# First task: grep the saved ruleset for the ACCEPT rule; the exit status is what
# the second task keys on, so failure is tolerated and the result registered.
- name: Check if postgres is already allowed via IPv4
  shell: grep '^-A\ INPUT\ -s\ {{roundcube_host}}\ -p\ tcp\ -m\ state\ --state\ NEW\ -m\ tcp\ --dport\ 5432\ -j\ ACCEPT' /etc/sysconfig/iptables > /dev/null 2>&1
  ignore_errors: true
  register: result

# Second task: insert the rule ahead of the LOGGING jump only when the grep failed.
- name: Allow incoming IPv4 PostgreSQL connections through iptables
  lineinfile: dest=/etc/sysconfig/iptables
              regexp='^-A\ INPUT\ -s\ {{roundcube_host}}\ -p\ tcp\ -m\ state\ --state\ NEW\ -m\ tcp\ --dport\ 5432\ -j\ ACCEPT'
              insertbefore='^-A\ INPUT\ -j\ LOGGING'
              line="-A INPUT -s {{roundcube_host}} -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT"
  when: result|failed
  notify: Restart iptables


My test will always fail because I'm sure it's trying to evaluate the
{{roundcube_host}} variable without escaping the periods in the IP address.

I could write a sed recipe that will read out {{roundcube_host}}, insert
backslashes before dots, and write that to a new variable. But has this
wheel already been invented? I can assume the presence of tools like sed
on the target host, but not on the host that's running the playbook. And
it's possible that the playbook might be run from either a GNU or BSD
system, and a recipe I write for one might not work with the other. It
seems a little messy to send this to the remote host for operations and
bring the result back :-)

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscribe@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/4fef3e9b-75f2-40e0-8fe8-801a248993ec%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


  • Dan Vaida at Jan 3, 2015 at 5:23 pm
    When you say you're sure, is that because you tried 'debug: var=result'?

    Furthermore, are you doing something else with Postgres' port in your
    iptables rule? If not, simply remove the first task and then in the second
    task, remove everything before '-p\ tcp...' from the regexp and you should
    be fine.
    Regardless, you should be fine with only the lineinfile task. You can
    achieve true idempotence with a proper regexp.

    Personally, I would set the rules through an Ansible template.
    On Tuesday, 25 November 2014 18:02:56 UTC+1, John Oliver wrote:
  • Tom Bamford at Jan 3, 2015 at 6:46 pm
    Hi John

    Python has the re.escape() method but I don't know if Ansible exposes this
    in the form of a Jinja2 filter (seemingly not, looking at
    https://github.com/ansible/ansible/blob/devel/lib/ansible/runner/filter_plugins/core.py
    ).

    I'm curious, why both the check with grep *and* the regexp option to
    lineinfile?

    Regards
    Tom

    On 25 November 2014 at 19:02, John Oliver wrote:
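As an added example (not code from this thread, from Ansible, or from any of the posters), the Python below does two things the replies point at: it is the small filter plugin Tom says Ansible lacks, exposing Python's re.escape() to Jinja2 as a regex_escape filter (the filter_plugins/ location beside the playbook is an assumption), and it models Dan's "lineinfile only" approach against a constructed iptables file so the effect of an escaped versus raw host in the regexp, and the idempotence of a second run, can be checked offline.

```python
import re
# Constructed sample of /etc/sysconfig/iptables (not from the thread). The second
# ACCEPT line has a constructed look-alike source that an unescaped '.' also matches.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -s 192.168.1.25 -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT
-A INPUT -s 192x168x1x25 -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT
-A INPUT -j LOGGING
COMMIT
"""
RULE = "-A INPUT -s %s -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT"


class FilterModule(object):
    """Filter plugin (assumed to sit in filter_plugins/ beside the playbook) that
    exposes Python's re.escape() to Jinja2 as {{ roundcube_host | regex_escape }}."""
    def filters(self):
        return {"regex_escape": re.escape}


def rule_regexp(src_host, escape=True):
    """Anchored regexp for the lineinfile task, with the host escaped or raw."""
    host = re.escape(src_host) if escape else src_host
    return "^" + RULE % host + "$"


def find_rule(rules, src_host, escape=True):
    """Rule lines the regexp matches (lineinfile applies re.search to each line)."""
    pattern = re.compile(rule_regexp(src_host, escape))
    return [line for line in rules.splitlines() if pattern.search(line)]


def ensure_rule(rules, src_host, insert_before=r"^-A INPUT -j LOGGING"):
    """Model of the lineinfile task on its own: the last line matching regexp is
    replaced by the rule (no change when identical); otherwise the rule goes in
    before the first insertbefore match. Returns (new_text, changed)."""
    line, lines = RULE % src_host, rules.splitlines()
    hits = [i for i, l in enumerate(lines) if re.search(rule_regexp(src_host), l)]
    if hits:
        changed = lines[hits[-1]] != line
        lines[hits[-1]] = line
    else:
        marker = re.compile(insert_before)
        idx = next((i for i, l in enumerate(lines) if marker.search(l)), len(lines))
        lines.insert(idx, line)
        changed = True
    return "\n".join(lines) + "\n", changed
```

Note that an unescaped `.` still matches a literal dot, so the raw regexp does find the intended address; escaping only stops it from matching anything else in those positions, which is what makes the idempotence check exact.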

Discussion Overview
group: ansible-project
posted: Nov 25, '14 at 5:02p
active: Jan 3, '15 at 6:46p
posts: 3
users: 3