Support specifying an absolute path (typically /etc/crontab) rather than
a path relative to /etc/cron.d, to allow modifying the main system crontab.
Particularly useful for target systems that have /etc/crontab but no
/etc/cron.d.
Since use_unsafe_shell is suspicious from a security point
of view (or it wouldn't be unsafe), the less we have, the less
code we have to toroughly inspect for a security audit.
In this case, the '&&' can be replaced by doing 2 calls to run_command.
Starting in Django 1.7, the createcachetable command looks for cache
table names in the CACHES settings dictionary, so cache_table is no
longer required, but is still allowed.
Otherwise CDN (Akamai) downloads file without the headers. The sequence
is following:
1. Ansible uploads file to CF.
2. Akamai downloads the file and caches it in CDN.
3. Ansible sets headers.
As a result Akamai serves file without headers.
This is backwards incompatible change, because headers keys are not
prefixed with `x-object-meta-`. Which allows user to set headers like
`Access-Control-Allow-Origin`.
The command `hg up -C` by default moves to the latest revision on the
current branch. The `discard` function was trying to update to a
different branch, in case it was provided, by passing a `-r REVISION`
argument. Not only is this not the intended effect of the `discard`
function, but this also could update to a different branch that hasn't
been pulled yet, which is how we were experiencing trouble.
Instead, we unconditionally do `hg up -C -r .` to "update" to the
current revision (i.e. to "."), while `-C/--clean`ing the current
directory. This is similar to `hg revert --all`, except that it also
undoes the merge state of the working directory, in case there was
any.
Previously the logging module hard coded the default logging driver. This means
if the docker daemon is started with a different logging driver, the ansible
module would continually restart it when run.
This fix adds a call to docker.Client.info(), which is inspected if a logging
driver is not supplied in the playbook, and the container only restarted if
the logging driver applied differs from the configured default.
In usage, this has solved issues with using alternative logging drivers.
Fixes require ssl in combination with grant option
Refactoring: code cleanup to make it easier to understand
Code rewritten inspired by @willthames
Added WITH GRANT OPTION as exception; when only REQUIRESSL and/or GRANT are specified we have to add USAGE
Without this change, some trouble may occur when "deb" parameter
is used as env vars controlling dpkg are not set. For example,
installing a package that requires user input will never end since
DEBIAN_FRONTEND=noninteractive is not set.
So export env vars in APT_ENV_VARS before run dpkg, like in cases
using apt-get/aptitude.
Now module will assume that if the argument is a string it is already formated as json
and will only try to convert non strings into json string.
Also removed unused 'msg' var declarations and the ifs that set them
fixes#2009
Since we now have several exceptions to the assumption that the
result of the pull would be on the last status line returned by
docker-py's pull(), I've changed the function so that it looks
through the status lines and returns what if finds on it.
Despite the repeated `break`s, the code seems simpler and a little
more coherent like this. From what I've checked using
`https://github.com/jlafon/ansible-profile`, the execution time is
mostly the same.
If this parameter was not of the right type, the module would fail with a
traceback, with a "AttributeError: 'str' object has no attribute 'get'"
exception.
It now gives a proper error message on type errors.
Update a document file for win_get_url.ps1.
Update add a prefix proxy_ for this variables
Update a document file for win_get_url.ps1.
Update win_get_url.ps1 20150907
Before this patch:
- Command was matched if 'Command' field of docker-py
representation of Docker container ends with 'command' passed
to Ansible docker module by user.
- That can give false positives and false negatives.
- For example:
a) If 'command' was set up with more than one spaces,
like 'command=sleep 123', it would be never matched again
with a container(s) launched by this task.
Because after launching, command would be normalized and
appear, in docker-py API call, just as 'sleep 123' - with one
space. This is false negative case.
b) If 'entrypoint + command = command', for example
'sleep + 123 = sleep 123', module would give false positive
match.
This patch fixes it, by making matching more explicit - against
'Config'->Cmd' field of 'docker inspect' output, provided by docker-py
API and with proper normalization of user input by splitting it to
tokens with 'shlex.split()'.
nics is a great flexible parameter, but it's wordy. Shade now supports
a simple parameter too, which is just "network" and takes a name or id.
