Re: [ansible-project] --check shows changes that won't actually happen

2014-09-09 Thread Romain Richard
Here's a summary:

                | with --diff | without --diff
----------------+-------------+---------------
with --check    | changes     | changes
without --check | no changes  | no changes


On Tuesday, September 9, 2014 9:42:05 AM UTC-7, Michael DeHaan wrote:
>
> I'm wondering if this may be because it doesn't have permission to read 
> them and the --diff flag has a buglet in it.
>
> check should be generally fine, I would suspect the diff logic could be 
> throwing it.
>
> Does it report a change w/o --diff ?
>
>
>
> On Tue, Sep 9, 2014 at 12:32 PM, Romain Richard <
> romain.richar...@gmail.com > wrote:
>
>> Installed Ansible 1.7.1 from the ppa:
>>
>> $ ansible --version
>> ansible 1.7.1
>>
>> And I am seeing the exact same output as with the 1.6.3, the --check 
>> still reports the authorized_keys files on the remote host are empty 
>> (the diff is still the same).
>>
>> On Tuesday, September 9, 2014 8:47:06 AM UTC-7, Michael DeHaan wrote:
>>>
>>> Ansible 1.6.3 is no longer the active released version of Ansible, and 
>>> since 1.6.3 there have been many updates, many security related.
>>>
>>> When reporting issues, it's helpful to have tested at least the latest 
>>> release, which is 1.7.1.
>>>
>>> If you see diff issues there, let us know, but seeing you reported on 
>>> 1.6.3 there's a good chance this is now resolved.
>>>
>>> Thanks!
>>>
>>> On Mon, Sep 8, 2014 at 7:26 PM, Romain Richard >> gmail.com> wrote:
>>>
>>>> Thanks for your reply, more info below.
>>>>
>>>> On Monday, September 8, 2014 4:01:30 PM UTC-7, Michael DeHaan wrote:
>>>>>
>>>>> This could be handled by having a previous task that copied a blank 
>>>>> file over, provided you weren't logged in as that user.
>>>>>
>>>>
>>>> That's not a bad idea, I will look into that.
>>>>  
>>>>
>>>>> You could also keep a list of previous keys and use state=absent to 
>>>>> remove those.
>>>>>
>>>>
>>>> That seems cumbersome.
>>>>  
>>>>
>>>>> I'm open to the idea of having a parameter like exclusive=yes that 
>>>>> removes the other keys in the file.
>>>>>
>>>>
>>>> Would sure make my task easier.
>>>>  
>>>>
>>>>> Some ansible modules don't fully understand check mode and will report 
>>>>> "changed=True" automatically without running in check mode rather than 
>>>>> risk 
>>>>> making a change.
>>>>>
>>>>
>>>> I see.
>>>>  
>>>>
>>>>> Can we see the changed lines from your ansible playbook, as well as 
>>>>> the output of ansible --version to confirm this is from those lines and a 
>>>>> recent version of Ansible?
>>>>>
>>>>
>>>> $ ansible --version
>>>> ansible 1.6.3
>>>>
>>>> Not sure what you meant by "the changed lines from your ansible 
>>>> playbook".
>>>>
>>>>> In this case it is showing that there would be additions from your 
>>>>> template that are not in the original file, so it seems that it is 
>>>>> returning accurately in this regard.
>>>>> Or is your assertion that the diff is *also* wrong?  That seems 
>>>>> somewhat unlikely, but somewhat resembles what may be an older bug in 
>>>>> Ansible -- I could be wrong.
>>>>>
>>>>
>>>> It seems that the diff is saying the same thing as the check, so I 
>>>> suppose it is not wrong, but it shows differences while there are actually 
>>>> none (if I had run the command again without the --check, there would have 
>>>> been no changes).
>>>> It makes me believe that what Ansible feeds to the diff is wrong, 
>>>> because of that --check option.
>>>>
>>>> -- 
>>>> You received this message because you are subscribed to the Google 
>>>> Groups "Ansible Project" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>> an email to ansible-proje...@googlegroups.com.
>>>> To post to this group, send email to ansible...@googlegroups.com.

Re: [ansible-project] --check shows changes that won't actually happen

2014-09-09 Thread Romain Richard
Installed Ansible 1.7.1 from the ppa:

$ ansible --version
ansible 1.7.1

And I am seeing the exact same output as with the 1.6.3, the --check still 
reports the authorized_keys files on the remote host are empty (the 
diff is still the same).

On Tuesday, September 9, 2014 8:47:06 AM UTC-7, Michael DeHaan wrote:
>
> Ansible 1.6.3 is no longer the active released version of Ansible, and 
> since 1.6.3 there have been many updates, many security related.
>
> When reporting issues, it's helpful to have tested at least the latest 
> release, which is 1.7.1.
>
> If you see diff issues there, let us know, but seeing you reported on 
> 1.6.3 there's a good chance this is now resolved.
>
> Thanks!
>
> On Mon, Sep 8, 2014 at 7:26 PM, Romain Richard  > wrote:
>
>> Thanks for your reply, more info below.
>>
>> On Monday, September 8, 2014 4:01:30 PM UTC-7, Michael DeHaan wrote:
>>>
>>> This could be handled by having a previous task that copied a blank file 
>>> over, provided you weren't logged in as that user.
>>>
>>
>> That's not a bad idea, I will look into that.
>>  
>>
>>> You could also keep a list of previous keys and use state=absent to 
>>> remove those.
>>>
>>
>> That seems cumbersome.
>>  
>>
>>> I'm open to the idea of having a parameter like exclusive=yes that 
>>> removes the other keys in the file.
>>>
>>
>> Would sure make my task easier.
>>  
>>
>>> Some ansible modules don't fully understand check mode and will report 
>>> "changed=True" automatically without running in check mode rather than risk 
>>> making a change.
>>>
>>
>> I see.
>>  
>>
>>> Can we see the changed lines from your ansible playbook, as well as the 
>>> output of ansible --version to confirm this is from those lines and a 
>>> recent version of Ansible?
>>>
>>
>> $ ansible --version
>> ansible 1.6.3
>>
>> Not sure what you meant by "the changed lines from your ansible playbook".
>>
>>> In this case it is showing that there would be additions from your 
>>> template that are not in the original file, so it seems that it is 
>>> returning accurately in this regard.
>>> Or is your assertion that the diff is *also* wrong?  That seems somewhat 
>>> unlikely, but somewhat resembles what may be an older bug in Ansible -- I 
>>> could be wrong.
>>>
>>
>> It seems that the diff is saying the same thing as the check, so I 
>> suppose it is not wrong, but it shows differences while there are actually 
>> none (if I had run the command again without the --check, there would have 
>> been no changes).
>> It makes me believe that what Ansible feeds to the diff is wrong, because 
>> of that --check option.
>>
>
>



Re: [ansible-project] --check shows changes that won't actually happen

2014-09-08 Thread Romain Richard
Thanks for your reply, more info below.

On Monday, September 8, 2014 4:01:30 PM UTC-7, Michael DeHaan wrote:
>
> This could be handled by having a previous task that copied a blank file 
> over, provided you weren't logged in as that user.
>

That's not a bad idea, I will look into that.
 

> You could also keep a list of previous keys and use state=absent to remove 
> those.
>

That seems cumbersome.
 

> I'm open to the idea of having a parameter like exclusive=yes that removes 
> the other keys in the file.
>

Would sure make my task easier.
 

> Some ansible modules don't fully understand check mode and will report 
> "changed=True" automatically without running in check mode rather than risk 
> making a change.
>

I see.
 

> Can we see the changed lines from your ansible playbook, as well as the 
> output of ansible --version to confirm this is from those lines and a 
> recent version of Ansible?
>

$ ansible --version
ansible 1.6.3

Not sure what you meant by "the changed lines from your ansible playbook".

> In this case it is showing that there would be additions from your template 
> that are not in the original file, so it seems that it is returning 
> accurately in this regard.
> Or is your assertion that the diff is *also* wrong?  That seems somewhat 
> unlikely, but somewhat resembles what may be an older bug in Ansible -- I 
> could be wrong.
>

It seems that the diff is saying the same thing as the check, so I suppose 
it is not wrong, but it shows differences while there are actually none (if 
I had run the command again without the --check, there would have been no 
changes).
It makes me believe that what Ansible feeds to the diff is wrong, because 
of that --check option.



[ansible-project] --check shows changes that won't actually happen

2014-09-08 Thread Romain Richard
Hi,

We have a playbook to manage SSH keys on our servers (we are not using the 
authorized_key module because it appends users' keys without ever deleting 
the old ones).
For that we created a template to gather all the SSH keys based on the 
different roles and groups, which is working fine except when using the 
--check option.
When using that option, Ansible will show changes that are not going to 
happen when the playbook is run without the option.

As an example:

$ ansible-playbook keys.yml --limit somehost --check
[...]
somehost : ok=15   changed=4    unreachable=0    failed=0

$ ansible-playbook keys.yml --limit somehost
[...]
somehost : ok=15   changed=0    unreachable=0    failed=0


The changes concern the authorized_key file (here 4 changes because the 
playbook deploys 4 users).
Here's an extract of the output of the command when run with the --diff 
option:

$ ansible-playbook keys.yml --limit somehost --check --diff
[...]
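 ___________________________________________________
< TASK: keys | copy authorized key template to host >
 ---------------------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||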


--- before: ~root/.ssh/authorized_keys
+++ after: 
/home/romain/workspace/it_ansible/roles/keys/templates/authorized_keys.j2
@@ -0,0 +1,4 @@
+ssh-rsa [...]
+ssh-rsa [...]
+ssh-rsa [...]
+ssh-rsa [...]

changed: [somehost]
[...]

The --check option is rendered useless since we can't trust it.
Any idea why this is happening? Does the --check option prevent Ansible 
from getting the authorized_key files from the remote hosts? What could we 
do to make the --check option behave as it should?

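
The thread leaves two points open: whether the "before" side of the diff was empty because the file could not be read, and how to drop keys that are no longer wanted. The following Python is an added example, not part of the thread and not Ansible's code; it compares a rendered key list with a file on disk, reports an unreadable file separately from an empty one, and lists the keys an exclusive update would add or remove. The function names and the sample keys are constructed for illustration.

```python
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")

# Constructed sample data, not real keys.
DESIRED = ("ssh-rsa AAAAconstructedKEY1 alice@example\n"
           "ssh-rsa AAAAconstructedKEY2 bob@example\n")
CURRENT = ("# managed file\n"
           "no-pty ssh-rsa AAAAconstructedKEY2 bob@example\n"
           "ssh-rsa AAAAconstructedOLD carol@example\n")


def parse_keys(text):
    """Map key blob -> full line, skipping blank lines and comments."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # An options field may precede the key type, so scan for the type.
        # Limitation: options containing quoted spaces are not unquoted here.
        for i, field in enumerate(fields[:-1]):
            if field.startswith(KEY_TYPES):
                keys[fields[i + 1]] = line
                break
    return keys


def plan(desired_text, current_path):
    """Return (status, to_add, to_remove) for an exclusive key update.

    status is 'unreadable' when the file exists but cannot be read, so the
    caller never treats a read failure as an empty authorized_keys file.
    """
    desired = parse_keys(desired_text)
    try:
        with open(current_path, encoding="utf-8") as fh:
            current = parse_keys(fh.read())
    except FileNotFoundError:
        current = {}                      # genuinely absent: all keys are new
    except OSError:
        return "unreadable", [], []       # permission denied, not a file, ...
    to_add = sorted(set(desired) - set(current))
    to_remove = sorted(set(current) - set(desired))
    return ("changed" if to_add or to_remove else "ok"), to_add, to_remove
```

Run as the same user in a dry run and in a real run, the two results can be compared directly; an "unreadable" status in the dry run points at permissions rather than at the file's content.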