Templating firewalld zones with Ansible - XML or vars issue
Templating firewalld zones with Ansible - XML manipulation issue. I am a bit confused about the rule family.
What is in my CORRECTED vars file:
firewalld_zones:
  - name: public
    short: "Public"
    description: "Public Zone"
    service:
      - { name: ssh }
      - { name: dhcpv6-client }
    port:
      - { protocol: tcp, port: 8000 }
      - { protocol: tcp, port: 8089 }
      - { protocol: udp, port: 52311 }
      - { protocol: udp, port: 514 }
      - { protocol: tcp, port: 8191 }
      - { protocol: tcp, port: 8888 }
    masquerade: true
    forward-port:
      - { to-port: 8000, protocol: tcp, port: 443 }
    rule:
      - family: ipv4
        source:
          - address: "172.18.0.0/16"
          - action: accept
      - family: ipv4
        source:
          - address: "172.17.0.0/16"
          - action: accept
What I get with the corrected vars and template:
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>PUBLIC</short>
  <description>Public Zone</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="8000"/>
  <port protocol="tcp" port="8089"/>
  <port protocol="udp" port="52311"/>
  <port protocol="udp" port="514"/>
  <port protocol="tcp" port="8191"/>
  <port protocol="tcp" port="8888"/>
  <masquerade/>
  <forward-port to-port="8000" protocol="tcp" port="443"/>
  <rule family="ipv4">
    <source address="172.18.0.0/16"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="172.17.0.0/16"/>
    <accept/>
  </rule>
</zone>
Could you provide a sample var that mixes rules with a rule family? I have tried countless iterations with no luck. :(
Contents of my corrected template file:
<?xml version="1.0" encoding="utf-8"?>
<zone{% if item.target is defined %} target="{{ item.target }}"{% endif %}>
  <short>{{ item.short|default(item.name)|upper }}</short>
{% if item.description is defined %}
  <description>{{ item.description }}</description>
{% endif %}
{% for tag in item %}
{# Settings which can be used several times #}
{% if tag in ['interface','source','service','port','protocol','icmp-block','forward-port','source-port'] %}
{% for subtag in item[tag] %}
  <{{ tag }}{% for name,value in subtag.items() %} {{ name }}="{{ value }}"{% endfor %}/>
{% endfor %}
{# Settings which can be used once #}
{% elif tag in ['icmp-block-inversion','masquerade'] and item[tag] == True %}
  <{{ tag }}/>
{% endif %}
{% endfor %}
{% for rule in item.rule|default([]) %}
  <rule{% if rule.family is defined %} family="{{ rule.family }}"{% endif %}>
{% for tag in rule %}
{% if tag in ['source','destination','service','port','icmp-block','icmp-type','masquerade','forward-port','protocol'] %}
{% for subtag in rule[tag] %}
{% for name,value in subtag.items() %}
{% if name in ['action'] %}
    <{{ value }}/>
{% else %}
    <{{ tag }} {{ name }}="{{ value }}"/>
{% endif %}
{% endfor %}
{% endfor %}
{% endif %}
{% endfor %}
  </rule>
{% endfor %}
</zone>
After spending some time looking at the template file and playing around with it, I found spacing/indentation problems in the template file and structural problems in my vars file.
I will update my question with the corrected versions so the difference can be seen.
Modified template file:
<?xml version="1.0" encoding="utf-8"?>
<zone{% if item.target is defined %} target="{{ item.target }}"{% endif %}>
  <short>{{ item.short|default(item.name)|upper }}</short>
{% if item.description is defined %}
  <description>{{ item.description }}</description>
{% endif %}
{% for tag in item %}
{# Settings which can be used several times #}
{% if tag in ['interface','source','service','port','protocol','icmp-block','forward-port','source-port'] %}
{% for subtag in item[tag] %}
  <{{ tag }}{% for name,value in subtag.items() %} {{ name }}="{{ value }}"{% endfor %}/>
{% endfor %}
{# Settings which can be used once #}
{% elif tag in ['icmp-block-inversion','masquerade'] and item[tag] == True %}
  <{{ tag }}/>
{% endif %}
{% endfor %}
{% for rule in item.rule|default([]) %}
  <rule{% if rule.family is defined %} family="{{ rule.family }}"{% endif %}>
{% for tag in rule %}
{% if tag in ['source','destination','service','port','icmp-block','icmp-type','masquerade','forward-port','protocol'] %}
{% for subtag in rule[tag] %}
{% for name,value in subtag.items() %}
{% if name in ['action'] %}
    <{{ value }}/>
{% else %}
    <{{ tag }} {{ name }}="{{ value }}"/>
{% endif %}
{% endfor %}
{% endfor %}
{% endif %}
{% endfor %}
  </rule>
{% endfor %}
</zone>
Modified vars structure:
firewalld_zones:
  - name: public
    short: "Public"
    description: "Public Zone"
    service:
      - { name: ssh }
      - { name: dhcpv6-client }
    port:
      - { protocol: tcp, port: 8000 }
      - { protocol: tcp, port: 8089 }
      - { protocol: udp, port: 52311 }
      - { protocol: udp, port: 514 }
      - { protocol: tcp, port: 8191 }
      - { protocol: tcp, port: 8888 }
    masquerade: true
    forward-port:
      - { to-port: 8000, protocol: tcp, port: 443 }
    rule:
      - family: ipv4
        source:
          - address: "172.18.0.0/16"
          - action: accept
      - family: ipv4
        source:
          - address: "172.17.0.0/16"
          - action: accept
Output of the compiled file:
# cat public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>PUBLIC</short>
  <description>Public Zone</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="8000"/>
  <port protocol="tcp" port="8089"/>
  <port protocol="udp" port="52311"/>
  <port protocol="udp" port="514"/>
  <port protocol="tcp" port="8191"/>
  <port protocol="tcp" port="8888"/>
  <masquerade/>
  <forward-port to-port="8000" protocol="tcp" port="443"/>
  <rule family="ipv4">
    <source address="172.18.0.0/16"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="172.17.0.0/16"/>
    <accept/>
  </rule>
</zone>
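As an added example (not part of the question or the answer, and not Ansible or firewalld project code), here is a small standard-library Python check that runs over the rendered zone XML before it is copied into place and reports the structural mistakes the template module renders silently: a rich rule with no action element or with several, a source address in a rule that has no family, an address whose version does not match the declared family, and an out-of-range port. The accepted action elements (accept, reject, drop, mark), the address families and the port range are assumptions taken from the firewalld zone format as I know it. Both inputs are constructed: the first mirrors the public.xml above, the second is deliberately mis-nested.

```python
"""Sanity-check a rendered firewalld zone file before deploying it.

Added example (not from the question or answer above); standard library only.
Assumes the zone XML layout shown on the page: <port>/<forward-port> entries
and <rule> elements holding <source>/<destination> plus one action element.
"""
import ipaddress
import xml.etree.ElementTree as ET

ACTIONS = {"accept", "reject", "drop", "mark"}   # assumed set of rich-rule actions
FAMILIES = {"ipv4", "ipv6"}
PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}


def _check_port(value, where, findings):
    """firewalld accepts a single port ("80") or a range ("8000-8010")."""
    try:
        nums = [int(p) for p in value.split("-")]
    except ValueError:
        findings.append(f"{where}: port '{value}' is not numeric")
        return
    if len(nums) > 2 or nums != sorted(nums) or any(not 1 <= n <= 65535 for n in nums):
        findings.append(f"{where}: port '{value}' is not a valid port or range")


def validate_zone(xml_text):
    """Return a list of human-readable findings; an empty list means the zone looks sane."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "zone":
        return [f"root element is <{root.tag}>, expected <zone>"]

    # <port> and <forward-port> both open something on the host: check them the same way
    for elem in list(root.iter("port")) + list(root.iter("forward-port")):
        where = f"<{elem.tag} {elem.get('port')}>"
        if elem.get("protocol") not in PROTOCOLS:
            findings.append(f"{where}: unknown protocol '{elem.get('protocol')}'")
        for attr in ("port", "to-port"):
            if elem.get(attr) is not None:
                _check_port(elem.get(attr), where, findings)

    for i, rule in enumerate(root.findall("rule"), start=1):
        where = f"rule #{i}"
        family = rule.get("family")
        if family is not None and family not in FAMILIES:
            findings.append(f"{where}: unknown family '{family}'")
        # zero or several action elements is the classic symptom of a mis-nested
        # vars file that the Jinja template rendered without complaint
        actions = [child.tag for child in rule if child.tag in ACTIONS]
        if len(actions) != 1:
            findings.append(f"{where}: expected exactly one action element, found {len(actions)}")
        for ep in rule.findall("source") + rule.findall("destination"):
            addr = ep.get("address")
            if addr is None:          # mac= or ipset= endpoints are not checked here
                continue
            if family is None:
                findings.append(f"{where}: <{ep.tag} address=...> needs a family attribute")
                continue
            try:
                net = ipaddress.ip_network(addr, strict=False)
            except ValueError:
                findings.append(f"{where}: '{addr}' is not a valid address or network")
                continue
            if f"ipv{net.version}" != family:
                findings.append(f"{where}: '{addr}' is IPv{net.version} but family is {family}")
    return findings


# Constructed samples: RENDERED_ZONE mirrors the public.xml from the question,
# BROKEN_ZONE shows the kind of output a mis-nested vars file can produce.
RENDERED_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>PUBLIC</short>
  <description>Public Zone</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="8000"/>
  <port protocol="udp" port="514"/>
  <masquerade/>
  <forward-port to-port="8000" protocol="tcp" port="443"/>
  <rule family="ipv4">
    <source address="172.18.0.0/16"/>
    <accept/>
  </rule>
</zone>
"""

BROKEN_ZONE = """<zone>
  <short>BROKEN</short>
  <port protocol="tcp" port="99999"/>
  <rule>
    <source address="172.17.0.0/16"/>
  </rule>
  <rule family="ipv4">
    <source address="2001:db8::/32"/>
    <accept/>
    <drop/>
  </rule>
</zone>
"""

if __name__ == "__main__":
    for label, doc in (("rendered", RENDERED_ZONE), ("broken", BROKEN_ZONE)):
        print(label, validate_zone(doc) or ["ok"])
```

Run it as a post-task check (for instance from a `validate` step or a handler that fails the play when the list is non-empty) so a vars file that renders to well-formed but meaningless XML is caught before firewalld loads it.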
The template is expecting "source", but you typed "source address". I am a bit surprised Ansible did not complain about this, as it is clearly an error. It should look like this:
rule:
  - {family: ipv4, source: {address: 172.18.0.0/16}, action: accept}
  - {family: ipv4, source: {address: 172.17.0.0/16}, action: accept}