Add passthrough support.
In addition to supporting booting from a pre-existing volume, nova and
shade both support the concept of booting from volume based on an image.
Pass the parameters through.
Shade supports boot-time attachment of additional volumes for OpenStack
instances. Pass through the parameter so that ansible users can also
take advantage of this.
* This keeps us from hitting bugs in repoquery/yum plugins in certain
instances (#2559).
* The previous is also a small performance boost
* Also in is_installed(), when using the yum API, return if we detect
a package name has been installed. We don't need to also check
virtual provides in that case. This is another small performance
boost.
* Sort the list of packages returned by the list parameter.
If this is not set, Ansible parses the parameter as a string.
This is fine if the parameter is not provided by the caller, but
if it is set to False or True explicitly, ec2_vol receives this as
the string 'False' or the string 'True', both of which are truthy.
Thus, without this fix, setting the parameter results in encryption
always enabled.
If the requirements contains a repos url it will always report 'Successfully
installed'; there is no difference in the output to tell apart if
anything new was pulled. Use freeze to detect if the environment changed
in any way.
Should fixansible/ansible#1705
added mysql 5.7 user password modification support with backwards compatibility
resolved mysql server version check and differences in user authentication management
explicitly state support for mysql_native_password type and no others. fixed some failing logic and updated samples
updated comment to actually match logic.
simplified conditionals and a little refactor
Since use_unsafe_shell is suspicious from a security point
of view (or it wouldn't be unsafe), the less we have, the less
code we have to toroughly inspect for a security audit.
Warning catches typos in the filename. Since the playbook is saying
"make sure this user doesn't have an entry" it makes more sense to warn
than to error.
Fixes#2619
The parameters 'diff_peek' and 'validate' are not expected to be used
by users. They are internal. To make it clear, this change adds the
comments 'Internal use only' to each of those definitions to make
it clear that they are actually used, just not by end-users.
The 'diff_peek' option isn't documented at all, and provides a
rudimentary check that the content isn't binary. Documentation is
added to explain the option.
The 'validate' option has a declaration, but isn't implemented.
Therefore it may as well be removed from the module.
Previously, the `promote` command in the `rds` module would always return OK and never actually promote an instance. This was because `promote_db_instance()` had its conditions backwards: if the instance had the `replication_source` attribute indicating that it **was** a replica, it would set `changed = False` and do nothing. If the instance **wasn't** a replica, it would attempt to run `boto.rds.promote_read_replica()`, which would always fail.
'exact_count' and 'state' are mutually exclusive options they should not be in the following examples:
- # Enforce that 5 running instances named "database" with a "dbtype" of "postgres" example and
- # Enforce that 5 instances with a tag "foo" are running
The yum module allows the 'name' parameter to be given as 'pkg', in
a similar way to some of the other package managers. This change
documents this alias.
The module's 'state' parameter has two other aliases, in line with
the 'apt' action; the 'state' parameter can take 'installed' as an
alias for 'present', and 'removed' as an alias for 'absent'. These
aliases are documented.
The min_disk and min_ram parameters were not being passed to
the shade API. They also need to be integer values. Also
updated the description of these parameters for better
clarification.
There was no db restore example. I've provided one that shows how to do the restore, then add a security group (you cannot add the security group during the restore step -- it has to be done in a modify step afterward). Also, I show how to get the endpoint.
Absent unction was not working on user with login profile
also fixed the exception handling
fixed the delete user function
now works with or without loginprofile (password)
typo
have `os_server_facts` call `list_servers` rather than `get_server`, and
treat the `server` parameter as a wildcard pattern. This permits one to
get facts on a single server:
- os_server:
server: webserver1
On mutiple servers:
- os_server:
server: webserver*
Or on all servers:
- os_server:
Introduces a `detailed` parameter to request additional server details
at the cost of additional API calls.
When this was treated as a boolean, sphinx was leaving the Default
column on http://docs.ansible.com/ansible/ec2_module.html blank,
implying it would use AWS's default. In reality, it passes False, which
overrides the defaults at AWS (it's possible to boot an instance which
AWS claims will always have EBS optimization without it because of this
silently passed False).
