Ansible evaluates the return codes of modules and commands to determine whether a task succeeded or failed. Normally, when a task fails Ansible immediately aborts the plays, skipping all subsequent tasks.
However, sometimes an administrator may want to have playbook execution continue even if a task fails. For example, it may be expected that a particular command will fail.
There are a number of Ansible features that may be used to better manage task errors:
- Ignore the failed task: By default, if a task fails, the play is aborted; however, this behavior can be overridden by skipping failed tasks. To do so, the
ignore_errorskeyword needs to be used in a task. The following snippet shows how to useignore_errorsto continue playbook execution even if the task fails. For example, if the notapkg package does not exist the yum
module will fail, but havingignore_errorsset to yes will allow execution to continue.
|
1 2 3 4 |
- yum: name: notapkg state: latest ignore_errors: yes |
- Force execution of handlers: By default, if a task that notifies a handler fails, the handler will be skipped as well. Administrators can override this behavior by using the
force_handlerskeyword in task. This forces the handler to be called even if the task fails. The following snippet shows hows to use theforce_handlerskeyword in a task to forcefully execute the handler even if the task fails:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
--- - hosts: all force_handlers: yes tasks: - yum: name: notapkg state: latest notify: restart_database handlers: - name: restart_database service: name: mariadb state: restarted |
- Override the failed state: A task itself can succeed, yet administrators may want to mark the task as failed based on specific criteria. To do so, the
failed_whenkeyword can be used with a task. This is often used with modules that execute remote commands and capture the output in a variable. For example, administrators can run a script that outputs an error message and use that message to define the failed state for the task. The following snippet shows how thefailed_whenkeyword can be used in a task:
|
1 2 3 4 5 |
tasks: - shell: cmd: /usr/local/bin/create_users.sh register: command_result failed_when: "'Password missing' in command_result.stdout" |
- Override the changed state: When a task updates a managed host, it acquires the changed state. However, if a task does not perform any change on the managed node, handlers are skipped. The
changed_whenkeyword can be used to override the default behavior of what triggers the changed state. For example, if administrators want to restart a service every time a playbook runs, thechanged_whenkeyword can be added to the task. The following snippet shows how a handler can be triggered every time by forcing the changed state:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
tasks: - shell: cmd: /usr/local/bin/upgrade-database register: command_result changed_when: "'Success' in command_result.stdout" notify: - restart_database handlers: - name: restart_database service: name: mariadb state: restarted |
Ansible blocks and error handling
In playbooks, blocks are clauses that enclose tasks. Blocks allow for logical grouping of tasks, and can be used to control how tasks are executed. For example, administrators can define a main set of tasks and a set of extra tasks that will only be executed if the first set fails. To do so, blocks in playbooks can be used with three keywords:
- block: Defines the main tasks to run.
- rescue: Defines the tasks that will be run if the tasks defined in the block clause fails.
- always: Defines the tasks that will always run independently of the success or failure of tasks defined in the block and rescue clauses.
The following example shows how to implement a block in a playbook. Even if tasks defined in the block clause fail, tasks defined in the rescue and always clause will be executed:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
tasks: - block: - shell: cmd: /usr/local/lib/upgrade-database rescue: - shell: cmd: /usr/local/lib/create-users always: - service: name: mariadb state: restarted |
Example 1. Configure Error Handling
The playbook below will copy url files from managedhosts.
|
1 2 3 4 5 6 7 8 9 10 11 12 |
[miro@controlnode playbooks]$ cat playbook5.yml --- - hosts: localhost tasks: - name: get files get_url: url: "http://{{item}}/index.html" dest: "/tmp/{{item}}" ignore_errors: yes with_items: - managedhost1 - managedhost2 |
Ensuring that http service is at started state at both servers.
