To conditional or to skip, that's the Ansible question

Have you ever thought about whether an Ansible task should be skipped with a conditional or without one (a hidden skip)? This post analyses both methods.

Let's use an example that produces the same result with both methods and analyse them:

In OpenStack Kolla we found that operators sometimes need to customise policy.json files. That's fine, but the problem is that policy.json files are installed with the services by default, and we don't need or want to maintain policy.json files in our repository, because outdated policy files would surely cause bugs in the future.

What's the proposed solution? Allow operators to use their own policy files only when those files exist in a custom configuration folder. If custom files are not present, the default policy.json files are already there as part of the software installation. (This change is currently under review.)

To Conditional method

Code snippet:

    - name: Check if file exists
      stat:
        path: "/tmp/custom_file.json"
      register: check_custom_file_exist

    - name: Copy custom policy when exist
      template:
        src: "/tmp/custom_file.json"
        dest: "/tmp/destination_file.json"
      # when: takes a bare Jinja2 expression; wrapping it in "{{ }}" makes
      # Ansible warn about templating delimiters inside a conditional
      when: check_custom_file_exist.stat.exists

The first task checks whether the file is present and registers the stat result.

The second task copies the file only when the registered result of the previous task is true (exists == True).

It outputs the following when the file is not present:

    PLAY [localhost] ***************************************************************

    TASK [Check if file exists] ****************************************************
    ok: [localhost]

    TASK [Copy custom policy when exist] *******************************************
    skipping: [localhost]

    PLAY RECAP *********************************************************************
    localhost                  : ok=1    changed=0    unreachable=0    failed=0  

We can see that the copy task is skipped, with a skipping message.

To Skip method

Code snippet:

    - name: Copy custom policy when exist
      template:
        # item is the first file found in the list below
        src: "{{ item }}"
        dest: "/tmp/destination_file.json"
      with_first_found:
      - files:
        - custom_file.json
        # skip: True turns "no file found" into a silent skip instead of an error
        skip: True

This playbook contains a single task, which uses the first file found in a list of files. If no file is present, the task is skipped.

Output from this execution:

    PLAY [localhost] ***************************************************************

    TASK [Copy custom policy when exist] *******************************************

    PLAY RECAP *********************************************************************
    localhost                  : ok=0    changed=0    unreachable=0    failed=0 

We can see that nothing is executed when custom files are not present, and the task produces no output at all (hidden skip).

Analysis and own opinion

Both methods do the same thing: both copy custom files when they are present and both skip the copy task when they are not. What are the differences between them?

The to_skip method is simpler to read and unified in a single task, whereas to_conditional is split across two tasks. The to_conditional method takes longer to execute, as it has to check the existence of a file and then evaluate a conditional.

You may think that the to_skip method is better than to_conditional, and that's right in terms of code syntax and execution time. But... As both an operator and an infrastructure developer, I always use the to_conditional method, because when I'm deploying something new I want to know what is executed and what is not. With the to_skip method you don't know, because there is no output from the task (not really true), but the to_conditional method clearly says skipping.

Execution time is not a problem in most use cases, as this kind of task is not commonly used in CM systems; only a few tasks will need this type of logic.
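To compare the two methods side by side, here is a complete playbook (an added example, not code from the post or from Kolla) that runs both against the same file and finishes with a task that always runs, so the run log records which policy is in effect even when the to_skip task printed nothing. The custom policy path under `custom_config/` and the `/tmp/destination_file.json` stand-in for the installed policy.json are assumptions of this example.

```yaml
# Added example: both methods in one runnable playbook.
# Run with: ansible-playbook policy_demo.yml
# Assumed paths: the custom policy is looked for in ./custom_config/ next to
# the playbook; /tmp/destination_file.json stands in for the service's own
# policy.json so the demo never touches a real service.
- hosts: localhost
  gather_facts: false
  vars:
    custom_policy: "{{ playbook_dir }}/custom_config/policy.json"
    installed_policy: /tmp/destination_file.json
  tasks:
    # --- to_conditional: two tasks, explicit "skipping:" in the output ---
    - name: Check if a custom policy file exists
      stat:
        path: "{{ custom_policy }}"
      register: check_custom_file_exist

    - name: Copy custom policy when it exists (conditional method)
      template:
        src: "{{ custom_policy }}"
        dest: "{{ installed_policy }}"
      # bare expression: no "{{ }}" delimiters inside when:
      when: check_custom_file_exist.stat.exists

    # --- to_skip: one task, no output at all when nothing is found ---
    - name: Copy custom policy when it exists (skip method)
      template:
        src: "{{ item }}"
        dest: "{{ installed_policy }}"
      with_first_found:
        - files:
            - "{{ custom_policy }}"
          skip: true

    # Always runs, so the play output states which policy is in effect
    # regardless of which method above was used. The first_found lookup
    # with skip=True returns an empty value when no file exists, which
    # the default filter (second argument true) replaces with a message.
    - name: Report which policy file is in effect
      debug:
        msg: "custom policy: {{ lookup('first_found', [custom_policy], skip=True) | default('none found, package default kept', true) }}"
```

Run it once without `custom_config/policy.json` and once with it to see the two recaps differ while the final debug line is present in both runs.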

Regards, Eduardo Gonzalez
