If you’ve been here previously, you may know about the sudo cake I had baked and the reason I had it baked. Current events make me want to point out again how important it is to validate files you push out to machines with Ansible. Case in point is a shop which brought down a group of DNS servers by pushing out a broken configuration file.
Consider this Ansible playbook, and in particular, the template action:
validate option (also available for the copy command) specifies a
validation command which will be run when Ansible creates (i.e. copies) the
template to the target machine, but before that is moved into it’s final
_dest_ination. If this command fails (a single
%s is replaced by the
filename) the whole task fails, which is good: the _dest_ination file is not
modified. Here’s an example of the task failing:
and here is the task passing validation:
In this particular example I’m lucky because the BIND nameserver package actually has a program which can perform a validation check on its own configuration. (Just as sudo can with its visudo program, as I learned the hard way …) If that weren’t possible, I might want to create some script which does it for me and install that as an early Ansible task.
Here’s another template task with which I’ve deployed a syslog-ng configuration; it also validates the templated configuration file before installing it at its final destination.
This is just a friendly reminder.