sysctl module and removal of entry

Hi,

I’ve come across a situation where the sysctl module is not removing an entry if the value matches even if the state is set to ‘absent’.

e.g.,

  • The following does not remove the sysctl entry if the value below matches that in the sysctl file;

    - name: Test removal of sysctl key
      sysctl: name={{ item }} value=0 state=absent reload=no
      with_items:
        - net.bridge.bridge-nf-call-ip6tables
        - net.bridge.bridge-nf-call-iptables
        - net.bridge.bridge-nf-call-arptables

  • If the value is different, it does remove the key.

    - name: Test removal of sysctl key
      sysctl: name={{ item }} value=1 state=absent reload=no
      with_items:
        - net.bridge.bridge-nf-call-ip6tables
        - net.bridge.bridge-nf-call-iptables
        - net.bridge.bridge-nf-call-arptables

  • If the value is omitted, it does remove the key.

    - name: Test removal of sysctl key
      sysctl: name={{ item }} state=absent reload=no
      with_items:
        - net.bridge.bridge-nf-call-ip6tables
        - net.bridge.bridge-nf-call-iptables
        - net.bridge.bridge-nf-call-arptables

ansible --version = ansible 1.7.1

Remote machine=CentOS6.5

In debug, it shows the state is set to absent even though it appears to ignore it;

PLAY [XX.XX.XX.XX] **********************************************************

GATHERING FACTS ***************************************************************
<XX.XX.XX.XX> ESTABLISH CONNECTION FOR USER: root on PORT 22 TO XX.XX.XX.XX
<XX.XX.XX.XX> REMOTE_MODULE setup
<XX.XX.XX.XX> EXEC /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1412781537.17-34022334345500 && echo $HOME/.ansible/tmp/ansible-tmp-1412781537.17-34022334345500'
<XX.XX.XX.XX> PUT /tmp/tmpit9iZw TO /root/.ansible/tmp/ansible-tmp-1412781537.17-34022334345500/setup
<XX.XX.XX.XX> EXEC /bin/sh -c 'LANG=C LC_CTYPE=C /usr/bin/python /root/.ansible/tmp/ansible-tmp-1412781537.17-34022334345500/setup; rm -rf /root/.ansible/tmp/ansible-tmp-1412781537.17-34022334345500/ >/dev/null 2>&1'
ok: [XX.XX.XX.XX]

TASK: [Test removal of sysctl key] ********************************************
<XX.XX.XX.XX> ESTABLISH CONNECTION FOR USER: root on PORT 22 TO XX.XX.XX.XX
<XX.XX.XX.XX> REMOTE_MODULE sysctl name=net.bridge.bridge-nf-call-ip6tables value=0 state=absent reload=no
<XX.XX.XX.XX> EXEC /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1412781537.7-197935696377092 && echo $HOME/.ansible/tmp/ansible-tmp-1412781537.7-197935696377092'
<XX.XX.XX.XX> PUT /tmp/tmpj3GFfR TO /root/.ansible/tmp/ansible-tmp-1412781537.7-197935696377092/sysctl
<XX.XX.XX.XX> EXEC /bin/sh -c 'LANG=C LC_CTYPE=C /usr/bin/python /root/.ansible/tmp/ansible-tmp-1412781537.7-197935696377092/sysctl; rm -rf /root/.ansible/tmp/ansible-tmp-1412781537.7-197935696377092/ >/dev/null 2>&1'
ok: [XX.XX.XX.XX] => (item=net.bridge.bridge-nf-call-ip6tables) => {"changed": false, "item": "net.bridge.bridge-nf-call-ip6tables"}
<XX.XX.XX.XX> ESTABLISH CONNECTION FOR USER: root on PORT 22 TO XX.XX.XX.XX
<XX.XX.XX.XX> REMOTE_MODULE sysctl name=net.bridge.bridge-nf-call-iptables value=0 state=absent reload=no
<XX.XX.XX.XX> EXEC /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1412781538.12-44471411742706 && echo $HOME/.ansible/tmp/ansible-tmp-1412781538.12-44471411742706'
<XX.XX.XX.XX> PUT /tmp/tmpWbVgcA TO /root/.ansible/tmp/ansible-tmp-1412781538.12-44471411742706/sysctl
<XX.XX.XX.XX> EXEC /bin/sh -c 'LANG=C LC_CTYPE=C /usr/bin/python /root/.ansible/tmp/ansible-tmp-1412781538.12-44471411742706/sysctl; rm -rf /root/.ansible/tmp/ansible-tmp-1412781538.12-44471411742706/ >/dev/null 2>&1'
ok: [XX.XX.XX.XX] => (item=net.bridge.bridge-nf-call-iptables) => {"changed": false, "item": "net.bridge.bridge-nf-call-iptables"}
<XX.XX.XX.XX> ESTABLISH CONNECTION FOR USER: root on PORT 22 TO XX.XX.XX.XX
<XX.XX.XX.XX> REMOTE_MODULE sysctl name=net.bridge.bridge-nf-call-arptables value=0 state=absent reload=no
<XX.XX.XX.XX> EXEC /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1412781538.55-56695379779771 && echo $HOME/.ansible/tmp/ansible-tmp-1412781538.55-56695379779771'
<XX.XX.XX.XX> PUT /tmp/tmpaq_Q5s TO /root/.ansible/tmp/ansible-tmp-1412781538.55-56695379779771/sysctl
<XX.XX.XX.XX> EXEC /bin/sh -c 'LANG=C LC_CTYPE=C /usr/bin/python /root/.ansible/tmp/ansible-tmp-1412781538.55-56695379779771/sysctl; rm -rf /root/.ansible/tmp/ansible-tmp-1412781538.55-56695379779771/ >/dev/null 2>&1'
ok: [XX.XX.XX.XX] => (item=net.bridge.bridge-nf-call-arptables) => {"changed": false, "item": "net.bridge.bridge-nf-call-arptables"}

PLAY RECAP ********************************************************************
XX.XX.XX.XX : ok=2 changed=0 unreachable=0 failed=0

and the entry definitely exists on the remote host;

    grep bridge /etc/sysctl.conf
    # Disable netfilter on bridges.
    net.bridge.bridge-nf-call-ip6tables = 0
    net.bridge.bridge-nf-call-iptables = 0
    net.bridge.bridge-nf-call-arptables = 0

Is this known/expected behavior (I would expect an ‘absent’ state to remove the entry when it matches the name and value)?
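
An added example, not part of the original post and not the sysctl module's code: a check that keys expected to be absent really are gone from sysctl.conf-style text, independent of the "changed" status the task reports. The function names and the embedded sample (modelled on the grep output above) are assumptions.

```python
import re

# Active entry: "key = value". Lines starting with '#' or ';' are comments.
# A leading '-' (ignore-errors prefix in sysctl.conf) is accepted and dropped.
_ENTRY = re.compile(r"^\s*-?([^#;=\s-][^=\s]*)\s*=\s*(.*?)\s*$")


def parse_sysctl_conf(text):
    """Return {key: value} for non-comment entries; the last occurrence wins."""
    entries = {}
    for line in text.splitlines():
        match = _ENTRY.match(line)
        if match:
            entries[match.group(1)] = match.group(2)
    return entries


def still_present(conf_text, keys_expected_absent):
    """Return {key: value} for keys that should be gone but are still set."""
    entries = parse_sysctl_conf(conf_text)
    return {k: entries[k] for k in keys_expected_absent if k in entries}


# Keys the playbook in the post tries to remove.
KEYS = [
    "net.bridge.bridge-nf-call-ip6tables",
    "net.bridge.bridge-nf-call-iptables",
    "net.bridge.bridge-nf-call-arptables",
]

# Constructed sample, modelled on the grep output in the post.
SAMPLE_CONF = """\
# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
"""

if __name__ == "__main__":
    leftovers = still_present(SAMPLE_CONF, KEYS)
    for key, value in sorted(leftovers.items()):
        print("still present: %s = %s" % (key, value))
    raise SystemExit(1 if leftovers else 0)
```

Unlike a plain grep, this ignores comment lines, so a commented-out entry or a comment that merely mentions "bridge" is not counted as a remaining setting.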