- ansible-test - Improve container runtime probe error handling. When unexpected probe output is encountered, an error with more useful debugging information is provided.
- ansible-test - Removed support for provisioning remote Windows 2012 and 2012-R2 instances.
- ansible-test - Removed the ``vyos/1.1.8`` network remote as it is no longer functional.
- ansible-test - Update ``pypi-test-container`` to version 3.1.0.
Security Fixes
--------------
- include_vars action - Ensure that result masking is correctly requested when vault-encrypted files are read. (CVE-2024-8775)
- task result processing - Ensure that action-sourced result masking (``_ansible_no_log=True``) is preserved. (CVE-2024-8775)
- user action won't allow ssh-keygen, chown and chmod to run on existing ssh public key file, avoiding traversal on existing symlinks (CVE-2024-9902).
Bugfixes
--------
- Fix ``SemanticVersion.parse()`` to store the version string so that ``__repr__`` reports it instead of ``None`` (https://github.com/ansible/ansible/pull/83831).
- runtime-metadata sanity test - do not crash on deprecations if ``galaxy.yml`` contains an empty ``version`` field (https://github.com/ansible/ansible/pull/83831).
- user action will now require O(force) to overwrite the public part of an ssh key when generating ssh keys, as was already the case for the private part.
- Fixes permission for cache json file from 600 to 644 (https://github.com/ansible/ansible/issues/82683).
- allow_duplicates - fix evaluating if the current role allows duplicates instead of using the initial value from the duplicate's cached role.
- ansible-test ansible-doc sanity test - do not remove underscores from plugin names in collections before calling ``ansible-doc`` (https://github.com/ansible/ansible/pull/82574).
- dnf5 - replace removed API calls
- unarchive modules now uses zipinfo options without relying on implementation defaults, making it more compatible with all OS/distributions.
- winrm - Do not raise another exception during cleanup when a task is timed out - https://github.com/ansible/ansible/issues/81095
- ansible-test - Add a work-around for permission denied errors when using ``pytest >= 8`` on multi-user systems with an installed version of ``ansible-test``.
Bugfixes
--------
- Fix an issue when setting a plugin name from an unsafe source resulted in ``ValueError: unmarshallable object`` (https://github.com/ansible/ansible/issues/82708)
- ANSIBLE_NO_LOG - Address issue where ANSIBLE_NO_LOG was ignored (CVE-2024-0690)
Bugfixes
--------
-``ansible-galaxy role import`` - fix using the ``role_name`` in a standalone role's ``galaxy_info`` metadata by disabling automatic removal of the ``ansible-role-`` prefix. This matches the behavior of the Galaxy UI which also no longer implicitly removes the ``ansible-role-`` prefix. Use the ``--role-name`` option or add a ``role_name`` to the ``galaxy_info`` dictionary in the role's ``meta/main.yml`` to use an alternate role name.
-``ansible-test sanity --test runtime-metadata`` - add ``action_plugin`` as a valid field for modules in the schema (https://github.com/ansible/ansible/pull/82562).
- ansible-config init will now dedupe ini entries from plugins.
- ansible-galaxy role install - normalize tarfile paths and symlinks using ``ansible.utils.path.unfrackpath`` and consider them valid as long as the realpath is in the tarfile's role directory (https://github.com/ansible/ansible/issues/81965).
- delegate_to when set to an empty or undefined variable will now give a proper error.
- unsafe data - Enable directly using ``AnsibleUnsafeText`` with Python ``pathlib`` (https://github.com/ansible/ansible/issues/82414)
- assert - Nested templating may result in an inability for the conditional to be evaluated. See the porting guide for more information.
Security Fixes
--------------
- templating - Address issues where internal templating can cause unsafe variables to lose their unsafe designation (CVE-2023-5764)
Bugfixes
--------
- ansible-pull now will expand relative paths for the ``-d|--directory`` option is now expanded before use.
- flush_handlers - properly handle a handler failure in a nested block when ``force_handlers`` is set (http://github.com/ansible/ansible/issues/81532)
- module no_log will no longer affect top level booleans, for example ``no_log_module_parameter='a'`` will no longer hide ``changed=False`` as a 'no log value' (matches 'a').
- modules/user.py - Add check for valid directory when creating new user homedir (allows /dev/null as skeleton) (https://github.com/ansible/ansible/issues/75063)
- role params now have higher precedence than host facts again, matching documentation, this had unintentionally changed in 2.15.
- wait_for should not handle 'non mmapable files' again.
- ansible-test - Windows 2012 and 2012-R2 instances are now requested from Azure instead of AWS.
Bugfixes
--------
- Fix ``run_once`` being incorrectly interpreted on handlers (https://github.com/ansible/ansible/issues/81666)
- Plugin loader does not dedupe nor cache filter/test plugins by file basename, but full path name.
- Properly template tags in parent blocks (https://github.com/ansible/ansible/issues/81053)
- Restoring the ability of filters/tests can have same file base name but different tests/filters defined inside.
-``import_role`` reverts to previous behavior of exporting vars at compile time.
- ansible-galaxy - Provide a better error message when using a requirements file with an invalid format - https://github.com/ansible/ansible/issues/81901
- ansible-inventory - index available_hosts for major performance boost when dumping large inventories
- ansible-test - Fix parsing of cgroup entries which contain a ``:`` in the path (https://github.com/ansible/ansible/issues/81977).
