--- playbooks/denyhosts.yml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 playbooks/denyhosts.yml
diff --git a/playbooks/denyhosts.yml b/playbooks/denyhosts.yml new file mode 100644 index 0000000..0aa44be --- /dev/null +++ b/playbooks/denyhosts.yml @@ -0,0 +1,28 @@ +# requires --extra-vars="target=somevhost ip=10.0.0.1" + +#General overview: +# host provided via ``target`` argument on the CLI +# IP provided via ``ip`` argument on the CLI +# Log onto $target +# remove $ip from /var/lib/denyhosts/* +# remove $ip from /etc/hosts.deny +# restart denyhosts + +# sop: http://infrastructure.fedoraproject.org/infra/docs/denyhosts.txt + +- name: Unban an IP from denyhosts + hosts: $target + user: root + serial: 1 + + tasks: + - name: Remove IP from /var/lib/denyhosts/* + action: command sed -si "/$ip/d" /var/lib/denyhosts/* + notify: + - restart denyhosts + + - name: Remove IP from /etc/hosts.deny + action: command sed -si "/$ip/d" /etc/hosts.deny + notify: + - restart denyhosts +
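Review bot: in the first task, action: command sed -si "/$ip/d" /var/lib/denyhosts/* relies on a glob, but the command module does not pass its arguments through a shell, so the * is not expanded and sed is handed the literal path /var/lib/denyhosts/*. Run that task with the shell module instead, or name the files explicitly. The second task targets a single file and is not affected.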
On Monday 22 July 2013 at 11:59 +0200, Pierre-Yves Chibon wrote:
playbooks/denyhosts.yml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 playbooks/denyhosts.yml
diff --git a/playbooks/denyhosts.yml b/playbooks/denyhosts.yml new file mode 100644 index 0000000..0aa44be --- /dev/null +++ b/playbooks/denyhosts.yml @@ -0,0 +1,28 @@ +# requires --extra-vars="target=somevhost ip=10.0.0.1"
+#General overview: +# host provided via ``target`` argument on the CLI +# IP provided via ``ip`` argument on the CLI +# Log onto $target +# remove $ip from /var/lib/denyhosts/* +# remove $ip from /etc/hosts.deny +# restart denyhosts
+# sop: http://infrastructure.fedoraproject.org/infra/docs/denyhosts.txt
+- name: Unban an IP from denyhosts
- hosts: $target
- user: root
- serial: 1
- tasks:
- name: Remove IP from /var/lib/denyhosts/*
- action: command sed -si "/$ip/d" /var/lib/denyhosts/*
- notify:
- restart denyhosts
- name: Remove IP from /etc/hosts.deny
- action: command sed -si "/$ip/d" /etc/hosts.deny
- notify:
- restart denyhosts
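Review bot: both tasks end with notify: - restart denyhosts, but the file has no handlers: section defining a handler of that name, so the "restart denyhosts" step listed in the header comment is never carried out by this playbook. Add a handlers: block to the play with a restart denyhosts entry that restarts the service.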
I would suggest being more stringent in the regexp/glob: sed -si "/^$ip$/d", or something like this.
And since IP addresses use '.', that means this should be escaped in some way, or it will have some rather unplanned consequences (even if I cannot find a way that would bypass the ^$ proposition made earlier):

$ cat e.txt
101.1.1.1
1.1.1.1
2.2.2.2
$ sed -s '/^1.1/d' e.txt
2.2.2.2

Even if this could be a feature to remove a whole range of IPs in one go, I think this should then be explicit in the documentation.
(And so, if the idea is to clean an IP range, then we would not be able to use $, and so we would have a potential bug lurking due to the usage of '.'.)
On the other hand, that's just denyhosts, removing too much would not have much consequence.
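The over-match discussed in this reply, as an added example that is not part of the original thread or the Fedora playbook: it compares which lines the unanchored pattern, the anchored pattern, and an anchored-and-escaped pattern would delete. The function names and the sample list are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Constructed list, one entry per line, in the style of e.txt above.
# "10a0b0c1" is not an address; it is there to expose the '.' wildcard.
SAMPLE='10.0.0.1
10.0.0.10
110.0.0.1
10a0b0c1
192.0.2.7'

# Turn each '.' into '\.' so sed matches a literal dot.
# Refuses input containing anything but digits and dots, so the value
# cannot carry '/' or other sed syntax into the expression.
escape_ip() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    printf '%s\n' "$1" | sed 's/\./\\./g'
}

# Each function prints the lines its pattern would delete for address $1.

# Pattern from the first patch: unanchored, '.' unescaped.
deleted_loose() { printf '%s\n' "$SAMPLE" | sed -n "/$1/p"; }

# Anchored as suggested (/^$ip$/), '.' still unescaped.
deleted_anchored() { printf '%s\n' "$SAMPLE" | sed -n "/^$1\$/p"; }

# Anchored and escaped.
deleted_strict() {
    pat=$(escape_ip "$1") || return 1
    printf '%s\n' "$SAMPLE" | sed -n "/^$pat\$/p"
}

# Fixed-string, whole-line match: no regex, so nothing to escape.
deleted_fixed() { printf '%s\n' "$SAMPLE" | grep -Fx -- "$1"; }

for f in deleted_loose deleted_anchored deleted_strict deleted_fixed; do
    printf '%s: %s\n' "$f" "$($f 10.0.0.1 | tr '\n' ' ')"
done
```

Among lines that are all dotted-quad addresses, the anchored pattern already deletes only the exact address; the unescaped dots matter only for lines in other shapes.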
Looks pretty good.
One nice addition would be if we could have a --check mode.
Lots of times someone comes in and you just want to first check that they are in denyhosts before removing them. I guess it's no biggie to just try and remove them if they aren't in there, but it might save some debugging time if we know for sure.
kevin
On Fri, 2013-07-26 at 10:14 -0600, Kevin Fenzi wrote:
Looks pretty good.
One nice addition would be if we could have a --check mode.
Lots of times someone comes in and you just want to first check that they are in denyhosts before removing them. I guess it's no biggie to just try and remove them if they aren't in there, but it might save some debugging time if we know for sure.
I'll take Michael's suggestions and yours into account and will provide an updated version.
Thanks for the feedback,
Pierre
--- playbooks/denyhosts.yml | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 playbooks/denyhosts.yml
diff --git a/playbooks/denyhosts.yml b/playbooks/denyhosts.yml new file mode 100644 index 0000000..acd80e7 --- /dev/null +++ b/playbooks/denyhosts.yml @@ -0,0 +1,45 @@ +# requires --extra-vars="target=somevhost ip=10.0.0.1 test={True,False}" + +#General overview: +# host provided via ``target`` argument on the CLI +# IP provided via ``ip`` argument on the CLI +# test provided via ``test`` argument on the CLI + +# Log onto $target +# if test is True: +# grep on /etc/hosts.deny for the provided $ip +# else: +# escape the '.' in the $ip +# remove $ip from /var/lib/denyhosts/* +# remove $ip from /etc/hosts.deny +# restart denyhosts + +# sop: http://infrastructure.fedoraproject.org/infra/docs/denyhosts.txt + +- name: Unban an IP from denyhosts + hosts: $target + user: root + gather_facts: False + + tasks: + - name: Grep for the IP in the files + action: command grep $ip /etc/hosts.deny + only_if: '$test or not is_set($test)' + + - name: Escape the '.' in the IP + action: command ${$ip//./\.} + register: ip + only_if: '$test or not is_set($test)' + + - name: Remove IP from /var/lib/denyhosts/* + action: command sed -si "/^$ip$/d" /var/lib/denyhosts/* + notify: + - restart denyhosts + only_if: 'is_set($test) and $test == False' + + - name: Remove IP from /etc/hosts.deny + action: command sed -si "/^$ip$/d" /etc/hosts.deny + notify: + - restart denyhosts + only_if: 'is_set($test) and $test == False' +
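Review bot: the "Escape the '.' in the IP" task carries only_if: '$test or not is_set($test)', the same guard as the grep task, so it runs in test mode and is skipped whenever the two sed tasks (guarded by 'is_set($test) and $test == False') run; the header comment places the escaping in the else branch. Its action, command ${$ip//./\.}, is also not something the command module can run: it is a shell parameter expansion, command does not use a shell, and even under a shell the expansion would be executed as a command rather than printed, so register: ip captures no escaped string. Suggest guarding the task with the removal condition, producing the escaped value with a command that prints it, registering it under a name other than ip, and using that registered output in the two sed expressions.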
I might call it 'check' instead of 'test'?
Otherwise it looks good to me.
kevin
infrastructure@lists.fedoraproject.org