From 7ec60657b3ff9d46404424a401c6541ae3e43077 Mon Sep 17 00:00:00 2001 From: A Holt Date: Tue, 21 Jan 2020 04:05:45 -0500 Subject: [PATCH 01/17] Validate 2 input vars for munin/tasks/main.yml --- roles/munin/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/munin/tasks/main.yml b/roles/munin/tasks/main.yml index 8812ddf01..7aba3803d 100644 --- a/roles/munin/tasks/main.yml +++ b/roles/munin/tasks/main.yml @@ -1,3 +1,11 @@ +- assert: + that: munin_install is defined and munin_install is sameas true + success_msg: munin_install is defined and munin_install is sameas true + +- assert: + that: munin_enabled is defined and munin_enabled | type_debug == 'bool' + success_msg: munin_enabled is defined and munin_enabled | type_debug == 'bool' + - name: Install Munin if 'munin_installed' is not defined in {{ iiab_state_file }} # /etc/iiab/iiab_state.yml include_tasks: install.yml when: munin_installed is undefined From 639e335442a06682798947f222cf0ec02874f95d Mon Sep 17 00:00:00 2001 From: A Holt Date: Tue, 21 Jan 2020 04:05:51 -0500 Subject: [PATCH 02/17] Validate 2 input vars for wordpress/tasks/main.yml --- roles/wordpress/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/wordpress/tasks/main.yml b/roles/wordpress/tasks/main.yml index 89029c7a7..a508d0d49 100644 --- a/roles/wordpress/tasks/main.yml +++ b/roles/wordpress/tasks/main.yml 
@@ -1,5 +1,13 @@ # SEE "emergency" REINSTALL INSTRUCTIONS IN roles/wordpress/tasks/install.yml +- assert: + that: wordpress_install is defined and wordpress_install is sameas true + success_msg: wordpress_install is defined and wordpress_install is sameas true + +- assert: + that: wordpress_enabled is defined and wordpress_enabled | type_debug == 'bool' + success_msg: wordpress_enabled is defined and wordpress_enabled | type_debug == 'bool' + - name: Provision MySQL DB for WordPress, if 'wordpress_installed' is not defined in {{ iiab_state_file }} # /etc/iiab/iiab_state.yml include_tasks: setup.yml when: wordpress_installed is undefined # and not installing From 14549cfabb4867ef87958f579381e642f80090af Mon Sep 17 00:00:00 2001 From: A Holt Date: Tue, 21 Jan 2020 11:39:11 -0500 Subject: [PATCH 03/17] Mark idmgr as UNMAINTAINED --- roles/5-xo-services/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/5-xo-services/tasks/main.yml b/roles/5-xo-services/tasks/main.yml index 0ab041970..a00f6fc0b 100644 --- a/roles/5-xo-services/tasks/main.yml +++ b/roles/5-xo-services/tasks/main.yml @@ -15,6 +15,7 @@ when: ejabberd_xs_install | bool #tags: olpc, ejabberd-xs +# UNMAINTAINED - name: IDMGR include_role: name: idmgr From cf4109da4ffe4789a3ca1d7d17f65803954964dc Mon Sep 17 00:00:00 2001 From: A Holt Date: Tue, 21 Jan 2020 11:54:33 -0500 Subject: [PATCH 04/17] Clean default_vars.yml --- vars/default_vars.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/vars/default_vars.yml b/vars/default_vars.yml index d7ab97ae0..8746126fc 100644 --- a/vars/default_vars.yml +++ b/vars/default_vars.yml 
@@ -91,6 +91,7 @@ host_wifi_mode: g host_channel: 6 hostapd_secure: False hostapd_password: changeme +hostapd_install: True # 2020-01-21: do not rely on this var for now (might be implemented in future) hostapd_enabled: True # Above is forcibly set to False (in roles/network/tasks/main.yml) if IIAB is # being WiFi-installed (run "iiab-hotspot-on" AFTER ./iiab-install completes @@ -102,7 +103,7 @@ reboot_to_AP: False # Gateway mode iiab_lan_enabled: True iiab_wan_enabled: True -ssh_port: 22 +ssh_port: 22 # SEE sshd_* vars below. # Ties in what the user populated in the GUI for static WAN IP address info: gui_wan: True adm_cons_force_ssl: False @@ -165,7 +166,7 @@ bluetooth_term_enabled: False # (prior to IIAB 6.7, this had used https://github.com/iiab/iiab-menu) js_menu_install: True -# Unmaintained as of October 2017: https://github.com/iiab/iiab/pull/382 +# UNMAINTAINED as of October 2017: https://github.com/iiab/iiab/pull/382 wondershaper_install: False wondershaper_enabled: False @@ -195,6 +196,8 @@ wan_try_dhcp_before_static_ip: True # Facilitate field updates w/ cablemodems # 1-PREP +# SEE ssh_port var above. +sshd_install: True # 2020-01-21: do not rely on this var for now (might be implemented in future) sshd_enabled: True # roles/iiab-admin runs here @@ -323,9 +326,10 @@ activity_server_enabled: False ejabberd_xs_install: False ejabberd_xs_enabled: False +# UNMAINTAINED since about 2012-2017 # Change calibre_port from 8080 to 8010 below, if you enable idmgr idmgr_install: False -idmgr_enables: False +idmgr_enabled: False # 6-GENERIC-APPS @@ -342,7 +346,7 @@ azuracast_https_port: 10443 # being reserved for AzuraCast: azuracast_port_range_prefix: 10 -# Unmaintained as of January 2020: https://github.com/iiab/iiab/issues/2056 +# UNMAINTAINED as of January 2020: https://github.com/iiab/iiab/issues/2056 dokuwiki_install: False dokuwiki_enabled: False dokuwiki_url: /dokuwiki 
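Review bot: `sshd_install: True` (hunk @@ -195,6 +196,8) and `hostapd_install: True` (hunk @@ -91,6 +91,7) are added as variables that, by their own comment, nothing acts on yet, and the comment does not say what happens when an operator sets one to False. For sshd this matters most: someone who writes `sshd_install: False` in local_vars.yml could reasonably conclude that no SSH daemon gets installed, while presumably only `sshd_enabled` has any effect today. I would make the comment say so outright, e.g. `sshd_install: True  # NOT YET IMPLEMENTED: setting this to False currently has no effect`, and use the same wording for hostapd here and in roles/network/defaults/main.yml (patch 12). The `idmgr_enables` to `idmgr_enabled` correction in hunk @@ -323,9 +326,10 looks right; it is worth checking whether any deployed local_vars.yml copied the old spelling.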
@@ -350,7 +354,7 @@ dokuwiki_url: /dokuwiki mediawiki_install: False mediawiki_enabled: False -# Unmaintained as of November 2019 +# UNMAINTAINED as of November 2019 ejabberd_install: False ejabberd_enabled: False From 3495d0ea5a1d34734fad589e2c15e5ae59a0d1c5 Mon Sep 17 00:00:00 2001 From: A Holt Date: Tue, 21 Jan 2020 11:55:15 -0500 Subject: [PATCH 05/17] Mark idmgr as UNMAINTAINED in local_vars_min.yml --- vars/local_vars_min.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/vars/local_vars_min.yml b/vars/local_vars_min.yml index e9dd20c1f..af6a9f0cc 100644 --- a/vars/local_vars_min.yml +++ b/vars/local_vars_min.yml @@ -199,6 +199,7 @@ iiab_usb_lib_show_all: True # ejabberd_xs_install: False # ejabberd_xs_enabled: False +# UNMAINTAINED since about 2012-2017 # Change calibre_port from 8080 to 8010 below, if you enable idmgr # idmgr_install: False # idmgr_enabled: False From 962f8205e2c34a9804243c94290b22cd0f05a080 Mon Sep 17 00:00:00 2001 From: A Holt Date: Tue, 21 Jan 2020 11:55:27 -0500 Subject: [PATCH 06/17] Mark idmgr as UNMAINTAINED in local_vars_medium.yml --- vars/local_vars_medium.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/vars/local_vars_medium.yml b/vars/local_vars_medium.yml index d7259d7d8..84adcec5a 100644 --- a/vars/local_vars_medium.yml +++ b/vars/local_vars_medium.yml @@ -199,6 +199,7 @@ iiab_usb_lib_show_all: True # ejabberd_xs_install: False # ejabberd_xs_enabled: False +# UNMAINTAINED since about 2012-2017 # Change calibre_port from 8080 to 8010 below, if you enable idmgr # idmgr_install: False # idmgr_enabled: False From cc939c90a5ff55dcfced90028ec71fe7d9c3a4f0 Mon Sep 17 00:00:00 2001 From: A Holt Date: Tue, 21 Jan 2020 11:55:40 -0500 Subject: [PATCH 07/17] Mark idmgr as UNMAINTAINED in local_vars_big.yml --- vars/local_vars_big.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/vars/local_vars_big.yml b/vars/local_vars_big.yml index 330e25c4c..569b508dc 100644 --- a/vars/local_vars_big.yml +++ b/vars/local_vars_big.yml 
@@ -199,6 +199,7 @@ iiab_usb_lib_show_all: True # ejabberd_xs_install: False # ejabberd_xs_enabled: False +# UNMAINTAINED since about 2012-2017 # Change calibre_port from 8080 to 8010 below, if you enable idmgr # idmgr_install: False # idmgr_enabled: False From 83f31e56ae0fefc2a806fbd5be23a42fab11ed9c Mon Sep 17 00:00:00 2001 From: A Holt Date: Tue, 21 Jan 2020 12:02:52 -0500 Subject: [PATCH 08/17] Update default_vars.yml --- vars/default_vars.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/vars/default_vars.yml b/vars/default_vars.yml index 8746126fc..ad699544d 100644 --- a/vars/default_vars.yml +++ b/vars/default_vars.yml @@ -351,9 +351,6 @@ dokuwiki_install: False dokuwiki_enabled: False dokuwiki_url: /dokuwiki -mediawiki_install: False -mediawiki_enabled: False - # UNMAINTAINED as of November 2019 ejabberd_install: False ejabberd_enabled: False @@ -373,6 +370,9 @@ gitea_port: 61734 lokole_install: False lokole_enabled: False +mediawiki_install: False +mediawiki_enabled: False + # MQTT pub-sub broker for IoT on Raspberry Pi etc mosquitto_install: False mosquitto_enabled: False From c39ad42c71b741b5bb096e206d0346938575cc00 Mon Sep 17 00:00:00 2001 From: A Holt Date: Tue, 21 Jan 2020 12:02:56 -0500 Subject: [PATCH 09/17] Update local_vars_min.yml --- vars/local_vars_min.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/vars/local_vars_min.yml b/vars/local_vars_min.yml index af6a9f0cc..6f709a265 100644 --- a/vars/local_vars_min.yml +++ b/vars/local_vars_min.yml @@ -214,9 +214,6 @@ azuracast_enabled: False dokuwiki_install: False dokuwiki_enabled: False -mediawiki_install: False -mediawiki_enabled: False - # Unmaintained as of November 2019 ejabberd_install: False ejabberd_enabled: False 
@@ -232,6 +229,9 @@ gitea_enabled: False lokole_install: False lokole_enabled: False +mediawiki_install: False +mediawiki_enabled: False + # MQTT pub-sub broker for IoT on Raspberry Pi etc mosquitto_install: False mosquitto_enabled: False From 33eeec488ddd7467c21c542fb52979de25fd0551 Mon Sep 17 00:00:00 2001 From: A Holt Date: Tue, 21 Jan 2020 12:03:02 -0500 Subject: [PATCH 10/17] Update local_vars_medium.yml --- vars/local_vars_medium.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/vars/local_vars_medium.yml b/vars/local_vars_medium.yml index 84adcec5a..1a6591d5f 100644 --- a/vars/local_vars_medium.yml +++ b/vars/local_vars_medium.yml @@ -214,9 +214,6 @@ azuracast_enabled: False dokuwiki_install: False dokuwiki_enabled: False -mediawiki_install: False -mediawiki_enabled: False - # Unmaintained as of November 2019 ejabberd_install: False ejabberd_enabled: False @@ -232,6 +229,9 @@ gitea_enabled: False lokole_install: False lokole_enabled: False +mediawiki_install: False +mediawiki_enabled: False + # MQTT pub-sub broker for IoT on Raspberry Pi etc mosquitto_install: False mosquitto_enabled: False From 6422282f754f44fe5c860ac370ffa1b0824863f3 Mon Sep 17 00:00:00 2001 From: A Holt Date: Tue, 21 Jan 2020 12:03:06 -0500 Subject: [PATCH 11/17] Update local_vars_big.yml --- vars/local_vars_big.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/vars/local_vars_big.yml b/vars/local_vars_big.yml index 569b508dc..c0a2c2b4a 100644 --- a/vars/local_vars_big.yml +++ b/vars/local_vars_big.yml @@ -214,9 +214,6 @@ azuracast_enabled: False dokuwiki_install: False dokuwiki_enabled: False -mediawiki_install: True -mediawiki_enabled: True - # Unmaintained as of November 2019 ejabberd_install: False ejabberd_enabled: False 
@@ -232,6 +229,9 @@ gitea_enabled: True lokole_install: True lokole_enabled: True +mediawiki_install: True +mediawiki_enabled: True + # MQTT pub-sub broker for IoT on Raspberry Pi etc mosquitto_install: True mosquitto_enabled: True From 65003acf8f65878e65e2331ea467f30049d61942 Mon Sep 17 00:00:00 2001 From: A Holt Date: Tue, 21 Jan 2020 12:03:54 -0500 Subject: [PATCH 12/17] Update network/defaults/main.yml --- roles/network/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/network/defaults/main.yml b/roles/network/defaults/main.yml index 8b9f5d060..cf450bb59 100644 --- a/roles/network/defaults/main.yml +++ b/roles/network/defaults/main.yml @@ -23,6 +23,7 @@ # hostapd_secure: False # hostapd_password: changeme # +# hostapd_install: True # 2020-01-21: do not rely on this var for now (might be implemented in future) # hostapd_enabled: True # Above is forcibly set to False (in roles/network/tasks/main.yml) if IIAB is # being WiFi-installed (run "iiab-hotspot-on" AFTER ./iiab-install completes From c90b1ae185603756e8f241e975312b6f8f0a440f Mon Sep 17 00:00:00 2001 From: A Holt Date: Tue, 21 Jan 2020 16:01:52 -0500 Subject: [PATCH 13/17] Create 0-init/tasks/validate_vars.yml --- roles/0-init/tasks/validate_vars.yml | 117 +++++++++++++++++++++++++++ 1 file changed, 117 insertions(+) create mode 100644 roles/0-init/tasks/validate_vars.yml diff --git a/roles/0-init/tasks/validate_vars.yml b/roles/0-init/tasks/validate_vars.yml new file mode 100644 index 000000000..7605dd8b7 --- /dev/null +++ b/roles/0-init/tasks/validate_vars.yml 
@@ -0,0 +1,117 @@ +# 2020-01-21: Ansible Input Validation (basic sanity checking for now) to check +# that /etc/iiab/local_vars.yml *_install and *_enabled variables appear +# coherent (i.e. defined, have type boolean & with plausible values!) Stricter +# validation is needed when roles/playbooks/tasks are later invoked. Risks +# abound, but Ansible's inverting logic when boolean vars are accidentally +# declared as strings is especially dangerous, so it's the main focus below. + +# "Ansible 2.8+ ADVISORY: avoid warnings by using 'when: var | bool' for +# top-level BARE vars (in case they're strings, instead of boolean)" +# https://github.com/iiab/iiab/issues/1632 + +# "How Exactly Does Ansible Parse Boolean Variables?" +# https://stackoverflow.com/questions/47877464/how-exactly-does-ansible-parse-boolean-variables/47877502#47877502 +# ...is very helpful but has it slightly wrong, as Ansible implements only ~18 +# of YAML's 22 definitions of boolean (https://yaml.org/type/bool.html). +# i.e. Ansible fails to implement y|Y|n|N, only allowing ~18 boolean values: +# +# yes|Yes|YES|no|No|NO +# |true|True|TRUE|false|False|FALSE +# |on|On|ON|off|Off|OFF +# +# Otherwise 'var != (var | bool)' is dangerously common, e.g. (1) when a var +# is not one of the above ~18 words (forcing it to become a string) or (2) when +# a var is accidentally set using quotes (forcing it to become a string) these +# ~18 words too WILL FAIL as strings (as will any non-empty string...so beware +# casting strings to boolean later on...can make the situation worse!) +# https://docs.ansible.com/ansible/latest/porting_guides/porting_guide_2.8.html#bare-variables-in-conditionals + +# "How do i fail a task in Ansible if the variable contains a boolean value? 
+# I want to perform input validation for Ansible playbooks" +# https://stackoverflow.com/questions/46664127/how-do-i-fail-a-task-in-ansible-if-the-variable-contains-a-boolean-value-i-want/46667499#46667499 + +- name: Set vars_checklist for 46 + 46 vars ("XYZ_install" + "XYZ_enabled") to be checked + set_fact: + vars_checklist: + - hostapd + - dhcpd + - named + - dnsmasq + - captiveportal + - bluetooth + - wondershaper + - sshd + - openvpn + - nginx + - apache + - mysql + - squid + - dansguardian + - postgresql + - cups + - samba + - idmgr + - azuracast + - dokuwiki + - ejabberd + - elgg + - gitea + - lokole + - mediawiki + - mosquitto + - nodered + - nextcloud + - pbx + - wordpress + - kalite + - kolibri + - kiwix + - moodle + - mongodb + - sugarizer + - transmission + - awstats + - monit + - munin + - phpmyadmin + - vnstat + - internetarchive + - minetest + - calibre + - calibreweb + +- name: Assert that 46 "XYZ_install" vars are defined + assert: + that: "{{ item }}_install is defined" + quiet: yes + loop: "{{ vars_checklist }}" + #register: install_vars_defined + +- name: Assert that 46 "XYZ_enabled" vars are defined + assert: + that: "{{ item }}_enabled is defined" + quiet: yes + loop: "{{ vars_checklist }}" + #register: enabled_vars_defined + +- name: Assert that 46 "XYZ_install" vars are type boolean (not type string, which can invert logic!) + assert: + that: "{{ item }}_install | type_debug == 'bool'" + quiet: yes + loop: "{{ vars_checklist }}" + #register: install_vars_boolean + +- name: Assert that 46 "XYZ_enabled" vars are type boolean (not type string, which can invert logic!) 
+ assert: + that: "{{ item }}_enabled | type_debug == 'bool'" + quiet: yes + loop: "{{ vars_checklist }}" + #register: enabled_vars_boolean + +- name: 'DISALLOW "XYZ_install: False" WITH "XYZ_enabled: True" for 46 var pairs' + assert: + that: "{{ item }}_install or not {{ item }}_enabled" + #fail_msg: '{{ item }}_install or not {{ item }}_enabled {{ item }}_install is {{ {{ item }}_install }} {{ item }}_enabled is {{ {{ item }}_enabled }}' # Is there a way to output var values ? + quiet: yes + loop: "{{ vars_checklist }}" + #register: var_pairs_validation From 31de9459bc7af6790fa0a3f6804eb617aca921ba Mon Sep 17 00:00:00 2001 From: A Holt Date: Tue, 21 Jan 2020 16:01:57 -0500 Subject: [PATCH 14/17] include_tasks: validate_vars.yml in 0-init/tasks/main.yml --- roles/0-init/tasks/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/0-init/tasks/main.yml b/roles/0-init/tasks/main.yml index 6337297ad..9b0778ffe 100644 --- a/roles/0-init/tasks/main.yml +++ b/roles/0-init/tasks/main.yml @@ -33,6 +33,9 @@ setup: filter: ansible_local +# Check that ~46+46 XYZ_install+XYZ_enabled vars are defined, bool & plausible! +- include_tasks: validate_vars.yml + - name: Set top-level variables from local_facts for convenience set_fact: xo_model: "{{ ansible_local.local_facts.xo_model }}" From 6aaa335b996fb860ebde3ef55653607308cd7c6c Mon Sep 17 00:00:00 2001 From: A Holt Date: Tue, 21 Jan 2020 16:21:40 -0500 Subject: [PATCH 15/17] Update munin/tasks/main.yml --- roles/munin/tasks/main.yml | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/roles/munin/tasks/main.yml b/roles/munin/tasks/main.yml index 7aba3803d..9270e666d 100644 --- a/roles/munin/tasks/main.yml +++ b/roles/munin/tasks/main.yml 
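Review bot: None of the five assert loops in roles/0-init/tasks/validate_vars.yml sets `fail_msg`, so a failure shows the rendered expression but not the value or type that tripped it, which is what the commented-out `#fail_msg` in the last task was trying to print. Nested `{{ {{ item }}_install }}` cannot work, but `lookup('vars', item + '_install')` resolves a variable by its computed name, e.g. `fail_msg: "{{ item }}_install is {{ lookup('vars', item + '_install') | type_debug }}, expected bool"` on the two type checks. Separately, the checklist covers only *_install and *_enabled; other booleans visible in vars/default_vars.yml earlier in this series, such as `hostapd_secure` and `adm_cons_force_ssl`, would still pass if written as quoted strings, and those are settings where inverted logic would weaken the deployment. The hard-coded "46" in the five task names and in the comment added to 0-init/tasks/main.yml (patch 14) will drift as soon as the list changes; dropping the count avoids that.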
@@ -1,10 +1,24 @@ -- assert: - that: munin_install is defined and munin_install is sameas true - success_msg: munin_install is defined and munin_install is sameas true +# "How do i fail a task in Ansible if the variable contains a boolean value? +# I want to perform input validation for Ansible playbooks" +# https://stackoverflow.com/questions/46664127/how-do-i-fail-a-task-in-ansible-if-the-variable-contains-a-boolean-value-i-want/46667499#46667499 -- assert: - that: munin_enabled is defined and munin_enabled | type_debug == 'bool' - success_msg: munin_enabled is defined and munin_enabled | type_debug == 'bool' +# If 0-init/tasks/validate_vars.yml has DEFINITELY been run (?) perhaps no need +# to re-check whether vars are defined here. As Ansible vars cannot be unset: +# https://serverfault.com/questions/856729/how-to-destroy-delete-unset-a-variable-value-in-ansible + +- name: Assert that "munin_install is sameas true" (boolean not string etc) + assert: + that: munin_install is sameas true + quiet: yes + #that: munin_install is defined and munin_install is sameas true + #success_msg: munin_install is defined and munin_install is sameas true + +- name: Assert that "munin_enabled | type_debug == 'bool'" (boolean not string etc) + assert: + that: munin_enabled | type_debug == 'bool' + quiet: yes + #that: munin_enabled is defined and munin_enabled | type_debug == 'bool' + #success_msg: munin_enabled is defined and munin_enabled | type_debug == 'bool' - name: Install Munin if 'munin_installed' is not defined in {{ iiab_state_file }} # /etc/iiab/iiab_state.yml include_tasks: install.yml From 94b465d4675895839494029cdd84e24601f62527 Mon Sep 17 00:00:00 2001 From: A Holt Date: Tue, 21 Jan 2020 16:22:01 -0500 Subject: [PATCH 16/17] Update wordpress/tasks/main.yml --- roles/wordpress/tasks/main.yml | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) 
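Review bot: Dropping `is defined` from both asserts rests on 0-init/tasks/validate_vars.yml having run first, which the added comment itself questions, and neither assert has a `fail_msg` to say what went wrong if it has not. As far as I can tell both conditions still fail closed on an undefined variable, so the risk is a confusing failure rather than a skipped check; a line such as `fail_msg: munin_install must be boolean true (unquoted) in local_vars.yml` would make that failure actionable. The commented-out `#that:` and `#success_msg:` lines are the previous revision and can be removed, since git already keeps them. The same applies to the wordpress asserts in patch 16; the task list continues past the end of this hunk.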
diff --git a/roles/wordpress/tasks/main.yml b/roles/wordpress/tasks/main.yml index a508d0d49..6061d6781 100644 --- a/roles/wordpress/tasks/main.yml +++ b/roles/wordpress/tasks/main.yml @@ -1,12 +1,26 @@ # SEE "emergency" REINSTALL INSTRUCTIONS IN roles/wordpress/tasks/install.yml -- assert: - that: wordpress_install is defined and wordpress_install is sameas true - success_msg: wordpress_install is defined and wordpress_install is sameas true +# "How do i fail a task in Ansible if the variable contains a boolean value? +# I want to perform input validation for Ansible playbooks" +# https://stackoverflow.com/questions/46664127/how-do-i-fail-a-task-in-ansible-if-the-variable-contains-a-boolean-value-i-want/46667499#46667499 -- assert: - that: wordpress_enabled is defined and wordpress_enabled | type_debug == 'bool' - success_msg: wordpress_enabled is defined and wordpress_enabled | type_debug == 'bool' +# If 0-init/tasks/validate_vars.yml has DEFINITELY been run (?) perhaps no need +# to re-check whether vars are defined here. As Ansible vars cannot be unset: +# https://serverfault.com/questions/856729/how-to-destroy-delete-unset-a-variable-value-in-ansible + +- name: Assert that "wordpress_install is sameas true" (boolean not string etc) + assert: + that: wordpress_install is sameas true + quiet: yes + #that: wordpress_install is defined and wordpress_install is sameas true + #success_msg: wordpress_install is defined and wordpress_install is sameas true + +- name: Assert that "wordpress_enabled | type_debug == 'bool'" (boolean not string etc) + assert: + that: wordpress_enabled | type_debug == 'bool' + quiet: yes + #that: wordpress_enabled is defined and wordpress_enabled | type_debug == 'bool' + #success_msg: wordpress_enabled is defined and wordpress_enabled | type_debug == 'bool' - name: Provision MySQL DB for WordPress, if 'wordpress_installed' is not defined in {{ iiab_state_file }} # /etc/iiab/iiab_state.yml include_tasks: setup.yml 
From ab3a070a89e2b4c16391ba1fee326d2e92ef555e Mon Sep 17 00:00:00 2001
From: A Holt
Date: Tue, 21 Jan 2020 16:40:11 -0500
Subject: [PATCH 17/17] Update 0-init/tasks/validate_vars.yml
---
roles/0-init/tasks/validate_vars.yml | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/roles/0-init/tasks/validate_vars.yml b/roles/0-init/tasks/validate_vars.yml
index 7605dd8b7..c914a5a90 100644
--- a/roles/0-init/tasks/validate_vars.yml
+++ b/roles/0-init/tasks/validate_vars.yml
@@ -1,15 +1,17 @@ # 2020-01-21: Ansible Input Validation (basic sanity checking for now) to check -# that /etc/iiab/local_vars.yml *_install and *_enabled variables appear -# coherent (i.e. defined, have type boolean & with plausible values!) Stricter -# validation is needed when roles/playbooks/tasks are later invoked. Risks -# abound, but Ansible's inverting logic when boolean vars are accidentally -# declared as strings is especially dangerous, so it's the main focus below. +# that *_install and *_enabled variables (as set in places like +# /etc/iiab/local_vars.yml) appear coherent i.e. (1) are confirmed defined, (2) +# have type boolean (Ansible often inverts logic when boolean vars are +# accidentally declared as strings, see below!) and (3) have plausible values. -# "Ansible 2.8+ ADVISORY: avoid warnings by using 'when: var | bool' for +# Stricter validation is needed later, when roles/playbooks/tasks are invoked +# by various scripts, possibly bypassing 0-init? Either way, risks abound :/ + +# 1. "Ansible 2.8+ ADVISORY: avoid warnings by using 'when: var | bool' for # top-level BARE vars (in case they're strings, instead of boolean)" # https://github.com/iiab/iiab/issues/1632 -# "How Exactly Does Ansible Parse Boolean Variables?" +# 2. "How Exactly Does Ansible Parse Boolean Variables?" # https://stackoverflow.com/questions/47877464/how-exactly-does-ansible-parse-boolean-variables/47877502#47877502 # ...is very helpful but has it slightly wrong, as Ansible implements only ~18 # of YAML's 22 definitions of boolean (https://yaml.org/type/bool.html). 
@@ -26,7 +28,7 @@ # casting strings to boolean later on...can make the situation worse!) # https://docs.ansible.com/ansible/latest/porting_guides/porting_guide_2.8.html#bare-variables-in-conditionals -# "How do i fail a task in Ansible if the variable contains a boolean value? +# 3. "How do i fail a task in Ansible if the variable contains a boolean value? # I want to perform input validation for Ansible playbooks" # https://stackoverflow.com/questions/46664127/how-do-i-fail-a-task-in-ansible-if-the-variable-contains-a-boolean-value-i-want/46667499#46667499