Global hooks/tasks

Hi,

I’ve had a look around for solutions to this problem, but surprisingly I’m starting to think it’s not something supported out of the box with ansible.

I would like to define a play or series of plays which are called exactly once on a given group of hosts for each ansible run, at the very start and very end of that run, regardless of which role or roles are being executed. Optionally, the set of tasks at the end could only run if any of the other tasks run changed something (a sort of global_changed state), but this isn’t essential. Using ro

The use-case is to run etckeeper before and after each run of ansible, to provide a definitive record of what changed on the server (at least as far as the configuration files in /etc go).

Does anyone have any suggestions on how I might accomplish this? Would a new feature request be appropriate if it’s not already achievable? Note that I wouldn’t want to have to modify every playbook and/or role to achieve this, since that would inevitably lead to missed commits and defeat the point of having a complete changelog.

Just in case it isn’t obvious: yes, I am managing the ansible playbooks in git already, but etckeeper provides a deeper view of what actually changed on the server and can be very helpful for looking back to figure out when/how something was misconfigured.

I would be interested to hear other solutions to this.

Cheers,
Dominic.

We had this discussion over lunch, i.e., we pondered how we could get ansible to trigger etckeeper on each host at the conclusion of the playbook. We excluded handlers because handlers are not executed once a playbook fails.

Did you find a way to cleanly create a hook like this without having to append this to each playbook individually?

–Tobias

I would just have something like incron on the target that triggers etckeeper

That would evidently work to track file changes locally. Our main use case however was to track on the target system (1) which team member changed a file (and who deleted a file, like a suddenly missing firewall rule, which precludes just using SVN keywords in the file header) and (2) using which playbook. This is to establish a reverse map from system to playbook and ansible user.

So somehow we need to trigger etckeeper et al. from Ansible itself. Preferably during the runtime so we do not have to load the inventory again, which takes up to 20 seconds, depending on Ansible version and local performance patches.

I assume this cannot be achieved cleanly in a callback plugin?

–Tobias

I would recommend a custom callback plugin.
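As an added example of the callback-plugin approach suggested above (this is not code from the thread or from the Ansible project), the plugin below runs exactly once at the very end of a run, in `v2_playbook_on_stats`, which fires even when tasks have failed. It works out from the run statistics which hosts reported at least one changed task and issues an `etckeeper commit` on each of them whose message records the controller user and the playbook, giving the reverse map from system to playbook and Ansible user that Tobias asked for. The plugin name `etckeeper_commit`, the `dry_run` flag and the helper functions are invented for this example; the `v2_*` hook names, `stats.processed`/`stats.changed` and `playbook._file_name` are Ansible's own. The matching "before" commit at the start of the run is not shown.

```python
"""Added example: Ansible callback plugin that commits /etc with etckeeper on
every host that changed during a run, once, at the end of the run.

Install by placing this file in ./callback_plugins/ next to the playbook and
enabling it in ansible.cfg:  [defaults] callbacks_enabled = etckeeper_commit
"""
import getpass
import os
import shlex
import subprocess

try:
    from ansible.plugins.callback import CallbackBase
except ImportError:  # stand-in so the module imports and tests without Ansible installed
    class _Display:
        def display(self, msg, *args, **kwargs):
            print(msg)

    class CallbackBase:
        def __init__(self, *args, **kwargs):
            self._display = _Display()


def commit_message(playbook, user):
    """The record etckeeper keeps on the host: which playbook, run by whom."""
    return "ansible run of %s by %s" % (playbook, user)


def hosts_with_changes(processed, changed):
    """Hosts with at least one changed task.

    `processed` and `changed` are the hostname -> count dicts that Ansible's
    AggregateStats exposes as stats.processed and stats.changed.
    """
    return sorted(h for h in processed if changed.get(h, 0) > 0)


def plan_commits(hosts, message):
    """One ad-hoc `ansible` command per host.

    Shelling out to `ansible` re-reads the inventory (the slow step noted in
    the thread) but needs no change to any playbook or role.
    """
    return {
        h: ["ansible", h, "-m", "command", "-a",
            "etckeeper commit %s" % shlex.quote(message)]
        for h in hosts
    }


class CallbackModule(CallbackBase):
    CALLBACK_VERSION = 2.0
    CALLBACK_TYPE = "notification"
    CALLBACK_NAME = "etckeeper_commit"  # assumed name, pick your own
    CALLBACK_NEEDS_WHITELIST = True     # only runs when enabled in ansible.cfg

    def __init__(self, dry_run=None):
        super().__init__()
        self.playbook = "unknown-playbook"
        self.user = getpass.getuser()  # controller-side user: the team member
        # dry_run is an example knob: print the commands instead of running them
        self.dry_run = dry_run if dry_run is not None else (
            os.environ.get("ETCKEEPER_DRY_RUN") == "1")
        self.planned = {}

    def v2_playbook_on_start(self, playbook):
        # First hook of the run: remember which playbook is being applied.
        self.playbook = os.path.basename(
            getattr(playbook, "_file_name", None) or self.playbook)

    def v2_playbook_on_stats(self, stats):
        # Last hook of the run; unlike a handler it runs even after failures.
        hosts = hosts_with_changes(stats.processed, stats.changed)
        self.planned = plan_commits(hosts, commit_message(self.playbook, self.user))
        for host, cmd in self.planned.items():
            if self.dry_run:
                self._display.display("would run on %s: %s" % (host, " ".join(cmd)))
            else:
                subprocess.run(cmd, check=False)  # a failed commit must not mask run results
        return self.planned
```

Because a callback plugin executes on the controller, not on the target, the commit still has to be dispatched to each host somehow; this example does so with a second `ansible` invocation, which pays the inventory-load cost Tobias wanted to avoid but keeps every playbook untouched. Hosts that ran with nothing changed get no commit, which is the "global changed" behaviour Dominic described as optional.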