The pysphere VIVirtualMachine.clone() method supports specifying a VM
folder to place the VM in after the clone has completed. This exposes
that functionality to playbooks.
Also documents that creating VMs could always place VMs in a specific
folder.
Closes#1189.
This will cause the settings in Ansible to override the system settings.
That will have no effect except on systems that have an out-of-Ansible
configuration that disables automatic installation of recommended
packages. Previously, ansible would use the OS default whenever
install_recommends wasn't part of the playbook. This change will cause
the Ansible default configuration setting of installing recommended
packages to override the configuration files set on the OS for things
installed through ansible, even when there is no install_recommends
specified in the playbook. Because the OS default matches the Ansible
default, this shouldn't have wide impact.
Give user a course of action in the case where the suggestions do not
work. This will hopefully allow us to work through any further issues
much faster.
Check commit enables using tls when using the docker_image module. It
also removes the default for docker_url which doesn't allow us to check
for DOCKER_HOST which is a more sane default. This allows you to use
docker_image on OSX but more documentation is needed.
* reading from a socket that gave some data we weren't looking for and
then closed.
* read from a socket that stays open and never sends data.
* reading from a socket that sends data but not the data we're looking
for.
Fixes#2051
with this commit, the `security_groups` attribute for `os_port` will
accept either a common-delimited string or ` YAML list. That is, either
this:
- os_port:
[...]
security_groups: group1,group2
Or this:
- os_port:
[...]
security_groups:
- group1
- group2
This commit allows the `security_groups` parameter of the `os_server`
module to be either a YAML list or a common-delimited string (much like
the `nics` attribute). E.g., this:
- os_nova_server:
[...]
security_groups:
- default
- webserver
Or this:
- os_nova_server:
[...]
security_groups: default,webserver
The `os_security_group` module would fail if there was no `description:`
attribute:
localhost | FAILED! => {
"changed": false,
"failed": true,
"msg": "Error creating security group larstest: Invalid input for
description. Reason: 'None' is not a valid string."
}
This commit makes the default description `''` rather than `None`.
The `os_network` module was incorrectly returning changed=False whether
or not the network was created. This commit makes the changed return
value useful.
make os_subnet behave like os_network in terms of returning information
about the created resource. With this commit, os_subnet will return the
created subnet in `subnet` and the subnet id in `id`.
Specifically, the stat module now has a checksum_algorithm parameter.
This lets the module utilize one of the hash algorithms available on the host
to return the checksum of the file.
This change is backwards compatible. The checksum_algorithm defaults to
sha1 and still returns its result to the stat.checksum property.
Allow the 'interfaces' attribute to represent internal router
interfaces, composed of subnet names, and the 'external_fixed_ips'
attribute to represent external interface subnet/IP.
This commit adds some unit tests for the `cloud.openstack.os_server`
module. These tests exercise `_network_args` thoroughly and
`_create_server` lightly.
These tests will **fail** until #2275 lands.
To run the tests:
pip install -r test-requirements.txt
PYTHONPATH=$PWD py.test
The existing code was receiving a list of strings and erroneously
assuming it was being given a list of dictionaries, leading it to fail
with:
AttributeError: 'str' object has no attribute 'get'
This commit corrects the list handling code to check the type of each
item and handle it appropriately. Also, based on bcoca's comment
in #2253, thie code removes the special case for a string-only argument.
By transforming string arguments into dicts and then handling them like
any other dict argument, this also permits arguments of the form:
nics: net-name=mynet
Or:
nics: port-name=mynet
Previous versions of this code only supported `net-id` and `port-id` in
string specifications.
There was a parameter in the docs called 'public_ip' that didn't
actually exist. Additionally, auto_floating_ip is not consistent with
the underlying parameter which is auto_ip - for no good reason.
Add auto_ip as the real parameter, and then make public_ip and
auto_floating_ip as aliases for it for backwards compatability.
Fixes#2301
This patch adds support to setting metadata key/value through a string
argument. Variables can now be used for both the metadata key and
value.
example:
meta: "{{ var1 }}:SomeValue,key:{{ var2 }}"
Changed=true now reported on new volume.
