New release v2.18.7 (#85483)

Fixed case in which listing modules for docs failed to get sidecar


(cherry picked from commit 7e495f4b20)

Co-authored-by: Abhijeet Kasurde <akasurde@redhat.com>

.azure-pipelines/azure-pipelines.yml

@@ -90,6 +90,8 @@ stages:
               test: rhel/9.4@3.9
             - name: RHEL 9.4 py312
               test: rhel/9.4@3.12
+            - name: RHEL 10.0
+              test: rhel/10.0
             - name: FreeBSD 13.3
               test: freebsd/13.3
             - name: FreeBSD 14.1
@@ -104,6 +106,8 @@ stages:
               test: macos/14.3
             - name: RHEL 9.4
               test: rhel/9.4
+            - name: RHEL 10.0
+              test: rhel/10.0
             - name: FreeBSD 13.3
               test: freebsd/13.3
             - name: FreeBSD 14.1
@@ -121,6 +125,8 @@ stages:
               test: fedora/40
             - name: RHEL 9.4
               test: rhel/9.4
+            - name: RHEL 10.0
+              test: rhel/10.0
             - name: Ubuntu 24.04
               test: ubuntu/24.04
           groups:
@@ -198,15 +204,6 @@ stages:
               test: 2022/psrp/http
             - name: 2022 SSH Key
               test: 2022/ssh/key
-  - stage: Incidental
-    dependsOn: []
-    jobs:
-      - template: templates/matrix.yml
-        parameters:
-          testFormat: i/{0}/1
-          targets:
-            - name: IOS Python
-              test: ios/csr1000v/
   - stage: Summary
     condition: succeededOrFailed()
     dependsOn:
@@ -218,6 +215,5 @@ stages:
       - Galaxy
       - Generic
       - Incidental_Windows
-      - Incidental
     jobs:
       - template: templates/coverage.yml

