* fixes for CVE-2024-8775
* propagate truthy `_ansible_no_log` in action result (previously superseded by task-calculated value)
* always mask entire `include_vars` action result if any file loaded had a false `show_content` flag (previously used only the flag value from the last file loaded)
* update no_log tests for CVE-2024-8775
* include validation of _ansible_no_log preservation when set by actions
* replace static values with dynamic for increased robustness to logging/display/callback changes (but still using grep counts :( )
* changelog
* use ternary, coerce to bool explicitly
(cherry picked from commit c9ac477e53)
This greatly reduces run time on large inventories since meta tasks are
executed in the main process sequentially and just executing them is expensive.
This change avoids running the following implicit meta tasks:
* ``flush_handlers`` on hosts where no handlers are notified
* ``noop`` for the linear strategy's lockstep, instead hosts that are
not executing the current task are just not part of the current host loop
A playbook consiting of two simple plays both running on ~6000 hosts
runs in:
devel: 37s
this PR: 1.3s
Co-authored-by: Sloane Hertel <19572925+s-hertel@users.noreply.github.com>
Co-authored-by: Sviatoslav Sydorenko (Святослав Сидоренко) <wk.cvs.github@sydorenko.org.ua>
(cherry picked from commit d6d2251929)
* user module avoid conflicts ssh pub key (#84165)
Remove pub key if we are going to generate private
fix tests for os X
(cherry picked from commit 11e4a6a722)
* old python, no f''
* Restore test import missing from backport
---------
Co-authored-by: Matt Clay <matt@mystile.com>
The shell command sometimes prints a trailing whitespace which breaks
the tests on old RHELs. This patch is supposed to fix that.
(cherry picked from commit cd74c4bcd5)
Adds the datastore details to the parser error when attempting to
include tasks that contain include_tasks without a filename set. This
change will now display the exact location of the include_tasks that
failed like any normal syntax error.
(cherry picked from commit 1503805b70)
* fix creating file in directory with setgid bit
* add a test using the copy module's content option to create a file in a directory with setgid bit
Co-authored-by: Martin Krizek <martin.krizek@gmail.com>
(cherry picked from commit 2b91c57c85)
* ssh and psrp - Support more complex chars in fetch_file
Fixes the psrp and ssh (with piped) fetch function to work with paths
that contains glob like characters in the path. For Windows this was
needed when using paths that contain `[]` in the path. For ssh this was
a problem with FreeBSD when using the piped transfer method with similar
characters.
Also tidies up the psrp logic to not inject the paths and buffer size
in the script but pass it as an object through an argument/parameter.
* Fix sanity check
(cherry picked from commit 520fa688ba)
When releases are prepared, the upper bound on setuptools in pyproject.toml will be automatically updated
to the latest version available on PyPI. This version will then be tested by the package-data sanity test
during the release process and will be used to build the release.
This change ensures that a released version of ansible-core can be built in the future if a new setuptools
release includes breaking changes that would prevent building a functional package. If a downstream package
maintainer requires a newer setuptools version than the upper bound permits, they can patch pyproject.toml
as needed. Since ansible-core releases support specific Python versions, lack of support for new setuptools
releases will have no effect on support for future Python versions.
(cherry picked from commit 4e69d83fac)
Currently we match the load name, which can be an fqcn, but most users expect the 'naked' name
Now plugins can declare that name by setting _extras_prefix property or fallback to 'non fqcn' if no extras prefix
(cherry picked from commit 718ce13673)
* Fix broken, circumvented test for missing vault ids
* verify the command returns a non-zero exit code
Co-authored-by: Matt Clay <matt@mystile.com>
(cherry picked from commit fe7e68bfcb)
* ssh and psrp - Support more complex chars in fetch_file
Fixes the psrp and ssh (with piped) fetch function to work with paths
that contains glob like characters in the path. For Windows this was
needed when using paths that contain `[]` in the path. For ssh this was
a problem with FreeBSD when using the piped transfer method with similar
characters.
Also tidies up the psrp logic to not inject the paths and buffer size
in the script but pass it as an object through an argument/parameter.
* Fix sanity check
(cherry picked from commit 520fa688ba)
* csvfile lookup - fix giving an error when no search term is provided (#83710)
Fixes#83689
(cherry picked from commit 26c8a28d05)
* Fix csvfile test - quote file argument (#83751)
file was intended to be a string, not an undefined variable
(cherry picked from commit 97a60c1e86)
This will make stable-2.16 testing more stable as the f38 copr repo is
going away at some point. It suffices to test against the nightly repo
in stable-2.17 and devel.
* Fix task.resolved_action for callbacks when playbooks use action or local_action
* Fix using module_defaults with 'action' and 'local_action' task FA and add a test case
Fixes#81905
(cherry picked from commit f2435375a8)
Improves the Add-Type temporary directory handler to include a retry
mechanism and not fail on an error. Deleting a temporary file used in
compilation is not a critical error and should improve the reliability
of Ansible on Windows hosts.
(cherry picked from commit b8f1add983)
* Add version ceiling for pypsrp
Add a version ceiling for the pypsrp requirements. This ensures that the
future v1.0.0 release won't impact existing users who install the
library using the version range specified.
* Use constraints file
* Add changelog for this change
(cherry picked from commit 2ed6c30929)
* Add the task info for tombstoned plugins
* Fix deprecation for 'include' by removing it from BUILTIN_TASKS which skip the plugin loader lookup
* changelog
remove obsolete unit test using 'include'
* Update changelogs/fragments/improve-tombstone-error.yml
(cherry picked from commit caa86cc4df)
* dnf: fix installing a package based the file it provides (#82744)
Fixes#82461
(cherry picked from commit a28709f92d)
* dnf: utilize the API for the installed checks (#82725)
Fixes#71808Fixes#76463Fixes#81018
(cherry picked from commit f1ded0f417)
* setup_rpm_repo/create_repo: "Arch dependent binaries in noarch package" (#83108)
This fixes "Arch dependent binaries in noarch package" error cause by
including files created by make_elf function in noarch packages. While the
error only manifests itself on EL 7 and 8 it is better to use files
suitable for noarch packages to prevent the error potentially
re-occuring in the future.
(cherry picked from commit 87bead3dcf)
* Fix installing roles containing symlinks
Fix sanitizing tarfile symlinks relative to the link directory instead of the archive
For example:
role
├── handlers
│ └── utils.yml -> ../tasks/utils/suite.yml
The link ../tasks/utils/suite.yml will resolve to a path outside of the link's directory, but within the role
role/handlers/../tasks/utils/suite.yml
the resolved path relative to the role is tasks/utils/suite.yml, but if the symlink is set to that value, tarfile would extract it from role/handlers/tasks/utils/suite.yml
* Replace overly forgiving test case with tests for a symlink in a subdirectory of the archive and a symlink in the archive dir when these are not equivalent.
* Build test case from role files to make it easier to add test cases
Fixes#82702Fixes#81965Fixes#82051
(cherry picked from commit e84240db84)
* Allow check mode async task disabling check_mode
Allows running an async task with check_mode: False when the playbook is
being run in check mode.
* Add check_mode attribute to internal cleanup task
(cherry picked from commit c9086061ca)
Matt Davis