As a former Oracle DBA, I'm totally against anything marked as "unsafe." Today I learned why Red Hat Ansible has an unsafe_writes clause for some commands.

Here is a real-life scenario. Let's say you have Oracle EM Agent installed on the target machines, and you want to prevent automatic agent startup. The easiest way to do it is to comment out the agent entry in the file /etc/oragchomelist. I have made a task which comments out the agent entry in this file.

- name: Disable OEM Agent
  lineinfile:
    path: /etc/oragchomelist
    regexp: "(.*{{ old_agent_inst }}$)"
    line: '#\1'
    backrefs: yes

The syntax is 100% correct, but the task fails. As the oracle user, you have full access to the file, but you can't write into the /etc/ directory. Ansible does safe writes by default: it creates a copy of the original file and performs all required modifications on the copy. On success, the updated copy replaces the original file, and that replacement needs write permission on the directory, not just on the file. To make it work, we go unsafe:

- name: Disable OEM Agent
  lineinfile:
    path: /etc/oragchomelist
    regexp: "(.*{{ old_agent_inst }}$)"
    line: '#\1'
    backrefs: yes
    unsafe_writes: yes
 

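Now the task updates the file in place with no permission issues. The update is no longer atomic, though, so an interrupted write can leave the file half-written.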
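
A simplified Python model of the two write strategies, added here as an illustration and not Ansible's own code: it shows why the copy-and-replace write needs directory permission while the in-place write needs only file permission. The temporary directory stands in for /etc, and the sample file content and all function names are constructed for the example.

```python
import os
import re
import tempfile

# Constructed sample content; the real /etc/oragchomelist entry will differ.
SAMPLE = "/u01/app/oracle/agent_13:/u01/app/oracle/agent_inst\n"

def comment_out(text, inst="agent_inst"):
    """Same edit as the task: prefix lines ending in the instance name with '#'."""
    return re.sub(r"(.*%s$)" % re.escape(inst), r"#\1", text, flags=re.M)

def safe_write(path, data):
    """Write a temp copy next to the target, then rename it over the original.
    Creating and renaming both need write permission on the directory."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    try:
        with os.fdopen(fd, "w") as f:
            f.write(data)
        os.replace(tmp, path)  # atomic: readers see the old or the new file
    except BaseException:
        os.unlink(tmp)
        raise

def unsafe_write(path, data):
    """Truncate and rewrite the file itself; only file permission is needed,
    but a reader or a crash mid-write can observe a partial file."""
    with open(path, "w") as f:
        f.write(data)

def write(path, data, unsafe_writes=False):
    """Prefer the atomic path; fall back to in-place only when asked to."""
    try:
        safe_write(path, data)
        return "atomic"
    except PermissionError:
        if not unsafe_writes:
            raise
        unsafe_write(path, data)
        return "in-place"

def make_scenario():
    """Constructed stand-in for /etc: a writable file in a read-only directory."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "oragchomelist")
    with open(path, "w") as f:
        f.write(SAMPLE)
    os.chmod(d, 0o555)
    return path
```

Run it as a non-root user: root bypasses the directory permission check, so the atomic path succeeds and the fallback is never taken.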

