我的剧本在根据register值和条件when执行条件检查时失败。
以下游戏是ansible角色的一部分:
---
- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/profile 1/2)
shell: tail -1 /etc/profile | grep "umask 027"
register: umask_grep
changed_when: false
failed_when: false
- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/profile 2/2)
shell: echo umask 027 >> /etc/profile
when: umask_grep[ "rc" ] != 0
become: yes
- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/bashrc 1/2)
shell: tail -1 /etc/bashrc | grep "umask 027"
register: umask_grep
changed_when: false
failed_when: false
- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/bashrc 2/2)
shell: echo umask 027 >> /etc/bashrc
when: umask_grep[ "rc" ] != 0
become: yes
在执行此操作时,出现以下错误。
fatal: [xx.xx.xx.xx]: FAILED! => {
"msg": "The conditional check 'umask_grep[ \"rc\" ] != 0' failed. The error was: error while evaluating conditional (umask_grep[ \"rc\" ] != 0): 'dict object' has no attribute 'rc'\n\nThe error appears to be in 'umask_is_027_or_more_restrictive.yml': line 8, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/profile 2/2)\n ^ here\n"
}
即使我尝试将when: umask_grep[ "rc" ] != 0更改为when: umask_grep.rc != 0,但甚至收到相同的消息。
在此方面的任何帮助将不胜感激。
可用2.9.10
skipping: [xx.xx.xx.xx] => {
"changed": false,
"invocation": {
"module_args": {
"_raw_params": "tail -1 /etc/profile | grep \"umask 027\"",
"_uses_shell": true,
"argv": null,
"chdir": null,
"creates": null,
"executable": null,
"removes": null,
"stdin": null,
"stdin_add_newline": true,
"strip_empty_ends": true,
"warn": true
}
},
"msg": "skipped, running in check mode"
}
答案 0 :(得分:2)
在检查模式下运行时,Ansible将不会执行shell或command任务。由于“检查umask”任务中的Shell脚本未运行,因此您在umask_grep中注册的相应结果没有rc属性。这就是错误的根源。
最简单的解决方案可能是在rc属性不可用时设置默认值:
- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/profile 2/2)
shell: echo umask 027 >> /etc/profile
when: umask_grep.rc|default(0) != 0
become: yes
您还可以修改剧本,以便您的grep任务可以在检查模式下运行:
- hosts: localhost
gather_facts: false
tasks:
- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/profile 1/2)
check_mode: false
shell: tail -1 /etc/profile | grep "umask 027"
register: umask_grep
changed_when: umask_grep.rc != 0
failed_when: false
- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/profile 2/2)
shell: echo umask 027 >> /etc/profile
when: umask_grep is changed
become: yes
- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/bashrc 1/2)
check_mode: false
shell: tail -1 /etc/bashrc | grep "umask 027"
register: umask_grep
changed_when: umask_grep.rc != 0
failed_when: false
- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/bashrc 2/2)
shell: echo umask 027 >> /etc/bashrc
when: umask_grep is changed
become: yes
在此模型中,进行更改的任务不需要显式检查rc属性,因为我们在grep任务中使用该属性来设置任务的“已更改”状态。