- ansible-galaxy dependency resolution messages have changed the unexplained 'virtual' collection for the specific type ('scm', 'dir', etc) that is more user friendly
Security Fixes
--------------
- ansible-galaxy - Prevent roles from using symlinks to overwrite files outside of the installation directory (CVE-2023-5115)
Bugfixes
--------
- Allow for searching handler subdir for included task via include_role (https://github.com/ansible/ansible/issues/81722)
-``ansible.module_utils.service`` - ensure binary data transmission in ``daemonize()``
-``ansible.module_utils.service`` - fix inter-process communication in ``daemonize()``
- ansible-galaxy - started allowing the use of pre-releases for collections that do not have any stable versions published. (https://github.com/ansible/ansible/pull/81606)
- ansible-galaxy - started allowing the use of pre-releases for dependencies on any level of the dependency tree that specifically demand exact pre-release versions of collections and not version ranges. (https://github.com/ansible/ansible/pull/81606)
- ansible-galaxy error on dependency resolution will not error itself due to 'virtual' collections not having a name/namespace.
- ansible-galaxy info - fix reporting no role found when lookup_role_by_name returns None.
- role deduplication - don't deduplicate before a role has had a task run for that particular host (https://github.com/ansible/ansible/issues/81486).
- uri/urls - Add compat function to handle the ability to parse the filename from a Content-Disposition header (https://github.com/ansible/ansible/issues/81806)
- winrm - Better handle send input failures when communicating with hosts under load
- vault and unfault filters - the undocumented ``vaultid`` parameter is deprecated and will be removed in ansible-core 2.20. Use ``vault_id`` instead.
Bugfixes
--------
- PowerShell - Remove some code which is no longer valid for dotnet 5+
- Prompting - add a short sleep between polling for user input to reduce CPU consumption (https://github.com/ansible/ansible/issues/81516).
- ansible-galaxy - Enabled the ``data`` tarfile filter during role installation for Python versions that support it. A probing mechanism is used to avoid Python versions with a broken implementation.
- ansible-test - Always use ansible-test managed entry points for ansible-core CLI tools when not running from source. This fixes issues where CLI entry points created during install are not compatible with ansible-test.
- first found lookup has been updated to use the normalized argument parsing (pythonic) matching the documented examples.
- handlers - the ``listen`` keyword can affect only one handler with the same name, the last one defined as it is a case with the ``notify`` keyword (https://github.com/ansible/ansible/issues/81013)
- include_role - expose variables from parent roles to role's handlers (https://github.com/ansible/ansible/issues/80459)
- tarfile - handle data filter deprecation warning message for extract and extractall (https://github.com/ansible/ansible/issues/80832).
- vault and unvault filters now properly take ``vault_id`` parameter.
- Removed ``exclude`` and ``recursive-exclude`` commands for generated files from the ``MANIFEST.in`` file. These excludes were unnecessary since releases are expected to be built with a clean worktree.
- Removed ``exclude`` commands for sanity test files from the ``MANIFEST.in`` file. These tests were previously excluded because they did not pass when run from an sdist. However, sanity tests are not expected to pass from an sdist, so excluding some (but not all) of the failing tests makes little sense.
- Removed redundant ``include`` commands from the ``MANIFEST.in`` file. These includes either duplicated default behavior or another command.
- The ``ansible-core`` sdist no longer contains pre-generated man pages. Instead, a ``packaging/cli-doc/build.py`` script is included in the sdist. This script can generate man pages and standalone RST documentation for ``ansible-core`` CLI programs.
- The ``docs`` and ``examples`` directories are no longer included in the ``ansible-core`` sdist. These directories have been moved to the https://github.com/ansible/ansible-documentation repository.
- Use ``include`` where ``recursive-include`` is unnecessary in the ``MANIFEST.in`` file.
- ansible-test - Update the logic used to detect when ``ansible-test`` is running from source.
- ansible-test - Updated the CloudStack test container to version 1.6.1.
Bugfixes
--------
- Exclude internal options from man pages and docs.
- Fix ``ansible-config init`` man page option indentation.
- The ``ansible-config init`` command now has a documentation description.
- The ``ansible-galaxy collection download`` command now has a documentation description.
- The ``ansible-galaxy collection install`` command documentation is now visible (previously hidden by a decorator).
- The ``ansible-galaxy collection verify`` command now has a documentation description.
- The ``ansible-galaxy role install`` command documentation is now visible (previously hidden by a decorator).
- The ``ansible-inventory`` command command now has a documentation description (previously used as the epilog).
- Update module_utils.urls unit test to work with cryptography >= 41.0.0.
- When generating man pages, use ``func`` to find the command function instead of looking it up by the command name.
-``ansible-galaxy`` now considers all collection paths when identifying which collection requirements are already installed. Use the ``COLLECTIONS_PATHS`` and ``COLLECTIONS_SCAN_SYS_PATHS`` config options to modify these. Previously only the install path was considered when resolving the candidates. The install path will remain the only one potentially modified. (https://github.com/ansible/ansible/issues/79767, https://github.com/ansible/ansible/issues/81163)
- ansible-test - Fix several possible tracebacks when using the ``-e`` option with sanity tests.
- ansible-test - Pre-build a PyYAML wheel before installing requirements to avoid a potential Cython build failure.
- ansible-test - Remove redundant warning about missing programs before attempting to execute them.
- core will now also look at the connection plugin to force 'local' interpreter for networking path compatibility as just ansible_network_os could be misleading.
- man page build - Sub commands of ``ansible-galaxy role`` and ``ansible-galaxy collection`` are now documented.
