[colug-432] Automatically Edit Configuration File

Rick Hornsby richardjhornsby at gmail.com
Thu Nov 19 08:02:57 EST 2015


> On Nov 19, 2015, at 03:38, Mike Plemmons <mikeplemmons at gmail.com> wrote:
> 
> We just replace the entire file in our roles instead of editing in place.  The reasoning is that if a user removes any text in the file before or after the desired lineinfile or replaced lines you still end up with a broken config but the task still succeeds.
> 
> This allows Ansible to provide a strong self healing capability.
> 
I agree.  Manage the whole file httpd.conf if configuration management is your objective.  If you need to parameterize things in httpd.conf you can probably use .erb templates or similar (I don't know Ansible specifically.)

This prevents errors and problems from someone coming along later making changes by hand.  Otherwise you can drive yourself crazy trying to set up just the exact right only-match-this-block-and-this-line rule.  If httpd.conf needs to be modified later, use your configuration management.  Any future modifications by hand or external process to httpd.conf should be clobbered - that's what you want to happen.  It allows you to declare your configuration management - Ansible - as the authority for the contents of httpd.conf.

Second, try to keep httpd.conf as small as possible, delegating all but core/global configuration to conf.d files.  I'd still recommend using Ansible to manage the conf.d files - but you don't have to.

Lastly, you're right to set aside sed/awk for this task.  They're great and valuable tools, but they're also a poor substitute for more robust configuration management options like Chef, Puppet, Ansible, etc.


> On Nov 18, 2015 10:25 PM, <jep200404 at columbus.rr.com> wrote:
> How would you automate the editing of a configuration file as
> described below?
> 
> I am automating the configuration of a system with Ansible.
> For /etc/httpd/conf/httpd.conf, I need to make sure that the
> <Directory /> section has a "Require all granted" line instead
> of a "Require all denied" line. "Require all" lines in other
> sections need to be left alone.
> 
> original /etc/httpd/conf/httpd.conf
> 
>     ...
>     <Directory />
>         AllowOverride none
>         Require all denied
>     </Directory>
>     ...
>     <Files ".ht*">
>         Require all denied
>     </Files>
>     ...
> 
> desired /etc/httpd/conf/httpd.conf
> 
>     ...
>     <Directory />
>         AllowOverride none
>         Require all granted
>     </Directory>
>     ...
>     <Files ".ht*">
>         Require all denied
>     </Files>
>     ...
> 
> I can write an awk script or probably even a sed script to do it,
> but it is desirable to edit with an Ansible module instead of an
> external shell command, because of the way Ansible modules
> understand when something has really changed or not.
> 
> I don't see how to use the lineinfile module in this situation,
> because it will only change the last line to match a regex.
> Matching "Require all" would change the line in the <Files ".ht*">,
> section instead of in the <Directory /> section.
> 
> It would be easy to just replace the whole file with a new one from
> Ansible, but that is also not preferred because when some new
> version of httpd.conf arrives, the wholesale replacement would
> clobber other changes in the configuration file.
> _______________________________________________
> colug-432 mailing list
> colug-432 at colug.net
> http://lists.colug.net/mailman/listinfo/colug-432
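
An added example, not part of either post and not Ansible's own code: a section-scoped edit in Python that changes the "Require all" line only directly inside <Directory />, reports whether anything changed, and fails instead of succeeding when the section or its line has been removed by hand. The function name and the sample config are constructed for illustration.

```python
import re

# Constructed sample mirroring the excerpt quoted in the thread.
SAMPLE = """\
<Directory />
    AllowOverride none
    Require all denied
</Directory>
<Directory "/var/www">
    Require all granted
</Directory>
<Files ".ht*">
    Require all denied
</Files>
"""

REQUIRE_RE = re.compile(r"^(\s*)Require\s+all\s+\S+\s*$", re.IGNORECASE)


def set_require_all(text, value, open_tag="<Directory />"):
    """Set 'Require all <value>' only directly inside the open_tag section.

    Returns (new_text, changed). Raises ValueError when the section or its
    'Require all' line is missing, so a hand-damaged file fails loudly.
    """
    out, seen_section, seen_require = [], False, False
    depth = 0  # 0 = outside target, 1 = directly inside, >1 = nested block
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        s = body.strip()
        if depth == 0:
            if s.lower() == open_tag.lower():
                depth, seen_section = 1, True
        elif s.startswith("</"):
            depth -= 1
        elif s.startswith("<"):
            depth += 1
        elif depth == 1 and (m := REQUIRE_RE.match(body)):
            seen_require = True
            line = f"{m.group(1)}Require all {value}{line[len(body):]}"
        out.append(line)
    if not seen_section:
        raise ValueError(f"section {open_tag} not found")
    if depth != 0:
        raise ValueError(f"section {open_tag} is not closed")
    if not seen_require:
        raise ValueError(f"no 'Require all' line inside {open_tag}")
    new_text = "".join(out)
    return new_text, new_text != text
```

Running it a second time on its own output returns changed = False, which is the property the original question wanted from an Ansible module.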
