'lineinfile' module - possible bug?

Archives Ansible Project
1

Hi all,

I have a playbook used for setting up new servers here, that among other things, ensures both NTP and NIS (yes, we still use NIS here…) are installed and are running. The problem I am seeing is that when the playbook executes the notify action for restarting the ntpd service, it is failing because the ‘ntp’ user is no longer in /etc/passwd. I believe the problem is occurring when I run tasks in the playbook that call the ‘lineinfile’ module to ensure I have a certain entry needed for NIS logins at the bottom of /etc/passwd, which seems to be overwriting the then-last-line which is the ‘ntp’ user one.

Here is the tasks that make sure NTPD is installed and running…

[…]

  • name: DEBFAM | Ensure NTP package is installed
    apt: pkg=ntp state=present
    tags: ntp

  • name: DEBFAM | Ensure NTP configured correctly
    template: src=ntp.conf.j2 dest=/etc/ntp.conf
    notify:

  • restart deb-ntpd
    tags: ntp

  • name: DEBFAM | Ensure NTP is running and enabled
    service: name=ntp state=running enabled=yes
    tags: ntp

[…]

Right after these steps are run, I can cat /etc/password and notice that the ‘ntp’ user entry is there, and happens to be the last entry…

[…]
rtkit:x:116:124:RealtimeKit,:/proc:/bin/false
saned:x:117:125::/home/saned:/bin/false
whoopsie:x:118:126::/nonexistent:/bin/false
speech-dispatcher:x:119:29:Speech Dispatcher,:/var/run/speech-dispatcher:/bin/sh
hplip:x:120:7:HPLIP system user,:/var/run/hplip:/bin/false
ntp:x:121:127::/home/ntp:/bin/false

Then the playbook runs the tasks I have set up to ensure NIS is installed and running…

[…]

  • name: DEBFAM | Ensure NIS package is installed
    apt: pkg=nis
    tags: nis

  • name: DEBFAM | Ensure /etc/yp.conf configured correctly for NIS
    template: src=yp.conf.j2 dest=/etc/yp.conf
    notify:

  • restart nis
    tags: nis

  • name: DEBFAM | Ensure /etc/defaultdomain configured correctly for NIS
    template: src=etc-defaultdomain.j2 dest=/etc/defaultdomain
    notify:

  • restart nis
    tags: nis

  • name: DEBFAM | Ensure /etc/nsswitch.conf configured correctly for NIS
    template: src=nsswitch.conf.j2 dest=/etc/nsswitch.conf
    tags: nis

  • name: DEBFAM | Erase old /etc/passwd entry for NIS users
    lineinfile: dest=/etc/passwd
    regexp=‘::::::+’
    state=absent
    tags: nis

  • name: DEBFAM | Erase old /etc/shadow entry for NIS users
    lineinfile: dest=/etc/shadow
    regexp=‘::::::::+’
    state=absent
    tags: nis

  • name: DEBFAM | Ensure NIS is running and enabled
    service: name=ypbind state=restarted enabled=yes
    notify:

  • restart autofs
    tags: nis

  • name: DEBFAM | Ensure /etc/passwd has correct entry for NIS users
    lineinfile: dest=/etc/passwd
    regexp=‘’
    insertafter=EOF
    line=‘::::::+’
    notify:

  • restart nis
    tags: nis

  • name: DEBFAM | Ensure /etc/shadow has correct entry for NIS users
    lineinfile: dest=/etc/shadow
    regexp=‘’
    insertafter=EOF
    line=‘::::::::+’
    notify:

  • restart nis
    tags: nis

[…]

(I’m running the lineinfile module once on /etc/passwd and /etc/shadow to remove any old existing entries for the ‘+::::…’ patterns, and then running them again on those files to ensure they are present and at the end of those respective files.)

However, when the playbook is ending and running the accumulated notifies, when it hits the ‘restart deb-ntpd’ action, this fails, complaining that the ‘ntp’ user is not there –

NOTIFIED: [common | restart deb-ntpd] *****************************************
failed: [dhcp-207-150] => {“failed”: true}
msg: * Stopping NTP server ntpd
…done.

  • Starting NTP server ntpd
  • user “ntp” does not exist

FATAL: all hosts have already failed – aborting

If I then cat /etc/passwd, I notice that the entry for the ‘ntp’ user is gone, and seemingly overwritten by the NIS entry:

[…]
rtkit:x:116:124:RealtimeKit,:/proc:/bin/false
saned:x:117:125::/home/saned:/bin/false
whoopsie:x:118:126::/nonexistent:/bin/false
speech-dispatcher:x:119:29:Speech Dispatcher,:/var/run/speech-dispatcher:/bin/sh
hplip:x:120:7:HPLIP system user,:/var/run/hplip:/bin/false
::::::+

This has happened a number of times to me, enough that I believe I’m hitting a bug (or am using the ‘lineinfile’ module incorrectly somehow??) so I thought I’d post it to this list and ask for help with debugging this…

Thanks,
Will

2

lineinfile is tricky and I don’t have bandwidth to debug this one right now, but maybe some other folks would like to help?

Most of the time, I strongly recommend just templating the file, that way you are centrally very sure of the state of everything that’s in there.

3

Also, is there any reason you’re not using the user module to manage entries in your passwd/shadow files?

4

Sorry, other work took me away from pursuing this issue until now… Thanks for your attention, Michael & James!

In any case, it seems the entry I need is actually “+::::::” in /etc/passwd, per this webpage: http://www.linux-nis.org/nis-howto/HOWTO/settingup_client.html (and not “::::::+” as I’ve been using, which is weird, because NIS logins are working with that… but I digress…)

I can’t really template the /etc/passwd and /etc/shadow files, as the users can install software that enters new users that my Ansible playbooks wouldn’t know about… And I’m pretty sure I can’t use the “user” module; I don’t want to create an actual local user (and homedir etc.), just add the literal line “+::::::” at the bottom of /etc/passwd to create the needed entry to incorporate the NIS users…

I also had an instance today where my playbook worked perfectly (i.e., lineinfile did NOT overwrite the then-last entry for the ‘ntp’ user…) so looks like it’s also an intermittent problem.

Just wanted to report a seeming problem, and see if there was a solution…

Thanks,
Will

5

Can you let us know why the user module won’t work for you in this case? It should not be needed to edit those files directly, and if there’s a missing feature I’d like to see it exposed in the user module.

Thanks!

6

Hi Michael,

Sorry for the much-delayed response (again…)

This is kind of an edge-case, but for a NIS client (with ‘compat’ in the /etc/nsswitch.conf for passwd, which is at least the default in Ubuntu), you must add a special entry in to “pick up” the NIS users (again, see section 7.2 in http://www.linux-nis.org/nis-howto/HOWTO/settingup_client.html for the different options.)

I believe the ‘user’ module has the paradigm of adding actual users to the system, and can not just add needed entries to /etc/passwd (and /etc/shadow) to handle as case as the above… Or did I misread the docs on the user module?

I found that one can “get around” the need for such an entry in /etc/passwd if you specify the following in nsswitch.conf:

passwd: files nis

i.e., try the local /etc/passwd first, then if not found, try NIS – this is what we were doing, so we found the entry of ‘+::::::’ was actually not necessary in /etc/passwd (and why the incorrect ‘::::::+’ we had been putting in there didn’t matter, and why NIS worked anyways)

Best,
Will