|
1 |
[miro@controlnode playbooks]$ ansible labservers -b -m service -a "name=httpd state=started" |
Now we are running playbook5:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
[miro@controlnode playbooks]$ ansible-playbook playbook5.yml PLAY [localhost] ***************************************************************************************************************** TASK [Gathering Facts] *********************************************************************************************************** ok: [localhost] TASK [get files] ***************************************************************************************************************** ok: [localhost] => (item=managedhost1) ok: [localhost] => (item=managedhost2) PLAY RECAP *********************************************************************************************************************** localhost : ok=2 changed=0 unreachable=0 failed=0 [miro@controlnode playbooks]$ cat /tmp/managedhost1 Hello World ! [miro@controlnode playbooks]$ cat /tmp/managedhost2 Hello World ! I'm back!! |
Ass you can see index.html is copied into /tmp directory
Let’s stop http service at managedhost1
|
1 |
[miro@controlnode playbooks]$ ansible managedhost1 -b -m service -a "name=httpd state=stopped" |
And remove index.html files from /tmp
|
1 |
[miro@controlnode playbooks]$ rm /tmp/managedhost* |
When we run playbook5 now we will see errors:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
[miro@controlnode playbooks]$ ansible-playbook playbook5.yml PLAY [localhost] ***************************************************************************************************************** TASK [Gathering Facts] *********************************************************************************************************** ok: [localhost] TASK [get files] ***************************************************************************************************************** failed: [localhost] (item=managedhost1) => {"changed": false, "dest": "/tmp/managedhost1", "item": "managedhost1", "msg": "Request failed: <urlopen error [Errno 111] Połączenie odrzucone>", "state": "absent", "url": "http://managedhost1/index.html"} changed: [localhost] => (item=managedhost2) ...ignoring PLAY RECAP *********************************************************************************************************************** localhost : ok=2 changed=1 unreachable=0 failed=0 |
Now we will write a playbook with error debugging::
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
[miro@controlnode playbooks]$ cat playbook6.yml --- - hosts: localhost tasks: - name: get files block: - get_url: url: "http://managedhost2/index.html" dest: "/tmp/index_file" rescue: - debug: msg="The file doesn't exists!" always: - debug: msg="Play done !" |
Running the playbook:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
[miro@controlnode playbooks]$ ansible-playbook playbook6.yml PLAY [localhost] ***************************************************************************************************************** TASK [Gathering Facts] *********************************************************************************************************** ok: [localhost] TASK [get_url] ******************************************************************************************************************* changed: [localhost] TASK [debug] ********************************************************************************************************************* ok: [localhost] => { "msg": "Play done !" } PLAY RECAP *********************************************************************************************************************** localhost : ok=3 changed=1 unreachable=0 failed=0 |
Everything went well:
|
1 2 3 |
[miro@controlnode playbooks]$ cat /tmp/index_file Hello World ! I'm back!! |
Let’s stop http service at managedhost2:
|
1 |
[miro@controlnode etc]$ ansible managedhost2.example.com -b -m service -a "name=httpd state=stopped" |
And we can see the message about problems:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
[miro@controlnode playbooks]$ ansible-playbook playbook6.yml PLAY [localhost] ***************************************************************************************************************** TASK [Gathering Facts] *********************************************************************************************************** ok: [localhost] TASK [get_url] ******************************************************************************************************************* fatal: [localhost]: FAILED! => {"changed": false, "dest": "/tmp/index_file", "msg": "Request failed: <urlopen error [Errno 111] Połączenie odrzucone>", "state": "absent", "url": "http://managedhost2/index.html"} TASK [debug] ********************************************************************************************************************* ok: [localhost] => { "msg": "The file doesn't exists!" } TASK [debug] ********************************************************************************************************************* ok: [localhost] => { "msg": "Play done !" } PLAY RECAP *********************************************************************************************************************** localhost : ok=3 changed=0 unreachable=0 failed=1 |
Example 2. Handling errors
Playbook playbook.yml targets all hosts in the mailservers group. It initializes four variables: maildir_path with a value of /home/john/Maildir, maildir with a value of /home/student/Maildir, mail_package with a value of postfix, and mail_service with a value of postfix. It also has a tasks section that defines a task that uses the copy module to install a directory to the managed host. It has a second task that installs the package that the mail_package variable defines.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
--- - hosts: mailservers vars: maildir_path: /home/john/Maildir maildir: /home/student/Maildir mail_package: postfix mail_service: postfix tasks: - name: Create {{ maildir_path }} copy: src: "{{ maildir }}" dest: "{{ maildir_path }}" mode: 0755 - name: Install {{ mail_package }} package yum: name: "{{ mail_package }}" state: latest |
Run the playbook. Watch as the first task fails, resulting in the failure of the play.
