Hello,
I've googled high and low for an answer but keep going down rabbit holes
with no obvious solution. This seems like the right place to ask. I'm
guessing this behavior is a "feature" of ansible and there's not a
work-around?
I have the following playbook excerpt:
---
- name: Harden Linux Hosts
  gather_facts: True
  hosts: Harden
  sudo: yes
  remote_user: "{{ remote_user }}"
  roles:
    - { role: myRole.hardenLinux }
In the role's main.yml are a series of tasks like
---
- name: "V-38653 The snmpd service must not use a default password."
  tags:
    - snmpd
    - severity_high
  include: V-38653.yml
And in that playbook
---
# Presence of the default SNMP password enables querying of different
# system aspects and could result in unauthorized knowledge of the system.
- name: "Check for the existence of the snmp.conf file"
  stat: path="snmpd_conf_{{ ansible_distribution }}"
  register: snmpd_st

- name: "Replace any instances where the community string is 'public'"
  replace: dest="snmpd_conf_{{ ansible_distribution }}"
           regexp='(^com2sec.*)public$' replace='\1{{ snmp_community }}' backup=yes
  when: not logonly and snmpd_st.stat.exists
When included in my playbook I'll see logged to stdout
PLAY [Harden Linux Hosts] *****************************************************
GATHERING FACTS ***************************************************************
ok: [1.2.3.4]
TASK: [myRole.hardenLinux | Check for the existence of the snmp.conf file] *****
ok: [1.2.3.4]
TASK: [myRole.hardenLinux | Replace any instances where the community string is 'public'] ***
skipping: [1.2.3.4]
PLAY RECAP ********************************************************************
1.2.3.4 : ok=2 changed=0 unreachable=0 failed=0
At no point is it logging "V-38653 The snmpd service must not use a default password."
You can probably see where this becomes difficult to troubleshoot and tell
where it's at in the execution of the main.yml. I had the logging I wanted
when this was a playbook, where it would log
PLAY [ V-38653 The snmpd service must not use a default password ]
but role behavior is obviously different. The tags are working right, so it
doesn't seem to be directly syntax-related. Am I just abusing roles in a
way I shouldn't be? Why would
Thanks in advance!
Kevin
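As an added, stand-alone illustration of the check the included V-38653 playbook performs (example code, not from the post or from Ansible), this reproduces the replace module's `(^com2sec.*)public$` pattern against a constructed snmpd.conf and, going beyond the post, also flags rocommunity/rwcommunity lines that a com2sec-only pattern leaves untouched. The names SAMPLE_CONF, find_default_communities and harden_snmpd_conf, and the sample config itself, are assumptions of this example.

```python
import re

# The exact pattern the post passes to the replace module: a com2sec line whose
# last field (the community string) is the default "public". MULTILINE makes
# ^ and $ anchor per line, which is how the module applies the regexp.
COM2SEC_DEFAULT_RE = re.compile(r'(^com2sec.*)public$', re.MULTILINE)

# Broader check (not in the post): net-snmp also grants access through the
# rocommunity / rwcommunity shortcuts, which the com2sec-only pattern ignores.
ANY_DEFAULT_RE = re.compile(
    r'^\s*(?:com2sec|rocommunity6?|rwcommunity6?)\b.*\bpublic\b', re.MULTILINE)

# Constructed sample snmpd.conf, not taken from any real host.
SAMPLE_CONF = """\
com2sec readonly default public
com2sec readwrite 10.0.0.0/8 public
com2sec local localhost s3cr3t-rotated
rocommunity public
"""


def find_default_communities(conf_text, pattern=COM2SEC_DEFAULT_RE):
    """Return the offending lines, i.e. what the stat+replace pair would act on."""
    return [m.group(0).strip() for m in pattern.finditer(conf_text)]


def harden_snmpd_conf(conf_text, new_community, logonly=False):
    """Mirror the task: report only when logonly is set, otherwise rewrite.
    Returns (new_text, replacement_count)."""
    if logonly:
        return conf_text, 0
    # A callable keeps backslashes in new_community literal, unlike '\\1' + str.
    return COM2SEC_DEFAULT_RE.subn(lambda m: m.group(1) + new_community, conf_text)


def main():
    print("com2sec lines still on 'public':", find_default_communities(SAMPLE_CONF))
    print("any directive still on 'public':",
          find_default_communities(SAMPLE_CONF, ANY_DEFAULT_RE))
    hardened, n = harden_snmpd_conf(SAMPLE_CONF, "Rotated-String-1")
    print(f"{n} line(s) rewritten; remaining:",
          find_default_communities(hardened, ANY_DEFAULT_RE))


if __name__ == "__main__":
    main()
```

Note that `public$` does not match a line with trailing whitespace after the community string, so a host with such a line would be reported as "skipping" by the task while still using the default community; the broader pattern above tolerates that.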
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/6eddcec9-5219-48b3-972c-08458034d49d%40googlegroups.com.