* Detect failure in always block after rescue (#70094)
* Detect failure in always block after rescue
Fixes#70000
ci_complete
* Add more tests
(cherry picked from commit 0ed5b77377)
* add changelog
Co-authored-by: Matt Davis <mrd@redhat.com>
* Allow hostvars delegation (#70331)
* ensure hostvars are available on delegation
* also inventory_hostname must point to current host and not delegated one
* fix get_connection since it was still mixing original host vars and delegated ones
* also return connection vars for delegation and non delegation alike
* add test to ensure we have expected usage when directly assigning for non delegated host
(cherry picked from commit 84adaba6f5)
* avoid returning more data
* remove unused return vars
* Encode/Decode files in UTF-8
* Use helper function in ansible
* Add an integration test
* Use emoji in test data.
* add changelog
* Also support non-ascii chars in filepath and add tests about this.
* Also use non-ascii chars in replaced text and ensure not to break cron syntax.
* rename self.existing to self.n_existing
* rename crontab.existing to crontab.n_existing.
(cherry picked from commit 5ce47646ad)
Co-authored-by: psi / Ryo Hirafuji <ryo.hirafuji@link-u.co.jp>
* try removing name references for state=absent
Signed-off-by: Rick Elrod <rick@elrod.me>
Co-authored-by: psi / Ryo Hirafuji <ryo.hirafuji@link-u.co.jp>
Co-authored-by: Rick Elrod <rick@elrod.me>
* [stable-2.9] Change default file permissions so they are not world readable (#70221)
* Change default file permissions so they are not world readable
CVE-2020-1736
Set the default permissions for files we create with atomic_move() to 0o0660. Track
which files we create that did not exist and warn if the module supports 'mode'
and it was not specified and the module did not call set_mode_if_different(). This allows the user to take action and specify a mode rather than using the defaults.
A code audit is needed to find all instances of modules that call atomic_move()
but do not call set_mode_if_different(). The findings need to be documented in
a changelog since we are not warning. Warning in those instances would be frustrating
to the user since they have no way to change the module code.
- use a set for storing list of created files
- just check the argument spac and params rather than using another property
- improve the warning message to include the default permissions.
(cherry picked from commit 5260527c4a)
Co-authored-by: Sam Doran <sdoran@redhat.com>
* Fix jboss test
* Fix lamdba_policy test
* Fix aws_lamdba test
* Fix warning for new default permissions when mode is not specified (#70976)
Follow up to #70221
Related to #67794
CVE-2020-1736
When set_mode_if_different() is called with mode of 'None', ensure we issue
a warning about the change in default permissions.
Add integration tests to ensure the warning works properly.
* Fix tests
- actually use custom module 🤦♂️
- verify file permission on created files
- use remote_tmp_dir so we're ready for split controller
- improve test module so we can skip the call to set_fs_attributes_if_different()
- fix tests for CentOS 6
(cherry-picked from commit dc79528cc6)
* Use new category in changelog fragments
The repository names seem to have changed and no longer have the "rhui-" prefix.
(cherry picked from commit 6ac4439a6a)
Co-authored-by: Sam Doran <sdoran@redhat.com>
* Fix missing quoting for remote_tmp in second mkdir of shell module. Issue #69577
* adding changelog
* fixing typo in changelog entry
* adding test case
Adding test case written by bmillemayhias.
* using $HOME instead of ~
* fixing commit measage
* Update 69578-shell-remote_tmp-quoting.yaml
Co-authored-by: Brian Kohles <me@briankohles.com>
(cherry picked from commit 77d0effcc5)
Co-authored-by: Brian Kohles <briankohles@users.noreply.github.com>
* [stable-2.9] unarchive - Check 'fut_gid' against 'run_gid' in addition to supplemental groups (#65666)
Add integration tests for unarchiving as unprivileged user
Break tasks into separate files for easier reading and maintenance
Create a user by specifying a default group of 'staff' for macOS.
The user module does not actually remove the user directory on macOS,
so explicitly remove it.
Put the removal tasks in an always block to ensure they always run
Co-authored-by: Philip Douglass <philip.douglass@amadeus.com>
Co-authored-by: Sam Doran <sdoran@redhat.com>.
(cherry picked from commit ac5f3f8bef)
Co-authored-by: Philip Douglass <philip@philipdouglass.com>
* [stable-2.9] Fix unstable unarchive test (#71004)
* Add mode to copy tasks
* Fix unreliable test by ignoring errors
(cherry picked from commit f99f96ceb6)
Co-authored-by: Philip Douglass <philip@philipdouglass.com>
* linux facts - return proper broadcast address
Check that the value being returned is actually a broadcast address
* Add tests
* Cleanup tests
(cherry picked from commit e6bf202738)
Co-authored-by: Sam Doran <sdoran@redhat.com>
* rebase conflicts
* [stable-2.9] Allow single vault encrypted values to be used directly as module parameters. Fixes#68275 (#70607).
(cherry picked from commit a77dbf0866)
Co-authored-by: Matt Martz <matt@sivel.net>
- ensure we preserve the typeerror part of the exception so loop defereed error handling
can postpone those caused by undefined variables until the when check is done.
- fix tests to comply with the 'new normal'
- human_to_bytes and others can issue TypeError not only on 'non string'
but also bad string that is not convertable.
