So, I’m running into an issue with variable precedence. I’d appreciate any feedback. Apologies for how long this is, I’m trying to make sure everything is clear.
First, I set hash_behavior=merge in my ansible.cfg file. This lets me avoid having to repeat configuration across hosts, roles, and the all group. (DRY)
For example:
group_vars/all.yml
foo:
bar1: ‘me’host_vars/node1.yml
foo:
bar2: ‘you’
Instead of what I’d have to do with hash_behavior=replace:
group_vars/all.yml
foo:
bar1: ‘me’host_vars/node1.yml
foo:
bar1: ‘me’
bar2: ‘you’
The issue that I’m running into is what happens when you throw groups other than all into the mix.
group_vars/alpha.yml
foo:
bar5: ‘myself’group_vars/beta.yml
foo:
bar9: ‘I’
Now, this works just fine, I get all foobars.
hosts:
- all
But if I go:
hosts:
- beta
I get
group_vars/all.yml
foo:
bar1: ‘me’
bar2: ‘you’
bar9: ‘I’
When I want bar5 from group_vars/alpha.yml in there as well.
Basically, if you limit your hosts by group, only the vars in the all group, the specific groups you select, and your host_vars are applied. (From these variable sources, I’m ignoring -e, and vars: and vars_files:.)
The issues I see are:
-
How do you determine which group has precedence when the var names are the same?
-
I think this is why Ansible works the way it currently does. I can’t think of any way to figure precidence out from groups without having the user create some kind map.
-
What if the reason I’m using a group is to avoid any other vars getting in the way?
-
Is it really a good idea to load all the vars, all the time?
-
From a processing standpoint.
The only (somewhat) DRY solution I can think of is to just ignore groups other than all. That leaves me copying any config that doesn’t apply to every node, into the host_vars files every node to which it does apply. Which is kinda annoying when you need to change that config…
For a more concrete example:
I have a role that applies iptables rules, and a role that manages Monit probes. On the servers in my apache group, I want to open 80 and 443, and watch the apache process to make sure it doesn’t go down. On the servers in my mysql group, I want to open port 3306, and to watch the mysql process. Some of my servers are in both groups, and if I just call the mysql group, then only 3306 is opened, while 80 and 443 are closed, and only the mysql process is watched, while the apache process is ignored. When what I want, is for the iptables and Monit roles to pull the vars from both mysql and apache groups, even when I’m not calling both groups.
Anyway, any suggestions? How can I avoid repeating myself? How can I make groups actually useful to me?