|
1 2 3 4 5 6 7 8 |
[student@workstation demo-failures]$ ansible-playbook playbook.yml ... Output omitted ... TASK [Create /home/john/Maildir] *********************************************** fatal: [servera.lab.example.com]: FAILED! => {"changed": false, "failed": true, "msg": "could not find src=/home/student/Maildir"} NO MORE HOSTS LEFT ************************************************************* to retry, use: --limit @playbook.retry ... Output omitted ... |
Update the first task by adding the ignore_errors keyword with a value of yes. The updated task should read as follows:
|
1 2 3 4 5 6 |
- name: Create {{ maildir_path }} copy: src: "{{ maildir }}" dest: "{{ maildir_path }}" mode: 0755 ignore_errors: yes |
Run the playbook and watch as the second task runs, despite the fact that the first task failed.
|
1 2 3 4 5 6 7 8 9 |
[student@workstation demo-failures]$ ansible-playbook.playbook.yml ... Output omitted ... TASK [Create /home/john/Maildir] *********************************************** fatal: [servera.lab.example.com]: FAILED! => {"changed": false, "failed": true, "msg": "could not find src=/home/student/Maildir"} ...ignoring TASK [Install postfix package] ************************************************* changed: [servera.lab.example.com] .... Output omitted ... |
Create a block in the tasks section and nest the tasks into it. Remove the line ignore_errors: yes for the first task.
Move the task that installs the postfix package into the rescue clause. Update the task to also install the dovecot package.
Add an always clause. It should create a task to start both the postfix and dovecot services. Register the output of the command in the command_result variable.
Add a debug task outside the block that outputs the command_result variable.
The playbook should now read as follows:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 |
--- - hosts: mailservers vars: maildir_path: /home/john/Maildir maildir: /home/student/Maildir mail_package: postfix mail_service: postfix tasks: - block: - name: Create {{ maildir_path }} copy: src: "{{ maildir }}" dest: "{{ maildir_path }}" mode: 0755 rescue: - name: Install mail packages yum: name: "{{ item }}" state: latest with_items: - "{{ mail_package }}" - dovecot always: - name: Start mail services service: name: "{{ item }}" state: started with_items: - "{{ mail_service }}" - dovecot register: command_result - debug: var: command_result |
Run the playbook, and watch as the rescue and always clauses run despite the fact that the first task failed.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
[student@workstation demo-failures]$ ansible-playbook.playbook.yml ... Output omitted ... TASK [Create /home/john/Maildir] *********************************************** fatal: [servera.lab.example.com]: FAILED! => {"changed": false, "failed": true, "msg": "could not find src=/home/student/Maildir"} TASK [Install mail packages] *************************************************** changed: [servera.lab.example.com] => (item=[u'postfix', u'dovecot']) TASK [Start mail services] ***************************************************** changed: [servera.lab.example.com] => (item=postfix) changed: [servera.lab.example.com] => (item=dovecot) TASK [debug] ******************************************************************* ok: [servera.lab.example.com] => { "command_result": { "changed": true, "msg": "All items completed", "results": [ { ... Output omitted ... |
To restart the two services every time, the changed_when keyword can be used. To do so, capture the output of the first task into a variable; the variable will be used to force the state of the task that installs the packages. A handlers section will be added to the playbook.
Update the task in the block section by saving the output of the command into the command_output variable.
Update the task in the rescue section by adding a changed_when condition as well as a notify section for the restart_dovecot handler. The condition will read the command_output variable to forcefully mark the task as changed.
Update the task in the always section to restart the service defined by the mail_service variable.
Append a handlers section to restart the dovecot service.
