Even with great care this can still happen, and it is very laborious to fix.
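Answer 1
The solution is to use the at utility to disable the firewall completely after a timeout. If the playbook finishes successfully, the command is cancelled.
The example below uses ufw, but it can be adapted to any other service.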
- name: Install package ufw
  apt:
    name: [at, ufw]
    state: present

- block:
    - name: Make sure to disable the firewall later if something goes wrong
      ansible.posix.at:
        command: "{{ firewall_disable_ufw }}"
        count: 3
        units: minutes
      changed_when: false

    # All tasks that modify the firewall go in here.

    - name: Cancel the above safety firewall disable command
      ansible.posix.at:
        command: "{{ firewall_disable_ufw }}"
        state: absent
      changed_when: false
  rescue:
    - fail:
        msg: >-
          WARNING: Task '{{ ansible_failed_task.name }}' failed.
          Firewall will be disabled soon by an `at` command
          `{{ firewall_disable_ufw }}`
  vars:
    firewall_disable_ufw: "systemctl disable --now ufw.service"
Using block:/rescue: is not really necessary, but it gives a good visual demarcation of the whole block and a better error message if the playbook fails.
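An added example, not part of the original answer: the cancel task above runs over the SSH connection Ansible already holds open, which can keep working even when the new rules reject fresh logins. This variant forces a new connection before it cancels the at job; the two ufw tasks, port 22 and the 30-second timeout are assumptions chosen for illustration.

```yaml
- block:
    - name: Schedule the safety firewall disable command
      ansible.posix.at:
        command: "{{ firewall_disable_ufw }}"
        count: 3
        units: minutes
      changed_when: false

    # Assumed firewall changes for illustration; put the real tasks here.
    - name: Allow inbound SSH
      community.general.ufw:
        rule: allow
        port: "22"
        proto: tcp

    - name: Enable ufw with a default deny policy
      community.general.ufw:
        state: enabled
        policy: deny

    # Close the multiplexed SSH session so the next task must log in again.
    - name: Drop the existing connection
      ansible.builtin.meta: reset_connection

    # Fails after 30 seconds if a new login is blocked, so the cancel
    # task below never runs and the at job stays scheduled.
    - name: Confirm that a fresh login works under the new rules
      ansible.builtin.wait_for_connection:
        timeout: 30

    - name: Cancel the safety firewall disable command
      ansible.posix.at:
        command: "{{ firewall_disable_ufw }}"
        state: absent
      changed_when: false
  rescue:
    - name: Report that the at job is still pending
      ansible.builtin.fail:
        msg: >-
          Task '{{ ansible_failed_task.name }}' failed.
          The at job `{{ firewall_disable_ufw }}` is still scheduled.
  vars:
    firewall_disable_ufw: "systemctl disable --now ufw.service"
```

Keep the at delay longer than the firewall tasks plus the connection timeout, otherwise the job can fire while the playbook is still running.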