We Keep Coding

Ansible: how to change/replace a port number in a configuration file

I am a newbie in the ansible world and one of the first thing I want to do is to change the default port in a configuration file: /etc/xrdp/xrdp.ini
Every time where value 3389 is found, I would like to replace it by a new value given by the variable xrdp_port
vars:
xrdp_port: 3391
I thought that something like the following declaration would work but unfortunately it doesn't
- name: tune /etc/xrdp/xrdp.ini
replace:
path: "/etc/xrdp/xrdp.ini"
regexp: '(.*)3389(.*)'
replace: '\1{{ xrdp_port }}\2'
I would strongly appreciate any help
Thank you

Q: "Where value 3389 is found replace it with a new value given by the variable xrdp_port."
A: Given the file xrdp.ini for testing
shell> cat xrdp.ini
port=3389
the task below does the job
- replace:
path: xrdp.ini
regexp: '^(\s*)port(\s*)=(\s*)3389(\s*?)$'
replace: '\1port={{ xrdp_port }}'
vars:
xrdp_port: 3391
Running the play with options --check --diff will display the difference
TASK [replace] ********************************************************
--- before: xrdp.ini
+++ after: xrdp.ini
## -1 +1 ##
-port=3389
+port=3391
changed: [localhost]
When the port is not set to default
shell> cat xrdp.ini
port=3999
the task will do nothing
TASK [replace] *****************************************************
ok: [localhost]
But, the limitation of replacing '3389' only doesn't make sense. '3389' is the default. No 'port' configuration or 'port=3389' is the same. It would make sense to add 'port={{ xrdp_port }}' always, e.g.
- replace:
path: xrdp.ini
regexp: '^(\s*)port(\s*)=(.*?)$'
replace: '\1port={{ xrdp_port }}'
vars:
xrdp_port: 3391
will replace any port's value by the value of xrdp_port
TASK [replace] *****************************************************
--- before: xrdp.ini
+++ after: xrdp.ini
## -1 +1 ##
-port=3999
+port=3391
changed: [localhost]
But, the line won't be added if the 'port' option is missing, e.g.
shell> cat xrdp.ini
security_layer=tls
the task will do nothing
TASK [replace] *****************************************************
ok: [localhost]
It would be better to use the module lineinfile instead of replace, e.g.
- lineinfile:
path: xrdp.ini
regexp: '^(\s*)port(\s*)=(.*)$'
line: 'port={{ xrdp_port }}'
vars:
xrdp_port: 3391
will add the line
TASK [lineinfile] **************************************************
--- before: xrdp.ini (content)
+++ after: xrdp.ini (content)
## -1 +1,2 ##
security_layer=tls
+port=3391
changed: [localhost]
If the option 'port' is present in the file the same task will also replace any port's value by the value of xrdp_port
shell> cat xrdp.ini
port=3999
TASK [lineinfile] **************************************************
--- before: xrdp.ini (content)
+++ after: xrdp.ini (content)
## -1 +1 ##
-port=3999
+port=3391
changed: [localhost]

Ansible regex_search stdout not working, but works in regex101.com

I've read a thousand of the Ansible regex_search questions on here and have not found a satisfying answer.
Here's the test playbook. backup_stdout is set identically to what I get from the backup utility:
---
- hosts: localhost
connection: local
gather_facts: no
vars:
backup_stdout: |-
Saving active configuration...
/var/local/ucs/f5-apm-1625-081021.ucs is saved.
tasks:
- name: Get the backup name
ansible.builtin.set_fact:
backup_name: "{{ backup_stdout | regex_search(stdout_regex, multiline=True) }}"
vars:
stdout_regex: '"\/var.*ucs\b"gm'
failed_when: backup_name == ''
- debug:
var: backup_name
I can't get the regex_search to produce a match. Here's the same code on regex101, which shows that it does match. I've tried the following:
with/without the multiline
with/without the trailing '\\1' in the expression
with/without passing the result to the | first filter
using ^\/var.*ucs instead of the word boundary (also matches on regex101)
So far, no matter what I've tried, I can't get the Ansible to match. Any help appreciated.

