user6826691

Reputation: 2011

Check authenticity of file in ansible

I have an Ansible role that downloads a script file. How can I check the authenticity of the file using md5sum before executing it?

- name: Add xx official repository for ubuntu/debian
  get_url:
    url: https://script.deb.sh
    dest: /opt/script.db.sh

- name: Execute the script
  script: /opt/script.db.sh

Upvotes: 7

Views: 15679

Answers (3)

dan_linder

Reputation: 1026

If you're not using the get_url option, after the file is in the location, call the stat module using the get_checksum option as documented here.

- name: Get sha256 sum of script
  stat:
    path: /opt/script.db.sh
    checksum_algorithm: sha256
    get_checksum: yes
  register: shell_stat

- name: Verify sha256sum of script before execution.
  fail:
    msg: "Failure, file is not correct."
  when: shell_stat.stat.checksum != '19d6105fa1a581cf3ad38f67080b6d55cb152b5441ae8bdf194e593f292f31e9'

- name: Execute the script
  script: /opt/script.db.sh

Update the sum on the when: line to match the file you expect.

Generating the checksum (sha256 in this example) varies depending on your operating system. On most Linux distributions, use the sha256sum {filename} command; on OSX, use shasum -a 256 {filename}.

Upvotes: 14
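
To produce and check the digest pinned on the `when:` line (or in get_url's checksum parameter) the same way on Linux and macOS, both commands can be wrapped in a small shell helper. This is an added example, not part of the answer above; the function names are hypothetical and the demo file is constructed.

```shell
#!/bin/sh
# Added example: portable SHA-256 helpers for pinning a download's digest.
# Function names are hypothetical, not part of Ansible or of the answer.

# Print the lowercase hex SHA-256 of a file with whichever tool exists.
# Reading from stdin avoids the escaping sha256sum applies to odd filenames.
file_sha256() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 2; }
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1" | awk '{print $1}'
    else
        echo "no sha256 tool found" >&2; return 3
    fi
}

# Print the digest in the "<algorithm>:<digest>" form used by get_url's
# checksum parameter.
ansible_checksum() {
    digest=$(file_sha256 "$1") || return $?
    printf 'sha256:%s\n' "$digest"
}

# Return 0 only if the file's digest equals the pinned one.
# Accepts a bare digest or one prefixed with "sha256:", in any case.
# A pin that is not exactly 64 hex characters is rejected, so an empty
# or truncated value can never pass.
verify_sha256() {
    expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    expected=${expected#sha256:}
    case "$expected" in
        *[!0-9a-f]*) echo "malformed digest" >&2; return 4 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed digest" >&2; return 4; }
    actual=$(file_sha256 "$1") || return $?
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $1" >&2; return 1
    fi
}

# Demo on a constructed file containing the three bytes "abc".
demo=$(mktemp) && printf 'abc' > "$demo"
ansible_checksum "$demo"
rm -f "$demo"
```

A pinned digest only proves the file matches the copy that was hashed, so the expected value has to come from a source you trust rather than from the same download.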

JavDomGom

Reputation: 1175

You can use the "checksum" parameter of the "get_url" module. Here I show you an example of a playbook that executes a "role" to download OpenJDK8 only if the md5sum is correct.

File: playbook.yml

---
- name: "Download binaries"
  hosts: localhost
  roles:
  - openjdk

File: openjdk/tasks/main.yml

- name: "Download OpenJDK {{ openjdk_version }} binaries"
  get_url:
    url: https://download.java.net/openjdk/jdk8u40/ri/{{ openjdk_file }}
    dest: "{{ download_destination }}"
    checksum: "{{ openjdk_md5 }}"
    mode: 0750
  tags:
    - always

File: openjdk/vars/main.yml

---
download_destination: /var/tmp
openjdk_version: "8u40-b25"
openjdk_file: "openjdk-{{ openjdk_version }}-linux-x64-10_feb_2015.tar.gz"
openjdk_md5: "md5: 4980716637f353cfb27467d57f2faf9b"

The available cryptographic algorithms in Ansible 2.7 are: sha1, sha224, sha384, sha256, sha512, md5.

It works for me; I hope it works for you too.

Upvotes: 2

kfreezy

Reputation: 1579

get_url has a checksum parameter that you could use.

- name: Add xx official repository for ubuntu/debian
  get_url:
    url: https://script.deb.sh
    dest: /opt/script.db.sh
    checksum: md5:1234

http://docs.ansible.com/ansible/latest/get_url_module.html

Upvotes: 2
