Hello,

I've googled high and low for an answer but keep going down rabbit holes 
with no obvious solution.  This seems like the right place to ask.  I'm 
guessing this behavior is a "feature" of Ansible and there's not a 
work-around?

I have the following playbook excerpt:

---
- name: Harden Linux Hosts
  gather_facts: True
  hosts: Harden
  sudo: yes
  remote_user: "{{ remote_user }}"
  roles:
    - { role: myRole.hardenLinux }

In the role's main.yml is a series of tasks like

---
- name: "V-38653 The snmpd service must not use a default password."
  tags:
    - snmpd
    - severity_high
  include: V-38653.yml


And in that playbook
---
  # Presence of the default SNMP password enables querying of different
  # system aspects and could result in unauthorized knowledge of the system.
- name: "Check for the existence of the snmp.conf file"
  stat: path="snmpd_conf_{{ ansible_distribution }}"
  register: snmpd_st

- name: "Replace any instances where the community string is 'public'"
  replace: dest="snmpd_conf_{{ ansible_distribution }}"
    regexp='(^com2sec.*)public$' replace='\1{{ snmp_community }}' backup=yes
  when: not logonly and snmpd_st.stat.exists

When included in my playbook I'll see logged to stdout

PLAY [Harden Linux Hosts] *****************************************************

GATHERING FACTS ***************************************************************
ok: [1.2.3.4]

TASK: [myRole.hardenLinux | Check for the existence of the snmp.conf file] *****
ok: [1.2.3.4]

TASK: [myRole.hardenLinux | Replace any instances where the community string is 'public'] ***
skipping: [1.2.3.4]

PLAY RECAP ********************************************************************
1.2.3.4               : ok=2    changed=0    unreachable=0    failed=0

At no point is it logging *"V-38653 The snmpd service must not use a 
default password."*


You can probably see where this becomes difficult to troubleshoot or tell 
where it's at in the execution of the main.yml. I had the logging I wanted 
when this was a playbook, where it would log

PLAY [ V-38653 The snmpd service must not use a default password ]

but role behavior is obviously different.  The tags are working right so it 
doesn't seem to be directly syntax related.  Am I just abusing roles in a 
way I shouldn't be?  Why would


Thanks in advance!


Kevin