You've got some weird quoting in your regular expression that is causing problems. Because you've written:
stdout_regex: '"\/var.*ucs\b"gm'
You're passing the literal value "\/var.*ucs\b"gm to regex_search. There are no quotes (nor is there a gm) in the content of backup_stdout, so this is never going to match.
I think you want:
- hosts: localhost
connection: local
gather_facts: no
vars:
backup_stdout: |-
Saving active configuration...
/var/local/ucs/f5-apm-1625-081021.ucs is saved.
tasks:
- name: Get the backup name
ansible.builtin.set_fact:
backup_name: "{{ backup_stdout | regex_search(stdout_regex, multiline=True) }}"
vars:
stdout_regex: '/var.*ucs\b'
failed_when: backup_name == ''
- debug:
var: backup_name
Which produces:
TASK [debug] *******************************************************************
ok: [localhost] => {
"backup_name": "/var/local/ucs/f5-apm-1625-081021.ucs"
}

Remove a given hostname+URL from a line containing 3, separated by commas, in any position, using Ansible playbook

Scenario: I have a configuration file for etcd, and one of the nodes in the cluster has failed. I know the name of the failed node, but not its IP address nor the names of the other two hosts in the cluster. I need to write an Ansible play to remove the failed node from a line in the etcd config file, (presumably) using the Ansible builtin replace which (I believe) uses Python as its RE engine.
I have managed to create something that works, with one caveat: If the failed host is the third one listed, the RE leaves a dangling comma at the end of the line. I'm hoping that someone smarter than I am can edit or replace my regex to cover all three positional cases.
The hostname of the failed node is passed into the playbook as a variable, so {{ failed_node }} would be substituted for the actual hostname of the failed node, let's call it app-failedhost-eeeeeeeeee.node.consul in my example.
Given a regex
((?:^ETCD_INITIAL_CLUSTER=)(?:[a-z0-9-.]{15,}=https:\/\/[0-9]+(?:\.[0-9]+){3}:2380,?){0,2})(,?{{ failed_node }}=https:\/\/[0-9]+(?:[.][0-9]+){3}:2380,?)((?:,?[a-z0-9-.]{15,}=https:\/\/[0-9]+(?:\.[0-9]+){3}:2380,?){0,2})
which when being actually run would be (if failed_node=app-failedhost-eeeeeeeeee.node.consul)
((?:^ETCD_INITIAL_CLUSTER=)(?:[a-z0-9-.]{15,}=https:\/\/[0-9]+(?:\.[0-9]+){3}:2380,?){0,2})(,?app-failedhost-eeeeeeeeee.node.consul=https:\/\/[0-9]+(?:[.][0-9]+){3}:2380,?)((?:,?[a-z0-9-.]{15,}=https:\/\/[0-9]+(?:\.[0-9]+){3}:2380,?){0,2})
if run against one of these lines,
ETCD_INITIAL_CLUSTER=app-failedhost-eeeeeeeeee.node.consul=https://192.168.18.39:2380,app-instance-de24a5c1aefb.node.consul=https://192.168.18.92:2380,app-instance-6cc297ab3cc.node.consul=https://192.168.18.11:2380
ETCD_INITIAL_CLUSTER=app-instance-de24a5c1aefb.node.consul=https://192.168.18.92:2380,app-failedhost-eeeeeeeeee.node.consul=https://192.168.18.39:2380,app-instance-6cc297ab3cc.node.consul=https://192.168.18.11:2380
ETCD_INITIAL_CLUSTER=app-instance-de24a5c1aefb.node.consul=https://192.168.18.92:2380,app-instance-6cc297ab3cc.node.consul=https://192.168.18.11:2380,app-failedhost-eeeeeeeeee.node.consul=https://192.168.18.39:2380
(which if you simplify, is ETCD_INITIAL_CLUSTER= followed by three pairs of values, comma-separated, FQDN=https://[IP address]:2380 with the failed node in position 0, 1, or 2)
and the replace: is '\1\3', you get
ETCD_INITIAL_CLUSTER=app-instance-de24a5c1aefb.node.consul=https://192.168.18.92:2380,app-instance-6cc297ab3cc.node.consul=https://192.168.18.11:2380
ETCD_INITIAL_CLUSTER=app-instance-de24a5c1aefb.node.consul=https://192.168.18.92:2380,app-instance-6cc297ab3cc.node.consul=https://192.168.18.11:2380
ETCD_INITIAL_CLUSTER=app-instance-de24a5c1aefb.node.consul=https://192.168.18.92:2380,app-instance-6cc297ab3cc.node.consul=https://192.168.18.11:2380,
That's correct for the first two cases (failed node in first or second position) but if the failed node is in the third (last) position as in the third example line, then the final comma is left behind.
https://regex101.com/r/f635Wv/1 has the same examples as above.
Playbook, in case the full situation is not clear from the regex above, called node-cleanup.yaml, is called with ansible-playbook node-cleanup.yaml --extra-vars "failed_node=app-failedhost-eeeeeeeeee.node.consul" in the above examples:
---
- name: Clean up failed etcd node
hosts: etcd
become: true
tasks:
- name: Remove failed host from ETCD_INITIAL_CLUSTER line
replace:
path: "/etc/etcd/etcd.conf"
regexp: '((?:^ETCD_INITIAL_CLUSTER=)(?:[a-z0-9-.]{15,}=https:\/\/[0-9]+(?:\.[0-9]+){3}:2380,?){0,2})(,?{{ failed_node }}=https:\/\/[0-9]+(?:[.][0-9]+){3}:2380,?)((?:,?[a-z0-9-.]{15,}=https:\/\/[0-9]+(?:\.[0-9]+){3}:2380,?){0,2})'
replace: '\1\3'
but I think that part is fine, I just need some help with that beast of a regex.
If the line in the file before is simplified as
ETCD_INITIAL_CLUSTER=host1=IP,host2=IP,host3=IP
and I pass in “host3” for {{ failed_node }}, then I want
ETCD_INITIAL_CLUSTER=host1=IP,host2=IP
to come out, but what I actually get is
ETCD_INITIAL_CLUSTER=host1=IP,host2=IP,
(note the trailing comma)