Only detach volume when instance is specified as 'None' or '' rather than whenever instance is not specified at all
Fix regression caused by 6b27cdc where by no volume is created if id or Name is not supplied
Remove unnecessary empty aliases
Corrected example to use acceptable parameter for ions
Added exception handling to get_all_instances call
Moved the attachment state validation code to attach_volume function rather than create_volume function
Refactored attach_volume and detach_volume so that changed state can be passed back to call
Created get_volume_info function so that state=present and state=list can return the same data. Also added instance_id as a returned value in attachment_set dict
Updated aws connection method so that boto profile can be used
When pulling an image using Docker 1.8, it seems the output
JSON stream has an empty dict at the very end. This causes
ansible to fail when pulling an image, as it's expecting a
status message in that dict which it uses to determine whether
it had to download the image or not. As a bit of an ugly hack
for that which remains backward compatible, try the last item
in the stream, and if it's an empty dict, take the last-but-one
item instead.
The strip() is needed as the exact value appears to be '{}/r/n';
we could just match that, but it seems like the kind of thing
where maybe it'd happen to just be '{}/n' or '{}' or something
in some cases, so let's just use strip() in case.
A recent change [1] in docker between v1.8.2 and v1.8.3 changed what
is returned in the json when inspecting an image. Five variables which
could have been expected before will now be omited when empty. Only
one of those variables is being addressed in the docker, ExposedPorts.
Unfortunately there was also no API version change on this so this
can't be easily corrected with pinning the API to the older version.
This does a get() which will return None if the variable is not in the
dict formed from the json that was returned. Everything else works the
same way.
[1] 9098628b29
Without this, «ec2: state=stopped instance_ids=…» would fail with a
traceback like this:
if inst.get_attribute('sourceDestCheck')['sourceDestCheck'] != source_dest_check:
NameError: global name 'source_dest_check' is not defined
Detached head detection seems to have broken somewhere a long the way
because git decided to change how that situation looks when doing a 'git
branch -a' which is performed by get_branches().
This is how git 1.7.1 displays this situation (which works):
shell> git branch -a
* (no branch)
master
This is the output from git 1.8.3.1 (which does not work):
shell> git branch -a
* (detached from e132711)
master
It looks like this same wording is used in the most recent version of
git (2.6.1 as of writing this).
Both `source_dest_check` and `termination_protection` variables are not
available within the scope of the startstopec2 instance method. This just
pulls them from module.params.
With shade > 0.13.0, networks can be created that are externally
accessible. This adds a parameter for that.
Also, add RETURN documentation and 'if __name__' check around call
to main().
I think in this commit 720aeffca2
There was bug introduced where the ElastiCacheManager init method has
a number of positional arguments like so.
```py
def __init__(self, module, name, engine, cache_engine_version, node_type,
num_nodes, cache_port, parameter_group, cache_subnet_group,
cache_security_groups, security_group_ids, zone, wait,
hard_modify, region, **aws_connect_kwargs):
```
But then later in the code the positional arguments are passed in
like this.
```py
elasticache_manager = ElastiCacheManager(module, name, engine,
cache_engine_version, node_type,
num_nodes, cache_port,
cache_subnet_group,
cache_security_groups,
security_group_ids, parameter_group, zone, wait,
hard_modify, region, **aws_connect_kwargs)
```
If you count, you can see that cache_subnet_group, is being passed in
where the manager expects to see parameter_group.
There can be instances during an Ansible play where the list of subnets
currently available from OpenStack is required. This update provides
subnet list functionality as a new os_subnets_facts module.
There can be instances during an Ansible play where the list of networks
currently available from OpenStack is required. This update provides
network list functionality as a new os_networks_facts module.
An attempt to make clear how privilege escalation works with respect to the src/source host and dest/destination host. One existing note was incorporated into three new ones, iterating each.
It is not documented in [the Ansible doc page][1] nor
[the BSD setfacl man entry][2] (which means it might not be compatible
with BSD) so removing it does not break the API.
On the other hand, it does not conform with POSIX 1003.1e DRAFT
STANDARD 17 according to the [Linux setfacl man entry][3] so safer to
remove.
Finally, the most important reason: in non POSIX 1003.e mode, only ACL
entries without the permissions field are accepted, so having an
optional field here is very much error-prone.