- password_hash - fix salt format for ``crypt`` (only used if ``passlib`` is not installed) for the ``bcrypt`` algorithm.
- urls.py - fixed cert_file and key_file parameters when running on Python 3.12 - https://github.com/ansible/ansible/issues/80490
- Utilize gpg check provided internally by the ``transaction.run`` method as oppose to calling it manually.
- ansible-test - Add Fedora 38 remote.
- ansible-test - Use a context manager to perform cleanup at exit instead of using the built-in ``atexit`` module.
- dnf5 - enable environment groups installation testing in CI as its support was added.
- dnf5 - enable now implemented ``cacheonly`` functionality
Bugfixes
--------
- From issue https://github.com/ansible/ansible/issues/80880, when notifying a handler from another handler, handler notifications must be registered immediately as the flush_handler call is not recursive.
- ansible-galaxy - Fix issue installing collections containing directories with more than 100 characters on python versions before 3.10.6
- paramiko_ssh, psrp, and ssh connection plugins - ensure that all values for options that should be strings are actually converted to strings (https://github.com/ansible/ansible/pull/81029).
- templating - In the template action and lookup, use local jinja2 environment overlay overrides instead of mutating the templars environment
Known Issues
------------
- ansible-test - The Fedora 37 remote is known to occasionally hang during boot. It is no longer routinely tested as a result. If possible, use the Fedora 38 remote instead.
- ansible-test - Allow float values for the ``--timeout`` option to the ``env`` command. This simplifies testing.
- ansible-test - Refactored ``env`` command logic and timeout handling.
- ansible-test - Use ``datetime.datetime.now`` with ``tz`` specified instead of ``datetime.datetime.utcnow``.
Bugfixes
--------
- Properly disable ``jinja2_native`` in the template module when jinja2 override is used in the template (https://github.com/ansible/ansible/issues/80605)
- ansible-galaxy - Fix variable type error when installing subdir collections (https://github.com/ansible/ansible/issues/80943)
- ansible-test - Fix a traceback that occurs when attempting to test Ansible source using a different ansible-test. A clear error message is now given when this scenario occurs.
- ansible-test - Fix handling of timeouts exceeding one day.
- ansible-test - Fix various cases where the test timeout could expire without terminating the tests.
- ansible-test local change detection - use ``git merge-base <branch> HEAD`` instead of ``git merge-base --fork-point <branch>`` (https://github.com/ansible/ansible/pull/79734).
- deb822_repository - use http-agent for receiving content (https://github.com/ansible/ansible/issues/80809).
- dnf5 - Update dnf5 module to handle API change for setting the download directory (https://github.com/ansible/ansible/issues/80887)
- man page build - Remove the dependency on the ``docs`` directory for building man pages.
- pep517 build backend - Copy symlinks when copying the source tree. This avoids tracebacks in various scenarios, such as when a venv is present in the source tree.
- uri - fix search for JSON type to include complex strings containing '+'
- ansible-test - Docker Desktop on WSL2 is now supported (additional configuration required).
- ansible-test - Docker and Podman are now supported on hosts with cgroup v2 unified. Previously only cgroup v1 and cgroup v2 hybrid were supported.
- ansible-test - Podman now works on container hosts without systemd. Previously only some containers worked, while others required rootfull or rootless Podman, but would not work with both. Some containers did not work at all.
- ansible-test - Podman on WSL2 is now supported.
- ansible-test - When additional cgroup setup is required on the container host, this will be automatically detected. Instructions on how to configure the host will be provided in the error message shown.
Minor Changes
-------------
- Add support for custom salt for vault encoding to make it deterministic (https://github.com/ansible/ansible/issues/35480).
- Added the conditional that was False if ``when`` caused a task to skip under ``false_condition``.
- Allow force deletion of a group even when it is the primary group of a user. (https://github.com/ansible/ansible/issues/77849)
- Ansible.ModuleUtils.AddType - Add support for compiling ``unsafe`` code with the ``//AllowUnsafe`` directive
- Cache field attributes list on the playbook classes
- Cleaned up unused imports in core.
- Get user input for ``pause`` and ``paramiko_ssh`` from the strategy rather than access ``sys.stdin`` in the WorkerProcess.
- Introduce ``Delegatable`` and ``Notifiable`` mixin classes for playbook objects
- Make using blocks as handlers a parser error (https://github.com/ansible/ansible/issues/79968)
- Playbook objects - Replace deprecated stacked ``@classmethod`` and ``@property``
- Raise an error when an incorrect ``isa`` type is passed to ``FieldAttribute``.
- Remove fallback code for when ``defined``/``undefined`` tests were used on objects containing nested undefined variables; due to changes in lazy evalution of Jinja2 expressions it is no longer needed.
- Remove unused Python stdlib imports from module_utils which were not present for backwards compatibility in: common.file, compat.selectors, facts.network.iscsi, facts.network.nvme, yumdnf
- Remove unused internal imports from module_utils which were not present for backwards compatibility in: common.file, common.parameters, facts.system.caps, yumdnf
- Removed ``straight.plugin`` from the build and packaging requirements.
- Removed unused imports from the following action plugins: async_status, command, pause, set_stats, uri, validate_argument_spec
- Removed unused imports from the following lookup plugins: fileglob, template
- Removed unused imports from the following modules: apt, dnf, expect, pip, slurp, user, yum
- Removed unused imports from the following set of test plugins: files
- Removed unused imports from the following strategy plugins: debug
- Removed unused imports from the following vars plugins: host_group_vars
-``AnsibleJ2Vars`` class that acts as a storage for all variables for templating purposes now uses ``collections.ChainMap`` internally.
