--check shows changes that won't actually happen


Romain Richard

Sep 8, 2014, 6:10:38 PM9/8/14
to ansible...@googlegroups.com
Hi,

We have a playbook to manage SSH keys on our servers (we are not using the authorized_key module because it appends users' keys without ever deleting the old ones).
For that we created a template to gather all the SSH keys based on the different roles and groups, which is working fine except when using the --check option.
When using that option, Ansible will show changes that are not going to happen when the playbook is run without the option.

As an example:

$ ansible-playbook keys.yml --limit somehost --check
[...]
somehost : ok=15   changed=4    unreachable=0    failed=0

$ ansible-playbook keys.yml --limit somehost
[...]
somehost : ok=15   changed=0    unreachable=0    failed=0


The changes concern the authorized_key file (here 4 changes because the playbook deploys 4 users).
Here's an extract of the output of the command when run with the --diff option:

$ ansible-playbook keys.yml --limit somehost --check --diff
[...]
 ___________________________________________________
< TASK: keys | copy authorized key template to host >
 ---------------------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||


--- before: ~root/.ssh/authorized_keys
+++ after: /home/romain/workspace/it_ansible/roles/keys/templates/authorized_keys.j2
@@ -0,0 +1,4 @@
+ssh-rsa [...]
+ssh-rsa [...]
+ssh-rsa [...]
+ssh-rsa [...]
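Review bot: the hunk header `@@ -0,0 +1,4 @@` states that the before side (`--- before: ~root/.ssh/authorized_keys`) was read as zero lines, so every key rendered from the template is listed as an addition; on a host whose file already holds these four keys, that is only consistent with the check-mode run having seen the file as empty, for instance because it could not be read under the user and privilege escalation the task runs with. Reading the remote file under exactly those credentials and comparing with this before side would separate a genuine difference from a read failure.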

changed: [somehost]
[...]

The --check option is rendered useless since we can't trust it.
Any idea why this is happening? Does the --check option prevent Ansible from getting the authorized_key files from the remote hosts? What could we do to make the --check option behave as it should?

Michael DeHaan

Sep 8, 2014, 7:01:30 PM9/8/14
to ansible...@googlegroups.com
Replies inline...


On Mon, Sep 8, 2014 at 6:10 PM, Romain Richard <romain.richar...@gmail.com> wrote:
Hi,

We have a playbook to manage SSH keys on our servers (we are not using the authorized_key module because it appends users' keys without ever deleting the old ones).


This is because it's only got the key to go with.

This could be handled by having a previous task that copied a blank file over, provided you weren't logged in as that user.

You could also keep a list of previous keys and use state=absent to remove those.

I'm open to the idea of having a parameter like exclusive=yes that removes the other keys in the file.

 
For that we created a template to gather all the SSH keys based on the different roles and groups, which is working fine except when using the --check option.
When using that option, Ansible will show changes that are not going to happen when the playbook is run without the option.


Some ansible modules don't fully understand check mode and will report "changed=True" automatically without running in check mode rather than risk making a change.

This doesn't apply to authorized_key though, it *does* support check mode.

Can we see the changed lines from your ansible playbook, as well as the output of ansible --version to confirm this is from those lines and a recent version of Ansible?

Thanks!
In this case it is showing that there would be additions from your template that are not in the original file, so it seems that it is returning accurately in this regard.

Or is your assertion that the diff is *also* wrong?  That seems somewhat unlikely, but somewhat resembles what may be an older bug in Ansible -- I could be wrong.

Again, output of ansible --version would be helpful.
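An added illustration, not code from this thread or from Ansible itself: a small check-mode style comparison for an authorized_keys file. It implements the "exclusive" semantics discussed above (keys not in the rendered template are scheduled for removal) and reports a remote file that could not be read as unknown instead of as empty, which is the one way a run that would change nothing can still be reported as "changed". The key strings and path are constructed placeholders, not real keys.

```python
from typing import Optional, List

# Constructed sample: the keys the template renders for one host.
# The base64 parts are placeholders, not real key material.
DESIRED = [
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0ALICE alice@example",
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0BOB bob@example",
]


def parse_keys(text: str) -> set:
    """Return the set of (type, base64) pairs found in an authorized_keys body.
    Comments, blank lines and option prefixes are ignored, so a reordered or
    re-commented key still counts as the same key."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # A key line is: [options] type base64 [comment]; locate the type token.
        for i, tok in enumerate(parts[:-1]):
            if tok.startswith("ssh-") or tok.startswith("ecdsa-"):
                keys.add((tok, parts[i + 1]))
                break
    return keys


def plan(current: Optional[str], desired: List[str], exclusive: bool = True) -> dict:
    """Compute what a real run would change. `current` is None when the remote
    file could not be read; that case is reported as unknown (changed=None)
    rather than being treated as an empty file."""
    if current is None:
        return {"changed": None, "add": [], "remove": [], "reason": "unreadable"}
    have = parse_keys(current)
    want = parse_keys("\n".join(desired))
    add = sorted(want - have)
    remove = sorted(have - want) if exclusive else []
    return {"changed": bool(add or remove), "add": add, "remove": remove, "reason": "ok"}


def read_current(path: str) -> Optional[str]:
    """Read the current file, distinguishing 'missing' (really empty) from
    'unreadable' (unknown)."""
    try:
        with open(path) as f:
            return f.read()
    except FileNotFoundError:
        return ""      # a missing file genuinely has no keys
    except PermissionError:
        return None    # do not pretend an unreadable file is empty
```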


Romain Richard

Sep 8, 2014, 7:26:50 PM9/8/14
to ansible...@googlegroups.com
Thanks for your reply, more info below.

On Monday, September 8, 2014 4:01:30 PM UTC-7, Michael DeHaan wrote:
This could be handled by having a previous task that copied a blank file over, provided you weren't logged in as that user.

That's not a bad idea, I will look into that.
 
You could also keep a list of previous keys and use state=absent to remove those.

That seems cumbersome.
 
I'm open to the idea of having a parameter like exclusive=yes that removes the other keys in the file.

Would sure make my task easier.
 
Some ansible modules don't fully understand check mode and will report "changed=True" automatically without running in check mode rather than risk making a change.

I see.
 
Can we see the changed lines from your ansible playbook, as well as the output of ansible --version to confirm this is from those lines and a recent version of Ansible?

$ ansible --version
ansible 1.6.3

Not sure what you meant by "the changed lines from your ansible playbook".

In this case it is showing that there would be additions from your template that are not in the original file, so it seems that it is returning accurately in this regard.
Or is your assertion that the diff is *also* wrong?  That seems somewhat unlikely, but somewhat resembles what may be an older bug in Ansible -- I could be wrong.

It seems that the diff is saying the same thing as the check, so I suppose it is not wrong, but it shows differences while there are actually none (if I had run the command again without the --check, there would have been no changes).
It makes me believe that what Ansible feeds to the diff is wrong, because of that --check option.

Michael DeHaan

Sep 9, 2014, 11:47:06 AM9/9/14
to ansible...@googlegroups.com
Ansible 1.6.3 is no longer the active released version of Ansible, and since 1.6.3 there have been many updates, many security related.

When reporting issues, it's helpful to have tested at least the latest release, which is 1.7.1.

If you see diff issues there, let us know, but seeing you reported on 1.6.3 there's a good chance this is now resolved.

Thanks!


Romain Richard

Sep 9, 2014, 12:32:14 PM9/9/14
to ansible...@googlegroups.com
Installed Ansible 1.7.1 from the ppa:

$ ansible --version
ansible 1.7.1

And I am seeing the exact same output as with 1.6.3: the --check still reports that the authorized_keys files on the remote host are empty (the diff is still the same).

Michael DeHaan

Sep 9, 2014, 12:42:05 PM9/9/14
to ansible...@googlegroups.com
I'm wondering if this may be because it doesn't have permission to read them and the --diff flag has a buglet in it.

check should be generally fine, I would suspect the diff logic could be throwing it.

Does it report a change w/o --diff ?



Romain Richard

Sep 9, 2014, 12:54:36 PM9/9/14
to ansible...@googlegroups.com
Here's a summary:

                | with --diff | without --diff
----------------------------------------------
with --check    | changes     | changes
----------------------------------------------
without --check | no changes  | no changes

Michael DeHaan

Sep 9, 2014, 3:11:02 PM9/9/14
to ansible...@googlegroups.com
Ok please file a ticket and we can investigate.

Thanks!


