Trying to include a list of tasks in a playbook in Ansible
My folder structure: first, I'll give you this so you can see how it is laid out and refer back to it while reading the rest:
/environments
    /development
        hosts                  // Inventory file
        /group_vars
            proxies.yml
        /custom_tasks
            firewall_rules.yml // File I'm trying to bring in
playbook.yml   // Root playbook, just brings in the plays
rev-proxy.yml  // Reverse-proxy playbook, included by playbook.yml
playbook.yml:
---
- include: webserver.yml
- include: rev-proxy.yml
proxies.yml contains only:
firewall_custom_include_file: custom_tasks/firewall_rules
firewall_rules.yml:
tasks:
  - name: "Allowing traffic from webservers on 80"
    ufw: src=10.10.10.3 port=80 direction=in rule=allow
  - name: "Allowing traffic all on 443"
    ufw: port=443 rule=allow
And finally, the rev-proxy.yml play:
---
- hosts: proxies
  become: yes
  roles:
    - { role: firewall }
    - { role: geerlingguy.nginx }
  pre_tasks:
    # jessie-backports for nginx-extras 1.10
    - name: "Adding jessie-backports repo"
      copy: content="deb http://ftp.debian.org/debian jessie-backports main" dest="/etc/apt/sources.list.d/jessie-backports.list"
    - name: Updating apt-cache.
      apt: update_cache="yes"
    - name: "Installing htop"
      apt:
        name: htop
        state: present
    - name: "Copying SSL certificates"
      copy: src=/vagrant/ansible/files/ssl/ dest=/etc/ssl/certs force=no
  tasks:
    - name: "Including custom firewall rules."
      include: "{{ inventory_dir }}/{{ firewall_custom_include_file }}.yml"
      when: firewall_custom_include_file is defined
  vars_files:
    - ./vars/nginx/common.yml
    - ./vars/nginx/proxy.yml
What I'm trying to do:
Using Ansible 2.2.1.0.
I'm trying to include a list of tasks that will run if the variable firewall_custom_include_file is set. By using "{{ inventory_dir }}/{{ firewall_custom_include_file }}.yml", the list is included relative to the inventory directory; in this case that resolves to /vagrant/ansible/environments/development/custom_tasks/firewall_rules.yml.
Basically, the idea here is that I need different firewall rules to be executed depending on which environment I'm in and which hosts are being configured.
To give a simple example: I might want to whitelist the database server IP on the production webservers, but not on the reverse proxies, and not on my development box.
The problem:
Whenever I include firewall_rules.yml as above, it tells me:
TASK [Including custom firewall rules.] ****************************************
fatal: [proxy-1]: FAILED! => {"failed": true, "reason": "included task files must contain a list of tasks"}
I'm not sure what it is expecting. I tried taking out the tasks: at the start of the file, making it:
- name: "Allowing traffic from webservers on 80"
  ufw: src=10.10.10.3 port=80 direction=in rule=allow
- name: "Allowing traffic all on 443"
  ufw: port=443 rule=allow
But that gives me an error:
root@ansible-control:/vagrant/ansible# ansible-playbook -i environments/development playbook.yml
ERROR! Attempted to execute "/vagrant/ansible/environments/development/custom_tasks/firewall_rules.yml" as inventory script: problem running /vagrant/ansible/environments/development/custom_tasks/firewall_rules.yml --list ([Errno 8] Exec format error)
Attempted to read "/vagrant/ansible/environments/development/custom_tasks/firewall_rules.yml" as YAML: 'AnsibleSequence' object has no attribute 'keys'
Attempted to read "/vagrant/ansible/environments/development/custom_tasks/firewall_rules.yml" as ini file: /vagrant/ansible/environments/development/custom_tasks/firewall_rules.yml:2: Expected key=value host variable assignment, got: name:
At this point I'm not sure what it is looking for in the included file, and I can't seem to find clear documentation on this problem, or anyone else who has run into it.

Answer:
Try running with
-i environments/development/hosts
instead of the directory.
But I bet that storing task files inside the inventory is far from best practice.
You may want to define the list of custom rules as an inventory variable, for example:
custom_rules:
  - src: 10.10.10.3
    port: 80
    direction: in
    rule: allow
  - port: 443
    rule: allow
and, instead of including tasks, make something like this:
- ufw:
    port: "{{ item.port | default(omit) }}"
    rule: "{{ item.rule | default(omit) }}"
    direction: "{{ item.direction | default(omit) }}"
    src: "{{ item.src | default(omit) }}"
  with_items: "{{ custom_rules }}"
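As an added example (not part of the answer above, and not code from the questioner's project), here is the complete data-driven layout the answer suggests, with the rule list kept in the question's existing group_vars file and validated before anything is applied. The file paths and the validation task are assumptions made for this example; the point of the assert step is that a malformed entry (say, a rule with no port and no source) fails the play instead of silently producing a broader ufw rule than intended, and `default([])` keeps hosts without any custom rules from failing on an undefined variable.

```yaml
# environments/development/group_vars/proxies.yml (constructed example)
# Rules are plain data, so the same list works whether the task below
# drives ufw or some other firewall module.
custom_rules:
  - src: 10.10.10.3
    port: 80
    direction: in
    rule: allow
  - port: 443
    rule: allow

---
# Replacement for the "Including custom firewall rules." task in rev-proxy.yml
# (constructed example; Ansible 2.2 syntax, hence with_items rather than loop)
tasks:
  - name: "Refusing custom_rules entries that are incomplete"
    assert:
      that:
        - item.rule is defined
        - item.rule in ['allow', 'deny', 'reject', 'limit']
        - item.port is defined or item.src is defined
      msg: "custom_rules entry {{ item }} is missing a rule, or both port and src"
    with_items: "{{ custom_rules | default([]) }}"

  - name: "Applying custom firewall rules"
    ufw:
      rule: "{{ item.rule }}"
      # default(omit) leaves the parameter unset rather than passing an
      # empty string, so ufw only sees the keys each entry actually carries.
      port: "{{ item.port | default(omit) }}"
      proto: "{{ item.proto | default(omit) }}"
      direction: "{{ item.direction | default(omit) }}"
      src: "{{ item.src | default(omit) }}"
    with_items: "{{ custom_rules | default([]) }}"
```

Because the rules now live in group_vars rather than in a file under the inventory directory, running with `-i environments/development` no longer makes Ansible try to parse the task file as an inventory source, which is what produced the "Exec format error" / "as ini file" messages in the question.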
First, running directly against the hosts file works. I hadn't thought of that, thanks :) Second, I didn't realise there was a default(omit); that was actually my initial goal when I started doing this. For one, it makes it module-agnostic (whether it is UFW or plain iptables, you can do it this way), and for another, it is explicitly defined in group_vars rather than in a random floating file. I'll switch it over to the new way. Thanks again :)