fix: make tasks idempotent wherever possible

b3ef69f8 · Jörg Sachse · a1dd0ed0 · b3ef69f8 · b3ef69f8 · b3ef69f8
Commit b3ef69f8 authored 2 years ago by Jörg Sachse
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -39,18 +39,18 @@
 - name: restart exim
  ansible.builtin.systemd:
    name: "exim4"
-    state: restarted
+    state: reloaded
    enabled: true
 - name: restart postfix
  ansible.builtin.service:
    name: "postfix"
-    state: restarted
+    state: reloaded
 - name: restart sshd
  ansible.builtin.systemd:
    name: "sshd"
-    state: restarted
+    state: reloaded
 - name: reload journald configuration
  ansible.builtin.systemd:
@@ -60,8 +60,9 @@
 - name: restart logrotate.service
  ansible.builtin.systemd:
    name: "logrotate.service"
-    state: restarted
+    state: reloaded
  when: ansible_os_family == "Debian"
+  changed_when: false
 - name: udev-Regel bekannt machen
  ansible.builtin.command: "udevadm control --reload"
--- a/tasks/configure_glances.yml
+++ b/tasks/configure_glances.yml
 ---
+- name: find out if Glances Service is enabled
+  ansible.builtin.command: systemctl is-enabled glances.service
+  register: glances_enabled
+  changed_when: false
+  failed_when:
+    - glances_enabled.stdout != "enabled"
+    - glances_enabled.stdout != "disabled"
+# this is idempotent
 - name: stop Glances (web-)server
  ansible.builtin.service:
-    name: "glances"
+    name: "glances.service"
    state: stopped
+  when:
+    - ansible_os_family == "Debian"
+    - glances_enabled.stdout != "disabled"
+# this is NOT idempotent, so it needs the "changed: false" stanza
+- name: disable Glances (web-)server
+  ansible.builtin.service:
+    name: "glances.service"
    enabled: false
-  when: ansible_os_family == "Debian"
+  when:
+    - ansible_os_family == "Debian"
+    - glances_enabled.stdout != "disabled"
+  changed_when: false
--- a/tasks/configure_logrotate.yml
+++ b/tasks/configure_logrotate.yml
 ---
+# copy module modifies parent directory permissions, when file or directory is copied with owner and group different than root. It is also not idempotent and changes on subsequent runs.
 - name: rollout default logrotate config
  ansible.builtin.copy:
    src: "etc/logrotate.conf"
@@ -7,6 +8,7 @@
    group: "root"
    mode: "0644"
  notify: restart logrotate.service
+  tags: [molecule-idempotence-notest]
 - name: set custom compression algorithm
  ansible.builtin.blockinfile:

--- a/tasks/configure_ntp.yml
+++ b/tasks/configure_ntp.yml
 ---
+# copy module modifies parent directory permissions, when file or directory is copied with owner and group different than root. It is also not idempotent and changes on subsequent runs.
 - name: configure NTP
  ansible.builtin.copy:
    src: "etc/ntp.conf"
@@ -6,3 +7,4 @@
    owner: "root"
    group: "root"
    mode: "0644"
+  tags: [molecule-idempotence-notest]
--- a/tasks/configure_persistent_journald_logging.yml
+++ b/tasks/configure_persistent_journald_logging.yml
 ---
-# enable persistent systemd journalctl logging
+# Documentation: https://www.freedesktop.org/software/systemd/man/journald.conf.html
-# Documentation: zless /usr/share/doc/systemd/README.Debian.gz
+- name: configure journald
- name: enable persistent systemd journalctl logging
+  ansible.builtin.blockinfile:
-  block:
+    path: "/etc/systemd/journald.conf.d/persistence.conf"
-  - name: create log directory
+    owner: "root"
-    ansible.builtin.file:
+    group: "root"
-      path: "/var/log/journal"
+    mode: "0644"
-      state: directory
+    create: "yes"
-      mode: "0644"
+    state: present
-      owner: "root"
+    block: |
-      group: "systemd-journal"
+      # If "persistent", data will be stored preferably on disk, i.e. below the /var/log/journal hierarchy (which is created if needed), with a fallback to /run/log/journal (which is created if needed), during early boot and if the disk is not writable.