When updated, the tasks and handlers sections should read as follows:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 |
tasks: - block: - name: Create {{ maildir_path }} copy: src: "{{ maildir }}" dest: "{{ maildir_path }}" mode: 0755 register: command_output rescue: - name: Install mail packages yum: name: "{{ item }}" state: latest with_items: - "{{ mail_package }}" - dovecot changed_when: "'not find' in command_output.msg" notify: restart_dovecot always: - name: Start mail services service: name: "{{ mail_service }}" state: restarted register: command_result - debug: var: command_result handlers: - name: restart_dovecot service: name: dovecot state: restarted |
Run the playbook. Watch as the handler is called, despite the fact that the dovecot package is already installed:
|
1 2 3 4 5 6 7 8 |
[student@workstation demo-failures]$ ansible-playbook playbook.yml ... Output omitted ... TASK [Install mail packages] *************************************************** changed: [servera.lab.example.com] => (item=[u'postfix', u'dovecot']) ... Output omitted ... RUNNING HANDLER [restart_dovecot] ********************************************** changed: [servera.lab.example.com] ... Output omitted ... |
Example 3.
Create the playbook.yml playbook. Initialize three variables: web_package with a value of http, db_package with a value of mariadb-server and db_service with a value of mariadb. The variables will be used to install the required packages and start the server. The http value is an intentional error in the package name. Define two tasks that use the yum module and the two variables, web_package and db_package. The task will install the required packages. The file should read as follows:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
--- - hosts: databases vars: web_package: http db_package: mariadb-server db_service: mariadb tasks: - name: Install {{ web_package }} package yum: name: "{{ web_package }}" state: latest - name: Install {{ db_package }} package yum: name: "{{ db_package }}" state: latest |
Run the playbook and watch the output of the play.
|
1 2 3 4 5 6 7 |
[student@workstation dev-failures]$ ansible-playbook playbook.yml ... Output omitted ... TASK [Install http package] **************************************************** fatal: [servera.lab.example.com]: FAILED! => {"changed": false, "failed": true, "msg": "No Package matching 'http' found available, installed or updated", "rc": 0, "results": []} ... Output omitted ... |
The task failed because there is no existing package called http. Because the first task failed, the second task was skipped. Update the first task to ignore any errors by adding the ignore_errors keyword. The file should read as follows:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
--- - hosts: databases vars: web_package: http db_package: mariadb-server db_service: mariadb tasks: - name: Install {{ web_package }} package yum: name: "{{ web_package }}" state: latest ignore_errors: yes - name: Install {{ db_package }} package yum: name: "{{ db_package }}" state: latest |
Run the playbook another time and watch the output of the play.
|
1 2 3 4 5 6 7 8 9 10 |
[student@workstation dev-failures]$ ansible-playbook playbook.yml ... Output omitted ... TASK [Install http package] **************************************************** fatal: [servera.lab.example.com]: FAILED! => {"changed": false, "failed": true, "msg": "No Package matching 'http' found available, installed or updated", "rc": 0, "results": []} ...ignoring TASK [Install mariadb-server package] ****************************************** ok: [servera.lab.example.com] ... Output omitted ... |
Despite the fact that the first task failed, Ansible executed the second one.
Insert a new task at the beginning of the playbook. The task will execute a remote command and capture the output. The output of the command is used by the task that installs the mariadb-server package to override what Ansible considers as a failure.
