How to exclude filesystems with ansible

Question

I'm writing a playbook the change file and folders permissions on a Linux server. Until know it is working and looks like this:

-
  name: Playbook to change file and directory permissions
  hosts: all
  become: yes
  vars:
    DIR: '{{ target_dir }}'
    FILE: '{{ target_file }}'
    PERMISSIONS: '{{ number }}'
    OWNER: '{{ target_owner }}'
    GROUP: '{{ target_group }}'

  tasks:

    - name: Checking if the directory exists
      stat:
        path: '{{ DIR }}'
      register: dir_status

    - name: Checking if the file exists
      stat:
        path: '{{ FILE }}'
      register: file_status

    - name: Report if directory exists
      debug:
        msg: "Directory {{ DIR }} is present on the server"
      when: dir_status.stat.exists and dir_status.stat.isdir

    - name: Report if file exists
      debug:
        msg: "File {{ FILE }} is present on the server"
      when: file_status.stat.exists

    - name: Applying new permissions
      file:
          path: '{{ DIR }}/{{ FILE }}'
          state: file
          mode: '0{{ PERMISSIONS }}'
          owner: '{{ OWNER }}'
          group: '{{ GROUP }}'

But what I need is if the user that gonna execute the playbook in rundeck wanna change permissions on the (/boot /var /etc /tmp /usr) directories tell ansible to not try doing that and throw an error message.

How can I do that?

I'm not sure I understand what you're asking ... the title suggests that you don't want to allow ansible to change certain directories/files. In the text it sounds as if you're asking how to change them, anyway. That said: please give us the **exact** error message. *something like* isn't really a good basis for an analysis. — tink, Oct 29 '21 at 20:20
Hi ! Sorry if I'm not being clear. What I want is that when the playbook is executed if one of those directories (/ boot, / etc, / usr) is passed by parameter it stops sending an error message saying that permissions cannot be changed on system directories — Fede Berbara, Oct 29 '21 at 20:24
Still unclear. Do you want the change to happen (**bad idea!!**) or do you want ansible to not try doing that? Or do you just want to suppress the error messages? P.S.: Please edit the question with the clearer request(s) rather than answering in the comments. Here at [so] a question is supposed to be clear, rather than demanding that one read a whole thread to understand what you really want. — tink, Oct 29 '21 at 20:29
I want ansible to not try that and throw and error message to the user — Fede Berbara, Oct 29 '21 at 20:32
@tink I have already corrected the question, I hope that now it is understood — Fede Berbara, Oct 29 '21 at 20:43

U880D · Accepted Answer · 2021-11-03T11:07:41.473

I understand your question that you like to fail with custom message when a variable DIR contains one of the values /boot, /var, /etc, /tmp or /usr.

To do so you may use

- name: You can't work on {{ DIR }}
  fail:
    msg: The system may not work on {{ DIR }} according ...
   when: '"/boot" or "/var" or "/etc" or "/tmp" or "/usr" in DIR'

There is also a meta_module which can end_play when condition are met.

  tasks:
  - meta: end_play
    when: '"/boot" or "/var" or "/etc" or "/tmp" or "/usr" in DIR'

Both, fail and end_play, you can combine with different variables for certain use cases.

when: "'download' or 'unpack' in ansible_run_tags"
when: ( "DMZ" not in group_names )

Thanks to

Please take note that you are constructing the full path by concatenating {{ DIR }}/{{ FILE }} at the end. The above mentioned simple approach will not handle an empty DIR and FILEname with path included. Test cases could be

DIR: ""
FILE "/tmp/test"

DIR: "/"
FILE: "tmp/test"

Maybe you like to perform the test on the full filepath or test what a variable begins with.

In respect to the comments from Zeitounator and seshadri-c you may also try the approach of the assert_module

- name: Check for allowed directories
  assert:
    that:
      -  DIR in ["/boot", "/etc", "/var", "/tmp", "/usr"]
    quiet: true
    fail_msg: "The system may not work on {{ DIR }} according ..."
    success_msg: "Path is OK."

One more module (and the best suited one in this scenario IMO) is [`assert`](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/assert_module.html) — Zeitounator, Oct 30 '21 at 09:10
Also, I'd have the `when` condition as `when: DIR in ["/boot", "/etc", "/var", "/usr"]` — seshadri_c, Oct 30 '21 at 11:46
Thank you so much for your explanation ! It was really helpful — Fede Berbara, Nov 24 '21 at 03:31

How to exclude filesystems with ansible

1 Answers1