cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
ansible/docs/docsite/rst/porting_guides/porting_guide_base_2.11.rst
Sandra McCann b9a406f890
Docs [2.10] Backportapalooza 6 (#71129) 
* Misc typo fixes (#71089)

(cherry picked from commit 504ef607f3)

* Add some documentation for the format of meta/runtime.yml (#71035)

* Document the format of meta/runtime.yml

* Document multiple Ansible versions

Clarify difference between deprecation and tombstone fields

* add note

(cherry picked from commit a9eb8b0488)

* add note to uninstall older versions of ansible for pip (#71023)

* add note to uninstall older versions of ansible for pip

* combine with the other PR

(cherry picked from commit 72d3d44163)

* VMware: Inventory scenario guide for hostnames (#71055)

Added a scenario guide for ``hostnames`` parameter
for vmware_vm_inventory.

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
(cherry picked from commit 0055673c70)

* Document string tests a bit more (#71049)

- Explain how `regex` differs from `match` and `search`.
- Document `multiline` and `ignorecase`.

Signed-off-by: Rick Elrod <rick@elrod.me>
(cherry picked from commit 701c638757)

* docs: Add a note about package requirements for fact gathering (#70796)

Fixes: #26148

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
(cherry picked from commit a6725d6e2a)

* added note about fakeroot (#71018)

see #70895

(cherry picked from commit 11a31e99e6)

* Update documentation of httpapi's handle_httperror method for clarity (#70991)

(cherry picked from commit a0523e5b8a)

* DOCS: add 2.10 collections roadmap (#70975)

* draft of 2.10 collections roadmap

* incorporates feedback from felixfontein

* gundalow and samccann feedback, fix link

Co-authored-by: Alicia Cozine <acozine@users.noreply.github.com>
(cherry picked from commit 9879da8e23)

* updates changelog types; some updates for easier translation (#71027)

Co-authored-by: Alicia Cozine <acozine@users.noreply.github.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
(cherry picked from commit 4f4436c124)

* Document common return values with examples (#71046)

* adding return value examples
* shift to console code blocks
* cleaning up whitespace and shortening invocation example
* reordering diff section

(cherry picked from commit 864573a38d)

* Update intro_getting_started.rst (#71039)

Added two additional learning resources in the See also: section- forgot closing backticks

(cherry picked from commit 9850915bd6)

* Guide users to use ansible-runner (#71063)

Update the docs to guide users to use `ansible-runner` instead of using Python API directly. In many use cases, executing Ansible playbooks are sufficient. In those use cases, `ansible-runner` is easier and much stable to use comparing with Python API, but there is no mention of it.

(cherry picked from commit 0c855dc70b)

* Porting guides for ansible-base 2.10 and ansible 2.10 (#70891)

* Fix changelog link title.

* Rename Ansible 2.10 and 2.11 porting guides to Ansible-base porting guides.

* Add stub for automatically generated 2.10 porting guide.

* Move things that should not be in the ansible-base porting guide to the ansible porting guide.

* Apply changes to base porting guides.

* Add remark that ansible-base is mainly for developers.

* Ansible Base -> Ansible-base

* Fix link in base porting guide.

* Add generated porting guide.

* Use same header signs as antsibull-changelog's RST builder.

* Update generated porting guide.

(cherry picked from commit 61b36c6f30)

* Update network platform guides with FQCN (#70699)

* fqcn all the docs things!

(cherry picked from commit 54bee7152b)

* Document how to upgrade to ansible with pip (#70768)

Fixes #70348

(cherry picked from commit 5019335660)

* document how to migrate between collections (#70243)

* document how to migrate between collections
* Apply suggestions from code review

Co-authored-by: John R Barker <john@johnrbarker.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
(cherry picked from commit 58145dff9c)

* remove github link from plugins (#70951)

(cherry picked from commit e28b20d729)

* Add latest rc from ansible-base (#70974)

* Add latest rc from ansible-base

(cherry picked from commit d62dffafb3)

* Document to_json will convert to ASCII strings by default (#70954)

... as reported in issue #68702

(cherry picked from commit 8c48366f1c)

* Update the porting guide for ansible-2.10.0a8 (#71141)

(cherry picked from commit 0a9638ce4b)

Co-authored-by: Abhijeet Kasurde <akasurde@redhat.com>
Co-authored-by: Sloane Hertel <shertel@redhat.com>
Co-authored-by: Rick Elrod <rick@elrod.me>
Co-authored-by: Brian Coca <bcoca@users.noreply.github.com>
Co-authored-by: Nathaniel Case <ncase@redhat.com>
Co-authored-by: Alicia Cozine <879121+acozine@users.noreply.github.com>
Co-authored-by: Terciero <terciero@users.noreply.github.com>
Co-authored-by: Brendon O'Sullivan <49501251+bjosullivan@users.noreply.github.com>
Co-authored-by: EthanHur <ethan0311@gmail.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Baptiste Mille-Mathias <baptiste.millemathias@gmail.com>
Co-authored-by: Toshio Kuratomi <a.badger@gmail.com>
2020-08-07 16:04:19 -05:00

