "=" before the attributes when a +/- is present in the attributes line?  That makes it easy to use "-i" to remove immutable, or "+i" to add immutable flag, though I haven't thought through the ramifications and idempotent features...

Thanks,
Dan

Kai Stian Olstad

Jul 22, 2017, 10:35:30 AM
to ansible...@googlegroups.com
On 21.07.2017 17:34, Dan Linder wrote:
> I set up a playbook with this play:
>
> - name: "Remove immutable flag"
>   file:
>     path: /etc/security/access.conf
>     attributes: "-i"
>
> The documentation isn't clear on what "attributes" can be but the file
> module calls chattr with the "=" precursor before the attributes. For my
> case, I can just send "e" as the attribute (which effectively removes "i",
> the only attribute on this file usually), but it doesn't make it easy to
> enforce a single change without knowing and setting all attributes.
> (Admittedly that would be more idempotent.)

It only requires an additional task to only remove the attribute without
touching the other ones.

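# Read the file's current attribute flags (stat returns them as attr_flags)
- stat:
    path: /etc/security/access.conf
  register: result

# Write back the same flags with "i" stripped, leaving the others as they are
- file:
    path: /etc/security/access.conf
    attr: "{{ result.stat.attr_flags | regex_replace('i', '') }}"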


> Can someone update the documentation, to add this note on the usage?
>
> Or, can the command line fed to chattr be updated to remove the "=" before
> the attributes when a +/- is present in the attributes line? That makes it
> easy to use "-i" to remove immutable, or "+i" to add immutable flag, though
> I haven't thought through the ramifications and idempotent features...

You can always make a feature request on GitHub
https://github.com/ansible/ansible/issues

--
Kai Stian Olstad
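
Added example, not part of the thread and not Ansible's own code: a small custom filter plugin that turns the "+i" / "-i" style asked for in the first post into the absolute flag string the file module passes to chattr after "=", generalizing the stat + regex_replace workaround above. The filter name attr_delta, the file name, and the space-separated token format are assumptions made for this example.

```python
# filter_plugins/attr_delta.py  (hypothetical file and filter name)
import re

# One token = an operator followed by one or more flag letters, e.g. "-i", "+ai"
_TOKEN = re.compile(r'^[+-][A-Za-z]+$')


def attr_delta(current, spec):
    """Apply '+x' / '-x' tokens to an attribute flag string.

    current: flags as reported by stat (result.stat.attr_flags), e.g. "ie"
    spec:    space-separated tokens such as "-i" or "+a -i"
    Returns the absolute flag string to give to the file module, which
    (as described in the thread) hands it to chattr with a leading "=".
    """
    # Raw lsattr output pads unset positions with '-'; drop them if present.
    flags = [c for c in (current or '') if c != '-']
    for token in spec.split():
        if not _TOKEN.match(token):
            # Refuse anything that is not an explicit add or remove.
            raise ValueError("bad attribute token: %r" % token)
        op, letters = token[0], token[1:]
        for letter in letters:
            if op == '+' and letter not in flags:
                flags.append(letter)   # keep existing order, append new flag
            elif op == '-' and letter in flags:
                flags.remove(letter)   # every other flag stays where it was
    return ''.join(flags)


class FilterModule(object):
    """Entry point Ansible looks for in a filter plugin file."""

    def filters(self):
        return {'attr_delta': attr_delta}


# Playbook usage, after a stat task registered as "result":
#   - file:
#       path: /etc/security/access.conf
#       attr: "{{ result.stat.attr_flags | attr_delta('-i') }}"
```

Because the filter returns the unchanged string when the flag is already absent, a second run asks the file module for the flags the file already has.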

Dan Linder

Jul 23, 2017, 12:26:40 PM
to ansible...@googlegroups.com
Thanks Kai, hadn't thought about using the attr_flags field - I'll give it a shot when I get back to that issue.

Dan





