Check authenticity of file in ansible


I have an ansible role that downloads a script file. How can I check the authenticity of the file using md5sum before executing it?

- name: Add xx official repository for ubuntu/debian
  get_url:
     url:  https://script.deb.sh
     dest: /opt/script.db.sh

- name: Execute the script
  script: /opt/script.db.sh

  • I want to check the authenticity before downloading the file - can this be achieved in ansible?

If you're not using the get_url option, after the file is in the location, call the stat module using the get_checksum option as documented here.

- name: Get sha256 sum of script
  stat:
    path: /opt/script.db.sh
    checksum_algorithm: sha256
    get_checksum: yes
  register: shell_stat

- name: Verify sha256sum of script before execution.
  fail:
    msg: "Failure, file is not correct."
  when: shell_stat.stat.checksum != '19d6105fa1a581cf3ad38f67080b6d55cb152b5441ae8bdf194e593f292f31e9'

- name: Execute the script
  script: /opt/script.db.sh

Update the sum on the when: line to match the file you expect.

Generating the checksum (sha256 in this example) varies by operating system. On most Linux distributions use the sha256sum command; on OSX, use shasum -a 256.


get_url has a checksum parameter that you could use.

- name: Add xx official repository for ubuntu/debian
  get_url:
    url:  https://script.deb.sh
    dest: /opt/script.db.sh
    checksum: md5:1234

http://docs.ansible.com/ansible/latest/get_url_module.html


You can use the "checksum" parameter of the "get_url" module. I show you an example of a playbook that executes a "role" to download OpenJDK8 only if the md5sum is correct.

File: playbook.yml

---
- name: "Download binaries"
  hosts: localhost
  roles:
  - openjdk

File: openjdk/tasks/main.yml

- name: "Download OpenJDK {{ openjdk_version }} binaries"
  get_url:
    url: https://download.java.net/openjdk/jdk8u40/ri/{{ openjdk_file }}
    dest: "{{ download_destination }}"
    checksum: "{{ openjdk_md5 }}"
    mode: 0750
  tags:
    - always

File: openjdk/vars/main.yml

---
download_destination: /var/tmp
openjdk_version: "8u40-b25"
openjdk_file: "openjdk-{{ openjdk_version }}-linux-x64-10_feb_2015.tar.gz"
openjdk_md5: "md5:4980716637f353cfb27467d57f2faf9b"

The available cryptographic algorithms in Ansible 2.7 are: sha1, sha224, sha384, sha256, sha512, md5.

It works for me, I hope for you too.





Comments
  • Is there any way to check the file authenticity before downloading?
  • @Swat: You will need to confirm that the file you're pushing out to your systems is the one you want. Once you know that the file is ok, then generate the checksum of it to ensure you only install that file. Remember, if the file is not in your control and someone else changes the file you're downloading in any way the checksum will change and your playbook will report the failure. This is a good thing - it forces you and your team to re-verify the file and approve the file by updating the checksum in the playbook.
  • I tried this but I am getting an error - command: cksum /opt/script.db.sh register: md5_value - name: checking the md5checksome get_url: url: script.deb.sh dest: /opt/script.db.sh checksum: md5:{{ md5_value }} force: true fatal: [localhost]: FAILED! => {"changed": false, "failed": true, "msg": "The checksum parameter has to be in format <algorithm>:<checksum>"}
  • AFAIK you can't use the CRC checksum in the get_url module. md5sum will work however. You will also need to specify the algorithm in the checksum parameter (i.e. - checksum: "md5:{{ md5_value }}")
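To make the mechanics of the first answer and of the `<algorithm>:<checksum>` error in the comments concrete, here is an added stand-alone Python sketch of the same check (not Ansible's own code; `parse_checksum_spec`, `verify_download` and the sample file are names and data constructed for this example). It parses a checksum spec the way get_url expects, rejects a bare digest with the same message the comment ran into, hashes the downloaded file, and shows that a later change to the file makes the check fail.

```python
import hashlib
import hmac
import os
import tempfile

# Algorithms the page lists as available in Ansible 2.7.
SUPPORTED = {"sha1", "sha224", "sha256", "sha384", "sha512", "md5"}

def parse_checksum_spec(spec):
    """Split 'md5:<hex>' into (algorithm, digest); a bare digest such as the
    cksum output in the comments has no ':' and is rejected like get_url does."""
    if ":" not in spec:
        raise ValueError("The checksum parameter has to be in format <algorithm>:<checksum>")
    algorithm, digest = spec.split(":", 1)
    algorithm, digest = algorithm.strip().lower(), digest.strip().lower()
    if algorithm not in SUPPORTED:
        raise ValueError("unsupported checksum algorithm: %s" % algorithm)
    return algorithm, digest

def file_digest(path, algorithm):
    """Hash the file in chunks so a large download is not read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, spec):
    """True when the file's digest matches the spec; compared in constant time."""
    algorithm, expected = parse_checksum_spec(spec)
    return hmac.compare_digest(file_digest(path, algorithm), expected)

def demo():
    """Constructed sample: write a fake script, verify it, alter it, verify again."""
    content = b"#!/bin/sh\necho installing\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "script.db.sh")
        with open(path, "wb") as fh:
            fh.write(content)
        spec = "sha256:" + hashlib.sha256(content).hexdigest()
        intact = verify_download(path, spec)
        with open(path, "ab") as fh:  # simulate the upstream file changing
            fh.write(b"echo something else\n")
        return intact, verify_download(path, spec)
```

Calling `demo()` returns `(True, False)`: the pinned digest accepts the original file and rejects the altered one, which is exactly the failure the playbook should report.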