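Ansible example: filter user groups to keep only those that exist
When creating users in Ansible, you may want to assign them to a set of groups, but not all of those groups exist on every system. To avoid errors, you can filter the group list so that it only contains groups that actually exist.
The following minimal example playbook demonstrates how to do this: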
filter_user_groups.yml
---
- name: Create user with filtered groups
  hosts: all
  become: true
  vars:
    # Some groups might not exist on every system!
    user_groups: "adm,sudo,sambashare,tss,docker,realtime,versatile,libvirt,libvirt-qemu,libvirt-dnsmasq,boinc,kvm,video,plugdev,users,render,video"
  tasks:
    - name: Get existing groups
      ansible.builtin.getent:
        database: group
      register: existing_groups

    - name: Filter user_groups to only existing groups
      ansible.builtin.set_fact:
        filtered_user_groups: >-
          {{
            user_groups.split(',') | select('in', (existing_groups.ansible_facts.getent_group.keys() | list)) | list
          }}

    - name: Create user deleteme
      ansible.builtin.user:
        name: "deleteme"
        # The user module expects a crypt hash here, not plaintext
        password: "{{ 'abc123' | password_hash('sha512') }}"
        comment: "Please delete me"
        shell: /bin/bash
        create_home: false
        state: present
        groups: "{{ filtered_user_groups }}"

How it works:
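The getent module collects all groups on the system. The set_fact task splits the comma-separated user_groups string into a list and filters it down to the groups that exist in the system's group database. The user module then creates the user with only the valid groups.
This approach prevents Ansible from failing when a group in the list does not exist on the target system.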
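Because the filter drops missing groups silently, a host can end up with different memberships than intended (including privileged groups such as sudo or docker) without any trace in the play output. The playbook below is an added example, not part of the original post: it records which requested groups were skipped per host and stops if a group you depend on is absent. The variable `required_user_groups` and the shortened group list are assumptions made for illustration.

```yaml
---
- name: Report requested groups that are missing on each host
  hosts: all
  become: true
  vars:
    # Same comma-separated format as user_groups above (shortened sample list)
    user_groups: "adm,sudo,docker,libvirt,kvm,video,users"
    # Hypothetical variable: groups that must exist, otherwise the host fails
    required_user_groups:
      - users
  tasks:
    - name: Get existing groups
      ansible.builtin.getent:
        database: group

    - name: Split the request into present and missing groups
      ansible.builtin.set_fact:
        filtered_user_groups: "{{ requested | intersect(present) }}"
        missing_user_groups: "{{ requested | difference(present) }}"
      vars:
        # Trim whitespace and drop duplicates (e.g. a group listed twice)
        requested: "{{ user_groups.split(',') | map('trim') | unique | list }}"
        present: "{{ ansible_facts.getent_group.keys() | list }}"

    - name: Stop if a required group is missing
      ansible.builtin.assert:
        that:
          - required_user_groups | difference(filtered_user_groups) | length == 0
        fail_msg: "Required groups missing: {{ required_user_groups | difference(filtered_user_groups) | join(', ') }}"

    - name: Show which groups were skipped on this host
      ansible.builtin.debug:
        msg: "Skipped (not present): {{ missing_user_groups | join(', ') }}"
      when: missing_user_groups | length > 0
```

The resulting `filtered_user_groups` can be passed to the user module's `groups` parameter exactly as in the playbook above.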