changelogs/CHANGELOG-v2.18.rst

@@ -0,0 +1,428 @@
+==================================================
+ansible-core 2.18 "Fool in the Rain" Release Notes
+==================================================
+
+.. contents:: Topics
+
+v2.18.7
+=======
+
+Release Summary
+---------------
+
+| Release Date: 2025-07-15
+| `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__
+
+Minor Changes
+-------------
+
+- ansible-test - Add RHEL 10.0 as a remote platform for testing.
+
+Bugfixes
+--------
+
+- ansible-doc will no longer ignore docs for modules without an extension (https://github.com/ansible/ansible/issues/85279).
+- ansible-pull change detection will now work independently of callback or result format settings.
+- ansible-test - Fix Python relative import resolution from ``__init__.py`` files when using change detection.
+- dnf5 - handle all libdnf5 specific exceptions (https://github.com/ansible/ansible/issues/84634)
+- meta - avoid traceback when retrieving the meta task name (https://github.com/ansible/ansible/issues/85367).
+- password lookup - fix acquiring the lock when human-readable FileExistsError error message is not English.
+- user - Set timeout for passphrase interaction.
+- user - Update prompt for SSH key passphrase (https://github.com/ansible/ansible/issues/84484).
+
+v2.18.6
+=======
+
+Release Summary
+---------------
+
+| Release Date: 2025-05-19
+| `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__
+
+Minor Changes
+-------------
+
+- ansible-test - Use the ``-t`` option to set the stop timeout when stopping a container. This avoids use of the ``--time`` option which was deprecated in Docker v28.0.
+
+Bugfixes
+--------
+
+- Ansible will now ensure predictable permissions on remote artifacts, until now it only ensured executable and relied on system masks for the rest.
+- ansible-doc - fix indentation for first line of descriptions of suboptions and sub-return values (https://github.com/ansible/ansible/pull/84690).
+- ansible-doc - fix line wrapping for first line of description of options and return values (https://github.com/ansible/ansible/pull/84690).
+- dnf5 - avoid generating excessive transaction entries in the dnf5 history (https://github.com/ansible/ansible/issues/85046)
+- dnf5 - when ``bugfix`` and/or ``security`` is specified, skip packages that do not have any such updates, even for new versions of libdnf5 where this functionality changed and it is considered failure
+- script - Fix up become support for Windows scripts when become was set through host variables and not on the task directly - https://github.com/ansible/ansible/issues/85076
+
+v2.18.5
+=======
+
+Release Summary
+---------------
+
+| Release Date: 2025-04-21
+| `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__
+
+Bugfixes
+--------
+
+- build - Pin ``wheel`` in ``pyproject.toml`` to ensure compatibility with supported ``setuptools`` versions.
+- dnf5 - Handle forwarded exceptions from dnf5-5.2.13 where a generic ``RuntimeError`` was previously raised
+- find - skip ENOENT error code while recursively enumerating files. find module will now be tolerant to race conditions that remove files or directories from the target it is currently inspecting. (https://github.com/ansible/ansible/issues/84873).
+- gather_facts action, will now add setup when 'smart' appears with other modules in the FACTS_MODULES setting (#84750).
+- uri - Form location correctly when the server returns a relative redirect (https://github.com/ansible/ansible/issues/84540)
+
+v2.18.4
+=======
+
+Release Summary
+---------------
+
+| Release Date: 2025-03-25
+| `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__
+
+Bugfixes
+--------
+
+- Windows - add support for running on system where WDAC is in audit mode with ``Dynamic Code Security`` enabled.
+- dnf5 - fix ``is_installed`` check for packages that are not installed but listed as provided by an installed package (https://github.com/ansible/ansible/issues/84578)
+- dnf5 - libdnf5 - use ``conf.pkg_gpgcheck`` instead of deprecated ``conf.gpgcheck`` which is used only as a fallback
+- facts - gather pagesize and calculate respective values depending upon architecture (https://github.com/ansible/ansible/issues/84773).
+- module respawn - limit to supported Python versions
+
+v2.18.3
+=======
+
+Release Summary
+---------------
+
+| Release Date: 2025-02-24
+| `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__
+
+Minor Changes
+-------------
+
+- ansible-test - Automatically retry HTTP GET/PUT/DELETE requests on exceptions.
+- ansible-test - Use Python's ``urllib`` instead of ``curl`` for HTTP requests.
+
+Bugfixes
+--------
+
+- include_vars - fixed erroneous warning if an unreserved variable name contains a single character that matches a reserved variable. (https://github.com/ansible/ansible/issues/84623)
+- linear strategy - fix executing ``end_role`` meta tasks for each host, instead of handling these as implicit run_once tasks (https://github.com/ansible/ansible/issues/84660).
+
+v2.18.2
+=======
+
+Release Summary
+---------------
+
+| Release Date: 2025-01-27
+| `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__
+
+Bugfixes
+--------
+
+- Ansible will now also warn when reserved keywords are set via a module (set_fact, include_vars, etc).
+- Ansible.Basic - Fix ``required_if`` check when the option value to check is unset or set to null.
+- Use consistent multiprocessing context for action write locks
+- ansible-test - Fix up coverage reporting to properly translate the temporary path of integration test modules to the expected static test module path.
+- ansible-vault will now correctly handle `--prompt`, previously it would issue an error about stdin if no 2nd argument was passed
+- copy action now prevents user from setting internal options.
+- gather_facts action now defaults to `ansible.legacy.setup` if `smart` was set, no network OS was found and no other alias for `setup` was present.
+- gather_facts action will now issues errors and warnings as appropriate if a network OS is detected but no facts modules are defined for it.
+- ssh - Improve the logic for parsing CLIXML data in stderr when working with Windows host. This fixes issues when the raw stderr contains invalid UTF-8 byte sequences and improves embedded CLIXML sequences.
+- ssh - connection options were incorrectly templated during ``reset_connection`` tasks (https://github.com/ansible/ansible/pull/84238).
+
+v2.18.1
+=======
+
+Release Summary
+---------------
+
+| Release Date: 2024-12-02
+| `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__
+
+Minor Changes
+-------------
+
+- ansible-test - When detection of the current container network fails, a warning is now issued and execution continues. This simplifies usage in cases where the current container cannot be inspected, such as when running in GitHub Codespaces.
+
+Security Fixes
+--------------
+
+- Templating will not prefer AnsibleUnsafe when a variable is referenced via hostvars - CVE-2024-11079
+
+Bugfixes
+--------
+
+- Fix returning 'unreachable' for the overall task result. This prevents false positives when a looped task has unignored unreachable items (https://github.com/ansible/ansible/issues/84019).
+- ansible-test - Fix traceback that occurs after an interactive command fails.
+- dnf5 - fix installing a package using ``state=latest`` when a binary of the same name as the package is already installed (https://github.com/ansible/ansible/issues/84259)
+- dnf5 - matching on a binary can be achieved only by specifying a full path (https://github.com/ansible/ansible/issues/84334)
+- runas become - Fix up become logic to still get the SYSTEM token with the most privileges when running as SYSTEM.
+
+v2.18.0
+=======
+
+Release Summary
+---------------
+
+| Release Date: 2024-11-04
+| `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__
+
+Minor Changes
+-------------
+
+- Add ``gid_min``, ``gid_max`` to the group plugin to overwrite the defaults provided by the ``/etc/login.defs`` file (https://github.com/ansible/ansible/pull/81770).
+- Add ``python3.13`` to the default ``INTERPRETER_PYTHON_FALLBACK`` list.
+- Add ``uid_min``, ``uid_max`` to the user plugin to overwrite the defaults provided by the ``/etc/login.defs`` file (https://github.com/ansible/ansible/pull/81770).
+- Add a new meta task ``end_role`` (https://github.com/ansible/ansible/issues/22286)
+- Add a new mount_facts module to support gathering information about mounts that are excluded by default fact gathering.
+- Introducing COLOR_INCLUDED parameter. This can set a specific color for "included" events.
+- Removed the shell ``environment`` config entry as this is already covered by the play/task directives documentation and the value itself is not used in the shell plugins. This should remove any confusion around how people set the environment for a task.
+- Suppress cryptography deprecation warnings for Blowfish and TripleDES when the ``paramiko`` Python module is installed.
+- The minimum supported Python version on targets is now Python 3.8.
+- ``ansible-galaxy collection publish`` - add configuration options for the initial poll interval and the exponential when checking the import status of a collection, since the default is relatively slow.
+- ansible-config has new 'validate' option to find mispelled/forgein configurations in ini file or environment variables.
+- ansible-doc - show examples in role entrypoint argument specs (https://github.com/ansible/ansible/pull/82671).
+- ansible-galaxy - Handle authentication errors and token expiration
+- ansible-test - Add Ubuntu 24.04 remote.
+- ansible-test - Add support for Python 3.13.
+- ansible-test - An ``ansible_core.egg-info`` directory is no longer generated when running tests.
+- ansible-test - Connection options can be set for ansible-test managed remote Windows instances.
+- ansible-test - Default to Python 3.13 in the ``base`` and ``default`` containers.
+- ansible-test - Disable the ``deprecated-`` prefixed ``pylint`` rules as their results vary by Python version.
+- ansible-test - Improve container runtime probe error handling. When unexpected probe output is encountered, an error with more useful debugging information is provided.
+- ansible-test - Improve the error message shown when an unknown ``--remote`` or ``--docker`` option is given.
+- ansible-test - Remove Python 2.7 compatibility imports.
+- ansible-test - Removed the ``vyos/1.1.8`` network remote as it is no longer functional.
+- ansible-test - Replace Alpine 3.19 container and remote with Alpine 3.20.
+- ansible-test - Replace Fedora 39 container and remote with Fedora 40.
+- ansible-test - Replace FreeBSD 14.0 remote with FreeBSD 14.1.
+- ansible-test - Replace RHEL 9.3 remote with RHEL 9.4.
+- ansible-test - Replace Ubuntu 20.04 container with Ubuntu 24.04 container.
+- ansible-test - The ``empty-init`` sanity test no longer applies to ``module_utils`` packages.
+- ansible-test - Update ``ansible-test-utility-container`` to version 3.1.0.
+- ansible-test - Update ``base`` and ``default`` containers to omit Python 3.7.
+- ansible-test - Update ``coverage`` to version 7.6.1.
+- ansible-test - Update ``http-test-container`` to version 3.0.0.
+- ansible-test - Update ``nios-test-container`` to version 5.0.0.
+- ansible-test - Update ``pylint`` sanity test to use version 3.3.1.
+- ansible-test - Update ``pypi-test-container`` to version 3.2.0.
+- ansible-test - Update the ``base`` and ``default`` containers.
+- ansible-test - Updated the frozen requirements for all sanity tests.
+- ansible-test - Upgrade ``pip`` used in ansible-test managed virtual environments from version 24.0 to 24.2.
+- ansible-test - Virtual environments created by ansible-test no longer include the ``wheel`` or ``setuptools`` packages.
+- ansible-test - update HTTP test container to 3.2.0 (https://github.com/ansible/ansible/pull/83469).
+- ansible.log now also shows log severity field
+- distribution.py - Added SL-Micro in Suse OS Family. (https://github.com/ansible/ansible/pull/83541)
+- dnf - minor internal changes in how the errors from the dnf API are handled; rely solely on the exceptions rather than inspecting text embedded in them
+- dnf - remove legacy code for unsupported dnf versions
+- dnf5 - implement ``enable_plugin`` and ``disable_plugin`` options
+- fact gathering - Gather /proc/sysinfo facts on s390 Linux on Z
+- facts - add systemd version and features
+- find - change the datatype of ``elements`` to ``path`` in option ``paths`` (https://github.com/ansible/ansible/pull/83575).
+- ini lookup - add new ``interpolation`` option (https://github.com/ansible/ansible/issues/83755)
+- isidentifier - remove unwanted Python 2 specific code.
+- loop_control - add a break_when option to to break out of a task loop early based on Jinja2 expressions (https://github.com/ansible/ansible/issues/83442).
+- package_facts module now supports using aliases for supported package managers, for example managers=yum or managers=dnf will resolve to using the underlying rpm.
+- plugins, deprecations and warnings concerning configuration are now displayed to the user, technical issue that prevented 'de-duplication' have been resolved.
+- psrp - Remove connection plugin extras vars lookup. This should have no affect on existing users as all options have been documented.
+- remove extraneous selinux import (https://github.com/ansible/ansible/issues/83657).
+- replace random with secrets library.
+- rpm_key - allow validation of gpg key with a subkey fingerprint
+- rpm_key - enable gpg validation that requires presence of multiple fingerprints
+- service_mgr - add support for dinit service manager (https://github.com/ansible/ansible/pull/83489).
+- task timeout now returns timedout key with frame/code that was in execution when the timeout is triggered.
+- timedout test for checking if a task result represents a 'timed out' task.
+- unarchive - Remove Python 2.7 compatibility imports.
+- validate-modules sanity test - detect if names of an option (option name + aliases) do not match between argument spec and documentation (https://github.com/ansible/ansible/issues/83598, https://github.com/ansible/ansible/pull/83599).
+- validate-modules sanity test - reject option/aliases names that are identical up to casing but belong to different options (https://github.com/ansible/ansible/pull/83530).
+- vaulted_file test filter added, to test if the provided path is an 'Ansible vaulted' file
+- yum_repository - add ``excludepkgs`` alias to the ``exclude`` option.
+
+Breaking Changes / Porting Guide
+--------------------------------
+
+- Stopped wrapping all commands sent over SSH on a Windows target with a ``powershell.exe`` executable. This results in one less process being started on each command for Windows to improve efficiency, simplify the code, and make ``raw`` an actual raw command run with the default shell configured on the Windows sshd settings. This should have no affect on most tasks except for ``raw`` which now is not guaranteed to always be running in a PowerShell shell and from having the console output codepage set to UTF-8. To avoid this issue either swap to using ``ansible.windows.win_command``, ``ansible.windows.win_shell``, ``ansible.windows.win_powershell`` or manually wrap the raw command with the shell commands needed to set the output console encoding.
+- persistent connection plugins - The ``ANSIBLE_CONNECTION_PATH`` config option no longer has any effect.
+
+Deprecated Features
+-------------------
+
+- Deprecate ``ansible.module_utils.basic.AnsibleModule.safe_eval`` and ``ansible.module_utils.common.safe_eval`` as they are no longer used.
+- persistent connection plugins - The ``ANSIBLE_CONNECTION_PATH`` config option no longer has any effect, and will be removed in a future release.
+- yum_repository - deprecate ``async`` option as it has been removed in RHEL 8 and will be removed in ansible-core 2.22.
+- yum_repository - the following options are deprecated: ``deltarpm_metadata_percentage``, ``gpgcakey``, ``http_caching``, ``keepalive``, ``metadata_expire_filter``, ``mirrorlist_expire``, ``protect``, ``ssl_check_cert_permissions``, ``ui_repoid_vars`` as they have no effect for dnf as an underlying package manager. The options will be removed in ansible-core 2.22.
+
+Removed Features (previously deprecated)
+----------------------------------------
+
+- Play - removed deprecated ``ROLE_CACHE`` property in favor of ``role_cache``.
+- Remove deprecated `VariableManager._get_delegated_vars` method (https://github.com/ansible/ansible/issues/82950)
+- Removed Python 3.10 as a supported version on the controller. Python 3.11 or newer is required.
+- Removed support for setting the ``vars`` keyword to lists of dictionaries. It is now required to be a single dictionary.
+- loader - remove deprecated non-inclusive words (https://github.com/ansible/ansible/issues/82947).
+- paramiko_ssh - removed deprecated ssh_args from the paramiko_ssh connection plugin (https://github.com/ansible/ansible/issues/82939).
+- paramiko_ssh - removed deprecated ssh_common_args from the paramiko_ssh connection plugin (https://github.com/ansible/ansible/issues/82940).
+- paramiko_ssh - removed deprecated ssh_extra_args from the paramiko_ssh connection plugin (https://github.com/ansible/ansible/issues/82941).
+- play_context - remove deprecated PlayContext.verbosity property (https://github.com/ansible/ansible/issues/82945).
+- utils/listify - remove deprecated 'loader' argument from listify_lookup_plugin_terms API (https://github.com/ansible/ansible/issues/82949).
+
+Security Fixes
+--------------
+
+- include_vars action - Ensure that result masking is correctly requested when vault-encrypted files are read. (CVE-2024-8775)
+- task result processing - Ensure that action-sourced result masking (``_ansible_no_log=True``) is preserved. (CVE-2024-8775)
+- user action won't allow ssh-keygen, chown and chmod to run on existing ssh public key file, avoiding traversal on existing symlinks (CVE-2024-9902).
+
+Bugfixes
+--------
+
+- -> runas become - Generate new token for the SYSTEM token to use for become. This should result in the full SYSTEM token being used and problems starting the process that fails with ``The process creation has been blocked``.
+- Add a version ceiling constraint for pypsrp to avoid potential breaking changes in the 1.0.0 release.
+- Add descriptions for ``ansible-galaxy install --help` and ``ansible-galaxy role|collection install --help``.
+- Avoid truncating floats when casting into int, as it can lead to truncation and unexpected results. 0.99999 will be 0, not 1.
+- COLOR_SKIP will not alter "included" events color display anymore.
+- Callbacks now correctly get the resolved connection plugin name as the connection used.
+- Darwin - add unit tests for Darwin hardware fact gathering.
+- Errors now preserve stacked error messages even when YAML is involved.
+- Fix ``SemanticVersion.parse()`` to store the version string so that ``__repr__`` reports it instead of ``None`` (https://github.com/ansible/ansible/pull/83831).
+- Fix a traceback when an environment variable contains certain special characters (https://github.com/ansible/ansible/issues/83498)
+- Fix an issue when setting a plugin name from an unsafe source resulted in ``ValueError: unmarshallable object`` (https://github.com/ansible/ansible/issues/82708)
+- Fix an issue where registered variable was not available for templating in ``loop_control.label`` on skipped looped tasks (https://github.com/ansible/ansible/issues/83619)
+- Fix disabling SSL verification when installing collections and roles from git repositories. If ``--ignore-certs`` isn't provided, the value for the ``GALAXY_IGNORE_CERTS`` configuration option will be used (https://github.com/ansible/ansible/issues/83326).
+- Fix for ``meta`` tasks breaking host/fork affinity with ``host_pinned`` strategy (https://github.com/ansible/ansible/issues/83294)
+- Fix handlers not being executed in lockstep using the linear strategy in some cases (https://github.com/ansible/ansible/issues/82307)
+- Fix rapid memory usage growth when notifying handlers using the ``listen`` keyword (https://github.com/ansible/ansible/issues/83392)
+- Fix the task attribute ``resolved_action`` to show the FQCN instead of ``None`` when ``action`` or ``local_action`` is used in the playbook.
+- Fix using ``module_defaults`` with ``local_action``/``action`` (https://github.com/ansible/ansible/issues/81905).
+- Fix using the current task's directory for looking up relative paths within roles (https://github.com/ansible/ansible/issues/82695).
+- Improve performance on large inventories by reducing the number of implicit meta tasks.
+- Remove deprecated config options DEFAULT_FACT_PATH, DEFAULT_GATHER_SUBSET, and DEFAULT_GATHER_TIMEOUT in favor of setting ``fact_path``, ``gather_subset`` and ``gather_timeout`` as ``module_defaults`` for ``ansible.builtin.setup``.
+  These will apply to both the ``gather_facts`` play keyword, and any ``ansible.builtin.setup`` tasks.
+  To configure these options only for the ``gather_facts`` keyword, set these options as play keywords also.
+- Set LANGUAGE environment variable is set to a non-English locale (https://github.com/ansible/ansible/issues/83608).
+- Use the requested error message in the ansible.module_utils.facts.timeout timeout function instead of hardcoding one.
+- ``ansible-galaxy install --help`` - Fix the usage text and document that the requirements file passed to ``-r`` can include collections and roles.
+- ``ansible-galaxy role install`` - update the default timeout to download archive URLs from 20 seconds to 60 (https://github.com/ansible/ansible/issues/83521).
+- ``end_host`` - fix incorrect return code when executing ``end_host`` in the ``rescue`` section (https://github.com/ansible/ansible/issues/83447)
+- ``package``/``dnf`` action plugins - provide the reason behind the failure to gather the ``ansible_pkg_mgr`` fact to identify the package backend
+- addressed issue of trailing text been ignored, non-ASCII characters are parsed, enhance white space handling and fixed overly permissive issue of human_to_bytes filter(https://github.com/ansible/ansible/issues/82075)
+- ansible-config will now properly template defaults before dumping them.
+- ansible-doc - fixed "inicates" typo in output
+- ansible-doc - format top-level descriptions with multiple paragraphs as multiple paragraphs, instead of concatenating them (https://github.com/ansible/ansible/pull/83155).
+- ansible-doc - handle no_fail condition for role.
+- ansible-doc - make colors configurable.
+- ansible-galaxy collection install - remove old installation info when installing collections (https://github.com/ansible/ansible/issues/83182).
+- ansible-galaxy role install - fix symlinks (https://github.com/ansible/ansible/issues/82702, https://github.com/ansible/ansible/issues/81965).
+- ansible-test - Enable the ``sys.unraisablehook`` work-around for the ``pylint`` sanity test on Python 3.11. Previously the work-around was only enabled for Python 3.12 and later. However, the same issue has been discovered on Python 3.11.
+- ansible-test - The ``pylint`` sanity test now includes the controller/target context of files when grouping them. This allows the ``--py-version`` option to be passed to ``pylint`` to indicate the minimum supported Python version for each test context, preventing ``pylint`` from defaulting to the Python version used to invoke the test.
+- ansible-test action-plugin-docs - Fix to check for sidecar documentation for action plugins
+- ansible_managed restored it's 'templatability' by ensuring the possible injection routes are cut off earlier in the process.
+- apt - report changed=True when some packages are being removed (https://github.com/ansible/ansible/issues/46314).
+- apt_* - add more info messages raised while updating apt cache (https://github.com/ansible/ansible/issues/77941).
+- assemble - update argument_spec with 'decrypt' option which is required by action plugin (https://github.com/ansible/ansible/issues/80840).
+- atomic_move - fix using the setgid bit on the parent directory when creating files (https://github.com/ansible/ansible/issues/46742, https://github.com/ansible/ansible/issues/67177).
+- config, restored the ability to set module compression via a variable
+- connection plugins using the 'extras' option feature would need variables to match the plugin's loaded name, sometimes requiring fqcn, which is not the same as the documented/declared/expected variables. Now we fall back to the 'basename' of the fqcn, but plugin authors can still set the expected value directly.
+- copy - mtime/atime not updated. Fix now update mtime/atime(https://github.com/ansible/ansible/issues/83013)
+- csvfile lookup - give an error when no search term is provided using modern config syntax (https://github.com/ansible/ansible/issues/83689).
+- debconf - fix normalization of value representation for boolean vtypes in new packages (https://github.com/ansible/ansible/issues/83594)
+- debconf - set empty password values (https://github.com/ansible/ansible/issues/83214).
+- delay keyword is now a float, matching the underlying 'time' API and user expectations.
+- display - warn user about empty log filepath (https://github.com/ansible/ansible/issues/79959).
+- display now does a better job of mapping warnings/errors to the proper log severity when using ansible.log. We still use color as a fallback mapping (now prioritiezed by severity) but mostly rely on it beind directly set by warnning/errors calls.
+- distro package - update the distro package version from 1.8.0 to 1.9.0  (https://github.com/ansible/ansible/issues/82935)
+- dnf - Ensure that we are handling DownloadError properly in the dnf module
+- dnf - Substitute variables in DNF cache path (https://github.com/ansible/ansible/pull/80094).
+- dnf - fix an issue where two packages of the same ``evr`` but different arch failed to install (https://github.com/ansible/ansible/issues/83406)
+- dnf - honor installroot for ``cachedir``, ``logdir`` and ``persistdir``
+- dnf - perform variable substitutions in ``logdir`` and ``persistdir``
+- dnf, dnf5 - fix for installing a set of packages by specifying them using a wildcard character (https://github.com/ansible/ansible/issues/83373)
+- dnf5 - fix traceback when ``enable_plugins``/``disable_plugins`` is used on ``python3-libdnf5`` versions that do not support this functionality
+- dnf5 - re-introduce the ``state: installed`` alias to ``state: present`` (https://github.com/ansible/ansible/issues/83960)
+- dnf5 - replace removed API calls
+- ensure we have logger before we log when we have increased verbosity.
+- facts - `support_discard` now returns `0` if either `discard_granularity` or `discard_max_hw_bytes` is zero; otherwise it returns the value of `discard_granularity`, as before (https://github.com/ansible/ansible/pull/83480).
+- facts - add a generic detection for VMware in product name.
+- facts - add facts about x86_64 flags to detect microarchitecture (https://github.com/ansible/ansible/issues/83331).
+- facts - skip if distribution file path is directory, instead of raising error (https://github.com/ansible/ansible/issues/84006).
+- fetch - add error message when using ``dest`` with a trailing slash that becomes a local directory - https://github.com/ansible/ansible/issues/82878
+- file - retrieve the link's full path when hard linking a soft link with follow (https://github.com/ansible/ansible/issues/33911).
+- fixed the issue of creating user directory using tilde(~) always reported "changed".(https://github.com/ansible/ansible/issues/82490)
+- fixed unit test test_borken_cowsay to address mock not been properly applied when existing unix system already have cowsay installed.
+- freebsd - refactor dmidecode fact gathering code for simplicity.
+- freebsd - update disk and slices regex for fact gathering (https://github.com/ansible/ansible/pull/82081).
+- get_url - Verify checksum using tmpsrc, not dest (https://github.com/ansible/ansible/pull/64092)
+- git - check if git version is available or not before using it for comparison (https://github.com/ansible/ansible/issues/72321).
+- include_tasks - Display location when attempting to load a task list where ``include_*`` did not specify any value - https://github.com/ansible/ansible/issues/83874
+- known_hosts - the returned module invocation now accurately reflects the module arguments.
+- linear strategy now provides a properly templated task name to the v2_runner_on_started callback event.
+- linear strategy: fix handlers included via ``include_tasks`` handler to be executed in lockstep (https://github.com/ansible/ansible/issues/83019)
+- linux - remove extraneous get_bin_path API call.
+- local - handle error while parsing values in ini files (https://github.com/ansible/ansible/issues/82717).
+- lookup - Fixed examples of csv lookup plugin (https://github.com/ansible/ansible/issues/83031).
+- module_defaults - do not display action/module deprecation warnings when using an action_group that contains a deprecated plugin (https://github.com/ansible/ansible/issues/83490).
+- module_utils atomic_move (used by most file based modules), now correctly handles permission copy and setting mtime correctly across all paths
+- package_facts - apk fix when cache is empty (https://github.com/ansible/ansible/issues/83126).
+- package_facts - no longer fails silently when the selected package manager is unable to list packages.
+- package_facts - returns the correct warning when package listing fails.
+- persistent connection plugins - The correct Ansible persistent connection helper is now always used. Previously, the wrong script could be used, depending on the value of the ``PATH`` environment variable. As a result, users were sometimes required to set ``ANSIBLE_CONNECTION_PATH`` to use the correct script.
+- powershell - Implement more robust deletion mechanism for C# code compilation temporary files. This should avoid scenarios where the underlying temporary directory may be temporarily locked by antivirus tools or other IO problems. A failure to delete one of these temporary directories will result in a warning rather than an outright failure.
+- powershell - Improve CLIXML decoding to decode all control characters and unicode characters that are encoded as surrogate pairs.
+- psrp - Fix bug when attempting to fetch a file path that contains special glob characters like ``[]``
+- replace - Updated before/after example (https://github.com/ansible/ansible/issues/83390).
+- runtime-metadata sanity test - do not crash on deprecations if ``galaxy.yml`` contains an empty ``version`` field (https://github.com/ansible/ansible/pull/83831).
+- service - fix order of CLI arguments on FreeBSD (https://github.com/ansible/ansible/pull/81377).
+- service_facts - don't crash if OpenBSD rcctl variable contains '=' character (https://github.com/ansible/ansible/issues/83457)
+- service_facts will now detect failed services more accurately across systemd implementations.
+- setup module (fact gathering), added fallbcak code path to handle mount fact gathering in linux when threading is not available
+- setup/gather_facts will skip missing ``sysctl`` instead of being a fatal error (https://github.com/ansible/ansible/pull/81297).
+- shell plugin - properly quote all needed components of shell commands (https://github.com/ansible/ansible/issues/82535)
+- ssh - Fix bug when attempting to fetch a file path with characters that should be quoted when using the ``piped`` transfer method
+- support the countme option when using yum_repository
+- systemd - extend systemctl is-enabled check to handle "enabled-runtime" (https://github.com/ansible/ansible/pull/77754).
+- systemd facts - handle AttributeError raised while gathering facts on non-systemd hosts.
+- systemd_service - handle mask operation failure (https://github.com/ansible/ansible/issues/81649).
+- templating hostvars under native jinja will not cause serialization errors anymore.
+- the raw arguments error now just displays the short names of modules instead of every possible variation
+- unarchive - Better handling of files with an invalid timestamp in zip file (https://github.com/ansible/ansible/issues/81092).
+- unarchive - trigger change when size and content differ when other properties are unchanged (https://github.com/ansible/ansible/pull/83454).
+- unsafe data - Address an incompatibility when iterating or getting a single index from ``AnsibleUnsafeBytes``
+- unsafe data - Address an incompatibility with ``AnsibleUnsafeText`` and ``AnsibleUnsafeBytes`` when pickling with ``protocol=0``
+- unsafe data - Enable directly using ``AnsibleUnsafeText`` with Python ``pathlib`` (https://github.com/ansible/ansible/issues/82414)
+- uri - deprecate 'yes' and 'no' value for 'follow_redirects' parameter.
+- user action will now require O(force) to overwrite the public part of an ssh key when generating ssh keys, as was already the case for the private part.
+- user module now avoids changing ownership of files symlinked in provided home dir skeleton
+- vault - handle vault password file value when it is directory (https://github.com/ansible/ansible/issues/42960).
+- vault.is_encrypted_file is now optimized to be called in runtime and not for being called in tests
+- vault_encrypted test documentation, name and examples have been fixed, other parts were clarified
+- winrm - Add retry after exceeding commands per user quota that can occur in loops and action plugins running multiple commands.
+
+Known Issues
+------------
+
+- ansible-test - When using ansible-test containers with Podman on a Ubuntu 24.04 host, ansible-test must be run as a non-root user to avoid permission issues caused by AppArmor.
+- ansible-test - When using the Fedora 40 container with Podman on a Ubuntu 24.04 host, the ``unix-chkpwd`` AppArmor profile must be disabled on the host to allow SSH connections to the container.
+
+New Plugins
+-----------
+
+Test
+~~~~
+
+- timedout - did the task time out
+- vaulted_file - Is this file an encrypted vault
+
+New Modules
+-----------
+
+Lib
+~~~
+
+ansible.modules
+^^^^^^^^^^^^^^^
+
+- mount_facts - Retrieve mount information.