[1]: http://docs.ansible.com/ansible/acl_module.html
[2]: http://www.freebsd.org/cgi/man.cgi?format=html&query=setfacl(1)
[3]: http://linuxcommand.org/man_pages/setfacl1.html
This patch allows the hostname module to detect and set the hostname for a
Kali Linux 2.0 installation. Without this patch, the hostname module raises
the following error
hostname module cannot be used on platform Linux (Kali)
Kali is based off of Debian.
Fixes https://github.com/ansible/ansible/issues/11768
Test plan:
- (in a Vagrant VM) created a user 'bob' with no ssh key
- ran the following playbook in check mode:
---
- hosts: trusty
tasks:
- user: name=bob state=present generate_ssh_key=yes
- saw that ansible-playbook reported "changes=1"
- saw that /home/bob/.ssh was still absent
- ran the playbook for real
- saw that /home/bob/.ssh was created
- ran the playbook in check mode again
- saw that ansible-playbook reported no changes
- tried a variation with a different username for a user that didn't
exist: ansible-playbook --check worked correctly (no errors, reported
"changed")
PR #1651 fixed issue #1515 but the requirement for path to be defined is unecessarily strict. If the user has previously been created a path isn't necessary.
This patch properly fixes bug 1226 without introducing a breaking
change to idempotency which was introduced in PR #1358
We can properly assign permissions to databases with a '.' in the name
of the database as well as assign priviliges to all databases as
specified with '*'
While this change doesn't break the creation, it does break
idempotency. This change will convert '*.*' to '`*`.*' which is
functionally the same, however when the user_mod() function looks up
the current privileges with privileges_get() it will read '*.*'
Since '*.*' != '`*`.*' it will go through the process of updating the
privleges always resulting in a 'changed' result.
This reverts commit db9ab9b262.
- Make build_entry compatible with Python 2.4
- Re-add missing warning/comment that was forgotten while refactoring
- Replace `all()` with a good ol' for-loop Python 2.4 compatibility
- Make a condition check more explicit (when `state` is `query`)
- Make sure this module can only be run with on a Linux distribution
- Add a note about Linux-only support in the documentation
- Set the version in which recursive support was added, 2.0
By default `.get()` will return `None` on a key that doesn't exist. This
causes a `TypeError` in the `for` loop a few lines down. This change simply
returns an iterable type to avoid the error.
I have a task like this in a playbook. The ansible_ssh_user is 'root'
for this host.
- cron:
hour: 00
job: /home/backup/backup.sh
name: baserock.org data backup
user: backup
Running it gave me the following error:
TASK: [backup cron job, runs every day at midnight] ***************************
failed: [baserock-backup1] => {"failed": true}
msg: crontab: can't open '/tmp/crontabvVjoZe': Permission denied
crontab: user backup cannot read /tmp/crontabvVjoZe
The temporary file created by the 'cron' module is created with the
Python tempfile.mkstemp() function. This creates a file that is readable
only by 'root' (mode 600). The Busybox `crontab` program then checks if
the file is readable by the 'backup' user, and fails if it isn't. So we
need to make sure the file is world-readable before running `crontab`.
This was originally required to allow other methods in SourcesList to
fail, but subsequent changes rendered that unnecessary, and it's just
a cleanup now, and avoids passing in module separately to save().
1. Don't test check_mode in both the caller and in the callee.
2. Don't test HAVE_PYTHON_APT inside an if that tests HAVE_PYTHON_APT
3. Don't be irritatingly vague about why the module fails ("You may be
seeing this because…").
Note that if «apt-get -y install python-apt» succeeds with rc==0, but
for some reason python_apt is not usable afterwards, this will break
because the imports in install_python_apt aren't wrapped inside a
try/except.
In other words, we assume that install_python_apt either succeeds or
fails with a traceback. This commit doesn't affect that behaviour.
Some things cannot be updated via the API, so check for those and fail
if the user is wanting to update them. Also don't try to update ipv6
stuff, as that doesn't work and will cause a traceback.
