it is strange to force people to remove past tags but thanks for the help!
--
https://twitter.com/nusenu_
https://mastodon.social/@nusenu
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop
A user reported the following issue:
downloading role 'relayor', owned by nusenu
[WARNING]: - nusenu.relayor was NOT installed successfully: Unable to compare
role versions (v18.1.1, 0.1.0, v18.0.0, v0.3.0, v19.1.4, v19.1.0, v19.1.3,
0.2.0-rc, 0.1.0-alpha, v0.3.1, v0.3.3, v0.2.1, v19.1.2
- CentOS
- Fedora
thanks!
nusenu
[1]
https://github.com/ansible/ansible/blob/devel/lib/ansible/module_utils/facts/network/linux.py
[2] https://github.com/nusenu/ansible-relayor
--
https://mastodon.social/@nusenu
twitter: @nusenu_
Hi,
I'm in the process of migrating from "include" to import_* and include_* 's.
During that the following question came up:
Could I replace an include [1] with include_tasks even if the included
file makes use of notify [2]?
[1] https://github.com/nusenu/ansible-relayor/blob/ma
https://galaxy.ansible.com/nusenu/relayor/
https://github.com/nusenu/ansible-relayor
relayor helps you to deploy tor relays.
Supported operating systems:
Debian 8, Debian Testing
CentOS 7
OpenBSD 6.0
FreeBSD 10.3, 11.0
Ubuntu 16.04
Fedora 25
unfortunately I'm
Matt Martz:
> Probably with the regex_replace filter:
>
> foo|regex_replace('[^a-zA-Z0-9]', '')
thanks!
.ansible.com/ansible/playbooks_filters.html
thanks,
nusenu
Hi,
since ansible's ip filters are broken [1] and don't look like they get
fixed anytime soon I'm wondering if there are any other easy options?
thanks,
nusenu
[1] https://github.com/ansible/ansible/issues/14829
Brian Coca:
> The task executes once per item, I'm guessing it failed on the first one.
After further tests I've come to the conclusion that this is actually a bug.
I filed the bug report here:
https://github.com/ansible/ansible-modules-core/issues/5708
Looking forward to your comments and a
I use it in a
with_items loop:
https://github.com/nusenu/ansible-relayor/blob/master/tasks/main.yml#L43
Or am I misreading the error message?
> "failed": true,
> "invocation": {
> "module_args": {
> "build": false,
> "name": "['tor']",
> "ports_dir": "/usr/ports",
> "state": "present"
> }
> },
> "item": [
> "tor"
> ],
> "msg": "Can't find
turns out this role commit introduced the problem,
it replaces the static string "tor" with the generic "{{ item }}".
https://github.com/nusenu/ansible-relayor/commit/06eaad05443f5282b4ac74af688a5f6e60e45b83#diff-2444ad0870f91f17ca6c2a5e96b26823
kg on OpenBSD targets?
(installing the tor package with the openbsd_pkg works fine)
Have there been any major changes in the package module between ansible
2.0 and 2.2?
thanks,
nusenu
https://github.com/nusenu/ansible-relayor/issues/85
[1]
https://github.com/nusenu/ansible-relayor/commit/550d65
Hi,
is there a better way for this than to use shell+register?
- name: get ansible version
  shell: ansible --version|head -1|cut -d" " -f2
  delegate_to: 127.0.0.1
  register: ansibleversion
thanks,
nusenu
nusenu:
> Is there a mailing list one can sign up to, to just get release
> announcements?
https://groups.google.com/forum/#!forum/ansible-announce
y fix for CVE-2016-8614 - apt_key module not properly validating
> keys in some situations.
If ansible v2.2.0 fixed two vulnerabilities (CVE-2016-8628,
CVE-2016-8614) why was there no mention about that in the release
announcement?
Is there a mailing list one can sign up to, to just get release
ann
James Cammarata:
> Hi nusenu, I'll take a look at that again as we will be doing a RC3 for
> 2.1.2.
>
thank you, looking forward to a version with a fix for this regression.
nusenu
Hi,
are there any plans to fix regression [1] with ansible version 2.1.2?
[1] https://github.com/ansible/ansible/issues/14829
thanks,
nusenu
a
fix merged and released within the next two months?
thanks,
nusenu
[1] https://github.com/ansible/ansible/issues/14829
[2] https://galaxy.ansible.com/nusenu/relayor/
Hi,
ansible-relayor is an ansible role for tor relay operators.