- add parameter ``numeric`` to the iptables module to disable dns lookups when running list -action internally (https://github.com/ansible/ansible/issues/78793).
- allow user to set ansible specific env vars for selecting pager and editor, but still fall back to commonly used defaults.
- ansible-doc - support role extension for semantic markup spec so that ``O()`` and ``RV()`` referring to role entrypoints are rendered more readable (https://github.com/ansible/ansible/pull/80305).
- ansible-doc - support semantic markup in text output (https://github.com/ansible/ansible/pull/80242).
- ansible-doc text output - support ``seealso`` plugin record that was added for filter and test plugin documentation (https://github.com/ansible/ansible/pull/80212).
- ansible-galaxy - Add ability to specify collection versions on the CLI without the need for a colon. Such as ``namespace.name==1.2.3`` vs ``namespace.name:1.2.3``.
- ansible-galaxy - Use Python's native ``raise ... from`` instead of ``six.raise_from``.
- ansible-galaxy - support ``resolvelib >= 0.5.3, < 0.10.0``.
- ansible-galaxy - support ``resolvelib >= 0.5.3, < 1.1.0``.
- ansible-inventory now supports the limit command line options.
- ansible-test - A new ``audit`` option is available when running custom containers. This option can be used to indicate whether a container requires the AUDIT_WRITE capability. The default is ``required``, which most containers will need when using Podman. If necessary, the ``none`` option can be used to opt-out of the capability. This has no effect on Docker, which always provides the capability.
- ansible-test - A new ``cgroup`` option is available when running custom containers. This option can be used to indicate a container requires cgroup v1 or that it does not use cgroup. The default behavior assumes the container works with cgroup v2 (as well as v1).
- ansible-test - Add Alpine 3.17 remote.
- ansible-test - Add Fedora 37 container.
- ansible-test - Add Fedora 37 remote.
- ansible-test - Add FreeBSD 12.4 remote.
- ansible-test - Add RHEL 8.7 remote.
- ansible-test - Add RHEL 9.1 remote.
- ansible-test - Add macOS 13.2 remote.
- ansible-test - Additional log details are shown when containers fail to start or SSH connections to containers fail.
- ansible-test - Connection failures to remote provisioned hosts now show failure details as a warning.
- ansible-test - Containers included with ansible-test no longer disable seccomp by default.
- ansible-test - Disabled the ``ansible-format-automatic-specification`` rule from the ``pylint`` sanity test, now that Python 2.6 is no longer supported.
- ansible-test - Enable the ``trailing-comma-tuple`` rule in the ``pylint`` sanity test.
- ansible-test - Enable the ``unused-import`` rule for the ``pylint`` sanity test for collections.
- ansible-test - Failure to connect to a container over SSH now results in a clear error. Previously tests would be attempted even after initial connection attempts failed.
- ansible-test - Improve consistency of executed ``pylint`` commands by making the plugins ordered.
- ansible-test - Improve consistency of version specific documentation links.
- ansible-test - Integration tests can be excluded from retries triggered by the ``--retry-on-error`` option by adding the ``retry/never`` alias. This is useful for tests that cannot pass on a retry or are too slow to make retries useful.
- ansible-test - Minor cleanup and package updates in distro containers.
- ansible-test - More details are provided about an instance when provisioning fails.
- ansible-test - Moved git handling out of the validate-modules sanity test and into ansible-test.
- ansible-test - Reduce the polling limit for SSHD startup in containers from 60 retries to 10. The one second delay between retries remains in place.
- ansible-test - Removed test containers: fedora36
- ansible-test - Removed the ``--keep-git`` sanity test option, which was limited to testing ansible-core itself.
- ansible-test - SSH connections from OpenSSH 8.8+ to CentOS 6 containers now work without additional configuration. However, clients older than OpenSSH 7.0 can no longer connect to CentOS 6 containers as a result. The container must have ``centos6`` in the image name for this work-around to be applied.
- ansible-test - SSH shell connections from OpenSSH 8.8+ to ansible-test provisioned network instances now work without additional configuration. However, clients older than OpenSSH 7.0 can no longer open shell sessions for ansible-test provisioned network instances as a result.
- ansible-test - Specify the configuration file location required by test plugins when the config file is not found. This resolves issue: https://github.com/ansible/ansible/issues/79411
- ansible-test - The ``ansible-test env`` command now detects and reports the container ID if running in a container.
- ansible-test - The ``pep8`` sanity test rule ``E203`` is now disabled since it is not PEP 8 compliant. This provides compatibility with output generated by the ``black`` code formatter.
- ansible-test - The ``validate-modules`` sanity test no longer limits the ``__future__`` imports that can be used. Other sanity tests that check ``__future__`` imports remain unchanged. As a result, the error code ``illegal-future-imports`` is no longer used.
- ansible-test - Unit tests now support network disconnect by default when running under Podman. Previously this feature only worked by default under Docker.
- ansible-test - Update Alpine 3 container to 3.17.
- ansible-test - Update Python requirements used for sanity tests.
- ansible-test - Update ``base`` and ``default`` containers to include Python 3.11.0.
- ansible-test - Update ``default`` containers to include new ``docs-build`` sanity test requirements.
- ansible-test - Update error handling code to use Python 3.x constructs, avoiding direct use of ``errno``.