If `docker.__version__` contains non-digit characters, such as:
>>> import docker
>>> docker.__version__
'1.4.0-dev'
Then `get_docker_py_versioninfo` will fail with:
ValueError: invalid literal for int() with base 10: '0-de'
This patch corrects the parsing of the version string so that
`get_docker_py_versioninfo` in this example would return:
(1, 4, 0, '-dev')
If `password` is defined as `*` `useradd` or `usermod` returns an error:
msg: usermod: Invalid password: `*'
This works very well on Linux host to not define any password for a
user (mainly useful if your setup is only based on SSH keys for
auth). On OpenBSD this does not work, so we have to ignore the encrypted
password parameter if it defined as `*`.
Docs imply the mysql_variables is used to operate a single variable therefore
- fail before making any db connections if variable is not set
- validate chars for mysql variable name with re.match(^[a-z0-9_]+)
- use "SHOW VARIABLE WHERE Variable_name" instead of LIKE search
- getvariable() returns only the value or None if variable is not found
- the module returns only the found variable value instead of tuple for easier operation eg. as registere variable in tasks
My project is using Ansible to automate cloud build process. Ansible has a core module gce.py for managing GCE instances.
We've come across a use case that's not yet supported - when executing ansible-playbook, if a child template is included, then metadata which is defined in and propagated from the mother template is treated as string type and not parsed correctly(which instead is dictionary type), and triggers release flow failure.
We currently put some fix by explicitly casting metadata to string type in our own branch, but would like to contribute the fix to Ansible so that everyone onboarding GCE and using Ansible for release management could benefit from it, or hear owner's opinion on fixing the issue if there's a better fix in owner's mind:)
Django since version 1.7 has built-in migrations, so no need to have south installed with recent django versions. The 'migrate' command works with built-in migrations without any change, but the output is different than the output produced by south, which breaks idempotence. This commit fixes this.
This is mlosev's patch (from #1208), rebased against devel as of
2790af2. It resolves#1707, which was caused by an API incompatibility
between the docker module and server API version 1.19.
There was a catch-all `except` statement in `create_containers`:
try:
containers = do_create(count, params)
except:
self.pull_image()
containers = do_create(count, params)
This would mask a variety of errors that should be exposed, including
API compatability errors (as in #1707) and common Python exceptions (KeyError, ValueError, etc) that could result from errors in the code.
This change makes the `except` statement more specific, and only attempts to pull the image and start a container if the original create attempt failed due to a 404 error from the docker API.
The `docker` Python module only accepts `None` or `'host'` as arguments.
This makes it difficult to conditionally set the `pid` attribute using
standard Ansible syntax.
This change converts any value that evaluates as boolean `False` to
`None`, which includes empty strings:
pid:
As well as an explicit `false`:
pid: false
This permits the following to work as intended:
- hosts: localhost
tasks:
- name: starting container
docker:
docker_api_version: 1.18
image: larsks/mini-httpd
name: web
pid: "{{ container_pid|default('') }}"
If `container_pid` is set to `host` somewhere, this will create a
Docker container with `pid=host`; otherwise, this will create a
container with normal isolated pid namespace.
- Modified data type for port definition from string to integer
- Modified login_host default value for compatibilize with port definition according with MySQL Documentation (https://dev.mysql.com/doc/refman/5.0/en/connecting.html)
Port matching logic did not take into account recent shade change
to equate (None, None) to (1, 65535) when Nova is the backend.
Also, this encapsulates the port matching logic into a single function
and heavily documents the logic.
Port range min/max values are at times represented as string and
compared to int equivalents. This fix explicitly ensures all
port range values are ints for proper comparisons.
This allows the rules module to work against either nova or neutron
for handling security groups. New parameters for 'direction' and
'ethertype' are added.
Check mode is supported with this version.
Shade 0.7.0 normalized the security group data that is returned,
when using nova, to look more like neutron security group data.
This adjusts for that change.
This change is in response to issue #1515.
Original pull request #1580.
The original problem is: in authorized_key module you have no idea about users
which will be created by Ansible at first run. I can propose next two ways to
solve this problem:
1. Combine modules system/user.py and system/authorized_key.py in one module
(so you will know everything about users in that module)
2. Use small workaround: add my commit and always provide 'path' parameter
for authorized_key module during runs with --check option.
