Ansible: Handling a temporary file idempotently and securely
In Ansible (RHEL 8, if it matters), I need to create a temporary file from a template that contains sensitive content. After a few other tasks have completed, it should be deleted. The temporary file is an answer file for an installer, which is run as a command. The installer needs a username and password.
I don't know whether there is a way to do this easily in Ansible.
The brute-force implementation I am looking at looks something like this:
```yaml
- name: Create answer file
  template:
    src: answerfile.xml.j2
    dest: /somewhere/answer.xml
    owner: root
    group: root
    mode: '0600'
- name: Install
  command: /somewhere/myinstaller --answerfile /somewhere/answer.xml
  args:
    creates: /somewhereelse/installedprogram
- name: Delete answerfile
  file:
    path: /somewhere/answer.xml
    state: absent
```
Of course, this code is not idempotent: the answer file is created and destroyed on every run.
Is there a better way?
I think this solution may represent a slight improvement over yours.
With it, if your target program is already installed, the tasks that create and delete the answer file are skipped (instead of always running and reporting a change).
I still don't like this solution, because I really don't like skips.
```yaml
# Try to call the installedprogram. --version is arbitrary here.
# --help, or a simple `which installedprogram`, could be alternatives.
- name: Try run installedprogram
  command: '/somewhereelse/installedprogram --version'
  register: installedprogram_exists
  ignore_errors: yes
  changed_when: False
# Only create answer file if installedprogram is not installed
- name: Create answer file
  template:
    src: answerfile.xml.j2
    dest: /somewhere/answer.xml
    owner: root
    group: root
    mode: '0600'
  when: installedprogram_exists.rc != 0
- name: Install
  command: /somewhere/myinstaller --answerfile /somewhere/answer.xml
  args:
    creates: /somewhereelse/installedprogram
# Only delete answer file if installedprogram is not installed
- name: Delete answerfile
  file:
    path: /somewhere/answer.xml
    state: absent
  when: installedprogram_exists.rc != 0
```
Test whether the file exists. If it exists, skip the block. For example:
```yaml
- stat:
    path: /somewhereelse/installedprogram
  register: st
- block:
    - name: Create answer file
      template:
        src: answerfile.xml.j2
        dest: /somewhere/answer.xml
        owner: root
        group: root
        mode: '0600'
    - name: Install
      command: /somewhere/myinstaller --answerfile /somewhere/answer.xml
    - name: Delete answerfile
      file:
        path: /somewhere/answer.xml
        state: absent
  when: not st.stat.exists
```
(untested)
Taking the "Delete answerfile" task out of the block would make the code safer. It will always ensure that the credentials are not left stored in the file. The task does not fail if the file does not exist.
```yaml
- stat:
    path: /somewhereelse/installedprogram
  register: st
- block:
    - name: Create answer file
      template:
        src: answerfile.xml.j2
        dest: /somewhere/answer.xml
        owner: root
        group: root
        mode: '0600'
    - name: Install
      command: /somewhere/myinstaller --answerfile /somewhere/answer.xml
  when: not st.stat.exists
- name: Delete answerfile
  file:
    path: /somewhere/answer.xml
    state: absent
```
(untested)
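As an added example that is not code from the question or from any of the answers above, the following playbook combines the three ideas: the `stat` check for idempotency, `creates:` on the installer, and an unconditional delete. Two things the answers leave out are added: `no_log: true` on the template task, because in `--diff` mode the `template` module otherwise prints the rendered answer file (including the username and password) to the Ansible output, and an `always:` section, so the answer file is also removed when the installer fails part-way and the play aborts. The paths, the template name and the marker file are the placeholders from the question; the variable names, `become: true` and `hosts: all` are assumptions.

```yaml
# Added example, not from the question or the answers. Paths and the template
# name are the question's placeholders; variable names, `become: true` and
# `hosts: all` are assumptions to make the play self-contained.
- name: Install a program from a short-lived answer file
  hosts: all
  become: true
  vars:
    installed_marker: /somewhereelse/installedprogram
    answer_file: /somewhere/answer.xml
  tasks:
    - name: Check whether the program is already installed
      ansible.builtin.stat:
        path: "{{ installed_marker }}"
      register: installed

    - name: Render the answer file, run the installer, always clean up
      block:
        - name: Create answer file (module result and diff hidden from the log)
          ansible.builtin.template:
            src: answerfile.xml.j2
            dest: "{{ answer_file }}"
            owner: root
            group: root
            mode: "0600"
          # Without this, `ansible-playbook --diff` prints the rendered file,
          # credentials included, and the task result is kept in callbacks/logs.
          no_log: true
          when: not installed.stat.exists

        - name: Install
          ansible.builtin.command:
            argv:
              - /somewhere/myinstaller
              - --answerfile
              - "{{ answer_file }}"
            # Skipped (reported as ok/skipped, never changed) once the marker exists.
            creates: "{{ installed_marker }}"

      always:
        # Runs whether the installer succeeded, failed or was skipped, so the
        # credentials never stay on disk after the play. `state: absent` on a
        # file that is already gone is a no-op and reports ok, not changed.
        - name: Delete answer file
          ansible.builtin.file:
            path: "{{ answer_file }}"
            state: absent
```

Two caveats. `no_log: true` also hides the task's error message, so when the template itself fails you will need to turn it off temporarily to see why. And `file: state: absent` only unlinks the path; it does not overwrite the blocks, so if the disk is not encrypted and the installer accepts a file on a tmpfs such as `/run` (assumption: that the installer can read it from there), writing the answer file to memory-backed storage shortens the window further than a fixed path under `/somewhere`.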