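I'm trying to write an Ansible playbook that will let me define a list of groups to apply to a list of users on a defined list of servers.
It seems to be close to working, except that the user being created in /etc/passwd is the literal list value (e.g. ['mike']).
How can I tell Ansible to use the values of which_users?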
---
- hosts: all
  gather_facts: false
  vars:
    local_group_info:
      - name: developer group
        which_users:
          - mike
          - george
        which_groups:
          - adm
          - www-data
        on_hosts:
          - test.sv1.org
          - punchy.sv1.org
      - name: admin group
        which_users:
          - kelly
        which_groups:
          - sudo
        on_hosts:
          - test.sv1.org
  tasks:
    - name: Add users to local groups if current host matches
      when: inventory_hostname in item.0.on_hosts or 'all' in item.0.on_hosts
      debug:
        msg: "user {{ item.0.which_users }} should be in group {{ item.1 }}"
      with_subelements:
        - "{{ local_group_info }}"
        - which_groups
Output:
PLAY [all] **************************************************************************************************************************
TASK [Add users to local groups if current host matches] ****************************************************************************
ok: [test.sv1.org] => (item=[{u'which_users': [u'mike', u'george'], u'name': u'developer group', u'on_hosts': [u'test.sv1.org', u'punchy.sv1.org']}, u'adm']) => {
"msg": "user [u'mike', u'george'] should be in group adm"
}
ok: [test.sv1.org] => (item=[{u'which_users': [u'mike', u'george'], u'name': u'developer group', u'on_hosts': [u'test.sv1.org', u'punchy.sv1.org']}, u'www-data']) => {
"msg": "user [u'mike', u'george'] should be in group www-data"
}
ok: [test.sv1.org] => (item=[{u'which_users': [u'kelly'], u'name': u'admin group', u'on_hosts': [u'test.sv1.org']}, u'sudo']) => {
"msg": "user [u'kelly'] should be in group sudo"
}
PLAY RECAP **************************************************************************************************************************
test.sv1.org : ok=1 changed=0 unreachable=0 failed=0
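Answer 1
It doesn't work that way, because you need to loop over three items in two levels (the list of user classes in the first level, the list of unix groups and the list of users in the second level). This is the part where Ansible tends to get a bit complicated.
You can split it into two parts:
- A role that creates the list of users in a group
- Your play, which iterates over the list of user classes and unix groups.
Like this: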
roles/testrole/tasks/main.yml
- name: Creating list of users in named groups
  tags: ['testing']
  debug:
    msg: "User {{ item2 }} should be in group {{ current_group }}"
  # Inner loop variable is renamed so it does not clash with the outer loop's "item"
  loop_control:
    loop_var: item2
  with_items:
    - "{{ current_userlist }}"
your_playbook.yml
- name: Mimimal playbook
  hosts: all
  tags: ['testing']
  tasks:
    # Outer loop: one role invocation per (user class, unix group) pair
    - include_role:
        name: testrole
      tags: ['testing']
      vars:
        - current_group: "{{ item.1 }}"
        - current_userlist: "{{ item.0.userlist }}"
      with_subelements:
        - "{{ userclass }}"
        - grouplist
And the following variable definitions:
userclass:
  - name: Testgroup 1
    userlist:
      - homer
      - bart
    grouplist:
      - adm
  - name: Testgroup 2
    userlist:
      - lisa
      - maggie
      - marge
    grouplist:
      - exec
      - board
The result is:
PLAY [Mimimal playbook] ***********************************************************************************************************************************************************
TASK [include_role : testrole] ****************************************************************************************************************************************************
TASK [testrole : Creating list of users in named groups] **************************************************************************************************************************
ok: [ansible.example.com] => (item=homer) => {
"msg": "User homer should be in group adm"
}
ok: [ansible.example.com] => (item=bart) => {
"msg": "User bart should be in group adm"
}
TASK [testrole : Creating list of users in named groups] **************************************************************************************************************************
ok: [ansible.example.com] => (item=lisa) => {
"msg": "User lisa should be in group exec"
}
ok: [ansible.example.com] => (item=maggie) => {
"msg": "User maggie should be in group exec"
}
ok: [ansible.example.com] => (item=marge) => {
"msg": "User marge should be in group exec"
}
TASK [testrole : Creating list of users in named groups] **************************************************************************************************************************
ok: [ansible.example.com] => (item=lisa) => {
"msg": "User lisa should be in group board"
}
ok: [ansible.example.com] => (item=maggie) => {
"msg": "User maggie should be in group board"
}
ok: [ansible.example.com] => (item=marge) => {
"msg": "User marge should be in group board"
}
PLAY RECAP ************************************************************************************************************************************************************************
ansible.example.com : ok=3 changed=0 unreachable=0 failed=0
Other variants exist. You could iterate over the user classes in the play and then rewrite the role to use with_nested for the users and unix groups.
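Answer 2
You can create a mapping (first filter local_group_info by the list of hosts specified in the when, then concatenate the Cartesian products of which_users and which_groups for each of the filtered elements) and iterate over it: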
- name: Create user to group mapping
  set_fact:
    user_group_mapping: "{{ user_group_mapping | default([]) + item.which_users | product(item.which_groups) | list }}"
  loop: "{{ local_group_info | json_query(query) }}"
  vars:
    query: "@[?contains(on_hosts, `{{ inventory_hostname }}`) || contains(on_hosts, `all`)].{which_users: which_users, which_groups: which_groups}"
- name: Add users to local groups if current host matches
  debug:
    msg: "user {{ item.0 }} should be in group {{ item.1 }}"
  loop: "{{ user_group_mapping }}"
Depending on your goal (whether you want to continue or fail on incomplete data), you may or may not add a default({}) filter to item.which_users and item.which_groups.
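
Added example, not part of either answer: the user-to-group mapping from Answer 2 applied with the user module instead of debug, with the host filter done by a plain when instead of json_query. It reuses the question's local_group_info and assumes the listed groups already exist on the host; append: true is set so that each user's other supplementary groups are kept rather than replaced.

```yaml
---
- hosts: all
  gather_facts: false
  vars:
    # Same structure as in the question
    local_group_info:
      - name: developer group
        which_users: [mike, george]
        which_groups: [adm, www-data]
        on_hosts: [test.sv1.org, punchy.sv1.org]
      - name: admin group
        which_users: [kelly]
        which_groups: [sudo]
        on_hosts: [test.sv1.org]
  tasks:
    - name: Build the (user, group) pairs that apply to this host
      set_fact:
        # Cartesian product of users and groups, accumulated per matching entry
        user_group_mapping: >-
          {{ user_group_mapping | default([])
             + (item.which_users | product(item.which_groups) | list) }}
      loop: "{{ local_group_info }}"
      loop_control:
        label: "{{ item.name }}"
      # Entries for other hosts are skipped, so e.g. sudo is only granted
      # where on_hosts names this host (or 'all')
      when: inventory_hostname in item.on_hosts or 'all' in item.on_hosts

    - name: Add each user to each mapped group, keeping existing memberships
      user:
        name: "{{ item.0 }}"
        groups: "{{ item.1 }}"
        # Without append, "groups" replaces the user's supplementary groups
        append: true
      # default([]) covers hosts that matched no entry at all
      loop: "{{ user_group_mapping | default([]) }}"
      loop_control:
        label: "{{ item.0 }} -> {{ item.1 }}"
```

Running it with --check first shows which memberships would change on each host before anything is modified.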