Ansible "rc" 条件检查因 when 条件而失败
Ansible "rc" conditional check failed with the when condition
我的剧本在根据 register 值执行条件检查时失败。= when 条件。
下面Play是ansible角色的一部分:
我的剧本
---
- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/profile 1/2)
shell: tail -1 /etc/profile | grep "umask 027"
register: umask_grep
changed_when: false
failed_when: false
- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/profile 2/2)
shell: echo umask 027 >> /etc/profile
when: umask_grep[ "rc" ] != 0
become: yes
- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/bashrc 1/2)
shell: tail -1 /etc/bashrc | grep "umask 027"
register: umask_grep
changed_when: false
failed_when: false
- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/bashrc 2/2)
shell: echo umask 027 >> /etc/bashrc
when: umask_grep[ "rc" ] != 0
become: yes
当我执行它时出现以下错误..
错误:
fatal: [xx.xx.xx.xx]: FAILED! => {
"msg": "The conditional check 'umask_grep[ \"rc\" ] != 0' failed. The error was: error while evaluating conditional (umask_grep[ \"rc\" ] != 0): 'dict object' has no attribute 'rc'\n\nThe error appears to be in 'umask_is_027_or_more_restrictive.yml': line 8, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/profile 2/2)\n ^ here\n"
}
我什至尝试将 when: umask_grep[ "rc" ] != 0 更改为 when: umask_grep.rc != 0,但甚至收到相同的消息。
如有任何帮助,我们将不胜感激。
我的 Ansible 版本
ansible 2.9.10
调试信息
skipping: [xx.xx.xx.xx] => {
"changed": false,
"invocation": {
"module_args": {
"_raw_params": "tail -1 /etc/profile | grep \"umask 027\"",
"_uses_shell": true,
"argv": null,
"chdir": null,
"creates": null,
"executable": null,
"removes": null,
"stdin": null,
"stdin_add_newline": true,
"strip_empty_ends": true,
"warn": true
}
},
"msg": "skipped, running in check mode"
}
当运行处于检查模式时,Ansible 将不会执行shell 或command 任务。由于“检查 umask”任务中的 shell 脚本没有 运行,因此您在 umask_grep 中注册的相应结果没有 rc 属性。那是你错误的根源。
最简单的解决方案可能是在 rc 属性不可用时设置默认值:
- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/profile 2/2)
shell: echo umask 027 >> /etc/profile
when: umask_grep.rc|default(0) != 0
become: yes
您还可以修改您的剧本,以便您的 grep 任务在检查模式下执行 运行:
- hosts: localhost
gather_facts: false
tasks:
- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/profile 1/2)
check_mode: false
shell: tail -1 /etc/profile | grep "umask 027"
register: umask_grep
changed_when: umask_grep.rc != 0
failed_when: false
- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/profile 2/2)
shell: echo umask 027 >> /etc/profile
when: umask_grep is changed
become: yes
- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/bashrc 1/2)
check_mode: false
shell: tail -1 /etc/bashrc | grep "umask 027"
register: umask_grep
changed_when: umask_grep.rc != 0
failed_when: false
- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/bashrc 2/2)
shell: echo umask 027 >> /etc/bashrc
when: umask_grep is changed
become: yes
在此模型中,进行更改的任务不需要显式检查 rc 属性,因为我们在 grep 任务中使用它来设置任务的“已更改”状态。
我的剧本在根据 register 值执行条件检查时失败。= when 条件。
下面Play是ansible角色的一部分:
我的剧本
---
- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/profile 1/2)
shell: tail -1 /etc/profile | grep "umask 027"
register: umask_grep
changed_when: false
failed_when: false
- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/profile 2/2)
shell: echo umask 027 >> /etc/profile
when: umask_grep[ "rc" ] != 0
become: yes
- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/bashrc 1/2)
shell: tail -1 /etc/bashrc | grep "umask 027"
register: umask_grep
changed_when: false
failed_when: false
- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/bashrc 2/2)
shell: echo umask 027 >> /etc/bashrc
when: umask_grep[ "rc" ] != 0
become: yes
当我执行它时出现以下错误..
错误:
fatal: [xx.xx.xx.xx]: FAILED! => {
"msg": "The conditional check 'umask_grep[ \"rc\" ] != 0' failed. The error was: error while evaluating conditional (umask_grep[ \"rc\" ] != 0): 'dict object' has no attribute 'rc'\n\nThe error appears to be in 'umask_is_027_or_more_restrictive.yml': line 8, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/profile 2/2)\n ^ here\n"
}
我什至尝试将 when: umask_grep[ "rc" ] != 0 更改为 when: umask_grep.rc != 0,但甚至收到相同的消息。
如有任何帮助,我们将不胜感激。
我的 Ansible 版本
ansible 2.9.10
调试信息
skipping: [xx.xx.xx.xx] => {
"changed": false,
"invocation": {
"module_args": {
"_raw_params": "tail -1 /etc/profile | grep \"umask 027\"",
"_uses_shell": true,
"argv": null,
"chdir": null,
"creates": null,
"executable": null,
"removes": null,
"stdin": null,
"stdin_add_newline": true,
"strip_empty_ends": true,
"warn": true
}
},
"msg": "skipped, running in check mode"
}
当运行处于检查模式时,Ansible 将不会执行shell 或command 任务。由于“检查 umask”任务中的 shell 脚本没有 运行,因此您在 umask_grep 中注册的相应结果没有 rc 属性。那是你错误的根源。
最简单的解决方案可能是在 rc 属性不可用时设置默认值:
- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/profile 2/2)
shell: echo umask 027 >> /etc/profile
when: umask_grep.rc|default(0) != 0
become: yes
您还可以修改您的剧本,以便您的 grep 任务在检查模式下执行 运行:
- hosts: localhost
gather_facts: false
tasks:
- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/profile 1/2)
check_mode: false
shell: tail -1 /etc/profile | grep "umask 027"
register: umask_grep
changed_when: umask_grep.rc != 0
failed_when: false
- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/profile 2/2)
shell: echo umask 027 >> /etc/profile
when: umask_grep is changed
become: yes
- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/bashrc 1/2)
check_mode: false
shell: tail -1 /etc/bashrc | grep "umask 027"
register: umask_grep
changed_when: umask_grep.rc != 0
failed_when: false
- name: CIS 5.4.4 Ensure default user umask is 027 or more restrictive (/etc/bashrc 2/2)
shell: echo umask 027 >> /etc/bashrc
when: umask_grep is changed
become: yes
在此模型中,进行更改的任务不需要显式检查 rc 属性,因为我们在 grep 任务中使用它来设置任务的“已更改”状态。