changelogs/changelog.yaml

@@ -1,2 +1,911 @@
 ancestor: 2.17.0
-releases: {}
+releases:
+  2.18.0:
+    changes:
+      release_summary: '| Release Date: 2024-11-04
+
+        | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__
+
+        '
+    codename: Fool in the Rain
+    fragments:
+    - 2.18.0_summary.yaml
+    release_date: '2024-11-04'
+  2.18.0b1:
+    changes:
+      breaking_changes:
+      - Stopped wrapping all commands sent over SSH on a Windows target with a ``powershell.exe``
+        executable. This results in one less process being started on each command
+        for Windows to improve efficiency, simplify the code, and make ``raw`` an
+        actual raw command run with the default shell configured on the Windows sshd
+        settings. This should have no affect on most tasks except for ``raw`` which
+        now is not guaranteed to always be running in a PowerShell shell and from
+        having the console output codepage set to UTF-8. To avoid this issue either
+        swap to using ``ansible.windows.win_command``, ``ansible.windows.win_shell``,
+        ``ansible.windows.win_powershell`` or manually wrap the raw command with the
+        shell commands needed to set the output console encoding.
+      - persistent connection plugins - The ``ANSIBLE_CONNECTION_PATH`` config option
+        no longer has any effect.
+      bugfixes:
+      - -> runas become - Generate new token for the SYSTEM token to use for become.
+        This should result in the full SYSTEM token being used and problems starting
+        the process that fails with ``The process creation has been blocked``.
+      - Add a version ceiling constraint for pypsrp to avoid potential breaking changes
+        in the 1.0.0 release.
+      - Add descriptions for ``ansible-galaxy install --help` and ``ansible-galaxy
+        role|collection install --help``.
+      - Avoid truncating floats when casting into int, as it can lead to truncation
+        and unexpected results. 0.99999 will be 0, not 1.
+      - COLOR_SKIP will not alter "included" events color display anymore.
+      - Callbacks now correctly get the resolved connection plugin name as the connection
+        used.
+      - Darwin - add unit tests for Darwin hardware fact gathering.
+      - Fix ``SemanticVersion.parse()`` to store the version string so that ``__repr__``
+        reports it instead of ``None`` (https://github.com/ansible/ansible/pull/83831).
+      - Fix a traceback when an environment variable contains certain special characters
+        (https://github.com/ansible/ansible/issues/83498)
+      - 'Fix an issue when setting a plugin name from an unsafe source resulted in
+        ``ValueError: unmarshallable object`` (https://github.com/ansible/ansible/issues/82708)'
+      - Fix an issue where registered variable was not available for templating in
+        ``loop_control.label`` on skipped looped tasks (https://github.com/ansible/ansible/issues/83619)
+      - Fix for ``meta`` tasks breaking host/fork affinity with ``host_pinned`` strategy
+        (https://github.com/ansible/ansible/issues/83294)
+      - Fix handlers not being executed in lockstep using the linear strategy in some
+        cases (https://github.com/ansible/ansible/issues/82307)
+      - Fix rapid memory usage growth when notifying handlers using the ``listen``
+        keyword (https://github.com/ansible/ansible/issues/83392)
+      - Fix the task attribute ``resolved_action`` to show the FQCN instead of ``None``
+        when ``action`` or ``local_action`` is used in the playbook.
+      - Fix using ``module_defaults`` with ``local_action``/``action`` (https://github.com/ansible/ansible/issues/81905).
+      - Fix using the current task's directory for looking up relative paths within
+        roles (https://github.com/ansible/ansible/issues/82695).
+      - 'Remove deprecated config options DEFAULT_FACT_PATH, DEFAULT_GATHER_SUBSET,
+        and DEFAULT_GATHER_TIMEOUT in favor of setting ``fact_path``, ``gather_subset``
+        and ``gather_timeout`` as ``module_defaults`` for ``ansible.builtin.setup``.
+
+        These will apply to both the ``gather_facts`` play keyword, and any ``ansible.builtin.setup``
+        tasks.
+
+        To configure these options only for the ``gather_facts`` keyword, set these
+        options as play keywords also.'
+      - Set LANGUAGE environment variable is set to a non-English locale (https://github.com/ansible/ansible/issues/83608).
+      - '``ansible-galaxy install --help`` - Fix the usage text and document that
+        the requirements file passed to ``-r`` can include collections and roles.'
+      - '``ansible-galaxy role install`` - update the default timeout to download
+        archive URLs from 20 seconds to 60 (https://github.com/ansible/ansible/issues/83521).'
+      - '``end_host`` - fix incorrect return code when executing ``end_host`` in the
+        ``rescue`` section (https://github.com/ansible/ansible/issues/83447)'
+      - addressed issue of trailing text been ignored, non-ASCII characters are parsed,
+        enhance white space handling and fixed overly permissive issue of human_to_bytes
+        filter(https://github.com/ansible/ansible/issues/82075)
+      - ansible-config will now properly template defaults before dumping them.
+      - ansible-doc - fixed "inicates" typo in output
+      - ansible-doc - format top-level descriptions with multiple paragraphs as multiple
+        paragraphs, instead of concatenating them (https://github.com/ansible/ansible/pull/83155).
+      - ansible-doc - handle no_fail condition for role.
+      - ansible-doc - make colors configurable.
+      - ansible-galaxy collection install - remove old installation info when installing
+        collections (https://github.com/ansible/ansible/issues/83182).
+      - ansible-galaxy role install - fix symlinks (https://github.com/ansible/ansible/issues/82702,
+        https://github.com/ansible/ansible/issues/81965).
+      - ansible-test - The ``pylint`` sanity test now includes the controller/target
+        context of files when grouping them. This allows the ``--py-version`` option
+        to be passed to ``pylint`` to indicate the minimum supported Python version
+        for each test context, preventing ``pylint`` from defaulting to the Python
+        version used to invoke the test.
+      - ansible-test action-plugin-docs - Fix to check for sidecar documentation for
+        action plugins
+      - ansible_managed restored it's 'templatability' by ensuring the possible injection
+        routes are cut off earlier in the process.
+      - apt - report changed=True when some packages are being removed (https://github.com/ansible/ansible/issues/46314).
+      - apt_* - add more info messages raised while updating apt cache (https://github.com/ansible/ansible/issues/77941).
+      - assemble - update argument_spec with 'decrypt' option which is required by
+        action plugin (https://github.com/ansible/ansible/issues/80840).
+      - atomic_move - fix using the setgid bit on the parent directory when creating
+        files (https://github.com/ansible/ansible/issues/46742, https://github.com/ansible/ansible/issues/67177).
+      - config, restored the ability to set module compression via a variable
+      - connection plugins using the 'extras' option feature would need variables
+        to match the plugin's loaded name, sometimes requiring fqcn, which is not
+        the same as the documented/declared/expected variables. Now we fall back to
+        the 'basename' of the fqcn, but plugin authors can still set the expected
+        value directly.
+      - copy - mtime/atime not updated. Fix now update mtime/atime(https://github.com/ansible/ansible/issues/83013)
+      - csvfile lookup - give an error when no search term is provided using modern
+        config syntax (https://github.com/ansible/ansible/issues/83689).
+      - debconf - fix normalization of value representation for boolean vtypes in
+        new packages (https://github.com/ansible/ansible/issues/83594)
+      - delay keyword is now a float, matching the underlying 'time' API and user
+        expectations.
+      - display - warn user about empty log filepath (https://github.com/ansible/ansible/issues/79959).
+      - display now does a better job of mapping warnings/errors to the proper log
+        severity when using ansible.log. We still use color as a fallback mapping
+        (now prioritiezed by severity) but mostly rely on it beind directly set by
+        warnning/errors calls.
+      - distro package - update the distro package version from 1.8.0 to 1.9.0  (https://github.com/ansible/ansible/issues/82935)
+      - dnf - Ensure that we are handling DownloadError properly in the dnf module
+      - dnf - Substitute variables in DNF cache path (https://github.com/ansible/ansible/pull/80094).
+      - dnf - fix an issue where two packages of the same ``evr`` but different arch
+        failed to install (https://github.com/ansible/ansible/issues/83406)
+      - dnf - honor installroot for ``cachedir``, ``logdir`` and ``persistdir``
+      - dnf - perform variable substitutions in ``logdir`` and ``persistdir``
+      - dnf, dnf5 - fix for installing a set of packages by specifying them using
+        a wildcard character (https://github.com/ansible/ansible/issues/83373)
+      - 'dnf5 - re-introduce the ``state: installed`` alias to ``state: present``
+        (https://github.com/ansible/ansible/issues/83960)'
+      - dnf5 - replace removed API calls
+      - ensure we have logger before we log when we have increased verbosity.
+      - facts - `support_discard` now returns `0` if either `discard_granularity`
+        or `discard_max_hw_bytes` is zero; otherwise it returns the value of `discard_granularity`,
+        as before (https://github.com/ansible/ansible/pull/83480).
+      - facts - add a generic detection for VMware in product name.
+      - facts - add facts about x86_64 flags to detect microarchitecture (https://github.com/ansible/ansible/issues/83331).
+      - fetch - add error message when using ``dest`` with a trailing slash that becomes
+        a local directory - https://github.com/ansible/ansible/issues/82878
+      - file - retrieve the link's full path when hard linking a soft link with follow
+        (https://github.com/ansible/ansible/issues/33911).
+      - fixed the issue of creating user directory using tilde(~) always reported
+        "changed".(https://github.com/ansible/ansible/issues/82490)
+      - fixed unit test test_borken_cowsay to address mock not been properly applied
+        when existing unix system already have cowsay installed.
+      - freebsd - refactor dmidecode fact gathering code for simplicity.
+      - freebsd - update disk and slices regex for fact gathering (https://github.com/ansible/ansible/pull/82081).
+      - get_url - Verify checksum using tmpsrc, not dest (https://github.com/ansible/ansible/pull/64092)
+      - git - check if git version is available or not before using it for comparison
+        (https://github.com/ansible/ansible/issues/72321).
+      - include_tasks - Display location when attempting to load a task list where
+        ``include_*`` did not specify any value - https://github.com/ansible/ansible/issues/83874
+      - known_hosts - the returned module invocation now accurately reflects the module
+        arguments.
+      - linear strategy now provides a properly templated task name to the v2_runner_on_started
+        callback event.
+      - 'linear strategy: fix handlers included via ``include_tasks`` handler to be
+        executed in lockstep (https://github.com/ansible/ansible/issues/83019)'
+      - linux - remove extraneous get_bin_path API call.
+      - local - handle error while parsing values in ini files (https://github.com/ansible/ansible/issues/82717).
+      - lookup - Fixed examples of csv lookup plugin (https://github.com/ansible/ansible/issues/83031).
+      - module_defaults - do not display action/module deprecation warnings when using
+        an action_group that contains a deprecated plugin (https://github.com/ansible/ansible/issues/83490).
+      - module_utils atomic_move (used by most file based modules), now correctly
+        handles permission copy and setting mtime correctly across all paths
+      - package_facts - apk fix when cache is empty (https://github.com/ansible/ansible/issues/83126).
+      - package_facts - no longer fails silently when the selected package manager
+        is unable to list packages.
+      - package_facts - returns the correct warning when package listing fails.
+      - persistent connection plugins - The correct Ansible persistent connection
+        helper is now always used. Previously, the wrong script could be used, depending
+        on the value of the ``PATH`` environment variable. As a result, users were
+        sometimes required to set ``ANSIBLE_CONNECTION_PATH`` to use the correct script.
+      - powershell - Implement more robust deletion mechanism for C# code compilation
+        temporary files. This should avoid scenarios where the underlying temporary
+        directory may be temporarily locked by antivirus tools or other IO problems.
+        A failure to delete one of these temporary directories will result in a warning
+        rather than an outright failure.
+      - powershell - Improve CLIXML decoding to decode all control characters and
+        unicode characters that are encoded as surrogate pairs.
+      - psrp - Fix bug when attempting to fetch a file path that contains special
+        glob characters like ``[]``
+      - replace - Updated before/after example (https://github.com/ansible/ansible/issues/83390).
+      - runtime-metadata sanity test - do not crash on deprecations if ``galaxy.yml``
+        contains an empty ``version`` field (https://github.com/ansible/ansible/pull/83831).
+      - service - fix order of CLI arguments on FreeBSD (https://github.com/ansible/ansible/pull/81377).
+      - service_facts - don't crash if OpenBSD rcctl variable contains '=' character
+        (https://github.com/ansible/ansible/issues/83457)
+      - service_facts will now detect failed services more accurately across systemd
+        implementations.
+      - setup module (fact gathering), added fallbcak code path to handle mount fact
+        gathering in linux when threading is not available
+      - setup/gather_facts will skip missing ``sysctl`` instead of being a fatal error
+        (https://github.com/ansible/ansible/pull/81297).
+      - shell plugin - properly quote all needed components of shell commands (https://github.com/ansible/ansible/issues/82535)
+      - ssh - Fix bug when attempting to fetch a file path with characters that should
+        be quoted when using the ``piped`` transfer method
+      - support the countme option when using yum_repository
+      - systemd - extend systemctl is-enabled check to handle "enabled-runtime" (https://github.com/ansible/ansible/pull/77754).
+      - systemd facts - handle AttributeError raised while gathering facts on non-systemd
+        hosts.
+      - systemd_service - handle mask operation failure (https://github.com/ansible/ansible/issues/81649).
+      - templating hostvars under native jinja will not cause serialization errors
+        anymore.
+      - the raw arguments error now just displays the short names of modules instead
+        of every possible variation
+      - unarchive - Better handling of files with an invalid timestamp in zip file
+        (https://github.com/ansible/ansible/issues/81092).
+      - unarchive - trigger change when size and content differ when other properties
+        are unchanged (https://github.com/ansible/ansible/pull/83454).
+      - unsafe data - Address an incompatibility when iterating or getting a single
+        index from ``AnsibleUnsafeBytes``
+      - unsafe data - Address an incompatibility with ``AnsibleUnsafeText`` and ``AnsibleUnsafeBytes``
+        when pickling with ``protocol=0``