- ansible-test - Update test container to ``7.4.0`` which includes the new PSScriptAnalyzer versions
- ansible-test - Update the CloudStack test plugin to use a newer test container with CloudStack 4.18.0.
- ansible-test - Update the NIOS test plugin to use a newer multi-arch test container.
- ansible-test - Update the ``ansible-bad-import-from`` rule in the ``pylint`` sanity test to recommend ``ansible.module_utils.six.moves.collections_abc`` instead of ``ansible.module_utils.common._collections_compat``.
- ansible-test - Update the ``base`` and ``default`` test containers with the latest requirements.
- ansible-test - Updated the Azure Pipelines CI plugin to work with newer versions of git.
- ansible-test - Use ``stop --time 0`` followed by ``rm`` to remove ephemeral containers instead of ``rm -f``. This speeds up teardown of ephemeral containers.
- ansible-test - Warnings are now shown when using containers that were built with VOLUME instructions.
- ansible-test - When setting the max open files for containers, the container host's limit will be checked. If the host limit is lower than the preferred value, it will be used and a warning will be shown.
- ansible-test - When using Podman, ansible-test will detect if the loginuid used in containers is incorrect. When this occurs a warning is displayed and the container is run with the AUDIT_CONTROL capability. Previously containers would fail under this situation, with no useful warnings or errors given.
- ansible-test acme test container - update version to update used Pebble version, underlying Python and Go base containers, and Python requirements (https://github.com/ansible/ansible/pull/79783).
- ansible-test pslint - Upgrade PSScriptAnalyzer to ``1.21.0`` which enables the ``AvoidMultipleTypeAttributes``, ``AvoidSemicolonsAsLineTerminators``, and ``AvoidUsingBrokenHashAlgorithms`` rules
- ansible-test runtime-metadata sanity test - ensure that ``redirect`` entries in ``meta/runtime.yml`` contain collection names, except for ``module_utils`` plugin redirects and ``import_redirect`` redirects (https://github.com/ansible/ansible/pull/78802).
- ansible-test sanity --test ansible-doc - now also lists documentation for test and filter plugins that are documented (https://github.com/ansible/ansible/pull/77737).
- ansible-test validate-modules - Added support for validating module documentation stored in a sidecar file alongside the module (``{module}.yml`` or ``{module}.yaml``). Previously these files were ignored and documentation had to be placed in ``{module}.py``.
- ansible-test validate-modules - no longer treat falsy non-``False`` values for defaults as ``None`` (https://github.com/ansible/ansible/pull/79267).
- apt - add allow-change-held-packages option to apt remove (https://github.com/ansible/ansible/issues/78131)
- apt_repository - adds ``sources_added`` and ``sources_removed`` to the return of the module (https://github.com/ansible/ansible/issues/79306).
- apt_repository will use the trust repo directories in order of preference (more appropriate to less) as they exist on the target.
- dnf5 - Add new module for managing packages and other artifacts via the next version of DNF (https://github.com/ansible/ansible/issues/78898)
- galaxy - include ``license_file`` in the default manifest directives (https://github.com/ansible/ansible/pull-request/79420)
- optimized var loading by caching results as there is no variance in input during run.
- pycompat24 module_utils - Remove support for Python 2.5 and earlier.
- sanity tests - updates the collection-deprecated-version tests to ignore the ``prerelease`` component of the collection version ().
- strftime filter, additional docs and links to source of truth.
- updated the vendored distro library to upstream version (https://github.com/ansible/ansible/pull/79227)
- validate-modules sanity test - add support for semantic markup (https://github.com/ansible/ansible/pull/80243).
- validate-modules sanity test - if the ``check_mode`` attribute is present, check that it coincides with the ``support_check_mode`` parameter of ``AnsibleModule`` (https://github.com/ansible/ansible/pull/80090).
- validate-modules sanity test - remove support for the never implemented ``forced_action_plugin`` attribute (https://github.com/ansible/ansible/pull/79317).
- validate-modules sanity test - support the ``plugin`` see-also part of the semantic markup specification (https://github.com/ansible/ansible/pull/80244).
- ansible-test - Integration tests which depend on specific file permissions when running in an ansible-test managed host environment may require changes. Tests that require permissions other than ``755`` or ``644`` may need to be updated to set the necessary permissions as part of the test run.
- ansible-test - The ``vcenter`` test plugin now defaults to using a user-provided static configuration instead of the ``govcsim`` simulator for collections. Set the ``ANSIBLE_VCSIM_CONTAINER`` environment variable to ``govcsim`` to use the simulator. Keep in mind that the simulator is deprecated and will be removed in a future release.
- ansible-test sanity - previously plugins and modules in collections whose name started with ``_`` were treated as deprecated, even when they were not marked as deprecated in ``meta/runtime.yml``. This is no longer the case (https://github.com/ansible/ansible/pull/79362).
- ansible-test validate-modules - Removed the ``missing-python-doc`` error code in validate modules, ``missing-documentation`` is used instead for missing PowerShell module documentation.
Deprecated Features
-------------------
- The ``ConnectionBase()._new_stdin`` attribute is deprecated, use ``display.prompt_until(msg)`` instead.
- ansible-test - The ``foreman`` test plugin is now deprecated. It will be removed in a future release.
- ansible-test - The ``govcsim`` simulator in the ``vcenter`` test plugin is now deprecated. It will be removed in a future release. Users should switch to providing their own test environment through a static configuration file.