In the playbook, insert a task at the beginning of the playbook that executes a remote command and saves the output in the command_result variable. The play should also continue if the task fails; to do so, add the ignore_errors keyword. The playbook should read as follows:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
--- - hosts: databases vars: web_package: http db_package: mariadb-server db_service: mariadb tasks: - name: Check {{ web_package }} installation status command: yum list installed "{{ web_package }}" register: command_result ignore_errors: yes - name: Install {{ web_package }} package yum: name: "{{ web_package }}" state: latest ignore_errors: yes - name: Install {{ db_package }} package yum: name: "{{ db_package }}" state: latest |
Run the playbook to ensure the first two tasks are skipped.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
[student@workstation dev-failures]$ ansible-playbook playbook.yml ... Output omitted ... TASK [Check http installation status] ****************************************** fatal: [servera.lab.example.com]: FAILED! => {"changed": true, "cmd": ["yum", "list", "installed", "http"], "delta": "0:00:00.269811", "end": "2016-05-18 07:10:18.446872", "failed": true, "rc": 1, "start": "2016-05-18 07:10:18.177061", "stderr": "Error: No matching Packages to list", "stdout": "Loaded plugins: langpacks, search-disabled-repos", "stdout_lines": ["Loaded plugins: langpacks, search-disabled-repos"], "warnings": ["Consider using yum module rather than running yum"]} ...ignoring TASK [Install http package] **************************************************** fatal: [servera.lab.example.com]: FAILED! => {"changed": false, "failed": true, "msg": "No Package matching 'http' found available, installed or updated", "rc": 0, "results": []} ...ignoring ... Output omitted ... |
Update the task that installs the mariadb-server package. Add a condition that indicates that the task should be considered as failed if the keyword Error is present in the variable command_result. The playbook should read as follows:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
--- - hosts: databases vars: web_package: http db_package: mariadb-server db_service: mariadb tasks: - name: Check {{ web_package }} installation status command: yum list installed "{{ web_package }}" register: command_result ignore_errors: yes - name: Install {{ web_package }} package yum: name: "{{ web_package }}" state: latest ignore_errors: yes - name: Install {{ db_package }} package yum: name: "{{ db_package }}" state: latest when: "'Error' in command_result.stdout" |
Before running the playbook, run an ad hoc command to remove the mariadb-server package from the databases managed hosts.
|
1 2 3 4 5 6 |
[student@workstation dev-failures]$ ansible databases -a 'yum -y remove mariadbserver' servera.lab.example.com | SUCCESS | rc=0 >> ... Output omitted ... Removed: mariadb-server.x86_64 1:5.5.44-2.el7 ... Output omitted ... |
Run the playbook and watch how the latest task is skipped as well.
|
1 2 3 4 5 |
[student@workstation dev-failures]$ ansible-playbook playbook.yml ... Output omitted ... TASK [Install mariadb-server package] ****************************************** skipping: [servera.lab.example.com] ... Output omitted ... |
Update the task that installs the mariadb-server package by overriding what triggers the changed state. To do so, use the return code saved in the command_result.rc variable.
Update the last task by commenting out the when condition and adding a
changed_when condition in order to override the changed state for the task. The condition will use the return code the registered variable contains. The playbook should read as follows:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
--- - hosts: databases vars: web_package: http db_package: mariadb-server db_service: mariadb tasks: - name: Check {{ web_package }} installation status command: yum list installed "{{ web_package }}" register: command_result ignore_errors: yes - name: Install {{ web_package }} package yum: name: "{{ web_package }}" state: latest ignore_errors: yes - name: Install {{ db_package }} package yum: name: "{{ db_package }}" state: latest # when: "'Error' in command_result.stdout" changed_when: "command_result.rc == 1" |
Execute the playbook twice; the first execution will reinstall the mariadb-server package. The following output shows the result of the second execution; as you can see, the task is marked as changed despite the fact that the mariadb-server package has already been installed:
|
1 2 3 4 5 |
... Output omitted ... TASK [Install mariadb-server package] ****************************************** changed: [servera.lab.example.com] PLAY RECAP ********************************************************************* servera.lab.example.com : ok=4 changed=1 unreachable=0 failed=0 |
Update the playbook by nesting the first two tasks in a block cause. Remove the lines that use the ignore_errors conditional.
Nest the task that installs the mariadb-server package in a rescue clause and remove the conditional that overrides the changed result. The task will be executed even if the previous tasks fail.
Finally, add an always clause that will start the database server upon installation using the service module.