+      - unsafe data - Enable directly using ``AnsibleUnsafeText`` with Python ``pathlib``
+        (https://github.com/ansible/ansible/issues/82414)
+      - uri - deprecate 'yes' and 'no' value for 'follow_redirects' parameter.
+      - vault - handle vault password file value when it is directory (https://github.com/ansible/ansible/issues/42960).
+      - vault.is_encrypted_file is now optimized to be called in runtime and not for
+        being called in tests
+      - vault_encrypted test documentation, name and examples have been fixed, other
+        parts were clarified
+      - winrm - Add retry after exceeding commands per user quota that can occur in
+        loops and action plugins running multiple commands.
+      deprecated_features:
+      - Deprecate ``ansible.module_utils.basic.AnsibleModule.safe_eval`` and ``ansible.module_utils.common.safe_eval``
+        as they are no longer used.
+      - persistent connection plugins - The ``ANSIBLE_CONNECTION_PATH`` config option
+        no longer has any effect, and will be removed in a future release.
+      - yum_repository - deprecate ``async`` option as it has been removed in RHEL
+        8 and will be removed in ansible-core 2.22.
+      - 'yum_repository - the following options are deprecated: ``deltarpm_metadata_percentage``,
+        ``gpgcakey``, ``http_caching``, ``keepalive``, ``metadata_expire_filter``,
+        ``mirrorlist_expire``, ``protect``, ``ssl_check_cert_permissions``, ``ui_repoid_vars``
+        as they have no effect for dnf as an underlying package manager. The options
+        will be removed in ansible-core 2.22.'
+      known_issues:
+      - ansible-test - When using ansible-test containers with Podman on a Ubuntu
+        24.04 host, ansible-test must be run as a non-root user to avoid permission
+        issues caused by AppArmor.
+      - ansible-test - When using the Fedora 40 container with Podman on a Ubuntu
+        24.04 host, the ``unix-chkpwd`` AppArmor profile must be disabled on the host
+        to allow SSH connections to the container.
+      minor_changes:
+      - Add ``gid_min``, ``gid_max`` to the group plugin to overwrite the defaults
+        provided by the ``/etc/login.defs`` file (https://github.com/ansible/ansible/pull/81770).
+      - Add ``python3.13`` to the default ``INTERPRETER_PYTHON_FALLBACK`` list.
+      - Add ``uid_min``, ``uid_max`` to the user plugin to overwrite the defaults
+        provided by the ``/etc/login.defs`` file (https://github.com/ansible/ansible/pull/81770).
+      - Add a new meta task ``end_role`` (https://github.com/ansible/ansible/issues/22286)
+      - Add a new mount_facts module to support gathering information about mounts
+        that are excluded by default fact gathering.
+      - Introducing COLOR_INCLUDED parameter. This can set a specific color for "included"
+        events.
+      - Removed the shell ``environment`` config entry as this is already covered
+        by the play/task directives documentation and the value itself is not used
+        in the shell plugins. This should remove any confusion around how people set
+        the environment for a task.
+      - Suppress cryptography deprecation warnings for Blowfish and TripleDES when
+        the ``paramiko`` Python module is installed.
+      - The minimum supported Python version on targets is now Python 3.8.
+      - '``ansible-galaxy collection publish`` - add configuration options for the
+        initial poll interval and the exponential when checking the import status
+        of a collection, since the default is relatively slow.'
+      - ansible-config has new 'validate' option to find mispelled/forgein configurations
+        in ini file or environment variables.
+      - ansible-doc - show examples in role entrypoint argument specs (https://github.com/ansible/ansible/pull/82671).
+      - ansible-galaxy - Handle authentication errors and token expiration
+      - ansible-test - Add Ubuntu 24.04 remote.
+      - ansible-test - Add support for Python 3.13.
+      - ansible-test - An ``ansible_core.egg-info`` directory is no longer generated
+        when running tests.
+      - ansible-test - Connection options can be set for ansible-test managed remote
+        Windows instances.
+      - ansible-test - Improve the error message shown when an unknown ``--remote``
+        or ``--docker`` option is given.
+      - ansible-test - Remove Python 2.7 compatibility imports.
+      - ansible-test - Removed the ``vyos/1.1.8`` network remote as it is no longer
+        functional.
+      - ansible-test - Replace Alpine 3.19 container and remote with Alpine 3.20.
+      - ansible-test - Replace Fedora 39 container and remote with Fedora 40.
+      - ansible-test - Replace FreeBSD 14.0 remote with FreeBSD 14.1.
+      - ansible-test - Replace RHEL 9.3 remote with RHEL 9.4.
+      - ansible-test - Replace Ubuntu 20.04 container with Ubuntu 24.04 container.
+      - ansible-test - The ``empty-init`` sanity test no longer applies to ``module_utils``
+        packages.
+      - ansible-test - Update ``ansible-test-utility-container`` to version 3.1.0.
+      - ansible-test - Update ``base`` and ``default`` containers to omit Python 3.7.
+      - ansible-test - Update ``coverage`` to version 7.6.1.
+      - ansible-test - Update ``http-test-container`` to version 3.0.0.
+      - ansible-test - Update ``nios-test-container`` to version 5.0.0.
+      - ansible-test - Update ``pypi-test-container`` to version 3.2.0.
+      - ansible-test - Updated the frozen requirements for all sanity tests.
+      - ansible-test - Upgrade ``pip`` used in ansible-test managed virtual environments
+        from version 24.0 to 24.2.
+      - ansible-test - Virtual environments created by ansible-test no longer include
+        the ``wheel`` or ``setuptools`` packages.
+      - ansible-test - update HTTP test container to 3.2.0 (https://github.com/ansible/ansible/pull/83469).
+      - ansible.log now also shows log severity field
+      - distribution.py - Added SL-Micro in Suse OS Family. (https://github.com/ansible/ansible/pull/83541)
+      - dnf - minor internal changes in how the errors from the dnf API are handled;
+        rely solely on the exceptions rather than inspecting text embedded in them
+      - dnf - remove legacy code for unsupported dnf versions
+      - dnf5 - implement ``enable_plugin`` and ``disable_plugin`` options
+      - fact gathering - Gather /proc/sysinfo facts on s390 Linux on Z
+      - facts - add systemd version and features
+      - find - change the datatype of ``elements`` to ``path`` in option ``paths``
+        (https://github.com/ansible/ansible/pull/83575).
+      - ini lookup - add new ``interpolation`` option (https://github.com/ansible/ansible/issues/83755)
+      - isidentifier - remove unwanted Python 2 specific code.
+      - loop_control - add a break_when option to to break out of a task loop early
+        based on Jinja2 expressions (https://github.com/ansible/ansible/issues/83442).
+      - package_facts module now supports using aliases for supported package managers,
+        for example managers=yum or managers=dnf will resolve to using the underlying
+        rpm.
+      - plugins, deprecations and warnings concerning configuration are now displayed
+        to the user, technical issue that prevented 'de-duplication' have been resolved.
+      - psrp - Remove connection plugin extras vars lookup. This should have no affect
+        on existing users as all options have been documented.
+      - remove extraneous selinux import (https://github.com/ansible/ansible/issues/83657).
+      - replace random with secrets library.
+      - rpm_key - allow validation of gpg key with a subkey fingerprint
+      - rpm_key - enable gpg validation that requires presence of multiple fingerprints
+      - service_mgr - add support for dinit service manager (https://github.com/ansible/ansible/pull/83489).
+      - task timeout now returns timedout key with frame/code that was in execution
+        when the timeout is triggered.
+      - timedout test for checking if a task result represents a 'timed out' task.
+      - unarchive - Remove Python 2.7 compatibility imports.
+      - validate-modules sanity test - detect if names of an option (option name +
+        aliases) do not match between argument spec and documentation (https://github.com/ansible/ansible/issues/83598,
+        https://github.com/ansible/ansible/pull/83599).
+      - validate-modules sanity test - reject option/aliases names that are identical
+        up to casing but belong to different options (https://github.com/ansible/ansible/pull/83530).
+      - vaulted_file test filter added, to test if the provided path is an 'Ansible
+        vaulted' file
+      - yum_repository - add ``excludepkgs`` alias to the ``exclude`` option.
+      release_summary: '| Release Date: 2024-09-24
+
+        | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__
+
+        '
+      removed_features:
+      - Play - removed deprecated ``ROLE_CACHE`` property in favor of ``role_cache``.
+      - Remove deprecated `VariableManager._get_delegated_vars` method (https://github.com/ansible/ansible/issues/82950)
+      - Removed Python 3.10 as a supported version on the controller. Python 3.11
+        or newer is required.
+      - Removed support for setting the ``vars`` keyword to lists of dictionaries.
+        It is now required to be a single dictionary.
+      - loader - remove deprecated non-inclusive words (https://github.com/ansible/ansible/issues/82947).
+      - paramiko_ssh - removed deprecated ssh_args from the paramiko_ssh connection
+        plugin (https://github.com/ansible/ansible/issues/82939).
+      - paramiko_ssh - removed deprecated ssh_common_args from the paramiko_ssh connection
+        plugin (https://github.com/ansible/ansible/issues/82940).
+      - paramiko_ssh - removed deprecated ssh_extra_args from the paramiko_ssh connection
+        plugin (https://github.com/ansible/ansible/issues/82941).
+      - play_context - remove deprecated PlayContext.verbosity property (https://github.com/ansible/ansible/issues/82945).
+      - utils/listify - remove deprecated 'loader' argument from listify_lookup_plugin_terms
+        API (https://github.com/ansible/ansible/issues/82949).
+    codename: Fool in the Rain
+    fragments:
+    - 2.18.0b1_summary.yaml
+    - 42960_vault_password.yml
+    - 46314.yml
+    - 46742-atomic_move-fix-setgid.yml
+    - 62151-loop_control-until.yml
+    - 64092-get_url_verify_tmpsrc_checksum.yml
+    - 72321_git.yml
+    - 81770-add-uid-guid-minmax-keys.yml
+    - 82075.yml
+    - 82307-handlers-lockstep-linear-fix.yml
+    - 82490_creating_user_dir_using_tilde_always_reports_changed.yml
+    - 82535-properly-quote-shell.yml
+    - 82671-ansible-doc-role-examples.yml
+    - 82708-unsafe-plugin-name-error.yml
+    - 82831_countme_yum_repository.yml
+    - 82878-fetch-dest-is-dir.yml
+    - 82941.yml
+    - 82946.yml
+    - 82947.yml
+    - 83019-linear-handlers-lockstep-fix.yml
+    - 83031.yml
+    - 83155-ansible-doc-paragraphs.yml
+    - 83235-copy-module-update-mtime.yml
+    - 83294-meta-host_pinned-affinity.yml
+    - 83327.yml
+    - 83331.yml
+    - 83373-dnf5-wildcard.yml
+    - 83392-fix-memory-issues-handlers.yml
+    - 83406-dnf-fix-arch-cmp.yml
+    - 83447-end_host-rescue-rc.yml
+    - 83457-service_facts-openbsd-dont-crash-in-equals.yml
+    - 83469-http-test-container.yml
+    - 83480-fix-support-discard.yml
+    - 83498-command-tb-env.yml
+    - 83508_mount_facts.yml
+    - 83530-validate-modules-casing.yml
+    - 83540-update_disto_version.yml
+    - 83541-add-sl-micro-suse-family.yaml
+    - 83575-fix-sanity-ignore-for-find.yml
+    - 83599-validate-modules-aliases.yml
+    - 83601-debconf-normalize-bools.yml
+    - 83619-loop-label-register.yml
+    - 83716-enable-subkey-fingerprint-validation-in-rpm-key-module.yml
+    - 83755-ini-new-interpolation-option.yml
+    - 83803-collection-import-poll-interval.yml
+    - 83831-runtime-metadata-fix.yml
+    - 83874-include-parse-error-location.yml
+    - 83960-dnf5-state-installed-fix.yml
+    - PowerShell-AddType-temp.yml
+    - action-plugin-docs-sidecar.yml
+    - add_systemd_facts.yml
+    - ansible-config-validate.yml
+    - ansible-doc-color.yml
+    - ansible-doc-inicate.yml
+    - ansible-doc.yml
+    - ansible-drop-python-3.7.yml
+    - ansible-galaxy-install-archive-url-timeout.yml
+    - ansible-galaxy-install-help.yml
+    - ansible-galaxy-role-install-symlink.yml
+    - ansible-test-container-update.yml
+    - ansible-test-coverage-update.yml
+    - ansible-test-error-message-improvement.yml
+    - ansible-test-http-test-container-update.yml
+    - ansible-test-nios-container.yml
+    - ansible-test-no-egg-info.yml
+    - ansible-test-platform-updates.yml
+    - ansible-test-pylint-py-version.yml
+    - ansible-test-pypi-test-container-update.yml
+    - ansible-test-sanity-empty-init.yml
+    - ansible-test-sanity-test-requirements.yml
+    - ansible-test-utility-container-update.yml
+    - ansible-test-venv-bootstrap.yml
+    - ansible-test-vyos.yml
+    - ansible-test-windows-remote.yml
+    - ansible_connection_path.yml
+    - ansible_managed_restore.yml
+    - apk_package_facts.yml
+    - apt_cache.yml
+    - assemble.yml
+    - atomic_update_perms_time.yml
+    - become-runas-system.yml
+    - cleanup-outdated-galaxy-install-info.yml
+    - colors_for_included_events.yml
+    - config_init_fix.yml
+    - correct-callback-fqcn-old-style-action-invocation.yml
+    - correct_connection_callback.yml
+    - darwin_facts.yml
+    - delay_type.yml
+    - deprecate-safe-evals.yml
+    - dinit.yml
+    - display_fix_log_severity.yml
+    - dnf-exceptions-vs-text.yml
+    - dnf-installroot-substitutions.yml
+    - dnf-remove-legacy-code.yml
+    - dnf5-api-breaks.yml
+    - dnf5-enable-disable-plugins.yml
+    - dnf_cache_path.yml
+    - dnf_handle_downloaderror.yml
+    - dwim_is_role_fix_task_relative.yml
+    - empty_log_path.yml
+    - enabled_runtime.yml
+    - end_role.yml
+    - extras_fix.yml
+    - fetch-filename.yml
+    - file_hardlink.yml
+    - fix-inconsistent-csvfile-missing-search-error.yml
+    - fix-module-defaults-deprecations.yml
+    - fix_floating_ints.yml
+    - fix_log_verbosity.yml
+    - freebsd_disk_regex.yml
+    - freebsd_facts_refactor.yml
+    - freebsd_service.yml
+    - galaxy-reauth-error-handling.yml
+    - gather-s390-sysinfo.yml
+    - gather_facts_single.yml
+    - getoffmylawn.yml
+    - hostvars_fix.yml
+    - isidentifier.yml
+    - known_hosts_module_args.yml
+    - language.yml
+    - linear_started_name.yml
+    - linux_network_get.yml
+    - listify.yml
+    - local_facts_d.yml
+    - mask_me.yml
+    - mc_fix.yml
+    - package_facts_aliases.yml
+    - package_facts_warnings.yml
+    - powershell-clixml.yml
+    - psrp-extras.yml
+    - psrp-version-req.yml
+    - python-3.13.yml
+    - raw_clean_msg.yml
+    - remove-deprecated-gather-facts-config.yml
+    - remove-deprecated-get_delegated_vars.yml
+    - remove-deprecated-role-cache.yml
+    - remove-deprecated-vars-syntax.yml
+    - remove-python-2-compat.yml
+    - remove-python3.10-controller-support.yml
+    - replace_regex.yml
+    - secrets.yml
+    - selinux_import.yml
+    - service_facts_systemd_fix.yml
+    - shell-environment.yml
+    - ssh-windows.yml
+    - suppress-paramiko-warnings.yml
+    - sysctl_fact_fix.yml
+    - systemd_facts.yml
+    - timedout_test.yml
+    - timeout_show_frame.yml
+    - unarchive_differs.yml
+    - unarchive_timestamp.yml
+    - unsafe-fixes-2.yml
+    - unsafe-intern.yml
+    - uri_follow_redirect.yml
+    - v2.18.0-initial-commit.yaml
+    - vaulted_file_and_fixes.yml
+    - vmware_facts.yml
+    - winrm-quota.yml
+    - yum_repository.yml
+    modules:
+    - description: Retrieve mount information.
+      name: mount_facts
+      namespace: lib.ansible.modules
+    plugins:
+      test:
+      - description: did the task time out
+        name: timedout
+        namespace: null
+      - description: Is this file an encrypted vault
+        name: vaulted_file
+        namespace: null