- password_hash - deprecate using passlib.hash.hashtype if hashtype isn't in the list of documented choices.
- vars - Specifying a list of dictionaries for ``vars:`` is deprecated in favor of specifying a dictionary.
- AnsibleModule.run_command - Only use selectors when needed, and rely on Python stdlib subprocess for the simple task of collecting stdout/stderr when prompt matching is not required.
- BSD network facts - Do not assume column indexes, look for ``netmask`` and ``broadcast`` for determining the correct columns when parsing ``inet`` line (https://github.com/ansible/ansible/issues/79117)
- Correctly count rescued tasks in play recap (https://github.com/ansible/ansible/issues/79711)
- Display - Defensively configure writing to stdout and stderr with a custom encoding error handler that will replace invalid characters while providing a deprecation warning that non-utf8 text will result in an error in a future version.
- Do not crash when templating an expression with a test or filter that is not a valid Ansible filter name (https://github.com/ansible/ansible/issues/78912, https://github.com/ansible/ansible/pull/78913).
- Fix ``MANIFEST.in`` to exclude unwanted files in the ``packaging/`` directory.
- Fix ``MANIFEST.in`` to include ``*.md`` files in the ``test/support/`` directory.
- Fix a traceback occuring when a task is named ``meta`` (https://github.com/ansible/ansible/issues/79459)
- Fix an issue where the value of ``become`` was ignored when used on a role used as a dependency in ``main/meta.yml`` (https://github.com/ansible/ansible/issues/79777)
- Fix bug in `vars` applied to roles, they were being incorrectly exported among others while only vars/main.yml was meant to be. Also adjusted the precedence to act the same as inline params.
- Fix conditionally notifying ``include_tasks` handlers when ``force_handlers`` is used (https://github.com/ansible/ansible/issues/79776)
- Fix reusing a connection in a task loop that uses a redirected or aliased name - https://github.com/ansible/ansible/issues/78425
- Fix setting become activation in a task loop - https://github.com/ansible/ansible/issues/78425
- Fix traceback when using the ``template`` module and running with ``ANSIBLE_DEBUG=1`` (https://github.com/ansible/ansible/issues/79763)
- Fix using ``GALAXY_IGNORE_CERTS`` in conjunction with collections in requirements files which specify a specific ``source`` that isn't in the configured servers.
- Fix using ``GALAXY_IGNORE_CERTS`` when downloading tarballs from Galaxy servers (https://github.com/ansible/ansible/issues/79557).
- Fixes leftover _valid_attrs usage.
- Fixes the password lookup to not rewrite files if they are not changed when using the "encrypt" parameter (#79430).
- Module and role argument validation - include the valid suboption choices in the error when an invalid suboption is provided.
- Perform type check on data passed to Display.display to enforce the requirement of being given a python3 unicode string
- TaskExecutor - don't ignore templated _raw_params that k=v parser failed to parse (https://github.com/ansible/ansible/issues/79862)
- Windows - Display a warning if the module failed to cleanup any temporary files rather than failing the task. The warning contains a brief description of what failed to be deleted.
- Windows - Ensure the module temp directory contains more unique values to avoid conflicts with concurrent runs - https://github.com/ansible/ansible/issues/80294
- Windows - Improve temporary file cleanup used by modules. Will use a more reliable delete operation on Windows Server 2016 and newer to delete files that might still be open by other software like Anti Virus scanners. There are still scenarios where a file or directory cannot be deleted but the new method should work in more scenarios.
-``ansible-galaxy search rolename`` - give a warning instead of non-zero return code when search results are empty. This is similar to the behavior when listing roles, which gives a warning if a role cannot be found and exits with a return code of ``0``.
-``ansible_eval_concat`` - avoid redundant unsafe wrapping of templated strings converted to Python types
- ansible-config limit shorthand format to assigned values
- ansible-doc - stop generating wrong module URLs for module see-alsos. The URLs for modules in ansible.builtin do now work, and URLs for modules outside ansible.builtin are no longer added (https://github.com/ansible/ansible/pull/80280).
- ansible-doc now will correctly display short descriptions on listing filters/tests no matter the directory sorting.
- ansible-galaxy - Improve retries for collection installs, to properly retry, and extend retry logic to common URL related connection errors (https://github.com/ansible/ansible/issues/80170 https://github.com/ansible/ansible/issues/80174)
- ansible-galaxy - fix installing collections in git repositories/directories which contain a MANIFEST.json file (https://github.com/ansible/ansible/issues/79796).
- ansible-galaxy collection install - respect symlinks when installing from source or local repository (https://github.com/ansible/ansible/issues/78442)
- ansible-galaxy role info - fix unhandled AttributeError by catching the correct exception.
- ansible-inventory will no longer duplicate host entries if they were part of a group's childrens tree.
- ansible-inventory will not explicitly sort groups/hosts anymore, giving a chance (depending on output format) to match the order in the input sources.
- ansible-playbook -K breaks when passwords have quotes (https://github.com/ansible/ansible/issues/79836).
- ansible-test - Add ``wheel < 0.38.0`` constraint for Python 3.6 and earlier.
- ansible-test - Add support for ``pytest`` assertion rewriting when running unit tests on Python 3.5 and later. Resolves issue https://github.com/ansible/ansible/issues/68032
- ansible-test - Added a work-around for a traceback under Python 3.11 when completing certain command line options.
- ansible-test - Allow disabled, unsupported, unstable and destructive integration test targets to be selected using their respective prefixes.