Whether you set up/operate a single or many relays, ansible-relayor can
help you automate all steps including secure offline key [2] generation,
multi-instance setup and MyFamily management.
https://galaxy.ansible.com/nusenu/relayor
avior:
The loop should not fail even if the host has no IPv6 IPs
(it used to work fine with v1.9.4)
Is this a bug/regression or an expected behavior change?
[1]
https://github.com/nusenu/ansible-relayor/blob/61a4057895a1c98e8b895e75bc1df30033af502a/tasks/ip-list.yml#L3
> thanks!
>
> https://github.com/ansible/ansible/issues/12062
> https://github.com/ansible/ansible/commit/b2bfe3502b1bb73927d08ea0fcf964a508129267
Since this bug blocks a feature in my role [1], I'm also happy if there
are any known workarounds.
Thanks!
[1]
https://github.com
> sorry, did not test, surprised it does not take a list, maybe it has to be
> quoted ?
I'm not able to get this to work, if anyone is, please let me know.
There is no documentation about lookup('together', ..) on
https://docs.ansible.com/ansible/playbooks_lookups.html
I made a request for
Hi,
I'm running ansible 1.9.4 (released in Oct 2015) and am hitting a bug
that has been fixed in August 2015, but the fix is apparently in ansible
2.0 only.
Manually applying the fix to my 1.9.4 installation resolves the problem.
Will this bugfix be backported?
thanks!
Sascha Andres:
> When switching to root it works, using a user having sudo rights with
> NOPASSWD it does not work
did you specify 'become: yes' (for the sudo case)?
> similar to a question from about a year ago [1], I'm looking for the
> best way to loop over 3 lists:
>
> - {{ ansible_all_ipv4_addresses }}
> - {{ ansible_all_ipv6_addresses | ipv6('public') }}
> - tcpports
>
>
> ipv4 and ipv6 IPs should iterate in parallel (I'll check that their list
>
> with_items:
> - {{ ansible_all_ipv4_addresses }}
> - {{ ansible_all_ipv6_addresses | ipv6('public') }}
> - tcpports
>
>
> ^ will flatten to single list
>
> or you can use union to get unique single list:
>
> with_items: "{{
>
Brian Coca:
> ah, misunderstood the question, you want to combine the nested and together
> lookups (possible example):
>
> with_nested:
> - "{{tcpports}}"
> - "{{lookup('together', [ansible_all_ipv4_addresses,
> ansible_all_ipv6_addresses | ipv6('public')] }}"
Since I certainly will need
Chris Houseknecht:
> Task runner infrastructure upgraded. Hopefully we'll see better
> performance.
thanks.
> Added Ubuntu Wily.
Does one have to use the codename? "15.10" does not seem to work still.
Hi,
similar to a question from about a year ago [1], I'm looking for the
best way to loop over 3 lists:
- {{ ansible_all_ipv4_addresses }}
- {{ ansible_all_ipv6_addresses | ipv6('public') }}
- tcpports
ipv4 and ipv6 IPs should iterate in parallel (I'll check that their list
lengths are
Hi,
an hour after importing a new role [1] it still says:
Waiting to start..."
in "View Role Import Details".
How long does it usually take to import a role?
thanks!
[1] nusenu/ansible-relayor
Chris Houseknecht:
> The task runner that handles imports has been restarted and the task queue
> cleared. If you click the 're-import' button now, it should now start right
> away. We're having some challenges with the task runner and planning to
> make some adjustments this evening.
Hi,
when logging in to galaxy.ansible.com,
galaxy asks for write access to repositories, why is that?
Is it possible to have a role on galaxy without giving galaxy write
access to github repositories?
thanks,
nusenu
Hi,
there seems to be a problem with galaxy displaying READMEs, see:
https://galaxy.ansible.com/nusenu/relayor/
vs
https://github.com/nusenu/ansible-relayor
especially the sections:
Requirements
Available Role Tags
Chris Houseknecht:
> GitHub's markdown is a little more forgiving than Galaxy. Galaxy stores the
> raw README and translates to HTML on request. Galaxy also has its own CSS
> styles, so by definition what you see on Galaxy will be a little different.
>
> We have been doing some work on the
Chris Houseknecht:
> Galaxy asks for the following scopes used to access the GitHub API:
>
> - user:email
> - public_repo
> - read:org
>
> These are defined here: https://developer.github.com/v3/oauth/#scopes
>
> The last two allow us to see the orgs you belong to and the repos you have
>
> Chris Houseknecht:
>> The task runner that handles imports has been restarted and the task queue
>> cleared. If you click the 're-import' button now, it should now start right
>> away. We're having some challenges with the task runner and planning to
>> make some adjustments this evening.