+    release_date: '2024-09-24'
+  2.18.0rc1:
+    changes:
+      bugfixes:
+      - Errors now preserve stacked error messages even when YAML is involved.
+      - Fix disabling SSL verification when installing collections and roles from
+        git repositories. If ``--ignore-certs`` isn't provided, the value for the
+        ``GALAXY_IGNORE_CERTS`` configuration option will be used (https://github.com/ansible/ansible/issues/83326).
+      - Improve performance on large inventories by reducing the number of implicit
+        meta tasks.
+      - Use the requested error message in the ansible.module_utils.facts.timeout
+        timeout function instead of hardcoding one.
+      - '``package``/``dnf`` action plugins - provide the reason behind the failure
+        to gather the ``ansible_pkg_mgr`` fact to identify the package backend'
+      - ansible-test - Enable the ``sys.unraisablehook`` work-around for the ``pylint``
+        sanity test on Python 3.11. Previously the work-around was only enabled for
+        Python 3.12 and later. However, the same issue has been discovered on Python
+        3.11.
+      - debconf - set empty password values (https://github.com/ansible/ansible/issues/83214).
+      - dnf5 - fix traceback when ``enable_plugins``/``disable_plugins`` is used on
+        ``python3-libdnf5`` versions that do not support this functionality
+      - facts - skip if distribution file path is directory, instead of raising error
+        (https://github.com/ansible/ansible/issues/84006).
+      - user module now avoids changing ownership of files symlinked in provided home
+        dir skeleton
+      minor_changes:
+      - ansible-test - Default to Python 3.13 in the ``base`` and ``default`` containers.
+      - ansible-test - Disable the ``deprecated-`` prefixed ``pylint`` rules as their
+        results vary by Python version.
+      - ansible-test - Improve container runtime probe error handling. When unexpected
+        probe output is encountered, an error with more useful debugging information
+        is provided.
+      - ansible-test - Update ``pylint`` sanity test to use version 3.3.1.
+      - ansible-test - Update the ``base`` and ``default`` containers.
+      release_summary: '| Release Date: 2024-10-14
+
+        | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__
+
+        '
+    codename: Fool in the Rain
+    fragments:
+    - 2.18.0rc1_summary.yaml
+    - ansible-test-probe-error-handling.yml
+    - ansible-test-pylint-fix.yml
+    - ansible-test-update.yml
+    - debconf_empty_password.yml
+    - dnf5-plugins-compat.yml
+    - fix-ansible-galaxy-ignore-certs.yml
+    - fix-module-utils-facts-timeout.yml
+    - fix_errors.yml
+    - os_family.yml
+    - package-dnf-action-plugins-facts-fail-msg.yml
+    - skip-implicit-flush_handlers-no-notify.yml
+    - user_action_fix.yml
+    release_date: '2024-10-14'
+  2.18.0rc2:
+    changes:
+      bugfixes:
+      - user action will now require O(force) to overwrite the public part of an ssh
+        key when generating ssh keys, as was already the case for the private part.
+      release_summary: '| Release Date: 2024-10-29
+
+        | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__
+
+        '
+      security_fixes:
+      - include_vars action - Ensure that result masking is correctly requested when
+        vault-encrypted files are read. (CVE-2024-8775)
+      - task result processing - Ensure that action-sourced result masking (``_ansible_no_log=True``)
+        is preserved. (CVE-2024-8775)
+      - user action won't allow ssh-keygen, chown and chmod to run on existing ssh
+        public key file, avoiding traversal on existing symlinks (CVE-2024-9902).
+    codename: Fool in the Rain
+    fragments:
+    - 2.18.0rc2_summary.yaml
+    - cve-2024-8775.yml
+    - user_ssh_fix.yml
+    release_date: '2024-10-29'
+  2.18.1:
+    changes:
+      release_summary: '| Release Date: 2024-12-02
+
+        | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__
+
+        '
+    codename: Fool in the Rain
+    fragments:
+    - 2.18.1_summary.yaml
+    release_date: '2024-12-02'
+  2.18.1rc1:
+    changes:
+      bugfixes:
+      - Fix returning 'unreachable' for the overall task result. This prevents false
+        positives when a looped task has unignored unreachable items (https://github.com/ansible/ansible/issues/84019).
+      - ansible-test - Fix traceback that occurs after an interactive command fails.
+      - dnf5 - fix installing a package using ``state=latest`` when a binary of the
+        same name as the package is already installed (https://github.com/ansible/ansible/issues/84259)
+      - dnf5 - matching on a binary can be achieved only by specifying a full path
+        (https://github.com/ansible/ansible/issues/84334)
+      - runas become - Fix up become logic to still get the SYSTEM token with the
+        most privileges when running as SYSTEM.
+      minor_changes:
+      - ansible-test - When detection of the current container network fails, a warning
+        is now issued and execution continues. This simplifies usage in cases where
+        the current container cannot be inspected, such as when running in GitHub
+        Codespaces.
+      release_summary: '| Release Date: 2024-11-25
+
+        | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__
+
+        '
+      security_fixes:
+      - Templating will not prefer AnsibleUnsafe when a variable is referenced via
+        hostvars - CVE-2024-11079
+    codename: Fool in the Rain
+    fragments:
+    - 2.18.1rc1_summary.yaml
+    - 84019-ignore_unreachable-loop.yml
+    - 84259-dnf5-latest-fix.yml
+    - 84334-dnf5-consolidate-settings.yml
+    - ansible-test-fix-command-traceback.yml
+    - ansible-test-network-detection.yml
+    - become-runas-system-deux.yml
+    - unsafe_hostvars_fix.yml
+    release_date: '2024-11-25'
+  2.18.2:
+    changes:
+      release_summary: '| Release Date: 2025-01-27
+
+        | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__
+
+        '
+    codename: Fool in the Rain
+    fragments:
+    - 2.18.2_summary.yaml
+    release_date: '2025-01-27'
+  2.18.2rc1:
+    changes:
+      bugfixes:
+      - Ansible will now also warn when reserved keywords are set via a module (set_fact,
+        include_vars, etc).
+      - Ansible.Basic - Fix ``required_if`` check when the option value to check is
+        unset or set to null.
+      - Use consistent multiprocessing context for action write locks
+      - ansible-test - Fix up coverage reporting to properly translate the temporary
+        path of integration test modules to the expected static test module path.
+      - ansible-vault will now correctly handle `--prompt`, previously it would issue
+        an error about stdin if no 2nd argument was passed
+      - copy action now prevents user from setting internal options.
+      - gather_facts action now defaults to `ansible.legacy.setup` if `smart` was
+        set, no network OS was found and no other alias for `setup` was present.
+      - gather_facts action will now issues errors and warnings as appropriate if
+        a network OS is detected but no facts modules are defined for it.
+      - ssh - Improve the logic for parsing CLIXML data in stderr when working with
+        Windows host. This fixes issues when the raw stderr contains invalid UTF-8
+        byte sequences and improves embedded CLIXML sequences.
+      - ssh - connection options were incorrectly templated during ``reset_connection``
+        tasks (https://github.com/ansible/ansible/pull/84238).
+      release_summary: '| Release Date: 2025-01-20
+
+        | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__
+
+        '
+    codename: Fool in the Rain
+    fragments:
+    - 2.18.2rc1_summary.yaml
+    - 84238-fix-reset_connection-ssh_executable-templated.yml
+    - Ansible.Basic-required_if-null.yml
+    - ansible-test-coverage-test-files.yml
+    - copy_validate_input.yml
+    - gather_facts_netos_fixes.yml
+    - macos-correct-lock.yml
+    - reserved_module_chekc.yml
+    - ssh-clixml.yml
+    - vault_cli_fix.yml
+    release_date: '2025-01-20'
+  2.18.3:
+    changes:
+      release_summary: '| Release Date: 2025-02-24
+
+        | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__
+
+        '
+    codename: Fool in the Rain
+    fragments:
+    - 2.18.3_summary.yaml
+    release_date: '2025-02-24'
+  2.18.3rc1:
+    changes:
+      bugfixes:
+      - include_vars - fixed erroneous warning if an unreserved variable name contains
+        a single character that matches a reserved variable. (https://github.com/ansible/ansible/issues/84623)
+      - linear strategy - fix executing ``end_role`` meta tasks for each host, instead
+        of handling these as implicit run_once tasks (https://github.com/ansible/ansible/issues/84660).
+      minor_changes:
+      - ansible-test - Automatically retry HTTP GET/PUT/DELETE requests on exceptions.
+      - ansible-test - Use Python's ``urllib`` instead of ``curl`` for HTTP requests.
+      release_summary: '| Release Date: 2025-02-17
+
+        | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__
+
+        '
+    codename: Fool in the Rain
+    fragments:
+    - 2.18.3rc1_summary.yaml
+    - 84660-fix-meta-end_role-linear-strategy.yml
+    - ansible-test-curl.yml
+    - fix-include_vars-reserved-warning.yml
+    release_date: '2025-02-17'
+  2.18.4:
+    changes:
+      release_summary: '| Release Date: 2025-03-25
+
+        | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__
+
+        '
+    codename: Fool in the Rain
+    fragments:
+    - 2.18.4_summary.yaml
+    release_date: '2025-03-25'
+  2.18.4rc1:
+    changes:
+      bugfixes:
+      - Windows - add support for running on system where WDAC is in audit mode with
+        ``Dynamic Code Security`` enabled.
+      - dnf5 - fix ``is_installed`` check for packages that are not installed but
+        listed as provided by an installed package (https://github.com/ansible/ansible/issues/84578)
+      - dnf5 - libdnf5 - use ``conf.pkg_gpgcheck`` instead of deprecated ``conf.gpgcheck``
+        which is used only as a fallback
+      - facts - gather pagesize and calculate respective values depending upon architecture
+        (https://github.com/ansible/ansible/issues/84773).
+      - module respawn - limit to supported Python versions
+      release_summary: '| Release Date: 2025-03-17
+
+        | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__
+
+        '
+    codename: Fool in the Rain
+    fragments:
+    - 2.18.4rc1_summary.yaml
+    - 84578-dnf5-is_installed-provides.yml
+    - darwin_pagesize.yml
+    - dnf5-remove-usage-deprecated-option.yml
+    - respawn-min-python.yml
+    - win-wdac-audit.yml
+    release_date: '2025-03-17'
+  2.18.5:
+    changes:
+      release_summary: '| Release Date: 2025-04-21
+
+        | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__
+
+        '
+    codename: Fool in the Rain
+    fragments:
+    - 2.18.5_summary.yaml
+    release_date: '2025-04-21'
+  2.18.5rc1:
+    changes:
+      bugfixes:
+      - build - Pin ``wheel`` in ``pyproject.toml`` to ensure compatibility with supported
+        ``setuptools`` versions.
+      - dnf5 - Handle forwarded exceptions from dnf5-5.2.13 where a generic ``RuntimeError``
+        was previously raised
+      - find - skip ENOENT error code while recursively enumerating files. find module
+        will now be tolerant to race conditions that remove files or directories from
+        the target it is currently inspecting. (https://github.com/ansible/ansible/issues/84873).
+      - gather_facts action, will now add setup when 'smart' appears with other modules
+        in the FACTS_MODULES setting (#84750).
+      - uri - Form location correctly when the server returns a relative redirect
+        (https://github.com/ansible/ansible/issues/84540)
+      release_summary: '| Release Date: 2025-04-14
+
+        | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__
+
+        '
+    codename: Fool in the Rain
+    fragments:
+    - 2.18.5rc1_summary.yaml
+    - 84540-uri-relative-redirect.yml
+    - dnf5-exception-forwarding.yml
+    - find_enoent.yml
+    - gather_facts_smart_fix.yml
+    - pin-wheel.yml
+    release_date: '2025-04-14'
+  2.18.6:
+    changes:
+      release_summary: '| Release Date: 2025-05-19
+
+        | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__
+
+        '
+    codename: Fool in the Rain
+    fragments:
+    - 2.18.6_summary.yaml
+    release_date: '2025-05-19'
+  2.18.6rc1:
+    changes:
+      bugfixes:
+      - Ansible will now ensure predictable permissions on remote artifacts, until
+        now it only ensured executable and relied on system masks for the rest.
+      - ansible-doc - fix indentation for first line of descriptions of suboptions
+        and sub-return values (https://github.com/ansible/ansible/pull/84690).
+      - ansible-doc - fix line wrapping for first line of description of options and
+        return values (https://github.com/ansible/ansible/pull/84690).
+      - dnf5 - avoid generating excessive transaction entries in the dnf5 history
+        (https://github.com/ansible/ansible/issues/85046)
+      - dnf5 - when ``bugfix`` and/or ``security`` is specified, skip packages that
+        do not have any such updates, even for new versions of libdnf5 where this
+        functionality changed and it is considered failure
+      - script - Fix up become support for Windows scripts when become was set through
+        host variables and not on the task directly - https://github.com/ansible/ansible/issues/85076
+      minor_changes:
+      - ansible-test - Use the ``-t`` option to set the stop timeout when stopping
+        a container. This avoids use of the ``--time`` option which was deprecated
+        in Docker v28.0.
+      release_summary: '| Release Date: 2025-05-12
+
+        | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__
+
+        '
+    codename: Fool in the Rain
+    fragments:
+    - 2.18.6rc1_summary.yaml
+    - 84690-ansible-doc-indent-wrapping.yml
+    - 85046-dnf5-history-entries.yml
+    - ansible-test-container-stop.yml
+    - dnf5-advisory-type.yml
+    - ensure_remote_perms.yml
+    - win-script-become.yml
+    release_date: '2025-05-12'
+  2.18.7:
+    changes:
+      release_summary: '| Release Date: 2025-07-15
+
+        | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__
+
+        '
+    codename: Fool in the Rain
+    fragments:
+    - 2.18.7_summary.yaml
+    release_date: '2025-07-15'
+  2.18.7rc1:
+    changes:
+      bugfixes:
+      - ansible-doc will no longer ignore docs for modules without an extension (https://github.com/ansible/ansible/issues/85279).
+      - ansible-pull change detection will now work independently of callback or result
+        format settings.
+      - ansible-test - Fix Python relative import resolution from ``__init__.py``
+        files when using change detection.
+      - dnf5 - handle all libdnf5 specific exceptions (https://github.com/ansible/ansible/issues/84634)
+      - meta - avoid traceback when retrieving the meta task name (https://github.com/ansible/ansible/issues/85367).
+      - password lookup - fix acquiring the lock when human-readable FileExistsError
+        error message is not English.
+      - user - Set timeout for passphrase interaction.
+      - user - Update prompt for SSH key passphrase (https://github.com/ansible/ansible/issues/84484).
+      minor_changes:
+      - ansible-test - Add RHEL 10.0 as a remote platform for testing.
+      release_summary: '| Release Date: 2025-07-08
+
+        | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__
+
+        '
+    codename: Fool in the Rain
+    fragments:
+    - 2.18.7rc1_summary.yaml
+    - 84634-dnf5-all-exceptions.yml
+    - adoc_noext_fix.yml
+    - ansible-test-change-detection-fix.yml
+    - ansible-test-rhel-10.yml
+    - fix-lookup-password-lock-acquisition.yml
+    - meta_raw_params.yml
+    - pull_changed_fix.yml
+    - user_passphrase.yml
+    release_date: '2025-07-08'

