Unsafe writes - why you need it.
As a former Oracle DBA, I'm totally against anything marked as "unsafe." Today I have learned why RedHat Ansible has unsafe_writes clause for some commands.
Here is a real-life scenario. Let say you have Oracle EM Agent installed on the target machines, and you want to prevent automatic agent startup. The easiest way to do it comment out agent entry in the file /etc/oragchomelist. I have made a task which comments out the agent entry in this file.
- name: Disable OEM Agent
lineinfile:
path: /etc/oragchomelist
regexp: "(.*{{ old_agent_inst }}$)"
line: '#\1'
backrefs: yes
The syntax is 100% correct, but it fails; As oracle user, you have full access to the file, but you can't write into /etc/ folder. Ansible does safe writes by default. It creates a copy of the original file and performs all required modifications. On success, updated copy replaces the original file. To make it work, we go unsafe:
- name: Disable OEM Agent
lineinfile:
path: /etc/oragchomelist
regexp: "(.*{{ old_agent_inst }}$)"
line: '#\1'
backrefs: yes
unsafe_writes: yes
Now the task updates file in place with no permission issues.
Image by John Hain from Pixabay