Given the file
shell> cat test.conf
ETCD_INITIAL_CLUSTER=host1=IP,host2=IP,host3=IP
and the variable
failed_node: host3
Get the line from the configuration file. There are many options depending on the file is local or remote, e.g.
- shell: cat test.conf | grep ETCD_INITIAL_CLUSTER
register: result
check_mode: false
- set_fact:
eic: "{{ result.stdout }}"
gives
eic: ETCD_INITIAL_CLUSTER=host1=IP,host2=IP,host3=IP
Split the key/value pair and create a new value by rejecting the failed node
- set_fact:
_value: "{{ eic|regex_replace('^(.*?)=(.*)$', '\\2') }}"
_key: "{{ eic|regex_replace('^(.*?)=(.*)$', '\\1') }}"
- set_fact:
_new_value: "{{ _hip|reject('search', failed_node) }}"
vars:
_hip: "{{ _value.split(',') }}"
gives
_new_value:
- host1=IP
- host2=IP
Now update the key in the configuration file, e.g.
- replace:
path: test.conf
regexp: '{{ _key }}\s*=\s*{{ _value }}'
replace: '{{ _key }}={{ _new_value|join(",") }}'
running the playbook in the check mode (--check --diff) gives
+++ after: test.conf
## -1 +1 ##
-ETCD_INITIAL_CLUSTER=host1=IP,host2=IP,host3=IP
+ETCD_INITIAL_CLUSTER=host1=IP,host2=IP
The procedure can be optimized. The tasks below do the same job
- shell: cat test.conf | grep ETCD_INITIAL_CLUSTER
register: result
check_mode: false
- replace:
path: test.conf
regexp: '{{ _key }}\s*=\s*{{ _value }}'
replace: '{{ _key }}={{ _new_value|join(",") }}'
vars:
_key: "{{ result.stdout|regex_replace('^(.*?)=(.*)$', '\\1') }}"
_value: "{{ result.stdout|regex_replace('^(.*?)=(.*)$', '\\2') }}"
_new_value: "{{ _value.split(',')|reject('search', failed_node) }}"
There are other options on how to get the line from the configuration file. For example, if the file is local, the Ansible way would be lookup plugin, e.g.
- debug:
msg: "{{ lookup('ini', 'ETCD_INITIAL_CLUSTER type=properties file=test.conf') }}"
gives the value of ETCD_INITIAL_CLUSTER
msg: host1=IP,host2=IP,host3=IP
This would further reduce the job to a single task
- replace:
path: test.conf
regexp: '{{ _key }}\s*=\s*{{ _value }}'
replace: '{{ _key }}={{ _new_value|join(",") }}'
vars:
_key: ETCD_INITIAL_CLUSTER
_value: "{{ lookup('ini', _key ~ ' type=properties file=test.conf') }}"
_new_value: "{{ _value.split(',')|reject('search', failed_node) }}"