changelogs/fragments/2.18.0_summary.yaml

@@ -0,0 +1,3 @@
+release_summary: |
+   | Release Date: 2024-11-04
+   | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__

changelogs/fragments/2.18.0b1_summary.yaml

@@ -0,0 +1,3 @@
+release_summary: |
+   | Release Date: 2024-09-24
+   | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__

changelogs/fragments/2.18.0rc1_summary.yaml

@@ -0,0 +1,3 @@
+release_summary: |
+   | Release Date: 2024-10-14
+   | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__

changelogs/fragments/2.18.0rc2_summary.yaml

@@ -0,0 +1,3 @@
+release_summary: |
+   | Release Date: 2024-10-29
+   | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__

changelogs/fragments/2.18.1_summary.yaml

@@ -0,0 +1,3 @@
+release_summary: |
+   | Release Date: 2024-12-02
+   | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__

changelogs/fragments/2.18.1rc1_summary.yaml

@@ -0,0 +1,3 @@
+release_summary: |
+   | Release Date: 2024-11-25
+   | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__

changelogs/fragments/2.18.2_summary.yaml

@@ -0,0 +1,3 @@
+release_summary: |
+   | Release Date: 2025-01-27
+   | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__

changelogs/fragments/2.18.2rc1_summary.yaml

@@ -0,0 +1,3 @@
+release_summary: |
+   | Release Date: 2025-01-20
+   | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__

changelogs/fragments/2.18.3_summary.yaml

@@ -0,0 +1,3 @@
+release_summary: |
+   | Release Date: 2025-02-24
+   | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__

changelogs/fragments/2.18.3rc1_summary.yaml

@@ -0,0 +1,3 @@
+release_summary: |
+   | Release Date: 2025-02-17
+   | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__

changelogs/fragments/2.18.4_summary.yaml

@@ -0,0 +1,3 @@
+release_summary: |
+   | Release Date: 2025-03-25
+   | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__

changelogs/fragments/2.18.4rc1_summary.yaml

@@ -0,0 +1,3 @@
+release_summary: |
+   | Release Date: 2025-03-17
+   | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__

changelogs/fragments/2.18.5_summary.yaml

@@ -0,0 +1,3 @@
+release_summary: |
+   | Release Date: 2025-04-21
+   | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__

changelogs/fragments/2.18.5rc1_summary.yaml

@@ -0,0 +1,3 @@
+release_summary: |
+   | Release Date: 2025-04-14
+   | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__

changelogs/fragments/2.18.6_summary.yaml

@@ -0,0 +1,3 @@
+release_summary: |
+   | Release Date: 2025-05-19
+   | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__

changelogs/fragments/2.18.6rc1_summary.yaml

@@ -0,0 +1,3 @@
+release_summary: |
+   | Release Date: 2025-05-12
+   | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__

changelogs/fragments/2.18.7_summary.yaml

@@ -0,0 +1,3 @@
+release_summary: |
+   | Release Date: 2025-07-15
+   | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__

changelogs/fragments/2.18.7rc1_summary.yaml

@@ -0,0 +1,3 @@
+release_summary: |
+   | Release Date: 2025-07-08
+   | `Porting Guide <https://docs.ansible.com/ansible-core/2.18/porting_guides/porting_guide_core_2.18.html>`__

changelogs/fragments/82708-unsafe-plugin-name-error.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - "Fix an issue when setting a plugin name from an unsafe source resulted in ``ValueError: unmarshallable object`` (https://github.com/ansible/ansible/issues/82708)"

changelogs/fragments/84019-ignore_unreachable-loop.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - Fix returning 'unreachable' for the overall task result. This prevents false positives when a looped task has unignored unreachable items (https://github.com/ansible/ansible/issues/84019).

