Senior-Design-May1601 / config

Repository for product configuration files

consecutive notify/handler calls after each task #21

Closed dborg92 closed 8 years ago

dborg92 commented 8 years ago

Do we need these? Ansible docs state "'notify' actions are triggered at the end of each block of tasks in a playbook, and will only be triggered once even if notified by multiple different tasks." Specifically referring to the 'restart ssh' handler in lockdown ssh.

nskinkel commented 8 years ago

I'm not sure what your question is here exactly.

Are you asking "do we ever need notify handlers in any roles"? In which case, the answer is yes. Check out the "lockdown-ssh" role. After updates are made to sshd_config, ssh needs to be restarted.

If you're asking "do we always need notify handlers in every role", then the answer is no. As you read in the docs, they are for actions that should run when a particular set of tasks are done. If we don't have any of those sort of tasks (e.g. restarting ssh after changes, reloading iptables after updating the rules, etc.), then there's no reason to have handlers.

Are you asking something else?

dborg92 commented 8 years ago

No, what I'm asking is: do we need to call the line 'notify: restart ssh' 9 times in the lockdown ssh role when this handler only gets called once at the end of the task block? Or am I interpreting that line from the Ansible documentation wrong?

dborg92 commented 8 years ago

Or is the whole main.yml file not a single task block?

nskinkel commented 8 years ago

No, the whole file is not a single task block. Consider the following snippet of main.yml in the lockdown-ssh role.

```yaml
- name: Disable root login over SSH
  action: lineinfile dest=/etc/ssh/sshd_config regexp="^PermitRootLogin" line="PermitRootLogin no" state=present
  notify: restart ssh

- name: Disable SSH password login
  action: lineinfile dest=/etc/ssh/sshd_config regexp="^PasswordAuthentication" line="PasswordAuthentication no" state=present
  notify: restart ssh
```

That snippet consists of two tasks called "Disable root login over SSH" and "Disable SSH password login". Both tasks need to have SSH restarted after execution in order to take effect on the box. By notifying the handler when both tasks are done, Ansible will do two things for us:

  1. Execute the handler and restart SSH only when both tasks are done (i.e. it won't call the handler when any of the tasks that notified the handler are still running)
  2. Execute the handler at most once (i.e. an unbounded number of tasks can notify a handler, but it will still only get executed once, when all of the associated tasks are finished)

If, say, the first task in the above snippet notified the handler but the second task didn't, Ansible could execute the handler and restart SSH before the second task completed, leaving the system in an inconsistent state.

So, to answer what I think is your main question: yes, each task that needs a handler to be run after execution must notify the handler. Ansible just guarantees for us, as you read in the docs, a particular handler will be executed at most once regardless of how many tasks notify it.
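
The notify/handler pattern discussed in this thread, written out as a complete play. This is an added example, not part of the original comments and not the repository's lockdown-ssh role. The host group, the `ssh` service name, the `/usr/sbin/sshd` path, the handler body and the `validate` step are assumptions.

```yaml
# Added illustration; not the repository's own role.
# Assumptions: host group "all", service name "ssh" (Debian/Ubuntu; "sshd" on
# other distributions), sshd binary at /usr/sbin/sshd.
- hosts: all
  become: true

  tasks:
    - name: Disable root login over SSH
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "^PermitRootLogin"
        line: "PermitRootLogin no"
        state: present
        # Refuse to write a config that sshd cannot parse, so a bad edit
        # never reaches the restart and locks out remote access.
        validate: "/usr/sbin/sshd -t -f %s"
      notify: restart ssh   # queued only if this task reports "changed"

    - name: Disable SSH password login
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "^PasswordAuthentication"
        line: "PasswordAuthentication no"
        state: present
        validate: "/usr/sbin/sshd -t -f %s"
      notify: restart ssh   # second notification of the same handler: still one run

    # Optional: run the queued handlers at this point. Without it they run
    # after the last task of the play.
    - meta: flush_handlers

  handlers:
    - name: restart ssh     # must match the string used in "notify" exactly
      service:
        name: ssh
        state: restarted
```

On a second run against a host where both lines are already set, neither task reports "changed", so the handler is not queued and SSH is not restarted.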

dborg92 commented 8 years ago

Thanks for clarifying that for me