delphix / ansible-target-host Goto Github PK

The role currently configures fairly permissive sudo permissions, with full access to any of the command set. For example, the Oracle documentation gives the following example:

Defaults:delphix_os !requiretty
delphix_os ALL=(root) NOPASSWD: \
/bin/mount  *        /oracle/*, \
/bin/umount *        /oracle/*, \
/bin/umount          /oracle/*, \
/bin/umount -lf      /oracle/*, \
/bin/ps

We could use these more restrictive permissions to only allow mounts within the delphix mount point, for example.

We should configure a Travis CI build to at least sanity test the role on the supported Travis platforms.

Each database type has a slightly different set of sudo privileges required. Today, we configure the target host for use by any DB type by specifying the superset of all privileges. We could create variables, such as delphix_type_oracle, that would control including just those privileges. We'd likely want a default delphix_type_all for ease of use.

Is your feature request related to a problem? Please describe.
It's surprisingly difficult to parse inventory.xml with Ansible.
The "xml" module has a requirement on the remote host for lxml, which could be difficult to get in customer situations.
Slurping and using "xml" module as a local task ("delegate 127.0.0.1") ran into OSX issues: a change to sudoers was needed and even after "pip install xml" I encoutered issues like cmprescott/ansible-xml#51

A solution would look something like this:

- name: Slurp inventory
  slurp:
    src: "{{ oraInst.stdout }}/ContentsXML/inventory.xml"
  register: existing_dbhome

- debug:
    msg: "{{ existing_dbhome['content'] | b64decode }}"
    verbosity: 2

- name: Parse inventory
  xml:
#    path: /u01/app/oraInventory/ContentsXML/inventory.xml
    xmlstring: "{{ existing_dbhome['content'] | b64decode }}"
    xpath: /INVENTORY/HOME_LIST/HOME
    content: attribute
  delegate_to: 127.0.0.1  #Avoid issues where the remote host doesn't have lxml module and it's difficult to modify the server in that way
  register: existing_dbhome

- debug: var=existing_dbhome.matches

To workaround these issues, the current code uses a complex shell command. This feels fragile:

- name: Parse inventory
  shell: cat "{{ oraInst.stdout }}/ContentsXML/inventory.xml" |grep "HOME NAME" | grep -vi "CRS=" | grep -vi "REMOVED=" | awk '{print $3}' | awk -F"=" '{print $2}'  | tr -d '"'
  register: existing_dbhome

Describe the solution you'd like
For the common scenario of Delphix Targets used for Oracle VDBs, delphix_os needs the primary and secondary groups to match Oracle. Automatically handle this requirement for oracle installs.