156 lines
11 KiB
ReStructuredText
Raw Blame History

.. _porting_2.11_guide_base:
*******************************
Ansible-base 2.11 Porting Guide
*******************************
This section discusses the behavioral changes between Ansible-base 2.10 and Ansible-base 2.11.
It is intended to assist in updating your playbooks, plugins and other parts of your Ansible infrastructure so they will work with this version of Ansible-base.
We suggest you read this page along with the `Ansible-base Changelog for 2.11 <https://github.com/ansible/ansible/blob/stable-2.11/changelogs/CHANGELOG-v2.11.rst>`_ to understand what updates you may need to make.
Ansible-base is mainly of interest for developers and users who only want to use a small, controlled subset of the available collections. Regular users should install ansible.
The complete list of porting guides can be found at :ref:`porting guides <porting_guides>`.
.. contents::
Playbook
========
* Fixed a bug on boolean keywords that made random strings return 'False', now they should return an error if they are not a proper boolean
Example: `diff: yes-` was returning `False`.
* A new fact, ``ansible_processor_nproc`` reflects the number of vcpus
available to processes (falls back to the number of vcpus available to
the scheduler).
Command Line
============
No notable changes
Deprecated
==========
* Windows Server 2008 and 2008 R2 will no longer be supported or tested in the next Ansible release, see :ref:`windows_faq_server2008`.
Modules
=======
Change to Default File Permissions
----------------------------------
To address CVE-2020-1736, the default permissions for certain files created by Ansible using ``atomic_move()`` were changed from ``0o666`` to ``0o600``. The default permissions value was only used for the temporary file before it was moved into its place or newly created files. If the file existed when the new temporary file was moved into place, Ansible would use the permissions of the existing file. If there was no existing file, Ansible would retain the default file permissions, combined with the system ``umask``, of the temporary file.
Most modules that call ``atomic_move()`` also call ``set_fs_attributes_if_different()`` or ``set_mode_if_different()``, which will set the permissions of the file to what is specified in the task.
A new warning will be displayed when all of the following conditions are true:
- The file at the final destination, not the temporary file, does not exist
- A module supports setting ``mode`` but it was not specified for the task
- The module calls ``atomic_move()`` but does not later call ``set_fs_attributes_if_different()`` or ``set_mode_if_different()`` with a ``mode`` specified
The following modules call ``atomic_move()`` but do not call ``set_fs_attributes_if_different()`` or ``set_mode_if_different()`` and do not support setting ``mode``. This means for files they create, the default permissions have changed and there is no indication:
- M(known_hosts)
- M(service)
Code Audit
~~~~~~~~~~
The code was audited for modules that use ``atomic_move()`` but **do not** later call ``set_fs_attributes_if_different()`` or ``set_mode_if_different()``. Modules that provide no means for specifying the ``mode`` will not display a warning message since there is no way for the playbook author to remove the warning. The behavior of each module with regards to the default permissions of temporary files and the permissions of newly created files is explained below.
known_hosts
^^^^^^^^^^^
The M(known_hosts) module uses ``atomic_move()`` to operate on the ``known_hosts`` file specified by the ``path`` parameter in the module. It creates a temporary file using ``tempfile.NamedTemporaryFile()`` which creates a temporary file that is readable and writable only by the creating user ID.
service
^^^^^^^
The M(service) module uses ``atomic_move()`` to operate on the default rc file, which is the first found of ``/etc/rc.conf``, ``/etc/rc.conf.local``, and ``/usr/local/etc/rc.conf``. Since these files almost always exist on the target system, they will not be created and the existing permissions of the file will be used.
**The following modules were included in Ansible <= 2.9. They have moved to collections but are documented here for completeness.**
authorized_key
^^^^^^^^^^^^^^
The M(authorized_key) module uses ``atomic_move()`` to operate on the the ``authorized_key`` file. A temporary file is created with ``tempfile.mkstemp()`` before being moved into place. The temporary file is readable and writable only by the creating user ID. The M(authorized_key) module manages the permissions of the the ``.ssh`` direcotry and ``authorized_keys`` files if ``managed_dirs`` is set to ``True``, which is the default. The module sets the ``ssh`` directory owner and group to the ``uid`` and ``gid`` of the user specified in the ``user`` parameter and directory permissions to ``700``. The module sets the ``authorized_key`` file owner and group to the ``uid`` and ``gid`` of the user specified in the ``user`` parameter and file permissions to ``600``. These values cannot be controlled by module parameters.
interfaces_file
^^^^^^^^^^^^^^^
The M(interfaces_file) module uses ``atomic_move()`` to operate on ``/etc/network/serivces`` or the ``dest`` specified by the module. A temporary file is created with ``tempfile.mkstemp()`` before being moved into place. The temporary file is readable and writable only by the creating user ID. If the file specified by ``path`` does not exist it will retain the permissions of the temporary file once moved into place.