>
Brian Coca:
> Prefixing with trusted vars is still open to directory traversal.
oh that is true, thanks for pointing that out!
(example: 1.1.1.1/../foo-2.2.2.2)
> In
> most cases you can setup your systems so the variable data is set by
> the 'master' always and not derived from the target,
Brian Coca:
> Prefixing with trusted vars is still open to directory traversal.
I hope the ipv4('address') filter method is safe?
https://github.com/nusenu/ansible-relayor/commit/d2c2108a8850241369aa8867faf4ac53246171d5
Hi,
are there security guidelines for ansible role creators found somewhere
that lists common security pitfalls that one should look at to avoid
things like [1][2] and other such cases?
thanks!
[1]https://github.com/nusenu/ansible-relayor/commit/09f9afe7096395cb95310b8fb454c2b640ed17d9
[2
I tried to address this security problem (which turned out to be more
severe than I initially thought, because it probably allowed a relay to
steal keys) by prefixing the fact with a var that can not be manipulated
by the target server ( inventory_hostname ).
https://github.com/nusenu/ansible
Hi,
I'd like to run a command only if at least one out of several files does
not exist, is that possible with the creates parameter of the command
module?
thanks!
Hi,
similar to a previous question [1] that was answered by Brian I'm
wondering if the following example gives the remote server remote
command execution privileges on the ansible host (which obviously no one
wants):
local_action: shell cat {{ fact123 }}
Is that a bad idea?
Can the remote
thanks for your fast reply!
Brian Coca:
> No, Ansible can only protect you so much, like in normal shell, you
> really want to quote variable input:
>
> `cat "{{fact123}}"` would work the same as when running a shell script
> `cat "$MYVAR"`
So you confirm that my example gives the remote
Matt Martz:
> (ansible_pkg_mgr != 'apt')| ternary(tor_user,
> '_tor-' ~ item[0] ~ '_' ~ item.1.orport)
thanks, works!
thanks for your answer!
> - the fact variables (what ansible_all_ipv4_addresses is) are
> sanitized against template injection but not verified against
> directories, most variables can legitimately return such structures.
> The attacker would have to know your exact playbook to do this, as you
>
Hi,
I consider the ansible host as trusted, the target server that is
managed with ansible is considered less trusted (it might start attacks
against the ansible host).
Does ansible's security design match that threat model in general?
Given the following fetch module example:
- fetch: src={{
' parameter. I would need a
fail_on_remotefileexists_but_different ;)
Currently one is left with
- backup=yes
or
- force=no
but both parameters won't help for the specific use-case.
Anyone else had this use-case yet and made a workaround?
thanks,
nusenu
[1] https://docs.ansible.com/ansible
d?
My workaround procedure is [1]:
1) copy with force=no
2) fetch
3) compare files locally via shell (sha1sum)
4) fail if fingerprints do not match
If there is a less dirty solution let me know ;)
[1]
https://github.com/nusenu/ansible-relayor/commit/b2462b6b8b4ed3b1351ff167c6dd5f7ed3263e
solution:
https://docs.ansible.com/ansible/playbooks_delegation.html#delegation
2.2.2.2_80
2.2.2.2_443
3.3.3.3_80
4.4.4.4_80
Is that possible?
thanks,
nusenu
[1]
https://github.com/nusenu/ansible-relayor/blob/master/tasks/configure.yml#L3
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
open a bug, first I'm not sure rpm_key should be used on fedora 22
as it has switched to dnf as its default package manager, 2nd the
rpm_key should fallback to the gpg2 name if gpg is not found.
for those interested in Fedora 22 as well, these
Unfortunately, It's not useful for multiple keys
to quote the documentation again:
*Multiple* keys can be specified in a single key string value by
separating them by newlines.
But, when I decide to remove user2_key, It still persists in
authorized_key file! It's unacceptable!
maybe you find the
'exclusive' parameter useful?
http://docs.ansible.com/ansible/authorized_key_module.html
Whether to remove all other
The rpm_key module fails on Fedora 22 due to missing gpg binary.
Fedora 22 has no gpg executable but only gpg2.
Is it my responsibility to provide a link gpg - gpg2 or should the
module cover this out of the box?
Hi,
I'd like to get 'dnf' as an answer when asking a F22 system for
ansible_pkg_mgr.