+      Storage=persistent
-  - name: find out if journald is already logging to a persistent location
+      # If enabled (the default), data objects that shall be stored in the journal and are larger than the default threshold of 512 bytes are compressed before they are written to the file system.
-    ansible.builtin.shell: "systemd-tmpfiles --cat-config | grep '/var/log/journal'"
+      Compress=true
-    register: jd_persist
-    changed_when: false
-  - name: link directory name to systemd
+      # Controls how much disk space the journal may use up at most. (default: 10%)
-    ansible.builtin.command: systemd-tmpfiles --create --prefix /var/log/journal
+      SystemMaxUse=1G
-    when: jd_persist.rc == 0
-  # Documentation: https://www.freedesktop.org/software/systemd/man/journald.conf.html
+      # Controls how much disk space systemd-journald shall leave free for other uses. (default: 15%)
-  - name: configure journald
+      # THIS DOES NOT WORK, HOWEVER: SystemKeepFree=15%
-    ansible.builtin.blockinfile:
+      SystemKeepFree=350M
-      path: "/etc/systemd/journald.conf.d/persistence.conf"
+  notify:
-      owner: "root"
+    - reload journald configuration
-      group: "root"
-      mode: "0644"
-      create: "yes"
-      state: present
-      block: |
-        # If "persistent", data will be stored preferably on disk, i.e. below the /var/log/journal hierarchy (which is created if needed), with a fallback to /run/log/journal (which is created if needed), during early boot and if the disk is not writable.
-        Storage=persistent
-        # If enabled (the default), data objects that shall be stored in the journal and are larger than the default threshold of 512 bytes are compressed before they are written to the file system.
-        Compress=true
-        # Controls how much disk space the journal may use up at most. (default: 10%)
-        SystemMaxUse=1G
-        # Controls how much disk space systemd-journald shall leave free for other uses. (default: 15%)
-        # THIS DOES NOT WORK, HOWEVER: SystemKeepFree=15%
-        SystemKeepFree=350M
-    notify:
-      - reload journald configuration
  when: ansible_facts.service_mgr == "systemd"
--- a/tasks/configure_swap.yml
+++ b/tasks/configure_swap.yml
 ---
+- name: check if swap is active
+  ansible.builtin.command: swapon -s
+  register: swap_active
+  changed_when: false
 # https://docs.ansible.com/ansible/latest/user_guide/playbooks_tests.html#testing-strings
 - name: switch off swap (immediate result for running server, not reboot persistent)
-  ansible.builtin.command: swapoff -a
+  ansible.builtin.command: swapoff -va
-  when: ansible_hostname is not search("validate")
+  when:
+    - ansible_hostname is not search("validate")
+    - swap_active.stdout == ""
+  register: disable_swap
+  changed_when: disable_swap.stdout not in "swapoff LABEL=swap"
 - name: switch off swap (no result for running server, reboot persistent)
  ansible.posix.mount:
    path: "none"
    fstype: "swap"
    state: "absent"
-  when: ansible_hostname is not search("validate")
+  when:
+    - ansible_hostname is not search("validate")
+    - swap_active.stdout == ""
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -17,9 +17,11 @@
 #   import_tasks: configure-network.yml
 #   tags: [network,dns]
+# We don't test for idempotence because these tasks can never be idempotent.
+# They are meant to copy fresh Backups of the SSH keys every time they are run.
 - name: Server-SSH-Schlüssel sichern
  import_tasks: backup_ssh_hostkeys.yml
-  tags: [ssh]
+  tags: [ssh, molecule-idempotence-notest]
 - name: SLUB-lokales Debian-Repository hinzufügen
  import_tasks: configure_package_repositories.yml
@@ -147,6 +149,7 @@
  when: ansible_os_family == "RedHat"
  tags: [ntp]
+# there's no way to get this task to become idempotent, so we have to skip the test
 - name: Flush handlers am Ende der Rolle
  ansible.builtin.meta: flush_handlers
-  tags: [always]
+  tags: [always, molecule-idempotence-notest]