Open trombik opened 7 years ago
it appears `include_role` is not mature yet. see https://github.com/ansible/ansible/issues?utf8=%E2%9C%93&q=is%3Aissue%20is%3Aopen%20include_role
platform | ansible version | status | symptom |
---|---|---|---|
CentOS 7.3 | 2.3.1.0 | successful | n/a |
FreeBSD 10.3 | 2.3.1.0 | failed | depended role included but the tasks are not executed, saying "Conditional result was False" |
OpenBSD 6.0 | 2.1.0.0 | failed | include_role is not implemented: "ERROR! no action detected in task. This often indicates a misspelled module name, or incorrect module path." |
OpenBSD 6.1 | 2.2.1.0 | failed | depended role included but the tasks are not executed, saying "Conditional check failed" |
Ubuntu 14.04 | 2.3.0.0 | failed | depended role included but the tasks are not executed, saying "Conditional result was False" |
Ubuntu 16.04 | 2.3.0.0 | failed | depended role included but the tasks are not executed, saying "Conditional result was False" |
the diff
diff --git a/.kitchen.yml b/.kitchen.yml
index 54f1760..e7e3dbf 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -106,6 +106,3 @@ suites:
verifier:
name: shell
command: rspec -c -f d -I tests/serverspec tests/serverspec/remote_control_with_variables_spec.rb
- # as this test case is platform-independant, running on a single platform
- # is enough.
- includes: centos-7.3-x86_64
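Review bot: dropping `includes: centos-7.3-x86_64` also drops the only comment that explained this suite's platform scope, so nothing records why it now runs on every platform. Add a short replacement comment saying the suite exercises include_role, whose result differs by platform and Ansible version, so the restriction is not reinstated later by mistake.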
diff --git a/defaults/main.yml b/defaults/main.yml
index 159a5a1..4a0abf7 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -12,3 +12,4 @@ nsd_flags: ""
nsd_remote_setup: false
# master and slave
nsd_zones: {}
+nsd_x509_certificate_enable: no
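Review bot: `nsd_x509_certificate_enable: no` uses the `no` spelling while the neighbouring `nsd_remote_setup: false` uses `false`; write `false` here so the defaults file stays consistent. The new variable also has no comment, unlike the `# master and slave` line above it: say that enabling it pulls in reallyenglish.x509-certificate through include_role.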
diff --git a/tasks/main.yml b/tasks/main.yml
index 8cea78a..ddff269 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -5,6 +5,11 @@
- include: "install-{{ ansible_os_family }}.yml"
+- name: Include x509-certificate
+ include_role:
+ name: reallyenglish.x509-certificate
+ when: nsd_x509_certificate_enable
+
- name: Create db directory
file:
path: "{{ nsd_db_dir }}"
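Review bot: `when: nsd_x509_certificate_enable` on the new include_role task should be `when: nsd_x509_certificate_enable | bool`, so the toggle behaves the same when the value arrives as a string from inventory or extra vars as it does with the YAML boolean in defaults/main.yml. The task also names `reallyenglish.x509-certificate` without any visible change that declares it as a requirement, so document that the role must be installed whenever the toggle is on.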
diff --git a/tests/serverspec/remote_control_with_variables.yml b/tests/serverspec/remote_control_with_variables.yml
index f54943a..1ecc269 100644
--- a/tests/serverspec/remote_control_with_variables.yml
+++ b/tests/serverspec/remote_control_with_variables.yml
@@ -1,21 +1,19 @@
- hosts: localhost
roles:
- reallyenglish.redhat-repo
- - reallyenglish.x509-certificate
- ansible-role-nsd
vars:
- x509_certificate_additional_packages: "{% if ansible_os_family == 'OpenBSD' %}[]{% else %}nsd{% endif %}"
- # XXX nsd_conf_dir_pre == nsd_conf_dir
- # when x509-certificate is applied to the host, `nsd_conf_dir` is not
- # included yet.
- nsd_conf_dir_pre: "{% if ansible_os_family == 'OpenBSD' %}/var/nsd/etc{% elif ansible_os_family == 'FreeBSD' %}/usr/local/etc/nsd{% else %}/etc/nsd{% endif %}"
+ nsd_x509_certificate_enable: yes
+
+ # XXX NEVER set this to yes in production
+ x509_certificate_debug_log: yes
x509_certificate:
- name: nsd_control
state: present
public:
- path: "{{ nsd_conf_dir_pre }}/nsd_control.pem"
- owner: "{% if ansible_os_family == 'OpenBSD' %}_nsd{% else %}nsd{% endif %}"
- group: "{% if ansible_os_family == 'OpenBSD' %}_nsd{% else %}nsd{% endif %}"
+ path: "{{ nsd_conf_dir }}/nsd_control.pem"
+ owner: "{{ nsd_user }}"
+ group: "{{ nsd_group }}"
mode: "0644"
key: |
-----BEGIN CERTIFICATE-----
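Review bot: `x509_certificate_debug_log: yes` is switched on in a play whose vars carry RSA private keys inline, and the `XXX NEVER set this to yes in production` comment does not say what the flag exposes. If it is only there to diagnose the include_role failure, drop it before merging; otherwise state in the comment what ends up in the log, and note that the keys in this file are test-only.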
@@ -41,9 +39,9 @@
aIV491QzoOfbuVD5/n31wwAX/BU=
-----END CERTIFICATE-----
secret:
- path: "{{ nsd_conf_dir_pre }}/nsd_control.key"
- owner: "{% if ansible_os_family == 'OpenBSD' %}_nsd{% else %}nsd{% endif %}"
- group: "{% if ansible_os_family == 'OpenBSD' %}_nsd{% else %}nsd{% endif %}"
+ path: "{{ nsd_conf_dir }}/nsd_control.key"
+ owner: "{{ nsd_user }}"
+ group: "{{ nsd_group }}"
mode: "0600"
key: |
-----BEGIN RSA PRIVATE KEY-----
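Review bot: the secret's `path`, `owner` and `group` now resolve from `nsd_conf_dir`, `nsd_user` and `nsd_group`, which are defined only once ansible-role-nsd has loaded its own variables, so the location and ownership of this 0600 key file depend on the include_role task running after that point. The tasks/main.yml hunk shows the include placed after the install include but not where those variables are loaded; confirm the order, and consider failing early when any of the three is undefined.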
@@ -88,9 +86,9 @@
- name: nsd_server
state: present
public:
- path: "{{ nsd_conf_dir_pre }}/nsd_server.pem"
- owner: "{% if ansible_os_family == 'OpenBSD' %}_nsd{% else %}nsd{% endif %}"
- group: "{% if ansible_os_family == 'OpenBSD' %}_nsd{% else %}nsd{% endif %}"
+ path: "{{ nsd_conf_dir }}/nsd_server.pem"
+ owner: "{{ nsd_user }}"
+ group: "{{ nsd_group }}"
mode: "0644"
key: |
-----BEGIN CERTIFICATE-----
@@ -116,9 +114,9 @@
N49rbR5hkqy9SVm7
-----END CERTIFICATE-----
secret:
- path: "{{ nsd_conf_dir_pre }}/nsd_server.key"
- owner: "{% if ansible_os_family == 'OpenBSD' %}_nsd{% else %}nsd{% endif %}"
- group: "{% if ansible_os_family == 'OpenBSD' %}_nsd{% else %}nsd{% endif %}"
+ path: "{{ nsd_conf_dir }}/nsd_server.key"
+ owner: "{{ nsd_user }}"
+ group: "{{ nsd_group }}"
mode: "0600"
key: |
-----BEGIN RSA PRIVATE KEY-----
not sure why the play with 2.3.1.0 on CentOS is successful, but not on FreeBSD.
the RPM has a patch, which just requires `jinja2 >= 2.6`.
jinja version is `py27-Jinja2-2.9.5` on FreeBSD and `python-jinja2-2.7.2-2.el7.noarch` on CentOS.
the following sources are the same: https://dl.fedoraproject.org/pub/epel/7Server/SRPMS/a/ansible-2.3.1.0-1.el7.src.rpm and http://releases.ansible.com/ansible/ansible-2.3.1.0.tar.gz
rpm2cpio ../ansible-2.3.1.0-1.el7.src.rpm | cpio -idmv
`x509` test suite. in https://github.com/reallyenglish/ansible-role-uchiwa/pull/11, it is confirmed that `freebsd-10.3-amd64` box works with `include_role`. the cause of the failure might be specific to the role.
the issue is caused by https://github.com/ansible/ansible/issues/25136.
the fix: https://github.com/ansible/ansible/commit/eeaa67657750005b5ff9c287b1883fc08692814d
a workaround is:
meta/main.yml
roles:
in the test case
ISSUE TYPE
ROLE VERSION
CONFIGURATION
n/a or see the unit test.
OS / ENVIRONMENT
n/a
SUMMARY
it is PITA to configure certificate and key. in `tests/serverspec/remote_control_with_variables.yml`, `x509_certificate_additional_packages` and `nsd_conf_dir_pre` are necessary evil because, when `x509-certificate` is executed, user `nsd` does not exist and `nsd_conf_dir` is not included and expanded. `ansible` has a module, `include_role`, which executes a role from inside of another role. it should be possible to remove these necessary evils by using it.
STEPS TO REPRODUCE
n/a
EXPECTED RESULTS
the ugly variables are removed.
ACTUAL RESULTS
they are there.