pam_limits
^^^^^^^^^^
The M(pam_limits) module uses ``atomic_move()`` to operate on ``/etc/security/limits.conf`` or the value of ``dest``. A temporary file is created using ``tempfile.NamedTemporaryFile()``, which is only readable and writable by the creating user ID. The temporary file will inherit the permissions of the file specified by ``dest``, or it will retain the permissions that only allow the creating user ID to read and write the file.
pamd
^^^^
The M(pamd) module uses ``atomic_move()`` to operate on a file in ``/etc/pam.d``. The path and the file can be specified by setting the ``path`` and ``name`` parameters. A temporary file is created using ``tempfile.NamedTemporaryFile()``, which is only readable and writable by the creating user ID. The temporary file will inherit the permissions of the file located at ``[dest]/[name]``, or it will retain the permissions of the temporary file that only allow the creating user ID to read and write the file.
redhat_subscription
^^^^^^^^^^^^^^^^^^^
The M(redhat_subscription) module uses ``atomic_move()`` to operate on ``/etc/yum/pluginconf.d/rhnplugin.conf`` and ``/etc/yum/pluginconf.d/subscription-manager.conf``. A temporary file is created with ``tempfile.mkstemp()`` before being moved into place. The temporary file is readable and writable only by the creating user ID and the temporary file will inherit the permissions of the existing file once it is moved in to place.
selinux
^^^^^^^
The M(selinux) module uses ``atomic_move()`` to operate on ``/etc/selinux/config`` on the value specified by ``configfile``. The module will fail if ``configfile`` does not exist before any temporary data is written to disk. A temporary file is created with ``tempfile.mkstemp()`` before being moved into place. The temporary file is readable and writable only by the creating user ID. Since the file specified by ``configfile`` must exist, the temporary file will inherit the permissions of that file once it is moved in to place.
sysctl
^^^^^^
The M(sysctl) module uses ``atomic_move()`` to operate on ``/etc/sysctl.conf`` or the value specified by ``sysctl_file``. The module will fail if ``sysctl_file`` does not exist before any temporary data is written to disk. A temporary file is created with ``tempfile.mkstemp()`` before being moved into place. The temporary file is readable and writable only by the creating user ID. Since the file specified by ``sysctl_file`` must exist, the temporary file will inherit the permissions of that file once it is moved in to place.
.. warning::
Links on this page may not point to the most recent versions of modules. We will update them when we can.
Noteworthy module changes
-------------------------
* Ansible modules created with ``add_file_common_args=True`` added a number of undocumented arguments which were mostly there to ease implementing certain action plugins. The undocumented arguments ``src``, ``follow``, ``force``, ``content``, ``backup``, ``remote_src``, ``regexp``, ``delimiter``, and ``directory_mode`` are now no longer added. Modules relying on these options to be added need to specify them by themselves.
* Ansible no longer looks for Python modules in the current working directory (typically the ``remote_user``'s home directory) when an Ansible module is run. This is to fix becoming an unprivileged user on OpenBSD and to mitigate any attack vector if the current working directory is writable by a malicious user. Install any Python modules needed to run the Ansible modules on the managed node in a system-wide location or in another directory which is in the ``remote_user``'s ``$PYTHONPATH`` and readable by the ``become_user``.
Plugins
=======
Lookup plugin names case-sensitivity
------------------------------------
* Prior to Ansible ``2.10`` lookup plugin names passed in as an argument to the ``lookup()`` function were treated as case-insensitive as opposed to lookups invoked via ``with_<lookup_name>``. ``2.10`` brings consistency to ``lookup()`` and ``with_`` to be both case-sensitive.
Noteworthy plugin changes
-------------------------
* Cache plugins in collections can be used to cache data from inventory plugins. Previously, cache plugins in collections could only be used for fact caching.
* Some undocumented arguments from ``FILE_COMMON_ARGUMENTS`` have been removed; plugins using these, in particular action plugins, need to be adjusted. The undocumented arguments which were removed are ``src``, ``follow``, ``force``, ``content``, ``backup``, ``remote_src``, ``regexp``, ``delimiter``, and ``directory_mode``.
Action plugins which execute modules should use fully-qualified module names
----------------------------------------------------------------------------
* Action plugins that call modules should pass explicit, fully-qualified module names to ``_execute_module()`` whenever possible (eg, ``ansible.builtin.file`` rather than ``file``). This ensures that the task's collection search order is not consulted to resolve the module. Otherwise, a module from a collection earlier in the search path could be used when not intended.
Porting custom scripts
======================
No notable changes
Networking
==========
No notable changes
Reference in a new issue View git blame Copy permalink