Once updated, the task section should read as follows:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
tasks: - block: - name: Check {{ web_package }} installation status command: yum list installed "{{ web_package }}" register: command_result - name: Install {{ web_package }} package yum: name: "{{ web_package }}" state: latest rescue: - name: Install {{ db_package }} package yum: name: "{{ db_package }}" state: latest always: - name: Start {{ db_service }} service service: name: "{{ db_service }}" state: started |
Before running the playbook, remove the mariadb-server package from the databases managed hosts.
|
1 |
[student@workstation dev-failures]$ ansible databases -a 'yum -y remove mariadbserver' |
Run the playbook, and watch as despite failure for the first two tasks, Ansible installs the mariadb-server package and starts the mariadb service.
|
1 2 3 4 5 6 7 8 |
[student@workstation dev-failures]$ ansible-playbook playbook.yml ... Output omitted ... TASK [Install mariadb-server package] ****************************************** changed: [servera.lab.example.com] TASK [Start mariadb service ] ************************************************** changed: [servera.lab.example.com] ... Output omitted ... Evaluation |
Example 4 . Implementing Task Control
In this lab, you will install the Apache web server and secure it using mod_ssl. You will use various Ansible conditionals to deploy the environment.
Defining tasks for the web server
In the top-level directory for this lab, create the install_packages.yml task
file. Start by defining the task that uses the yum module in order to install the latest version of the httpd and mod_ssl packages. For the packages, use a loop and two variables: web_package and ssl_package. The two variables will be set by the main playbook.
Add a when clause in order to install the packages only if:
1. The managed host is in the webservers group.
2. The amount of memory on the managed host is greater than the amount
the memory variable defines. For the amount of memory the system has, the Ansible fact ansible_memory_mb.real.total can be used.
Finally, add the task that starts the service defined by the web_service variable. When completed, the file should read as follows:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
--- - name: Installs the required packages yum: name: "{{ item }}" with_items: - "{{ web_package }}" - "{{ ssl_package }}" when: - inventory_hostname in groups["webservers"] - "{{ ansible_memory_mb.real.total }} > {{ memory }}" - name: Starts the service service: name: "{{ web_service }}" state: started |
Defining tasks for the web server’s configuration
Create the configure_web.yml tasks file. Start with a task that uses the shell module to determine whether or not the httpd package is installed and register the output in a variable. Update the condition to consider the task as failed based on the return code of the command (the return code is 1 when a package is not installed). The failed_when variable will be used to override how Ansible should consider the task as failed by using the return code.
Create a block that executes only if the httpd package is installed (use the return code that has been captured in the first task). The block contains the tasks for configuring the files. Start the block with a task that uses the get_url module to retrieve the Apache SSL configuration file. Use the https_uri variable for the url and /etc/httpd/conf.d/ for the remote path on the managed host.
Define a task that creates /etc/httpd/conf.d/ssl remote ssl directory with a mode of 0755. The directory will store the SSL certificates. Define a task that creates /var/www/html/logs remote logs directory with a mode of 0755. The directory will store the SSL logs. Define a task that uses the stat module to ensure the /etc/httpd/conf.d/ssl.conf file exists. Capture the output in the ssl_file variable using the register statement.
Define a task that renames the /etc/httpd/conf.d/ssl.conf file as /etc/httpd/conf.d/ssl.conf.bak, only if the file exists. Before attempting to rename the file, the task will use previous task which will evaluate the content of the ssl_file variable.
Define another task that uses the unarchive module to retrieve the remote SSL configuration files. Use the ssl_uri variable for the source and /etc/httpd/conf.d/ssl/ as the destination. Instruct the task to notify the restart_services handler when the file has been copied.
Add the last task that creates the index.html file under /var/www/html/ on the managed host. The page should use Ansible facts and should read as follows:
|
1 |
severb.lab.example.com (172.25.250.11) has been customized by Ansible |
Use the two following Ansible facts to create the page: ansible_fqdn and
ansible_default_ipv4.address.
Finally, make sure the block only runs if the httpd package is installed. To do so, add a when clause that parses the return code contained in the rpm_check registered variable. When completed, the file should read as follows:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 |
--- - shell: rpm -q httpd register: rpm_check failed_when: rpm_check.rc == 1 - block: - get_url: url: "{{ https_uri }}" dest: /etc/httpd/conf.d/ - file: path: /etc/httpd/conf.d/ssl state: directory mode: 0755 - file: path: /var/www/html/logs state: directory mode: 0755 - stat: path: /etc/httpd/conf.d/ssl.conf register: ssl_file - shell: mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.bak when: ssl_file.stat.exists - unarchive: src: "{{ ssl_uri }}" dest: /etc/httpd/conf.d/ssl/ copy: no notify: - restart_services - copy: content: "{{ ansible_fqdn }} ({{ ansible_default_ipv4.address }}) has been customized by Ansible\n" dest: /var/www/html/index.html when: rpm_check.rc == 0 |
Defining tasks for the firewall
Create the configure_firewall.yml task file. Define the task that uses the yum module to install the package that the fw_package variable defines (latest version of the firewall service – the variable will be set in the main playbook). Tag the task with the production tag.