Co-authored-by: Sloane Hertel <shertel@redhat.com>
Co-authored-by: Sloane Hertel <shertel@redhat.com>
(cherry picked from commit cf89ca8a03)
* Do not pass decrypt parameter to assemble module
* Add integration tests where decrypt=True
* Add changelog #70465
(cherry picked from commit 71c378e139)
* Make sure ansible_become treated as a boolean (#70484)
* Make sure ansible_become treated as a boolean
(cherry picked from commit 8aca464b8b)
* Update test/integration/targets/inventory_ini/aliases
Co-authored-by: Sam Doran <sdoran@redhat.com>
Co-authored-by: Sam Doran <sdoran@redhat.com>
Fixes#70168
ci_complete
Co-authored-by: Brian Coca <bcoca@users.noreply.github.com>
Co-authored-by: Matt Clay <matt@mystile.com>
(cherry picked from commit b05e00e99a)
A recent updated to psutil, which is a dependency of ansible-runner, fails
to install on older versions of pip.
Commit with the breaking change:
135628639b
(cherry picked from commit 9d27d7c8b1)
Co-authored-by: Sam Doran <sdoran@redhat.com>
* galaxy - preserve symlinks on build/install (#69959)
* galaxy - preserve symlinks on build/install
* Handle directory symlinks
* py2 compat change
* Updated changelog fragment
(cherry picked from commit d30fc6c0b3)
* Fix integration test
* ansible-galaxy - fix collection installation with trailing slashes (#70016)
If we fail to find a member when extracting a directory, try adding a trailing
slash to the member name. In certain cases, the member in the tarfile will
contain a trailing slash but the file name in FILES.json will never contain
the trailing slash.
If unable to find the member, handle the KeyError and print a nicer error.
Also check if a directory exists before creating it since it may have been
extracted from the archive.
Fixes#70009
* Add unit tests
* Use loop for trying to get members
(cherry picked from commit d45cb01b84)
Co-authored-by: Sam Doran <sdoran@redhat.com>
* added changelog fragment
* added quick and basic test
* Revert "added quick and basic test"
* This reverts commit 75f4141656.
* added better tests
* now also creating files to copy on the remote
* removed tests for recursive copying which is not supported by remote_src
Fixes: #47050
(cherry picked from commit 79dfae9624)
Co-authored-by: Moritz Grimm <memo42@users.noreply.github.com>
* Allow tasks to notify a fqcn handler name
* Add tests. Fixes#68181
* Add changelog fragment
* Add test to ensure handlers are deduped properly with fqcn, role, and just handler names
* Add some docs about new special vars
(cherry picked from commit 087be1da50)
Co-authored-by: Matt Martz <matt@sivel.net>
In the case of a free style strategy, it is possible to end up with
multiple hosts trying to include from the same role, however the tasks
being included may be different with the use of tasks_from. Previously
if you had two hosts that were included the same role when the
process_include_results function tries to determine if a included needs
to be run on a specific host, it would end up merging two different
tasks into which ever one was processed first.
This change updates the equality check to also check if the task uuid
associated with the IncludedFile is the same. The previous check only
checked if the task's parent uuid was the same. This breaks down when
both includes have the same parent.
- hosts: all
strategy: free
gather_facts: false
tasks:
- include_role:
name: random_sleep
- block:
- name: set a fact (1)
include_role:
name: set_a_fact
tasks_from: fact1.yml
- name: set a fact (2)
include_role:
name: set_a_fact
tasks_from: fact2.yml
- name: include didn't run
fail:
msg: >
set_a_fact didn't run
fact1: {{ fact1 | default('not defined')}}
fact2: {{ fact2 | default('not defined') }}"
when: (fact1 is not defined or fact2 is not defined)
Closes#69521
(cherry picked from commit 247e43b252)
* Support removed_at_date in ansible-doc
Signed-off-by: NilashishC <nilashishchakraborty8@gmail.com>
Changes:
* ansible-doc does not support `removed_at_date` and assumes that
deprecated dict will either have `removed_in` or `version`. This
results in ansible-doc (and hence "sanity --test=ansible-doc")
failing for modules having only `removed_at_date`.
* This patch adds support for `removed_at_date` and also gives it
precedence over `removed_in` or `version`.
* Add tests and changelog
Signed-off-by: NilashishC <nilashishchakraborty8@gmail.com>
(cherry picked from commit 9d6b0f2b03)
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
Co-authored-by: Nilashish Chakraborty <nilashishchakraborty8@gmail.com>
When mixed with the free strategy (or any custom strategy that does not behave in
a lock-step manner), the linear methodology of _wait_on_handler_results may cause
race conditions with regular task result processing if the strategy uses
_process_pending_results directly. This patch addresses that by splitting the queues
used for results and adding a flag to _process_pending_results to determine which
queue to check.
Fixes#69457
(cherry picked from commit a4072ad0e9)
Co-authored-by: James Cammarata <jimi@sngx.net>
podman_image module uses 'podman push' command with wrong
flag '--remove_signatures' instead of '--remove-signatures'
This patch fixes the given typo.
Fixes: ansible/ansible#67965
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
* Prevent Ansible 2.9 to choke on collections using deprecation by date or collection_name for deprecation calls.
* Add changelog fragment.
* Fix YAML.
* Improve C# compatibility.
* Add tests for AnsibleModule.
* Fix var name.
* Fix type.
* Update C# code.
* Show deprecation warning if removed_at_date is used for Python modules.
* Update changelogs/fragments/69935-2.10-deprecation-support.yml
Co-authored-by: Alicia Cozine <879121+acozine@users.noreply.github.com>
* Prevent crash of validate-modules if 'removed_in' is not in 'deprecated'.
Co-authored-by: Alicia Cozine <879121+acozine@users.noreply.github.com>
Abhijeet Kasurde