link task depending on content

I have 3 tasks..
first task checks if a file contains <ip> <hostname> pattern
second task adds a line if the sought after string is not present.
third task corrects the line if it is bad.
the 3 tasks run well independently but I want to run them together somehow linked.
I have the following playbook using as model /etc/hosts.
---
- name: check hosts playbook
hosts: centos
tasks:
- name: check whether a line in the form of '<ip> <hostname>' exists
lineinfile:
path: /var/tmp/hosts
regexp: '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s\w+'
state: absent
check_mode: true
register: line_exists
- name: append_host_file
lineinfile:
path: /var/tmp/hosts
insertafter: '^(127\.0\.0\.1|)(?:\d{1,3}\.){3}\d{1,3}'
line: '{{ ansible_default_ipv4.address }} {{ansible_hostname }}'
backup: yes
when: not line_exists.changed
- name: correct_hosts_file
lineinfile:
path: /var/tmp/hosts
regexp: '^(?!{{ ansible_default_ipv4.address }}\s{{ ansible_hostname }})(?:\d{1,3}\.){3}\d{1,3}\s\w+'
line: '{{ ansible_default_ipv4.address }} {{ansible_hostname }}'
when: line_exists.changed
the issue i have is the correct task is running when the line is correct.. so i need to use some other sort of criteria to prevent it from running when the line in the file is correct...if the line in the file is wrong it work because it replaces it.

It's a common problem with lineinfile, it's not that useful as it looks.
My advice: load file content into variable (- command: cat /etc/hosts), register it (register: old_hosts) than iterate over each line of that variable in a template.
- name: get hosts
command: cat /etc/hosts
register: old_hosts
- name: write hosts
template:
src: hosts.j2
dest: /etc/hosts
hosts.j2:
{% for line in old_hosts.stdout_lines %}
{% if line (....) %}
...
{% endif %}
{% endfor %}

adding an fstab option using Ansible

I am trying to add nodev to my /etc/fstab file. I am using the Ansible command below but with no luck. My issue lies with the regular expression, I'm not a pro at regex.
- name: Add nodev to /etc/fstab
lineinfile:
dest=/etc/fstab
backup=yes
backrefs=yes
state=present
regexp='(^/dev[\w/_-]+(\s+(?!nodev)[\w,]+)*)'
line='\1,nodev'
One of the lines from /etc/fstab that I am trying to add nodev is:
/dev/mapper/ex_sys-ex_home /home /ext4 rw,exec,auto,nouser,sync 1 2

While this may not be the most elegant answer, it worked for me.
- name: Ensure fstab uses nodev
mount:
name: "{{ item.mount }}"
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
opts: "{{ item.options }},nodev"
state: present
with_items: ansible_mounts
when: item.options.find(",") >= 0 and item.options.find("nodev") == -1