changelogs/fragments/84238-fix-reset_connection-ssh_executable-templated.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - ssh - connection options were incorrectly templated during ``reset_connection`` tasks (https://github.com/ansible/ansible/pull/84238).

changelogs/fragments/84259-dnf5-latest-fix.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - "dnf5 - fix installing a package using ``state=latest`` when a binary of the same name as the package is already installed (https://github.com/ansible/ansible/issues/84259)"

changelogs/fragments/84334-dnf5-consolidate-settings.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - dnf5 - matching on a binary can be achieved only by specifying a full path (https://github.com/ansible/ansible/issues/84334)

changelogs/fragments/84540-uri-relative-redirect.yml

@@ -0,0 +1,3 @@
+---
+bugfixes:
+  - uri - Form location correctly when the server returns a relative redirect (https://github.com/ansible/ansible/issues/84540)

changelogs/fragments/84578-dnf5-is_installed-provides.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - "dnf5 - fix ``is_installed`` check for packages that are not installed but listed as provided by an installed package (https://github.com/ansible/ansible/issues/84578)"

changelogs/fragments/84634-dnf5-all-exceptions.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - "dnf5 - handle all libdnf5 specific exceptions (https://github.com/ansible/ansible/issues/84634)"

changelogs/fragments/84660-fix-meta-end_role-linear-strategy.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - linear strategy - fix executing ``end_role`` meta tasks for each host, instead of handling these as implicit run_once tasks (https://github.com/ansible/ansible/issues/84660).

changelogs/fragments/84690-ansible-doc-indent-wrapping.yml

@@ -0,0 +1,3 @@
+bugfixes:
+  - "ansible-doc - fix indentation for first line of descriptions of suboptions and sub-return values (https://github.com/ansible/ansible/pull/84690)."
+  - "ansible-doc - fix line wrapping for first line of description of options and return values (https://github.com/ansible/ansible/pull/84690)."

changelogs/fragments/85046-dnf5-history-entries.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - dnf5 - avoid generating excessive transaction entries in the dnf5 history (https://github.com/ansible/ansible/issues/85046)

changelogs/fragments/Ansible.Basic-required_if-null.yml

@@ -0,0 +1,3 @@
+bugfixes:
+  - >-
+    Ansible.Basic - Fix ``required_if`` check when the option value to check is unset or set to null.

changelogs/fragments/adoc_noext_fix.yml

@@ -0,0 +1,2 @@
+bugfixes:
+- ansible-doc will no longer ignore docs for modules without an extension (https://github.com/ansible/ansible/issues/85279).

changelogs/fragments/ansible-test-change-detection-fix.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - ansible-test - Fix Python relative import resolution from ``__init__.py`` files when using change detection.

changelogs/fragments/ansible-test-container-stop.yml

@@ -0,0 +1,3 @@
+minor_changes:
+  - ansible-test - Use the ``-t`` option to set the stop timeout when stopping a container.
+    This avoids use of the ``--time`` option which was deprecated in Docker v28.0.

changelogs/fragments/ansible-test-coverage-test-files.yml

@@ -0,0 +1,4 @@
+bugfixes:
+  - >-
+    ansible-test - Fix up coverage reporting to properly translate the temporary path of integration test modules to
+    the expected static test module path.

changelogs/fragments/ansible-test-curl.yml

@@ -0,0 +1,3 @@
+minor_changes:
+  - ansible-test - Use Python's ``urllib`` instead of ``curl`` for HTTP requests.
+  - ansible-test - Automatically retry HTTP GET/PUT/DELETE requests on exceptions.

changelogs/fragments/ansible-test-fix-command-traceback.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - ansible-test - Fix traceback that occurs after an interactive command fails.

changelogs/fragments/ansible-test-network-detection.yml

@@ -0,0 +1,3 @@
+minor_changes:
+  - ansible-test - When detection of the current container network fails, a warning is now issued and execution continues.
+    This simplifies usage in cases where the current container cannot be inspected, such as when running in GitHub Codespaces.

changelogs/fragments/ansible-test-probe-error-handling.yml

@@ -0,0 +1,3 @@
+minor_changes:
+  - ansible-test - Improve container runtime probe error handling.
+    When unexpected probe output is encountered, an error with more useful debugging information is provided.

changelogs/fragments/ansible-test-pylint-fix.yml

@@ -0,0 +1,4 @@
+bugfixes:
+  - ansible-test - Enable the ``sys.unraisablehook`` work-around for the ``pylint`` sanity test on Python 3.11.
+    Previously the work-around was only enabled for Python 3.12 and later.
+    However, the same issue has been discovered on Python 3.11.

changelogs/fragments/ansible-test-rhel-10.yml

@@ -0,0 +1,2 @@
+minor_changes:
+  - ansible-test - Add RHEL 10.0 as a remote platform for testing.

changelogs/fragments/ansible-test-update.yml

@@ -0,0 +1,5 @@
+minor_changes:
+  - ansible-test - Update ``pylint`` sanity test to use version 3.3.1.
+  - ansible-test - Default to Python 3.13 in the ``base`` and ``default`` containers.
+  - ansible-test - Disable the ``deprecated-`` prefixed ``pylint`` rules as their results vary by Python version.
+  - ansible-test - Update the ``base`` and ``default`` containers.

changelogs/fragments/become-runas-system-deux.yml

@@ -0,0 +1,3 @@
+bugfixes:
+  - >-
+    runas become - Fix up become logic to still get the SYSTEM token with the most privileges when running as SYSTEM.

changelogs/fragments/copy_validate_input.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - copy action now prevents user from setting internal options.

changelogs/fragments/cve-2024-8775.yml

@@ -0,0 +1,5 @@
+security_fixes:
+  - task result processing - Ensure that action-sourced result masking (``_ansible_no_log=True``)
+    is preserved. (CVE-2024-8775)
+  - include_vars action - Ensure that result masking is correctly requested when vault-encrypted
+    files are read. (CVE-2024-8775)

changelogs/fragments/darwin_pagesize.yml

@@ -0,0 +1,3 @@
+---
+bugfixes:
+  - facts - gather pagesize and calculate respective values depending upon architecture (https://github.com/ansible/ansible/issues/84773).

changelogs/fragments/debconf_empty_password.yml

@@ -0,0 +1,3 @@
+---
+bugfixes:
+  - debconf - set empty password values (https://github.com/ansible/ansible/issues/83214).

changelogs/fragments/dnf5-advisory-type.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - "dnf5 - when ``bugfix`` and/or ``security`` is specified, skip packages that do not have any such updates, even for new versions of libdnf5 where this functionality changed and it is considered failure"

changelogs/fragments/dnf5-exception-forwarding.yml

@@ -0,0 +1,2 @@
+bugfixes:
+- dnf5 - Handle forwarded exceptions from dnf5-5.2.13 where a generic ``RuntimeError`` was previously raised

changelogs/fragments/dnf5-plugins-compat.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - "dnf5 - fix traceback when ``enable_plugins``/``disable_plugins`` is used on ``python3-libdnf5`` versions that do not support this functionality"

changelogs/fragments/dnf5-remove-usage-deprecated-option.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - dnf5 - libdnf5 - use ``conf.pkg_gpgcheck`` instead of deprecated ``conf.gpgcheck`` which is used only as a fallback

changelogs/fragments/ensure_remote_perms.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - Ansible will now ensure predictable permissions on remote artifacts, until now it only ensured executable and relied on system masks for the rest.

changelogs/fragments/find_enoent.yml

@@ -0,0 +1,5 @@
+---
+bugfixes:
+  - find - skip ENOENT error code while recursively enumerating files.
+    find module will now be tolerant to race conditions that remove files or directories
+    from the target it is currently inspecting. (https://github.com/ansible/ansible/issues/84873).

changelogs/fragments/fix-ansible-galaxy-ignore-certs.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - Fix disabling SSL verification when installing collections and roles from git repositories. If ``--ignore-certs`` isn't provided, the value for the ``GALAXY_IGNORE_CERTS`` configuration option will be used (https://github.com/ansible/ansible/issues/83326).

changelogs/fragments/fix-include_vars-reserved-warning.yml

@@ -0,0 +1,5 @@
+bugfixes:
+- >-
+  include_vars - fixed erroneous warning if an unreserved variable name
+  contains a single character that matches a reserved variable.
+  (https://github.com/ansible/ansible/issues/84623)

changelogs/fragments/fix-lookup-password-lock-acquisition.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - password lookup - fix acquiring the lock when human-readable FileExistsError error message is not English.

changelogs/fragments/fix-module-utils-facts-timeout.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - Use the requested error message in the ansible.module_utils.facts.timeout timeout function instead of hardcoding one.

changelogs/fragments/fix_errors.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - Errors now preserve stacked error messages even when YAML is involved.

changelogs/fragments/gather_facts_netos_fixes.yml

@@ -0,0 +1,3 @@
+bugfixes:
+  - gather_facts action will now issues errors and warnings as appropriate if a network OS is detected but no facts modules are defined for it.
+  - gather_facts action now defaults to `ansible.legacy.setup` if `smart` was set, no network OS was found and no other alias for `setup` was present.

changelogs/fragments/gather_facts_smart_fix.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - gather_facts action, will now add setup when 'smart' appears with other modules in the FACTS_MODULES setting (#84750).

changelogs/fragments/macos-correct-lock.yml

@@ -0,0 +1,2 @@
+bugfixes:
+- Use consistent multiprocessing context for action write locks

changelogs/fragments/meta_raw_params.yml

@@ -0,0 +1,3 @@
+---
+bugfixes:
+   - meta - avoid traceback when retrieving the meta task name (https://github.com/ansible/ansible/issues/85367).

changelogs/fragments/os_family.yml

@@ -0,0 +1,3 @@
+---
+bugfixes:
+  - facts - skip if distribution file path is directory, instead of raising error (https://github.com/ansible/ansible/issues/84006).

changelogs/fragments/package-dnf-action-plugins-facts-fail-msg.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - "``package``/``dnf`` action plugins - provide the reason behind the failure to gather the ``ansible_pkg_mgr`` fact to identify the package backend"

changelogs/fragments/pin-wheel.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - build - Pin ``wheel`` in ``pyproject.toml`` to ensure compatibility with supported ``setuptools`` versions.

changelogs/fragments/pull_changed_fix.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - ansible-pull change detection will now work independently of callback or result format settings.

changelogs/fragments/reserved_module_chekc.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - Ansible will now also warn when reserved keywords are set via a module (set_fact, include_vars, etc).

changelogs/fragments/respawn-min-python.yml

@@ -0,0 +1,2 @@
+bugfixes:
+- module respawn - limit to supported Python versions

changelogs/fragments/skip-implicit-flush_handlers-no-notify.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - "Improve performance on large inventories by reducing the number of implicit meta tasks."

changelogs/fragments/ssh-clixml.yml

@@ -0,0 +1,4 @@
+bugfixes:
+  - >-
+    ssh - Improve the logic for parsing CLIXML data in stderr when working with Windows host. This fixes issues when
+    the raw stderr contains invalid UTF-8 byte sequences and improves embedded CLIXML sequences.

changelogs/fragments/unsafe-fixes-2.yml

@@ -0,0 +1,3 @@
+bugfixes:
+- unsafe data - Address an incompatibility with ``AnsibleUnsafeText`` and ``AnsibleUnsafeBytes`` when pickling with ``protocol=0``
+- unsafe data - Address an incompatibility when iterating or getting a single index from ``AnsibleUnsafeBytes``

changelogs/fragments/unsafe-intern.yml

@@ -0,0 +1,3 @@
+bugfixes:
+- unsafe data - Enable directly using ``AnsibleUnsafeText`` with Python ``pathlib``
+  (https://github.com/ansible/ansible/issues/82414)

changelogs/fragments/unsafe_hostvars_fix.yml

@@ -0,0 +1,2 @@
+security_fixes:
+  - Templating will not prefer AnsibleUnsafe when a variable is referenced via hostvars - CVE-2024-11079

changelogs/fragments/user_action_fix.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - user module now avoids changing ownership of files symlinked in provided home dir skeleton

changelogs/fragments/user_passphrase.yml

@@ -0,0 +1,4 @@
+---
+bugfixes:
+  - user - Update prompt for SSH key passphrase (https://github.com/ansible/ansible/issues/84484).
+  - user - Set timeout for passphrase interaction.

changelogs/fragments/user_ssh_fix.yml

@@ -0,0 +1,4 @@
+bugfixes:
+  - user action will now require O(force) to overwrite the public part of an ssh key when generating ssh keys, as was already the case for the private part.
+security_fixes:
+  - user action won't allow ssh-keygen, chown and chmod to run on existing ssh public key file, avoiding traversal on existing symlinks (CVE-2024-9902).