- ansible-test - Allow unstable tests to run when targeted changes are made and the ``--allow-unstable-changed`` option is specified (resolves https://github.com/ansible/ansible/issues/74213).
- ansible-test - Always indicate the Python version being used before installing requirements. Resolves issue https://github.com/ansible/ansible/issues/72855
- ansible-test - Avoid using ``exec`` after container startup when possible. This improves container startup performance and avoids intermittent startup issues with some old containers.
- ansible-test - Connection attempts to managed remote instances no longer abort on ``Permission denied`` errors.
- ansible-test - Detection for running in a Podman or Docker container has been fixed to detect more scenarios. The new detection relies on ``/proc/self/mountinfo`` instead of ``/proc/self/cpuset``. Detection now works with custom cgroups and private cgroup namespaces.
- ansible-test - Fix broken documentation link for ``aws`` test plugin error messages.
- ansible-test - Fix validate-modules error when retrieving PowerShell argspec when retrieved inside a Cmdlet
- ansible-test - Handle server errors when executing the ``docker info`` command.
- ansible-test - Integration test target prefixes defined in a ``tests/integration/target-prefixes.{group}`` file can now contain an underscore (``_``) character. Resolves issue https://github.com/ansible/ansible/issues/79225
- ansible-test - Multiple containers now work under Podman without specifying the ``--docker-network`` option.
- ansible-test - Pass the ``XDG_RUNTIME_DIR`` environment variable through to container commands.
- ansible-test - Perform PyPI proxy configuration after instances are ready and bootstrapping has been completed. Only target instances are affected, as controller instances were already handled this way. This avoids proxy configuration errors when target instances are not yet ready for use.
- ansible-test - Prevent concurrent / repeat inspections of the same container image.
- ansible-test - Prevent concurrent / repeat pulls of the same container image.
- ansible-test - Prevent concurrent execution of cached methods.
- ansible-test - Removed pointless comparison in diff evaluation logic.
- ansible-test - Set ``PYLINTHOME`` for the ``pylint`` sanity test to prevent failures due to ``pylint`` checking for the existence of an obsolete home directory.
- ansible-test - Show the exception type when reporting errors during instance provisioning.
- ansible-test - Support Podman 4.4.0+ by adding the ``SYS_CHROOT`` capability when running containers.
- ansible-test - Support loading of vendored Python packages from ansible-core.
- ansible-test - The ``validate-modules`` sanity test now properly enforces documentation before imports for plugins. Previously this was only enforced for modules due to a coding error.
- ansible-test - Update the ``pylint`` sanity test requirements to resolve crashes on Python 3.11. (https://github.com/ansible/ansible/issues/78882)
- ansible-test - Update the ``pylint`` sanity test to use version 2.15.4.
- ansible-test - Update the ``pylint`` sanity test to use version 2.15.5.
- ansible-test - Use consistent file permissions when delegating tests to a container or remote host. Files with any execute bit set will use permissions ``755``. All other files will use permissions ``644``. (Resolves issue https://github.com/ansible/ansible/issues/75079)
- ansible-test - fix warning message about failing to run an image to include the image name
- ansible-test runtime-metadata sanity test - do not crash on YAML parsing errors without a context mark (https://github.com/ansible/ansible/pull/78802).
- ansible-vault encrypt_string - started appending a line feed at the end of the encrypted string output. Missing newline character caused problems identifying where the string ends in some shells (like bash) or accidentally copying an extra trailing terminator symbol (e.g., zsh prints out a ``%`` sign to signal where the original output stops) (https://github.com/ansible/ansible/issues/78932).
- ansible_facts.hardware - Define all processor facts on s390x (https://github.com/ansible/ansible/issues/19755)
- apt - set locale to fix updating the cache (https://github.com/ansible/ansible/issues/79523).
- apt module should not traceback on invalid type given as package. issue 78663.
- apt_repository will no longer fail to detect key when unrelated errors/warnings are issued by apt-key.
- argument spec validation - again report deprecated parameters for Python-based modules. This was accidentally removed in ansible-core 2.11 when argument spec validation was refactored (https://github.com/ansible/ansible/issues/79680, https://github.com/ansible/ansible/pull/79681).
- argument spec validation - ensure that deprecated aliases in suboptions are also reported (https://github.com/ansible/ansible/pull/79740).
- argument spec validation - fix warning message when two aliases of the same option are used for suboptions to also mention the option's name they are in (https://github.com/ansible/ansible/pull/79740).
- basic.py module_utils - Perform Python version check much earlier to ensure it runs before other errors occur.
- connection local now avoids traceback on invalid user being used to execuet ansible (valid in host, but not in container).
- copy - fix creating the dest directory in check mode with remote_src=True (https://github.com/ansible/ansible/issues/78611).
- copy - fix reporting changes to file attributes in check mode with remote_src=True (https://github.com/ansible/ansible/issues/77957).
- copy module will no longer move 'non files' set as src when remote_src=true.
- copy remote_src=true - fix copying subdirs recursively when the dest exists and the src and dest have multiple common subdirectories in a common directory (https://github.com/ansible/ansible/issues/74536).
- file - touch action in check mode was always returning ok. Fix now evaluates the different conditions and returns the appropriate changed status. (https://github.com/ansible/ansible/issues/79360)
- file lookup now handles missing files more gracefully.
- file lookup now plays nice with generic lookup ``errors`` option.
