Trouble using with_items and when: stdout == 0

Hi,

I'm trying to do two simple things:
- check if a user is present in sshd_config AllowUsers
- if not, add the user to the AllowUsers line

Sounds simple enough, yet my Ansible foo is still lacking severely. The problem is that the last task is always skipped.

vars:

allowusers:
   - testuser
   - patrick

tasks:

- name: Check if build user is in ssh AllowUsers
  shell: grep -i -m1 -c {{ item }} /etc/ssh/sshd_config
  with_items: allowusers
  ignore_errors: True
  register: check_allowusers

- debug: var=check_allowusers

- name: Add user to AllowUsers
  shell: "sed -i 's|^AllowUsers |AllowUsers {{ item }} |' /etc/ssh/sshd_config"
  with_items: check_allowusers.results
  when: item.stdout == 0

Here is the output from debug: var=check_allowusers:

TASK: [builder | debug var=check_allowusers] ****
ok: [test.local] => {
     "check_allowusers": {
         "changed": true,
         "failed": true,
         "msg": "One or more items failed.",
         "results": [
             {
                 "changed": true,
                 "cmd": "grep -i -m1 -c testuser /etc/ssh/sshd_config",
                 "delta": "0:00:00.005375",
                 "end": "2014-09-13 20:03:37.564863",
                 "invocation": {
                     "module_args": "grep -i -m1 -c testuser /etc/ssh/sshd_config",
                     "module_name": "shell"
                 },
                 "item": "testuser",
                 "rc": 1,
                 "start": "2014-09-13 20:03:37.559488",
                 "stderr": "",
                 "stdout": "0"
             },
             {
                 "changed": true,
                 "cmd": "grep -i -m1 -c patrick /etc/ssh/sshd_config",
                 "delta": "0:00:01.005767",
                 "end": "2014-09-13 20:03:38.671370",
                 "invocation": {
                     "module_args": "grep -i -m1 -c patrick /etc/ssh/sshd_config",
                     "module_name": "shell"
                 },
                 "item": "patrick",
                 "rc": 0,
                 "start": "2014-09-13 20:03:37.665603",
                 "stderr": "",
                 "stdout": "1"
             }
         ]
     }
}

If there isn't a better best practice way to do this then how do I make this work?

Thanks,
Patrick

The stdout in one case is “0” and another is “1” so this seems to be working as designed.

As such, I think this would be the way your system is set up (aka it works correctly) or your grep needs modification.

Ansible appears to be doing what you want.

Hi Michael,

Thank you for your feedback.

> The stdout in one case is "0" and another is "1" so this seems to be
> working as designed.
>
> As such, I think this would be the way your system is set up (aka it
> works correctly) or your grep needs modification.
>
> Ansible *appears* to be doing what you want.

Tried more stuff and got a useful error. It appears that Ansible does not pass in the *name* from the 'allowuser' list as item in the sed command but instead throws in *all* the 'results' text:

"cmd": "sed -i 's|^AllowUsers |AllowUsers {u'changed': True, ...

Obviously that will make sed fail. So what do I need to change to make it use just the name from the 'allowuser' list?

Full error:

TASK: [builder | builder | Add user to AllowUsers]

Yeah you will have to do “item.something” to not get the full hash result, like item.rc or item.stdout or item.cmd, as appropriate…

Thanks Michael. That put me on the right track. Here's what gave the expected results:

- name: builder | Add user to AllowUsers
  shell: "sed -i 's|^AllowUsers |AllowUsers {{ item.item }} |' /etc/ssh/sshd_config"
  with_items: check_allowusers.results
  when: item.stdout == "0"
  notify: restart sshd

Cheers,
Patrick
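
An added example, not part of the thread above: a single-task variant that avoids the grep/sed pair, matches the user name as a whole entry on the AllowUsers line rather than as a substring anywhere in the file, and validates the file before it is written. It reuses the `allowusers` list and the `restart sshd` handler from the thread; the current-Ansible module syntax, the pre-existing `AllowUsers` line and the `/usr/sbin/sshd` path are assumptions.

```yaml
# Added example, not from the thread. Assumes a current Ansible release,
# an existing "AllowUsers" line (as the sed in the thread also does),
# and sshd installed at /usr/sbin/sshd.
- name: Ensure each user is listed in sshd AllowUsers
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    # Match the AllowUsers line only when the name is NOT already present
    # as a whole whitespace-delimited entry, so "patrick" is not mistaken
    # for "patrick2" or for a mention in a comment elsewhere in the file.
    regexp: '^(AllowUsers(?!.*\s{{ item | regex_escape }}(?:\s|$)).*)$'
    # With backrefs enabled, a regexp that does not match leaves the file
    # untouched, so the task is idempotent without a separate check step.
    line: '\1 {{ item }}'
    backrefs: true
    # Refuse the edit if the resulting file is not a valid sshd config,
    # which guards against locking out SSH access with a broken file.
    validate: /usr/sbin/sshd -t -f %s
  loop: "{{ allowusers }}"
  notify: restart sshd
```

Because the module reports `changed` only when a name was actually appended, the handler fires only on real modifications.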