What do you think about it?
thanks,
nusenu
I'd like to get 'dnf' as an answer when asking a F22 system for
ansible_pkg_mgr.
What do you think about it?
Since the ansible module 'yum' fails on F22 (even after 'dnf install
yum'), I'm even considering this a bug:
as soon as one host fails the 'gathering facts' phase?
(something better than manual ctrl-c?)
thanks,
nusenu
Brian Coca:
you might want to play with serial and max fails.
http://docs.ansible.com/playbooks_delegation.html
thank you, I'll go with
max_fail_percentage: 1
serial: 1
to abort on the first failed host.
a
numeric value?
If I invert the check
stdout 2
it actually runs even though 7030 is not greater than 2.
Is '' non-numeric?
thanks!
[1]
https://github.com/nusenu/ansible-relayor/blob/master/tasks/openbsd_install.yml#L22
Try this when: currentlimits.stdout|int 2
that fixed it,
thank you!
Brian Coca:
I was not thinking of a specific ticket, but there should be many
instances of this being requested via the mailing lists and IRC
and even as comments in other tag related tickets.
ok sounds like one should create an issue for it:
' (which includes tasks
tagged as freebsd,install - results in lot of skipping again), is
there a way to say run only 'debian' *AND* 'install' tagged tasks?
thanks!
nusenu
Brian Coca:
not currently, a feature request we have is that tags get 'host
expressions', so this would look like;
tag1:tag2
but there is currently no code that does this
thanks for the prompt reply.
I tried to find that feature
just in case others are also stumbling over this debian systemd bug,
this was my temporary workaround until debian fixes this issue:
https://github.com/nusenu/ansible-relayor/commit/efabec452f715b884528e70a9b1e012051692acd
if you want to track
for the record, this is a known debian systemd bug that affects
ansible's service module:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751638
https://github.com/ansible/ansible-modules-core/issues/915
Hi,
I'm not entirely sure whether this should be considered an ansible or
systemctl bug.
This email mainly aims at making others aware of this problem.
If you want to disable (enabled=no) a service on a systemd host which
is still using legacy
I asked systemd-devel about is-enabled support for legacy services:
http://lists.freedesktop.org/archives/systemd-devel/2015-April/030652.html
Hi,
Hi, yes definitely test this out with either devel or 1.9.x to see
if the issue has been fixed (I know there were some fixes in
service regarding systemd). If not, definitely let us know or open
a github issue.
As I wrote [1] on 2015-04-04
Nusenu:
Ok, the problem seems to be that ansible probably runs status on
the particular service before enabling it (to avoid unnecessary
systemctl enable commands?).
actually the service module executes [1]:
systemctl is-enabled tor@bar.service
Can anyone confirm this bug or am I missing something?
Ok, the problem seems to be that ansible probably runs status on the
particular service before enabling it (to avoid unnecessary systemctl
enable commands?).
systemctl output for the *not*
that I could use..
2) assign unique TCP port to a service to prevent duplicate bindings
here is the ansible role where this would be useful for me:
https://github.com/nusenu/relayor/blob/master/tasks/configure.yml
thanks,
Nusenu
Hi,
I'd say the documentation [1] for match() is not entirely clear:
‘match’ will require a complete match in the string, while ‘search’
will require a match inside of the string.
after reading this I wouldn't expect that
abc|match(a) is true.
I run this on ansible 1.8.2:
vars:
input:
Serge van Ginderachter:
On 22 February 2015 at 14:37, Nusenu nus...@openmailbox.org
wrote:
Is there a way to say loop over all hosts in scope of current
task?
The special variable 'play_hosts' is what you are looking for.
http
?
{% for host in groups['groupname'] %}
{% for item in hostvars[host]['varfoo']['results'] -%}$
{{ item.stdout }},
{%- endfor %}
{% endfor %}
thanks,
Nusenu
/*
---
thank you,
Nusenu
tries to access user1.
Is this expected?
thanks,
Nusenu
based on facts (while still
encapsulating it in a role)?
thanks!
Nusenu
I got it working. I combined 'bar' and 'tra' in a dictionary and used
that in with_nested
Now I'm left with the question: How can I limit the amount of loops in
a with_nested loop?
a
certain amount of loop executions.
On a simple loop I would use 'with_indexed_items:' and check the index
against a given max value. How would that loop count limit be
implemented in the loop described above?
thanks!
Nusenu
[1] https://groups.google.com/d/msg/ansible-devel/aLrH_SC8HyY/FZPs7GanHysJ