Only run Ansible seport when ports are not yet configured. Preferably not through shell or command module using semanage
I have a role set up to install the iTop application on LAMP/RHEL 8 with Ansible 2.9.
I am trying to find a way to make the seport module only run when the needed ports are not yet configured (make it idempotent).
I probably could use the command or shell module to run semanage and register a fact which I would use in a when condition.
What I was wondering is if there's a proper Ansible way to do this, without using semanage through the command or shell module.
I had a look at the link below, but it's not what I'm looking for: Ansible: configure nginx role to use custom port read from variable
I did not find any examples or alternatives for this on Google.
In case anyone has any tips or hints, I would be most thankful.
Solution 1:[1]
Unfortunately, there is no "proper" way of doing this in Ansible. If you check the code for the seport module (as of today), you can see here:

```python
if state == 'present':
    result['changed'] = semanage_port_add(module, ports, proto, setype, do_reload)
elif state == 'absent':
    result['changed'] = semanage_port_del(module, ports, proto, setype, do_reload)
else:
    module.fail_json(msg='Invalid value of argument "state": {0}'.format(state))
```
So this module is certainly not idempotent, since it will return changed every time. You may try creating an issue, and someone might fix it.
It seems that the semanage CLI is not idempotent either: `semanage port --add` will throw `ValueError: Port PROTO/PORT already defined`, and will take a lot of time. You have multiple options:
- Reimplement part of the seport module with shell, but define the changed criteria:

```yaml
- name: semanage add port
  shell: LANG=C semanage port --add -t zookeeper_election_port_t -p tcp 38888
  register: result
  # a port that is already labelled makes semanage exit non-zero; treat that as success
  failed_when: result.rc != 0 and "already defined" not in result.stderr
  # only report a change when the port was actually added
  changed_when:
    - result.rc == 0
```

- Parse the output of `semanage port -l | tr -s ' ' | grep 'port_type'` and match it with your condition, then call the seport module.
At first I wanted to point out that the 1st variant is kinda slow due to the semanage implementation, but due to connection overhead it might be a negligible difference in your case.
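The second option (parse `semanage port -l`, then decide before calling seport) carried out in Python, as an added example that is not part of the answer or of Ansible's seport module: it parses a constructed sample of the listing, expands `low-high` ranges, and returns `skip`/`add`/`modify` so the seport task can be gated with a `when` or the play can choose `--modify`. The distinction between an exact single-port record and a port that merely falls inside a range is an assumption drawn from the `already defined` error the answer quotes.

```python
from typing import List, Optional, Tuple

# Constructed sample of `semanage port -l` output (not captured from the
# questioner's host); the zookeeper line mirrors the answer's example type.
SAMPLE_OUTPUT = """\
SELinux Port Type              Proto    Port Number

afs3_callback_port_t           tcp      7001
afs3_callback_port_t           udp      7001
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
zookeeper_election_port_t      tcp      3888
unreserved_port_t              tcp      61001-65535
"""

Record = Tuple[str, str, int, int]  # (setype, proto, low, high)

def parse_semanage_ports(text: str) -> List[Record]:
    """Parse `semanage port -l` lines into records, expanding 'low-high' ranges."""
    records: List[Record] = []
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) != 3 or parts[0] == "SELinux":
            continue  # blank line, column header, or malformed line: ignore
        setype, proto, ports = parts
        for token in ports.split(","):
            bounds = [int(x) for x in token.strip().split("-", 1)]
            records.append((setype, proto, bounds[0], bounds[-1]))
    return records

def lookup(records: List[Record], port: int, proto: str) -> Tuple[Optional[str], bool]:
    """Return (setype, exact). exact=True means a single-port record matches (assumed to
    be the 'already defined' case); a port only inside a range reports exact=False."""
    covering = None
    for setype, p, low, high in records:
        if p != proto or not low <= port <= high:
            continue
        if low == high:
            return setype, True
        covering = setype
    return covering, False

def seport_action(records: List[Record], port: int, proto: str, setype: str) -> str:
    """Decide the idempotent next step: 'skip' (already labelled as wanted),
    'modify' (exact record with another type, needs --modify) or 'add'."""
    current, exact = lookup(records, port, proto)
    if exact:
        return "skip" if current == setype else "modify"
    return "add"

SAMPLE_RECORDS = parse_semanage_ports(SAMPLE_OUTPUT)
```

On a real host, feed the registered `semanage port -l` stdout to `parse_semanage_ports` and use the returned action in the task's `when` condition.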
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Andrew |
