I tried asking the IRC channel but I didn’t get any responses so I figure that the mailing list might be better suited to this question. I’m trying to build an extensible iptables template. All of my hosts will need some amount of custom rules to be added so I feel that extending a template would be a great way to achieve this. My base template looks like this:
#roles/common/templates/iptables.j2
{% block nat %}
{% endblock nat %}
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# SSH
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
{% block role_rules %}
{% endblock role_rules %}
# Drop All
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
So then I created a template for another host to add its role-specific information in. This template looks like this:
{% extends "roles/common/templates/iptables.j2" %}
{% block role_rules %}
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9000 -j ACCEPT
{% endblock role_rules %}
This was working until I moved my playbooks into a folder to organize them. Now I can’t seem to fix the path to make the template extends tag work. I even tried an absolute path.
Here’s my directory structure:
ansible/
  ansible.cfg
  hosts/
    dev
    qa
  groupvars/
    dev
    qa
  playbooks/
    roles/
      common.yml
      roleA.yml
      roleB.yml
  roles/
    common/
      templates/
        iptables.j2
      tasks/
        main.yml
    roleA/
      templates/
        iptables.j2
      tasks/
        main.yml
I keep getting this error when I get to the play that templates the iptables file:
{'msg': 'AnsibleError: file: /path/to/ansible/roles/vickyvale/templates/iptables.j2, error: Cannot find/not allowed to load (include) template /path/to/ansible/roles/common/templates/iptables.j2', 'failed': True}
Is there somewhere that documents what paths are searched when inside a template or in include calls from within a template? I can’t find much information about this at all.
So is there no way of including or extending templates from other roles? It would seem that this is a really powerful feature of the templating language that would make many configurations more versatile and powerful. Is what I’m trying to do not possible with Ansible?
I’ve tried that but I can’t seem to get it to work. Here are the paths I’ve tried so far:
common/templates/iptables.j2
../common/templates/iptables.j2
../../common/templates/iptables.j2
../../../common/templates/iptables.j2
/absolute/path/to/common/templates/iptables.j2
After some more playing, I found that if I move my roles/ directory into the folder with the playbooks, things work like they used to. However, if I move the roles/ directory anywhere higher in the hierarchy than the playbook, it seems that the path cannot be resolved inside the template.
I have decided to reorganize my code/configs again so that I can put the roles/ directory parallel to all the playbooks. It's slightly less ideal as the number of playbooks grows, but it maintains all needed functionality. If there's a better suggestion, I would be all for it.
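The behaviour described in this thread (a parent-relative or absolute path is refused, while the same template resolves once roles/ sits under the playbook directory) follows from how a Jinja2 FileSystemLoader turns the name in an extends tag into a file. The script below is an added, constructed example; it is not the poster's code and not Ansible's. It assumes a loader search path made of the playbook directory plus the directory of the template being rendered (an assumption about Ansible, not stated on the page), and it mirrors Jinja2's own name-splitting rules: every piece of the name is checked, a piece equal to ".." or containing an OS separator is rejected before any file is looked at, and the remaining pieces are joined onto each search path in turn. Both layouts from the thread are built in a temporary directory and each path the poster tried is resolved against them.

```python
import os
import tempfile
from pathlib import Path

# Constructed demonstration, not code from the thread or from Ansible.
# ASSUMPTION: the loader searches, in order, the playbook directory and the
# directory of the template being rendered. The name-splitting rules mirror
# Jinja2's FileSystemLoader (split_template_path): '..' and OS separators are
# refused outright, which is the "not allowed to load" half of the error.

BASE_TEMPLATE = "*filter\n{% block role_rules %}{% endblock role_rules %}\nCOMMIT\n"
CHILD_TEMPLATE = '{% extends "roles/common/templates/iptables.j2" %}\n'


def split_template_name(name):
    """Split a template name into path pieces the way Jinja2 does.

    Empty pieces and '.' are dropped (so a leading '/' is simply ignored),
    and any piece equal to '..' or containing an OS separator is rejected,
    so a template can never reach outside the configured search paths.
    """
    pieces = []
    for piece in name.split("/"):
        if os.sep in piece or (os.altsep and os.altsep in piece) or piece == os.pardir:
            raise LookupError(f"not allowed to load {name!r}")
        if piece and piece != ".":
            pieces.append(piece)
    return pieces


def resolve_template(search_paths, name):
    """Return the first existing <search_path>/<name>, or None if nothing matches."""
    pieces = split_template_name(name)
    for base in search_paths:
        candidate = Path(base, *pieces)
        if candidate.is_file():
            return candidate
    return None


def make_layout(root, roles_under_playbooks):
    """Build one of the two layouts from the thread under `root`.

    roles_under_playbooks=False: playbooks/ and roles/ are siblings under root.
    roles_under_playbooks=True:  roles/ lives inside playbooks/.
    Returns (playbook_dir, child_template, base_template).
    """
    root = Path(root)
    playbook_dir = root / "playbooks"
    playbook_dir.mkdir(parents=True, exist_ok=True)
    roles_dir = (playbook_dir if roles_under_playbooks else root) / "roles"
    for role in ("common", "roleA"):
        (roles_dir / role / "templates").mkdir(parents=True)
    base = roles_dir / "common" / "templates" / "iptables.j2"
    child = roles_dir / "roleA" / "templates" / "iptables.j2"
    base.write_text(BASE_TEMPLATE)
    child.write_text(CHILD_TEMPLATE)
    (playbook_dir / "roleA.yml").write_text("- hosts: all\n  roles: [roleA]\n")
    return playbook_dir, child, base


def check_extends(roles_under_playbooks, name):
    """Resolve `name` as the child template's extends target and report
    'found', 'not found' or 'not allowed'. The token '{base}' in `name` is
    replaced by the real absolute path of the common template, reproducing
    the absolute-path attempt from the thread."""
    with tempfile.TemporaryDirectory() as tmp:
        playbook_dir, child, base = make_layout(tmp, roles_under_playbooks)
        search_paths = [playbook_dir, child.parent]
        try:
            found = resolve_template(search_paths, name.format(base=base))
        except LookupError:
            return "not allowed"
        return "found" if found else "not found"


if __name__ == "__main__":
    cases = [
        (False, "roles/common/templates/iptables.j2"),
        (False, "common/templates/iptables.j2"),
        (False, "../common/templates/iptables.j2"),
        (False, "{base}"),
        (True, "roles/common/templates/iptables.j2"),
    ]
    for under, name in cases:
        where = "roles/ inside playbooks/" if under else "roles/ beside playbooks/"
        print(f"{where:26} {name:40} -> {check_extends(under, name)}")
```

The "not allowed" outcome is the loader refusing a ".." piece before it touches the filesystem, so no number of leading ../ segments can reach a directory that is not on the search path; an absolute name loses its leading slash and is tried relative to each search path, which is why it fails just as silently. The only path that resolves is one that is relative to a search path, and moving roles/ under the playbook directory is exactly what puts roles/common/templates/iptables.j2 on one.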
Can you point me to the comparable file in the v2 tree? If you think you would approve a similar logic change, I'll work on making it. Or, maybe this issue is already addressed in v2?
I would think that it would actually do a lot of good merging this change into the current tree whether or not it gets released. It can always be run from a git checkout if the feature is critical. When the template engine gets reworked for v2, these changes or considerations would be more visible to whoever makes the code change. Just my 2 cents, but I hope it helps.
v2 is not open for submissions just yet; plugins are in progress – we anticipate this should be ready in about a month or so to help with testing and development. There will be an analogous file in the action_plugins tree, called template.py, and it will be pretty similar, just a bit nicer.
The main parts are cleaning up the other pieces of code that it uses and touches.