Inspired by Joe's answer I made this version which will add a single option to a specific line in /etc/fstab if it isn't there already. This will also keep any other options the line already had.
main.yml
- import_tasks: fstab-opt-present.yml point=/home opt=nodev
fstab-opt-present.yml
- name: '/etc/fstab: Set opt "{{ opt }}" for mount point {{ point }}'
lineinfile:
path: /etc/fstab
backup: yes
backrefs: yes
regexp: '^(\S+\s+{{ point }}\s+\S+\s+)(?!(?:\S*,)?{{ opt }}(?:,\S*)?\s+)(\S+)(\s+.+)$'
line: '\1{{ opt }},\2\3'
register: fstab
- name: 'If {{ point }} changed, remount'
command: 'mount {{ point }} -o remount'
when: fstab.changed
https://regex101.com/ is a really helpful tool for building and testing these kind of regexps. Just enable the "multiline" option there and open the "Substitution" panel and you can even paste in your /etc/fstab and see which lines your regex will match and what it will do to them. Just remember to use real values instead of the Ansible variables {{ point }} etc. when testing there

We've developed a 3rd-party ansible module to add, set or remove mount options. Check it out!
- mountopts:
name: /
option: nodev
https://github.com/Uberspace/ansible-mountopts

I wanted to state that there seems to be a new ansible module which covers all this much more easily:
https://docs.ansible.com/ansible/latest/modules/mount_module.html

Tested & works fine
- name: Set nodev option
replace:
path: /etc/fstab
backup: yes
regexp: '^(\S+\s+)(\/\S+)(\s+)((?:ext4|xfs)\s+)(?!(?:\S*,)?nodev(?:,\S*)?\s+)(\S+)(\s+.+)$'
replace: '\1\2 \4 \5,nodev \6'
It excludes adding nodev to /(root), sets only to ext4 and xfs filesystem. doesn't add to temp filesystems.
Note: while you test regexp101, make sure to select python

Landed here looking for an answer, wound up rolling my own for my use case:
main.yml
- include: fstab-opts.yml point=/tmp opts=noexec,nodev,nosuid,noatime
- include: fstab-opts.yml point=/backup opts=noatime
fstab-opts.yml
---
- name: 'Ensure {{ point }} flags'
lineinfile:
path: /etc/fstab
# uses "(not-spaces spaces /tmp spaces )(not-spaces)(the rest)" pattern to match column content and capture args
regexp: '^([^ ]+[ ]+\{{ point }}[ ]+[^ ]+[ ]+)([^ ]+)(.*)'
line: '\1{{ opts }}\3'
backrefs: yes
register: fstab
- name: 'If {{ point }} changed, remount'
command: mount -o remount {{ point }}
when: fstab.changed

i have added the noexec,nodev,nosuid option in /etc/fstab for the /var/tmp mount point.
Requirement is:
Ensure noexec option set on /var/tmp partition
Ensure nodev option set on /var/tmp partition
Ensure nosuid option set on /var/tmp partition
if required install ansible.posix.mount module using below command .
# ansible-galaxy collection install ansible.posix
Playbook:
---
- name: "STEP 1: Get /var/tmp mounted SRC device"
shell: mount | grep -E '\s/var/tmp\s' | awk '{print $1}'
register: "vartmpsrc"
- debug:
msg: "Validated the /var/tmp mount output: {{ vartmpsrc.stdout }}"
- name: "Add mount noexec,nodev,nosuid options for /var/tmp"
mount:
path: "/var/tmp"
src: "{{ vartmpsrc.stdout }}"
fstype: "tmpfs"
opts: "nosuid,nodev,noexec"
state: "present"
when: vartmpsrc.stdout == "/var/tmp"
- name: Remount /var/tmp mounted volume with mount options noexec,nodev,nosuid
ansible.posix.mount:
path: /var/tmp
state: remounted
when: vartmpsrc.stdout == "/var/tmp"
- name: 'STEP 2: Validate noexec,nodev,nosuid option set on /var/tmp partition'
shell: mount | grep -E '\s/var/tmp\s' | grep -v {{ item }}
loop:
- noexec
- nodev
- nosuid
register: vartmp_exists
ignore_errors: yes
when: vartmpsrc.stdout == "/var/tmp"