I found an issue in ansible 2.4.2.0. This may have existed in previous versions.
[defaults] callback_whitelist = timer fact_caching = jsonfile fact_caching_connection = ./.fact_cache gathering = smart host_key_checking = False inventory = ./inventories log_path = /tmp/ansible.${USER}.log roles_path = ./roles The issue revolves around the cache file not being invalidated when different parameters are used to fetch the facts. In the example below, the root_fact will not be printed and an error is raised. - hosts: example_host gather_facts: true tasks: - debug: msg: "user_fact: {{ user_fact }}" - hosts: example_host gather_facts: true become: true # fetch privileged facts tasks: - debug: msg: "root_fact: {{ root_fact }}" The reason is the first play fetched the facts and primed the cache with non-privileged results. Subsequent privileged fact lookups will use the cache file, but the privileged facts aren't in the cache. I consider this a bug. And the inverse is also true; if privileged facts are obtained first then subsequent plays will use the cache results and those subsequent plays will have access to privileged facts. In the example below, "root_fact_nonpriv" will be printed. - hosts: example_host gather_facts: true become: true # fetch privileged facts tasks: - debug: msg: "root_fact: {{ root_fact }}" - hosts: example_host gather_facts: true tasks: - debug: msg: "root_fact_nonpriv: {{ root_fact }}" I don't know whether I consider this a security bug, but it smells. In both cases, subtle bugs can be introduced that can be hard to track down. It seems to me the cache file needs to store the conditions in which it was retrieved. A simple approach would be appending 'privileged' to the cache file and using the appropriate cache file based on whether 'become=true' is set. Example: .fact_cache/example_host # non-privileged facts .fact_cache/example_host.privileged # privileged facts In summary, a fact cache file obviously needs to continue to check whether it's stale or not by comparing age of the file to the cache timeout. In addition, I would argue that ansible also needs to know whether the cache file is privileged or not when considering whether it's stale or not. BTW, using meta: clear_facts is a workaround not really a solution. Thoughts? -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To post to this group, send email to ansible-project@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/85e987d1-ceb0-498a-8296-73dc951d1f08%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.