Add the task that starts the firewall service using the fw_service variable and tag it as production.
Write the task that uses the firewalld module to add the http and https service rules to the firewall. The rules should be applied immediately as well as persistently. Use a loop for the two rules. Tag the task as production.
When completed, the file should read as follows:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
--- - yum: name: "{{ fw_package }}" state: latest tags: production - service: name: "{{ fw_service }}" state: started tags: production - firewalld: service: "{{ item }}" immediate: true permanent: true state: enabled with_items: - http - https tags: production |
Defining the main playbook
Create the main playbook.yml and start by targeting the hosts in the webservers host group. Define a block that imports the following three task files: install_packages.yml, configure_web.yml, and configure_firewall.yml, using the include statement.
For the first include, use install_packages.yml as the name of the file to import. Define the four variables required by the file: memory with a value of 256, web_package with a value of httpd, ssl_package with a value of mod_ssl, web_service with a value of httpd.
For the task that imports the configure_web.yml file, define the following variables: https_uri with a value of http://materials.example.com/task_control/https.conf, and ssl_uri with a value of http://materials.example.com/task_control/ssl.tar.gz.
For the task that imports the configure_firewall.yml playbook, add a condition to only import the tasks tagged with the production tag. Define the fw_package and fw_service variables with a value of firewalld.
Create the rescue clause for the block that installs the latest version of the httpd package and notifies the restart_services handler upon the package installation. Add a debug statement that reads: Failed to import and run all the tasks; installing the web server manually
Add an always statement that uses the shell module to query the status of the httpd service using systemctl.
Define the restart_services handler that uses a loop to restart both the
firewalld and httpd services.
When completed, the playbook should read as follows:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 |
--- - hosts: webservers tasks: - block: - include: install_packages.yml vars: memory: 256 web_package: httpd ssl_package: mod_ssl web_service: httpd - include: configure_web.yml vars: https_uri: http://materials.example.com/task_control/https.conf ssl_uri: http://materials.example.com/task_control/ssl.tar.gz - include: configure_firewall.yml vars: fw_package: firewalld fw_service: firewalld tags: production rescue: - yum: name: httpd state: latest notify: - restart_services - debug: msg: "Failed to import and run all the tasks; installing the web server manually" always: - shell: cmd: "systemctl status httpd" handlers: - name: restart_services service: name: "{{ item }}" state: restarted with_items: - httpd - firewalld |
Executing the playbook.yml playbook
Run the playbook.yml playbook to set up the environment. The playbook should:
• Import and run the tasks that install the web server packages only if there is enough memory on the managed host.
• Import and run the tasks that configure SSL for the web server.
• Import and run the tasks that create the firewall rule for the web server to be
reachable.
|
1 2 3 4 5 6 7 8 9 10 |
[student@workstation lab-task-control]$ ansible-playbook playbook.yml PLAY *************************************************************************** TASK [setup] ******************************************************************* ok: [serverb.lab.example.com] ... RUNNING HANDLER [restart_services] ********************************************* changed: [serverb.lab.example.com] => (item=httpd) changed: [serverb.lab.example.com] => (item=firewalld) PLAY RECAP ********************************************************************* serverb.lab.example.com : ok=19 changed=13 unreachable=0 failed=0 |
Ensure the web server has been correctly configured by querying the home page of the web server (https://serverb.example.com) using curl with the -k option to allow insecure connections (bypass any SSL strict checking):
|
1 2 |
[student@workstation lab-task-control]$ curl -k https://serverb.lab.example.com serverb.lab.example.com (172.25.250.11) has been customized by Ansible |