Handling unreachable hosts

Kenady Inampudi

Jul 29, 2023, 8:00:42 AM
to Ansible Project
I have a playbook to lock a user. This works as expected but fails when any of the servers in the inventory is unreachable.
lock_user.yml
-----------------
---
- name: Lock Users
  hosts: "{{ target }}"
  gather_facts: no
  ignore_unreachable: yes
  any_errors_fatal: false
  vars:
    - ansible_python_interpreter: /usr/bin/python
    - myusers: ['sapadm', 'root', 'oracle']
  tasks:
    - name: Warn about generic accounts
      debug:
        msg: "{{ user }} is a generic account. DO NOT ATTEMPT TO LOCK THIS ACCOUNT!"
      when: user in myusers

    - name: Check if the user exists {{ user }}
      shell: id -u {{ user }}
      register: user_exists
      ignore_errors: true

    - name: Locking {{ user }} Linux
      shell: "passwd -l {{ user }}"
      when: "user_exists.rc == 0 and inventory_hostname in groups['linux'] and user not in myusers"

    - name: Locking {{ user }} AIX
      shell: "chuser account_locked=true {{ user }}"
      when: "user_exists.rc == 0 and inventory_hostname in groups['aix'] and user not in myusers"

    - name: User does not exist
      debug:
        msg: "{{ user }} does not exist"
      when: user_exists.rc != 0

Failure messages at 

check_users task

fatal: [server1]: FAILED! => {"msg": "Timeout (12s) waiting for privilege escalation prompt: /etc/profile.d/lang.sh: line 19: warning: setlocale: LC_CTYPE: cannot change locale (C.UTF-8)\\r\\n"}
...ignoring
fatal: [server2]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: ssh: connect to host 10.65.112.84 port 22: Connection timed out", "skip_reason": "Host server2 is unreachable", "unreachable": true}
...ignoring

lock_user task

fatal: [server1]: FAILED! => {"msg": "The conditional check 'user_exists.rc == 0 and inventory_hostname in groups['linux'] and user not in myusers' failed. The error was: error while evaluating conditional (user_exists.rc == 0 and inventory_hostname in groups['linux'] and user not in myusers): 'dict object' has no attribute 'rc'\\n\\nThe error appears to be in '/runner/project/lock_user.yml': line 20, column 7, but may\\nbe elsewhere in the file depending on the exact syntax problem.\\n\\nThe offending line appears to be:\\n\\n\\n    - name: Locking {{ user }} Linux\\n      ^ here\\nWe could be wrong, but this one looks like it might be an issue with\\nmissing quotes. Always quote template expression brackets when they\\nstart a value. For instance:\\n\\n    with_items:\\n      - {{ foo }}\\n\\nShould be written as:\\n\\n    with_items:\\n      - \\"{{ foo }}\\"\\n"}
fatal: [server2]: FAILED! => {"msg": "The conditional check 'user_exists.rc == 0 and inventory_hostname in groups['linux'] and user not in myusers' failed. The error was: error while evaluating conditional (user_exists.rc == 0 and inventory_hostname in groups['linux'] and user not in myusers): 'dict object' has no attribute 'rc'\\n\\nThe error appears to be in '/runner/project/lock_user.yml': line 20, column 7, but may\\nbe elsewhere in the file depending on the exact syntax problem.\\n\\nThe offending line appears to be:\\n\\n\\n    - name: Locking {{ user }} Linux\\n      ^ here\\nWe could be wrong, but this one looks like it might be an issue with\\nmissing quotes. Always quote template expression brackets when they\\nstart a value. For instance:\\n\\n    with_items:\\n      - {{ foo }}\\n\\nShould be written as:\\n\\n    with_items:\\n      - \\"{{ foo }}\\"\\n"}

How can I fix this?

Pierre TOURON

Aug 6, 2023, 12:23:52 PM
to Ansible Project
Hi,

The error is not about hosts being unreachable per se, but about an undefined variable (user_exists.rc here) that is still being evaluated for each host, whether it is reachable or not.
I'm not sure how to change this behavior, but you should be able to circumvent the issue by checking whether the var is defined before evaluating it:
when: "user_exists.rc is defined and user_exists.rc == 0 and inventory_hostname in groups['linux'] and user not in myusers"

Or by setting a default value, here with the 'default' Jinja filter, though you can also initialize it somewhere else:
when: "user_exists.rc|d() == 0 and inventory_hostname in groups['linux'] and user not in myusers"

On a side note, you should probably use more specific modules than shell / command when you can help it, though I don't know much of your context. Here you could use 'ansible.builtin.user' module :).
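
Added example, not part of the thread or of either poster's code: one way to apply the `is defined` guard from the reply to every task that reads user_exists.rc, and to report hosts where the check never ran, since with ignore_unreachable those hosts otherwise pass through with the account left unlocked. It assumes the same `target` and `user` extra vars and `linux`/`aix` inventory groups as lock_user.yml; the final reporting task, the `argv` form of `ansible.builtin.command`, and `ansible.builtin.user` with `password_lock` are choices made for this example.

```yaml
---
- name: Lock Users
  hosts: "{{ target }}"
  gather_facts: false
  ignore_unreachable: true
  vars:
    ansible_python_interpreter: /usr/bin/python
    myusers: ['sapadm', 'root', 'oracle']
  tasks:
    - name: Check if the user exists
      # argv form: the value of 'user' is passed as one argument, never parsed by a shell
      ansible.builtin.command:
        argv: ['id', '-u', "{{ user }}"]
      register: user_exists
      changed_when: false
      ignore_errors: true

    - name: Lock the password on Linux
      # Locks the password only; it does not by itself block other login methods such as SSH keys
      ansible.builtin.user:
        name: "{{ user }}"
        password_lock: true
      when:
        - user_exists.rc is defined  # false when the host was unreachable or the check timed out
        - user_exists.rc == 0
        - inventory_hostname in groups['linux']
        - user not in myusers

    - name: Lock the account on AIX
      ansible.builtin.command:
        argv: ['chuser', 'account_locked=true', "{{ user }}"]
      when:
        - user_exists.rc is defined
        - user_exists.rc == 0
        - inventory_hostname in groups['aix']
        - user not in myusers

    - name: User does not exist
      ansible.builtin.debug:
        msg: "{{ user }} does not exist"
      when:
        - user_exists.rc is defined
        - user_exists.rc != 0

    - name: Flag hosts where the check never ran
      ansible.builtin.debug:
        msg: "{{ user }} NOT checked on {{ inventory_hostname }}: account state unknown"
      when: user_exists.rc is not defined
```

Items in a `when` list are evaluated in order and combined with AND, so the `is defined` test runs before anything dereferences `rc`.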