Add mode mode option to sysctl module

* Add basic file attribute options to manage sysctl_file permission * Fixes #108 Signed-off-by: Hideki Saito <saito@fgrep.org>
2026-01-11 15:15:26 +01:00 · 2021-05-28 23:21:18 +09:00 · 2021-05-28 23:21:18 +09:00 · f48c47fc1b
commit f48c47fc1b
parent 3514f9d3dc
3 changed files with 142 additions and 3 deletions
--- a/changelogs/fragments/108_sysctl_add_mode_option.yml
+++ b/changelogs/fragments/108_sysctl_add_mode_option.yml
@ -0,0 +1,3 @@
+minor_changes:
+- sysctl - add a basic file system attribute setting option to allow the sysctl module
+  to set the file attributes to ``sysctl_file`` (https://github.com/ansible-collections/ansible.posix/issues/108).
--- a/plugins/modules/sysctl.py
+++ b/plugins/modules/sysctl.py
@ -56,6 +56,13 @@ options:
            - Verify token value with the sysctl command and set with -w if necessary
        type: bool
        default: 'no'
+    unsafe_writes:
+        description:
+            - This option is not used.
+
+extends_documentation_fragment:
+  - ansible.builtin.files
+
 author:
 - David CHANIAL (@davixx)
 '''
@ -93,6 +100,22 @@ EXAMPLES = r'''
    sysctl_set: yes
    state: present
    reload: yes
+
+# Set file mode 0644 to /tmp/test_sysctl.conf
+- ansible.posix.sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    sysctl_file: /tmp/test_sysctl.conf
+    reload: no
+    mode: '0644'
+
+# Set file mode rw-r--r-- to /tmp/test_sysctl.conf
+- ansible.posix.sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    sysctl_file: /tmp/test_sysctl.conf
+    reload: no
+    mode: u=rw,g=r,o=r
 '''

 # ==============================================================
@ -185,6 +208,13 @@ class SysctlModule(object):
                self.changed = True
                self.set_proc = True

+        # Set file permissions if there are differences.
+        # - Ansible 2.9.x does not support 'path' like load_file_common_arguments (params, path=PATH).
+        #   so set 'sysctl_file' as 'path' in module.params.
+        self.module.params['path'] = self.sysctl_file
+        file_args = self.module.load_file_common_arguments(self.module.params)
+        self.changed = self.module.set_fs_attributes_if_different(file_args, self.changed)
+
        # Do the work
        if not self.module.check_mode:
            if self.set_proc:
@ -394,8 +424,9 @@ def main():
            reload=dict(default=True, type='bool'),
            sysctl_set=dict(default=False, type='bool'),
            ignoreerrors=dict(default=False, type='bool'),
-            sysctl_file=dict(default='/etc/sysctl.conf', type='path')
+            sysctl_file=dict(default='/etc/sysctl.conf', type='path'),
        ),
+        add_file_common_args=True,
        supports_check_mode=True,
        required_if=[('state', 'present', ['value'])],
    )
--- a/tests/integration/targets/sysctl/tasks/main.yml
+++ b/tests/integration/targets/sysctl/tasks/main.yml
@ -216,9 +216,15 @@

 - name: Test on RHEL VMs
  when:
-    - ansible_facts.virtualization_type != 'docker'
-    - ansible_facts.distribution == 'RedHat'
+    - ansible_facts.virtualization_type not in ['docker', 'containerd']
+    - ansible_system == 'Linux'
  block:
+    # Initialize parameter
+    - name: Remove sysctl property using module
+      sysctl:
+        name: vm.swappiness
+        state: absent
+
    # Test reload: yes
    - name: Set sysctl property using module
      sysctl:
@ -310,3 +316,102 @@
        that:
          - sysctl_invalid_set1 is failed
          - "'vm.mmap_rnd_bits' not in sysctl_invalid_conf_content.stdout"
+
+# Test file permissions for sysctl_file
+- name: Test to set file system permissions
+  block:
+    - set_fact:
+        output_dir_test: "{{ output_dir }}/test_sysctl"
+
+    - name: make sure our testing sub-directory does not exist
+      file:
+        path: "{{ output_dir_test }}"
+        state: absent
+
+    - name: create our testing sub-directory
+      file:
+        path: "{{ output_dir_test }}"
+        state: directory
+
+    - name: copy the example conf to the test dir
+      copy:
+        src: sysctl.conf
+        dest: "{{ output_dir_test }}/permission_test.conf"
+
+    - name: Create permission test file with 0666(check_mode)
+      sysctl:
+        name: net.ipv4.ip_forward
+        value: 1
+        mode: 0666
+        reload: no
+        sysctl_file: "{{ output_dir_test }}/permission_test.conf"
+      register: permission_test1_check_mode
+      check_mode: True
+
+    - name: Ensure permission test file has been created(check_mode)
+      assert:
+        that:
+          - permission_test1_check_mode is changed
+
+    - name: Create permission test file with 0666
+      sysctl:
+        name: net.ipv4.ip_forward
+        value: 1
+        mode: 0666
+        reload: no
+        sysctl_file: "{{ output_dir_test }}/permission_test.conf"
+      register: permission_test1
+
+    - name: Ensure permission test file has been created
+      assert:
+        that:
+          - permission_test1 is changed
+
+    - name: Get permission test file stat
+      stat:
+        path: "{{ output_dir_test }}/permission_test.conf"
+      register: stat_permission_test1
+
+    - name: Ensure file permission has been set 0666
+      assert:
+        that:
+          - stat_permission_test1.stat.mode == '0666'
+
+    - name: Modify file permission of permission test file to 0600(check_mode)
+      sysctl:
+        name: net.ipv4.ip_forward
+        value: 1
+        mode: u=rw,go=
+        reload: no
+        sysctl_file: "{{ output_dir_test }}/permission_test.conf"
+      register: permission_test2_check_mode
+      check_mode: True
+
+    - name: Ensure permission test file has been created(check_mode)
+      assert:
+        that:
+          - permission_test2_check_mode is changed
+
+    - name: Modify file permission of permission test file to 0600
+      sysctl:
+        name: net.ipv4.ip_forward
+        value: 1
+        mode: u=rw,go=
+        reload: no
+        sysctl_file: "{{ output_dir_test }}/permission_test.conf"
+      register: permission_test2
+
+    - name: Ensure permission test file has been created
+      assert:
+        that:
+          - permission_test2 is changed
+
+    - name: Get permission test file stat
+      stat:
+        path: "{{ output_dir_test }}/permission_test.conf"
+      register: stat_permission_test2
+
+    - name: Ensure file permission has been set 0600
+      assert:
+        that:
+          - stat_permission_test2.stat.mode == '0600'