0

开发者社区您好!

这是我在这里的第一篇文章 :-) 我对 Ansible 比较陌生,希望获得以下方面的帮助。我正在尝试创建一些脚本来管理 Citrix NetScaler VPX 上的功能。在这种特定情况下,我想部署一个包含已定义 SSL 密码的 SSL 密码组。我在 YAML 文件中定义了以下数据结构:

nsapp_sslciphergroup:
  - ciphergroupname:                   "TEST_1"
    sslcipher:
      - ciphername:                    "TLS1.3-AES256-GCM-SHA384"
        cipherpriority:                "1"
      - ciphername:                    "TLS1.3-CHACHA20-POLY1305-SHA256"
        cipherpriority:                "2"
      - ciphername:                    "TLS1.3-AES128-GCM-SHA256"
        cipherpriority:                "3"

  - ciphergroupname:                   "TEST_2"
    sslcipher:
      - ciphername:                    "TLS1.2-ECDHE-RSA-AES256-GCM-SHA384"
        cipherpriority:                "1"
      - ciphername:                    "TLS1.2-ECDHE-RSA-AES128-GCM-SHA256"
        cipherpriority:                "2"
      - ciphername:                    "TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384"
        cipherpriority:                "3"

这样的 NetScaler 不允许再次将相同的密码绑定到给定的密码组中,因此在进行任何更改之前,我需要以某种方式检查密码组及其绑定是否已经存在。所以第一次运行是可以的,但是任何连续的运行都会失败,因为给定的密码名已经绑定到密码组。当前代码如下:

- name: "Add SSL ciphergroup binding(s)"
  netscaler_nitro_request:
    <<: *nitro_login
    operation: add
    resource: sslcipher_sslciphersuite_binding
    name: ""
    attributes:
          ciphergroupname: "{{ item.0.ciphergroupname }}"
          ciphername: "{{ item.1.ciphername }}"
          cipherpriority: "{{ item.1.cipherpriority }}"
  register: add_sslcipher_sslciphersuite_binding_result
  with_subelements:
    - "{{ nsapp_sslciphergroup }}"
    - "sslcipher"
    - skip_missing: true

为了在再次运行脚本之前检查当前配置是什么,我有以下代码:

- name: "Check if SSL ciphergroup binding(s) are already defined"
  netscaler_nitro_request:
    <<: *nitro_login
    operation: get
    resource: sslcipher_sslciphersuite_binding
    name: "{{ item.ciphergroupname }}"
    attributes:
          ciphergroupname: "{{ item.ciphergroupname }}"
  register: get_sslcipher_sslciphersuite_binding_result
  with_items: "{{ nsapp_sslciphergroup }}"

如果密码组已使用其绑定定义(并且对于“TEST_2”组也具有类似的输出,也具有各自的绑定),则此代码会产生以下结果(在“get_sslcipher_sslciphersuite_binding_result”变量中注册):

"nitro_object": [
    {
        "ciphergroupname": "TEST_1", 
        "ciphername": "TLS1.3-AES256-GCM-SHA384", 
        "cipherpriority": "1", 
        "description": "TLSv1.3 Kx=any      Au=any  Enc=AES-GCM(256) Mac=AEAD   HexCode=0x1302", 
        "peflags": "4", 
        "stateflag": "512"
    }, 
    {
        "ciphergroupname": "TEST_1", 
        "ciphername": "TLS1.3-CHACHA20-POLY1305-SHA256", 
        "cipherpriority": "2", 
        "description": "TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD   HexCode=0x1303", 
        "peflags": "4", 
        "stateflag": "512"
    }, 
    {
        "ciphergroupname": "TEST_1", 
        "ciphername": "TLS1.3-AES128-GCM-SHA256", 
        "cipherpriority": "3", 
        "description": "TLSv1.3 Kx=any      Au=any  Enc=AES-GCM(128) Mac=AEAD   HexCode=0x1301", 
        "peflags": "4", 
        "stateflag": "512"
    }
],

我正在尝试在“with_subelements”部分之后添加一个“when”子句,但脚本的 add 部分总是想要运行。

有人可以建议检查“get_sslcipher_sslciphersuite_binding_result”变量是否包含给定密码组的给定密码名的正确方法是什么?

提前谢谢了!

4

2 回答 2

0

解决方法是让模块报故障,测试errorcode

failed_when: 
  - add_sslcipher_sslciphersuite_binding_result.nitro_errorcode != 0
  - add_sslcipher_sslciphersuite_binding_result.nitro_errorcode != 3741

鉴于模块在成功更新资源时返回“0”,可能有可能使其具有幂等性

changed_when:
  - add_sslcipher_sslciphersuite_binding_result.nitro_errorcode == 0

不是幂等的。

问:NetScaler 本身不允许将相同的密码再次绑定到给定的密码组中,因此在进行任何更改之前,我需要以某种方式检查密码组及其绑定是否已经存在。所以第一次运行是可以的,但是任何连续的运行都会失败,因为给定的密码名已经绑定到密码组。当前代码如下:

- name: "Add SSL ciphergroup binding(s)"
  netscaler_nitro_request:
    <<: *nitro_login
    operation: add
    resource: sslcipher_sslciphersuite_binding
    name: ""
    attributes:
          ciphergroupname: "{{ item.0.ciphergroupname }}"
          ciphername: "{{ item.1.ciphername }}"
          cipherpriority: "{{ item.1.cipherpriority }}"
  register: add_sslcipher_sslciphersuite_binding_result
  with_subelements:
    - "{{ nsapp_sslciphergroup }}"
    - "sslcipher"
    - skip_missing: true

大多数 NetScaler REST API 查询都以这种方式工作,根本没有幂等性。

答:幂等性是 Ansible 的关键特性。从词汇表中引用

幂等性:一个操作是幂等的,如果执行一次的结果与重复执行的结果完全相同,没有任何干预动作。

文档中没有迹象表明模块netscaler_nitro_request可能不是幂等的。

于 2019-09-01T12:24:05.327 回答
0

刚刚破解它:-)“指定密码已绑定更高优先级”的 NS 错误代码是3741。只需将其添加到 failed_when 条件中。

- name: "Add SSL ciphergroup binding(s) if they do *NOT* exist"
  netscaler_nitro_request:
    <<: *nitro_login
    operation: add
    resource: sslcipher_sslciphersuite_binding
    name: ""
    attributes:
          ciphergroupname: "{{ item.0.ciphergroupname }}"
          ciphername: "{{ item.1.ciphername }}"
          cipherpriority: "{{ item.1.cipherpriority }}"
  register: add_sslcipher_sslciphersuite_binding_result
  until: ( add_sslcipher_sslciphersuite_binding_result is succeeded )
  retries: 6
  delay: 5
  with_subelements:
    - "{{ nsapp_sslciphergroup }}"
    - "sslcipher"
    - skip_missing: true
  failed_when: ( (add_sslcipher_sslciphersuite_binding_result.nitro_errorcode != 0) and (add_sslcipher_sslciphersuite_binding_result.nitro_errorcode != 3741) )
- debug: 
    var: add_sslcipher_sslciphersuite_binding_result
  tags: [ never, debug ]
- assert:
    that: ( (add_sslcipher_sslciphersuite_binding_result.results[{{ item }}].nitro_errorcode == 0) or (add_sslcipher_sslciphersuite_binding_result.results[{{ item }}].nitro_errorcode == 3741) )
    fail_msg: "[ERROR] Operation failed!"
    success_msg: "[OK] Operation successful." 
  loop: "{{ nsapp_sslciphergroup }}" 
  loop_control:
    index_var: item
于 2019-09-01T17:49:50.687 回答