- get_url - Ensure we are passing ciphers to all url_get calls (https://github.com/ansible/ansible/issues/79717)
- get_url module - Added a documentation reference to ``hashlib`` regarding algorithms, as well as a note about ``md5`` support on systems running in FIPS compliant mode.
- get_url module - Removed out-of-date documentation stating that ``hashlib`` is a third-party library.
- handlers - fix an issue where the ``flush_handlers`` meta task could not be used with FQCN: ``ansible.builtin.meta`` (https://github.com/ansible/ansible/issues/79023)
- include_role - Inherit from role parents beyond a depth of 3 (https://github.com/ansible/ansible/issues/47023).
- jinja2_native - fix intermittent 'could not find job' failures when a value of ``ansible_job_id`` from a result of an async task was inadvertently changed during execution; to prevent this a format of ``ansible_job_id`` was changed.
- jinja2_native: preserve quotes in strings (https://github.com/ansible/ansible/issues/79083)
- keyword inheritance - Ensure that we do not squash keywords in validate (https://github.com/ansible/ansible/issues/79021)
- known_hosts - do not return changed status when a non-existing key is removed (https://github.com/ansible/ansible/issues/78598)
- list-tags now shows the 'never' tag, which was being excluded by default. To list all tasks you still need to add `--list-tasks --tags never,all`.
- loops/delegate_to - Do not double calculate the values of loops and ``delegate_to`` (https://github.com/ansible/ansible/issues/80038)
- module responses - Ensure that module responses are utf-8 adhereing to JSON RFC and expectations of the core code.
- module/role argument spec - validate the type for options that are None when the option is required or has a non-None default (https://github.com/ansible/ansible/issues/79656).
- module_utils/basic.py - Fix detection of available hashing algorithms on Python 3.x. All supported algorithms are now available instead of being limited to a hard-coded list. This affects modules such as ``get_url`` which accept an arbitrary checksum algorithm.
- normal action plugin - remove obsolete ``if`` (https://github.com/ansible/ansible/pull/79690).
- omit on keywords was resetting to default value, ignoring inheritance.
- paramiko - Add a new option to allow paramiko >= 2.9 to easily work with all devices now that rsa-sha2 support was added to paramiko, which prevented communication with numerous platforms. (https://github.com/ansible/ansible/issues/76737)
- paramiko - Add back support for ``ssh_args``, ``ssh_common_args``, and ``ssh_extra_args`` for parsing the ``ProxyCommand`` (https://github.com/ansible/ansible/issues/78750)
- paramiko connection was still using outdated playcontext, this should bring it up to date to use the 'correct' data for each task/loop.
- password lookup now correctly reads stored ident fields.
- password_hash - handle errors using unknown passlib hashtypes more gracefully (https://github.com/ansible/ansible/issues/45392).
- plugin loader, fix detection for existing configuration before initializing for a plugin
- role deduplication - Always create new role object, regardless of deduplication. Deduplication will only affect whether a duplicate call to a role will execute, as opposed to re-using the same object. (https://github.com/ansible/ansible/pull/78661)
- roles - Fix templating ``public``, ``allow_duplicates`` and ``rolespec_validate`` (https://github.com/ansible/ansible/issues/80304).
- service_facts - Use python re to parse service output instead of grep (https://github.com/ansible/ansible/issues/78541)
- strategy plugins now correctly identify bad registered variables, even on skip.
- strategy plugins: get the correctly templated and validated run_once value on strategy linear (https://github.com/ansible/ansible/issues/78492)
- syntax check - Limit ``--syntax-check`` to ``ansible-playbook`` only, as that is the only CLI affected by this argument (https://github.com/ansible/ansible/issues/80506)
- validate-modules sanity test - replace semantic markup parsing and validating code with the code from `antsibull-docs-parser 0.2.0 <https://github.com/ansible-community/antsibull-docs-parser/releases/tag/0.2.0>`__ (https://github.com/ansible/ansible/pull/80406).
- vault - show filename additionally if missing secrets prevents decryption (https://github.com/ansible/ansible/issues/79723)
- winrm - Increase the read timeout to 10 seconds later than the operation timeout reducing the chances of a false read timeout
Known Issues
------------
- ansible-test - Additional configuration may be required for certain container host and container combinations. Further details are available in the testing documentation.
- ansible-test - Custom containers with ``VOLUME`` instructions may be unable to start, when previously the containers started correctly. Remove the ``VOLUME`` instructions to resolve the issue. Containers with this condition will cause ``ansible-test`` to emit a warning.
- ansible-test - Systems with Podman networking issues may be unable to run containers, when previously the issue went unreported. Correct the networking issues to continue using ``ansible-test`` with Podman.
- ansible-test - Unit tests for collections do not support ``pytest`` assertion rewriting on Python 2.7.
- ansible-test - Using Docker on systems with SELinux may require setting SELinux to permissive mode. Podman should work with SELinux in enforcing mode.
- dnf5 - The DNF5 package manager currently does not provide all functionality to ensure feature parity between the existing ``dnf`` and the new ``dnf5`` module. As a result the following ``dnf5`` options are effectively a no-op: ``cacheonly``, ``enable_plugin``, ``disable_plugin`` and ``lock_timeout``.
New Plugins
-----------
Filter
~~~~~~
- commonpath - gets the common path
- normpath - Normalize a pathname
New Modules
-----------
Lib
~~~
ansible.modules
^^^^^^^^^^^^^^^
- deb822_repository - Add and remove deb822 formatted repositories
- dnf5 - Manages packages with the I(dnf5) package manager