Add new role, 'debops.debops_legacy'

parent 34866653
......@@ -301,6 +301,13 @@ stages:
JANE_DIFF_PATTERN: '.*/debops.debops_fact/.*'
JANE_LOG_PATTERN: '\[debops\.debops_fact\]'
'debops_legacy role':
<<: *test_role_no_deps
variables:
JANE_TEST_PLAY: '${DEBOPS_PLAYBOOKS}/service/debops_legacy.yml'
JANE_DIFF_PATTERN: '.*/debops.debops_legacy/.*'
JANE_LOG_PATTERN: '\[debops\.debops_legacy\]'
'dhcpd role':
<<: *test_role_no_deps
variables:
......
......@@ -32,6 +32,11 @@ Added
- :ref:`debops.system_groups`: configure UNIX system groups used on DebOps
hosts. The role is included in the ``common.yml`` playbook.
- :ref:`debops.debops_legacy`: clean up legacy files, directories, APT
packages or :command:`dpkg-divert` diversions created by DebOps but no
longer used. This role needs to be executed manually, it's not included in
the main playbook.
- [debops.users] Selected UNIX accounts can now be configured to linger when
not logged in via the ``item.linger`` parameter. This allows these accounts
to maintain long-running services when not logged in via their own private
......
---
- name: Clean up legacy configuration
hosts: [ 'debops_all_hosts' ]
become: True
environment: '{{ inventory__environment | d({})
| combine(inventory__group_environment | d({}))
| combine(inventory__host_environment | d({})) }}'
roles:
- role: debops.debops_legacy
tags: [ 'role::debops_legacy' ]
debops.debops_legacy - Clean up legacy content using Ansible
Copyright (C) 2018 Maciej Delmanowski <drybjed@gmail.com>
Copyright (C) 2018 DebOps https://debops.org/
This Ansible role is part of DebOps.
DebOps is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License version 3, as
published by the Free Software Foundation.
DebOps is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with DebOps. If not, see https://www.gnu.org/licenses/.
---
# .. vim: foldmarker=[[[,]]]:foldmethod=marker
# debops.debops_legacy default variables
# ======================================
# .. contents:: Sections
# :local:
# General configuration [[[
# -------------------------
# .. envvar:: debops_legacy__enabled [[[
#
# Enable or disable support for removing legacy files, packages and diversions
# managed by DebOps.
debops_legacy__enabled: True
# ]]]
# ]]]
# Diversion cleanup [[[
# ---------------------
# These lists define what diversions created by the :command:`dpkg-divert`
# command should be removed. The modified files specified here will be removed,
# and the original files which were diverted will be moved back into place.
# See :ref:`debops_legacy__ref_remove_diversions` for more details.
# .. envvar:: debops_legacy__remove_default_diversions [[[
#
# The list of diversions to remove defined by the role.
debops_legacy__remove_default_diversions: []
# ]]]
# .. envvar:: debops_legacy__remove_diversions [[[
#
# The list of diversions to remove on all hosts in the Ansible inventory.
debops_legacy__remove_diversions: []
# ]]]
# .. envvar:: debops_legacy__remove_group_diversions [[[
#
# The list of diversions to remove on hosts in a specific Ansible inventory
# group.
debops_legacy__remove_group_diversions: []
# ]]]
# .. envvar:: debops_legacy__remove_host_diversions [[[
#
# The list of diversions to remove on specific hosts in the Ansible inventory.
debops_legacy__remove_host_diversions: []
# ]]]
# .. envvar:: debops_legacy__remove_combined_diversions [[[
#
# The list which combines all of the diversion configuration variables and is
# used in the role tasks.
debops_legacy__remove_combined_diversions: '{{ debops_legacy__remove_default_diversions
+ debops_legacy__remove_diversions
+ debops_legacy__remove_group_diversions
+ debops_legacy__remove_host_diversions }}'
# ]]]
# ]]]
# APT package cleanup [[[
# -----------------------
# These lists define what APT packages should be removed on hosts managed by
# DebOps. See :ref:`debops_legacy__ref_remove_packages` for more details.
# .. envvar:: debops_legacy__remove_default_packages [[[
#
# List of APT packages to remove defined by the role.
debops_legacy__remove_default_packages: []
# ]]]
# .. envvar:: debops_legacy__remove_packages [[[
#
# List of APT packages to remove on all hosts in the Ansible inventory.
debops_legacy__remove_packages: []
# ]]]
# .. envvar:: debops_legacy__remove_group_packages [[[
#
# List of APT packages to remove on hosts in a specific Ansible inventory
# group.
debops_legacy__remove_group_packages: []
# ]]]
# .. envvar:: debops_legacy__remove_host_packages [[[
#
# List of APT packages to remove on specific hosts in the Ansible inventory.
debops_legacy__remove_host_packages: []
# ]]]
# .. envvar:: debops_legacy__remove_combined_packages [[[
#
# The list which combines all of the APT package lists and is used in the role
# tasks.
debops_legacy__remove_combined_packages: '{{ debops_legacy__remove_default_packages
+ debops_legacy__remove_packages
+ debops_legacy__remove_group_packages
+ debops_legacy__remove_host_packages }}'
# ]]]
# ]]]
# File cleanup [[[
# ----------------
# These lists define what files or directories will be removed by the role on
# hosts managed by DebOps. See :ref:`debops_legacy__ref_remove_files` for more
# details.
# .. envvar:: debops_legacy__remove_default_files [[[
#
# List of files or directories to remove defined by the role.
debops_legacy__remove_default_files:
# This is a legacy file that configured 'sudo' to allow members of the
# 'admins' UNIX group privileged access without password authentication.
#
# The replacement file is: '/etc/sudoers.d/system_groups-admins'.
- name: '/etc/sudoers.d/admins'
state: '{{ "absent"
if (ansible_local|d() and ansible_local.system_groups|d() and
(ansible_local.system_groups.configured|d()|bool))
else "ignore" }}'
# ]]]
# .. envvar:: debops_legacy__remove_files [[[
#
# List of files or directories to remove on all hosts in the Ansible inventory.
debops_legacy__remove_files: []
# ]]]
# .. envvar:: debops_legacy__remove_group_files [[[
#
# List of files or directories to remove on hosts in a specific Ansible
# inventory group.
debops_legacy__remove_group_files: []
# ]]]
# .. envvar:: debops_legacy__remove_host_files [[[
#
# List of files or directories to remove on specific hosts in the Ansible
# inventory.
debops_legacy__remove_host_files: []
# ]]]
# .. envvar:: debops_legacy__remove_combined_files [[[
#
# The list which combines all of the file/directory lists and is used in the
# role tasks.
debops_legacy__remove_combined_files: '{{ debops_legacy__remove_default_files
+ debops_legacy__remove_files
+ debops_legacy__remove_group_files
+ debops_legacy__remove_host_files }}'
# ]]]
# ]]]
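Review bot: the default entry for ``/etc/sudoers.d/admins`` in ``debops_legacy__remove_default_files`` resolves to ``absent`` based only on ``ansible_local.system_groups.configured``; nothing here checks that the replacement named in the comment, ``/etc/sudoers.d/system_groups-admins``, is actually present on the host. If the fact is set but the new file is missing, this removes passwordless ``sudo`` for the ``admins`` group. Either state in the comment what the ``configured`` fact guarantees about the replacement file, or add a check for it before the state becomes ``absent``.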
---
dependencies:
- role: debops.ansible_plugins
galaxy_info:
author: 'Maciej Delmanowski'
description: 'Clean up legacy files, directories, packages or diversions'
company: 'DebOps'
license: 'GPL-3.0'
min_ansible_version: '2.4.0'
platforms:
- name: Ubuntu
versions:
- precise
- trusty
- xenial
- bionic
- name: Debian
versions:
- wheezy
- jessie
- stretch
- buster
categories:
- system
- legacy
- cleanup
---
- name: Check current diversions
environment:
LC_ALL: 'C'
shell: dpkg-divert --list | grep -E '^local diversion' | awk '{print $NF}'
register: debops_legacy__register_diversions
check_mode: False
changed_when: False
- name: Show what diversions will be removed in check mode
file:
path: '{{ item.name }}'
state: 'absent'
with_items: '{{ debops_legacy__remove_combined_diversions | parse_kv_items }}'
when: (debops_legacy__enabled|bool and ansible_check_mode|bool and item.state|d('present') == 'absent' and
((item.diversion | d(item.name + ".dpkg-divert")) in debops_legacy__register_diversions.stdout_lines))
- name: Remove legacy diversions
shell: rm -f {{ item.name }} ; dpkg-divert --quiet --local --rename --remove {{ item.name }}
args:
executable: '/bin/sh'
removes: '{{ item.diversion | d(item.name + ".dpkg-divert") }}'
warn: False
with_items: '{{ debops_legacy__remove_combined_diversions | parse_kv_items }}'
when: (debops_legacy__enabled|bool and item.state|d('present') == 'absent' and
((item.diversion | d(item.name + ".dpkg-divert")) in debops_legacy__register_diversions.stdout_lines))
- name: Remove legacy packages
package:
name: '{{ item.name }}'
state: 'absent'
with_items: '{{ debops_legacy__remove_combined_packages | parse_kv_items }}'
when: debops_legacy__enabled|bool and item.state|d('present') == 'absent'
- name: Remove legacy files and directories
file:
path: '{{ item.name }}'
state: 'absent'
with_items: '{{ debops_legacy__remove_combined_files | parse_kv_items }}'
when: debops_legacy__enabled|bool and item.state|d('present') == 'absent'
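Review bot: in the "Remove legacy diversions" task, ``{{ item.name }}`` is interpolated unquoted twice into a ``shell:`` line, and the playbook runs this role with ``become: True``, so an inventory path containing spaces or shell metacharacters is word-split or interpreted by ``/bin/sh`` as root. Pass the value through the ``quote`` filter (``{{ item.name | quote }}``) in both places. The two commands are also joined with ``;``, so ``dpkg-divert --remove`` still runs when ``rm -f`` fails; use ``&&`` so a failed removal stops the task with the real error.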
......@@ -217,6 +217,7 @@ packages.
- :ref:`debops.apt_mark`
- :ref:`debops.apt_preferences`
- :ref:`debops.apt_proxy`
- :ref:`debops.debops_legacy`
- :ref:`debops.unattended_upgrades`
- ``debops.reprepro``
......@@ -242,6 +243,7 @@ System configuration
- :ref:`debops.atd`
- :ref:`debops.cron`
- :ref:`debops.debops_legacy`
- :ref:`debops.environment`
- :ref:`debops.etc_services`
- :ref:`debops.etckeeper`
......
Default variable details
========================
Some of ``debops.debops_legacy`` default variables have more extensive configuration
than simple strings or lists, here you can find documentation and examples for
them.
.. contents::
:local:
:depth: 1
.. _debops_legacy__ref_remove_diversions:
debops_legacy__remove_diversions
--------------------------------
The ``debops_legacy__remove_*_diversions`` variables define the
:command:`dpkg-divert` diversions that will be removed by the role. The
existing files will be deleted and the original files diverted by DebOps will
be moved back into place.
The variables are list with YAML dictionaries, each dictionary defines one file
with specific parameters:
``name``
Required. Absolute path of the file that will be reverted. This parameter is
used as a key for merging different configuration entries together.
``diversion``
Optional. Absolute path of the diverted file to revert into its original
place. If not specified, the filename is defined as:
.. code-block:: none
{{ item.name }}.dpkg-divert
``state``
Optional. If not specified or ``present``, the existing diversion will be
kept in place. If ``absent``, the diversion will be removed.
If ``ignore``, a given configuration entry will not be evaluated by the role
during execution, allowing conditional activation of the tasks.
Examples
~~~~~~~~
Remove existing diversion of a configuration file:
.. code-block:: yaml
debops_legacy__remove_diversions:
- name: '/etc/default/application'
state: 'absent'
.. _debops_legacy__ref_remove_packages:
debops_legacy__remove_packages
------------------------------
The ``debops_legacy__remove_*_packages`` variables define the
APT packages which should be removed by the role. The variables are list of
YAML entries, each entry defines one APT package to remove using specific
parameters:
``name``
Required. Name of the APT package to remove.
``state``
Optional. If not specified or ``present``, the existing APT package will be
kept in place, or installed if it's not present. If ``absent``, existing APT
package will be removed.
If ``ignore``, a given configuration entry will not be evaluated by the role
during execution, allowing conditional activation of the task.
Examples
~~~~~~~~
Remove existing package conditionally, else leave the existing state
(installed/uninstalled) as is:
.. code-block:: yaml
debops_legacy__remove_packages:
- name: 'application'
state: '{{ "absent"
if (ansible_hostname == "example")
else "ignore" }}'
.. _debops_legacy__ref_remove_files:
debops_legacy__remove_files
---------------------------
The ``debops_legacy__remove_*_files`` variables define the files or directories
which should be removed by the role. The variables are list of YAML entries,
each entry defines one file or directory to remove using specific parameters:
``name``
Required. Absolute path of the file or directory to remove.
``state``
Optional. If not specified or ``present``, the existing file will be left in
place. Non-existent files or directories will result in an error. If
``absent``, existing file or directory will be removed.
If ``ignore``, a given configuration entry will not be evaluated by the role
during execution, allowing conditional activation of the task.
Examples
~~~~~~~~
Remove existing file conditionally based on Ansible facts:
.. code-block:: yaml
debops_legacy__remove_files:
- name: '/etc/default/application'
state: '{{ "absent"
if (ansible_hostname == "example")
else "ignore" }}'
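Review bot: the ``state`` descriptions for ``present`` do not match the tasks in this commit. Under ``debops_legacy__remove_packages`` it is documented as "installed if it's not present", and under ``debops_legacy__remove_files`` a non-existent path is documented as an error, but both tasks are conditioned on ``item.state|d('present') == 'absent'`` and do nothing for any other value. Reword ``present`` in both sections to say the entry is skipped and the host is left unchanged. Minor: "The variables are list with/of" should read "lists of" in all three sections.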
Getting started
===============
.. contents::
:local:
Example inventory
-----------------
The ``debops.debops_legacy`` role doesn't need to be enabled in Ansible
inventory, since its playbook by default works against the hosts in the
``[debops_all_hosts]`` Ansible inventory group. However the role is not
included in the ``site.yml`` playbook and needs to be executed specifically by
the system administrator to perform work.
Example playbook
----------------
If you are using this role without DebOps, here's an example Ansible playbook
that uses the ``debops.debops_legacy`` role:
.. literalinclude:: ../../../../ansible/playbooks/service/debops_legacy.yml
:language: yaml
Ansible tags
------------
You can use Ansible ``--tags`` or ``--skip-tags`` parameters to limit what
tasks are performed during Ansible run. This can be used after a host was first
configured to speed up playbook execution, when you are sure that most of the
configuration is already in the desired state.
Available role tags:
``role::debops_legacy``
Main role tag, should be used in the playbook to execute all of the role
tasks as well as role dependencies.
.. _debops.debops_legacy:
debops.debops_legacy
====================
The ``debops.debops_legacy`` Ansible role can be used to clean up legacy files,
directories, APT packages or :command:`dpkg-divert` diversions created by
DebOps but no longer used.
The role is not included in the main DebOps playbook to not cause data
destruction by mistake. You are advised to use it with caution - it will
destroy data on your DebOps hosts. To check the changes that will be done
before implementing them, you can run the role against DebOps hosts with:
.. code-block:: console
debops service/debops_legacy -l <host> --diff --check
Any changes that the role will create on the hosts can be overridden via the
Ansible inventory if needed.
.. toctree::
:maxdepth: 2
getting-started
defaults
defaults-detailed
Copyright
---------
.. literalinclude:: ../../../../ansible/roles/debops.debops_legacy/COPYRIGHT
..
Local Variables:
mode: rst
ispell-local-dictionary: "american"
End:
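Review bot: the sentence "Any changes that the role will create on the hosts can be overridden via the Ansible inventory if needed" does not say how, which matters for a role this page describes as destroying data. Name the mechanism here: ``debops_legacy__enabled``, and whether an inventory entry with the same ``name`` and ``state: 'ignore'`` overrides a role default such as ``/etc/sudoers.d/admins`` (the detailed docs mention merging by ``name`` only for diversions).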