changelogs/fragments/vault_cli_fix.yml

@@ -0,0 +1,2 @@
+bugfixes:
+  - ansible-vault will now correctly handle `--prompt`, previously it would issue an error about stdin if no 2nd argument was passed

changelogs/fragments/win-script-become.yml

@@ -0,0 +1,4 @@
+bugfixes:
+  - >-
+    script - Fix up become support for Windows scripts when become was set through host variables and not on the task
+    directly - https://github.com/ansible/ansible/issues/85076

changelogs/fragments/win-wdac-audit.yml

@@ -0,0 +1,4 @@
+bugfixes:
+  - >-
+    Windows - add support for running on system where WDAC is in audit mode with
+    ``Dynamic Code Security`` enabled.

lib/ansible/cli/doc.py

@@ -1170,12 +1170,16 @@ class DocCLI(CLI, RoleMixin):
         return 'version %s' % (version_added, )
 
     @staticmethod
-    def warp_fill(text, limit, initial_indent='', subsequent_indent='', **kwargs):
+    def warp_fill(text, limit, initial_indent='', subsequent_indent='', initial_extra=0, **kwargs):
         result = []
         for paragraph in text.split('\n\n'):
-            result.append(textwrap.fill(paragraph, limit, initial_indent=initial_indent, subsequent_indent=subsequent_indent,
+            wrapped = textwrap.fill(paragraph, limit, initial_indent=initial_indent + ' ' * initial_extra, subsequent_indent=subsequent_indent,
-                                        break_on_hyphens=False, break_long_words=False, drop_whitespace=True, **kwargs))
+                                    break_on_hyphens=False, break_long_words=False, drop_whitespace=True, **kwargs)
+            if initial_extra and wrapped.startswith(' ' * initial_extra):
+                wrapped = wrapped[initial_extra:]
+            result.append(wrapped)
             initial_indent = subsequent_indent
+            initial_extra = 0
         return '\n'.join(result)
 
     @staticmethod
@@ -1207,20 +1211,23 @@ class DocCLI(CLI, RoleMixin):
             text.append('')
 
             # TODO: push this to top of for and sort by size, create indent on largest key?
-            inline_indent = base_indent + ' ' * max((len(opt_indent) - len(o)) - len(base_indent), 2)
+            inline_indent = ' ' * max((len(opt_indent) - len(o)) - len(base_indent), 2)
-            sub_indent = inline_indent + ' ' * (len(o) + 3)
+            extra_indent = base_indent + ' ' * (len(o) + 3)
+            sub_indent = inline_indent + extra_indent
             if is_sequence(opt['description']):
                 for entry_idx, entry in enumerate(opt['description'], 1):
                     if not isinstance(entry, string_types):
                         raise AnsibleError("Expected string in description of %s at index %s, got %s" % (o, entry_idx, type(entry)))
                     if entry_idx == 1:
-                        text.append(key + DocCLI.warp_fill(DocCLI.tty_ify(entry), limit, initial_indent=inline_indent, subsequent_indent=sub_indent))
+                        text.append(key + DocCLI.warp_fill(DocCLI.tty_ify(entry), limit,
+                                    initial_indent=inline_indent, subsequent_indent=sub_indent, initial_extra=len(extra_indent)))
                     else:
                         text.append(DocCLI.warp_fill(DocCLI.tty_ify(entry), limit, initial_indent=sub_indent, subsequent_indent=sub_indent))
             else:
                 if not isinstance(opt['description'], string_types):
                     raise AnsibleError("Expected string in description of %s, got %s" % (o, type(opt['description'])))
-                text.append(key + DocCLI.warp_fill(DocCLI.tty_ify(opt['description']), limit, initial_indent=inline_indent, subsequent_indent=sub_indent))
+                text.append(key + DocCLI.warp_fill(DocCLI.tty_ify(opt['description']), limit,
+                            initial_indent=inline_indent, subsequent_indent=sub_indent, initial_extra=len(extra_indent)))
             del opt['description']
 
             suboptions = []

lib/ansible/cli/pull.py

@@ -31,6 +31,34 @@ from ansible.utils.display import Display
 
 display = Display()
 
+SAFE_OUTPUT_ENV = {
+    'ANSIBLE_CALLBACK_RESULT_FORMAT': 'json',
+    'ANSIBLE_LOAD_CALLBACK_PLUGINS': '0',
+}
+
+
+def safe_output_env(f):
+
+    def wrapper(*args, **kwargs):
+
+        orig = {}
+
+        for k, v in SAFE_OUTPUT_ENV.items():
+            orig[k] = os.environ.get(k, None)
+            os.environ[k] = v
+
+        result = f(*args, **kwargs)
+
+        for key in orig.keys():
+            if orig[key] is None:
+                del os.environ[key]
+            else:
+                os.environ[key] = orig[key]
+
+        return result
+
+    return wrapper
+
 
 class PullCLI(CLI):
     ''' Used to pull a remote copy of ansible on each managed node,
@@ -42,7 +70,7 @@ class PullCLI(CLI):
         you should use an external scheduler and/or locking to ensure there are no clashing operations.
 
         The setup playbook can be tuned to change the cron frequency, logging locations, and parameters to ansible-pull.
-        This is useful both for extreme scale-out as well as periodic remediation.
+        This is useful both for extreme scale-out and periodic remediation.
         Usage of the 'fetch' module to retrieve logs from ansible-pull runs would be an
         excellent way to gather and analyze remote logs from ansible-pull.
     '''
@@ -76,8 +104,9 @@ class PullCLI(CLI):
         return inv_opts
 
     def init_parser(self):
-        ''' create an options parser for bin/ansible '''
+        """ Specific args/option parser for pull """
 
+        # signature is different from parent as caller should not need to add usage/desc
         super(PullCLI, self).init_parser(
             usage='%prog -U <repository> [options] [<playbook.yml>]',
             desc="pulls playbooks from a VCS repo and executes them on target host")
@@ -106,10 +135,12 @@ class PullCLI(CLI):
                                  help='path to the directory to which Ansible will checkout the repository.')
         self.parser.add_argument('-U', '--url', dest='url', default=None, help='URL of the playbook repository')
         self.parser.add_argument('--full', dest='fullclone', action='store_true', help='Do a full clone, instead of a shallow one.')
+        # TODO: resolve conflict with check mode, added manually below
         self.parser.add_argument('-C', '--checkout', dest='checkout',
                                  help='branch/tag/commit to checkout. Defaults to behavior of repository module.')
         self.parser.add_argument('--accept-host-key', default=False, dest='accept_host_key', action='store_true',
                                  help='adds the hostkey for the repo url if not already added')
+        # Overloaded with adhoc ... but really passthrough to adhoc
         self.parser.add_argument('-m', '--module-name', dest='module_name', default=self.DEFAULT_REPO_TYPE,
                                  help='Repository module name, which ansible will use to check out the repo. Choices are %s. Default is %s.'
                                       % (self.REPO_CHOICES, self.DEFAULT_REPO_TYPE))
@@ -121,7 +152,7 @@ class PullCLI(CLI):
         self.parser.add_argument('--track-subs', dest='tracksubs', default=False, action='store_true',
                                  help='submodules will track the latest changes. This is equivalent to specifying the --remote flag to git submodule update')
         # add a subset of the check_opts flag group manually, as the full set's
-        # shortcodes conflict with above --checkout/-C
+        # shortcodes conflict with above --checkout/-C, see to-do above
         self.parser.add_argument("--check", default=False, dest='check', action='store_true',
                                  help="don't make any changes; instead, try to predict some of the changes that may occur")
         self.parser.add_argument("--diff", default=C.DIFF_ALWAYS, dest='diff', action='store_true',
@@ -177,7 +208,7 @@ class PullCLI(CLI):
             limit_opts = 'localhost,127.0.0.1'
         base_opts = '-c local '
         if context.CLIARGS['verbosity'] > 0:
-            base_opts += ' -%s' % ''.join(["v" for x in range(0, context.CLIARGS['verbosity'])])
+            base_opts += ' -%s' % ''.join(["v" for dummy in range(0, context.CLIARGS['verbosity'])])
 
         # Attempt to use the inventory passed in as an argument
         # It might not yet have been downloaded so use localhost as default
@@ -250,15 +281,21 @@ class PullCLI(CLI):
         # RUN the Checkout command
         display.debug("running ansible with VCS module to checkout repo")
         display.vvvv('EXEC: %s' % cmd)
-        rc, b_out, b_err = run_cmd(cmd, live=True)
+        rc, b_out, b_err = safe_output_env(run_cmd)(cmd, live=True)
 
         if rc != 0:
             if context.CLIARGS['force']:
                 display.warning("Unable to update repository. Continuing with (forced) run of playbook.")
             else:
                 return rc
-        elif context.CLIARGS['ifchanged'] and b'"changed": true' not in b_out:
+        elif context.CLIARGS['ifchanged']:
-            display.display("Repository has not changed, quitting.")
+            # detect json/yaml/header, any count as 'changed'
+            for detect in (b'"changed": true', b"changed: True", b"| CHANGED =>"):
+                if detect in b_out:
+                    break
+            else:
+                # no change, we bail
+                display.display(f"Repository has not changed, quitting: {b_out!r}")
                 return 0
 
         playbook = self.select_playbook(context.CLIARGS['dest'])

lib/ansible/cli/vault.py

@@ -138,11 +138,12 @@ class VaultCLI(CLI):
             raise AnsibleOptionsError("At most one input file may be used with the --output option")
 
         if options.action == 'encrypt_string':
-            if '-' in options.args or not options.args or options.encrypt_string_stdin_name:
+            if '-' in options.args or options.encrypt_string_stdin_name or (not options.args and not options.encrypt_string_prompt):
+                # prompting from stdin and reading from stdin are mutually exclusive, if stdin is still provided, it is ignored
                 self.encrypt_string_read_stdin = True
 
-            # TODO: prompting from stdin and reading from stdin seem mutually exclusive, but verify that.
             if options.encrypt_string_prompt and self.encrypt_string_read_stdin:
+                # should only trigger if prompt + either - or encrypt string stdin name were provided
                 raise AnsibleOptionsError('The --prompt option is not supported if also reading input from stdin')
 
         return options

lib/ansible/errors/__init__.py

@@ -66,14 +66,18 @@ class AnsibleError(Exception):
         from ansible.parsing.yaml.objects import AnsibleBaseYAMLObject
 
         message = [self._message]
+
+        # Add from previous exceptions
+        if self.orig_exc:
+            message.append('. %s' % to_native(self.orig_exc))
+
+        # Add from yaml to give specific file/line no
         if isinstance(self.obj, AnsibleBaseYAMLObject):
             extended_error = self._get_extended_error()
             if extended_error and not self._suppress_extended_error:
                 message.append(
                     '\n\n%s' % to_native(extended_error)
                 )
-        elif self.orig_exc:
-            message.append('. %s' % to_native(self.orig_exc))
 
         return ''.join(message)
 

lib/ansible/executor/action_write_locks.py

@@ -19,7 +19,7 @@ from __future__ import annotations
 
 import multiprocessing.synchronize
 
-from multiprocessing import Lock
+from ansible.utils.multiprocessing import context as multiprocessing_context
 
 from ansible.module_utils.facts.system.pkg_mgr import PKG_MGRS
 
@@ -32,7 +32,7 @@ if 'action_write_locks' not in globals():
     # Below is a Lock for use when we weren't expecting a named module.  It gets used when an action
     # plugin invokes a module whose name does not match with the action's name.  Slightly less
     # efficient as all processes with unexpected module names will wait on this lock
-    action_write_locks[None] = Lock()
+    action_write_locks[None] = multiprocessing_context.Lock()
 
     # These plugins are known to be called directly by action plugins with names differing from the
     # action plugin name.  We precreate them here as an optimization.
@@ -41,4 +41,4 @@ if 'action_write_locks' not in globals():
 
     mods.update(('copy', 'file', 'setup', 'slurp', 'stat'))
     for mod_name in mods:
-        action_write_locks[mod_name] = Lock()
+        action_write_locks[mod_name] = multiprocessing_context.Lock()

lib/ansible/executor/play_iterator.py

@@ -447,6 +447,24 @@ class PlayIterator:
 
             # if something above set the task, break out of the loop now
             if task:
+                # skip implicit flush_handlers if there are no handlers notified
+                if (
+                    task.implicit
+                    and task.action in C._ACTION_META
+                    and task.args.get('_raw_params', None) == 'flush_handlers'
+                    and (
+                        # the state store in the `state` variable could be a nested state,
+                        # notifications are always stored in the top level state, get it here
+                        not self.get_state_for_host(host.name).handler_notifications
+                        # in case handlers notifying other handlers, the notifications are not
+                        # saved in `handler_notifications` and handlers are notified directly
+                        # to prevent duplicate handler runs, so check whether any handler
+                        # is notified
+                        and all(not h.notified_hosts for h in self.handlers)
+                    )
+                ):
+                    continue
+
                 break
 
         return (state, task)

lib/ansible/executor/task_executor.py

@@ -150,6 +150,7 @@ class TaskExecutor:
                         if 'unreachable' in item and item['unreachable']:
                             item_ignore_unreachable = item.pop('_ansible_ignore_unreachable')
                             if not res.get('unreachable'):
+                                res['unreachable'] = True
                                 self._task.ignore_unreachable = item_ignore_unreachable
                             elif self._task.ignore_unreachable and not item_ignore_unreachable:
                                 self._task.ignore_unreachable = item_ignore_unreachable
@@ -684,8 +685,8 @@ class TaskExecutor:
                 self._handler.cleanup()
             display.debug("handler run complete")
 
-            # preserve no log
+            # propagate no log to result- the action can set this, so only overwrite it with the task's value if missing or falsey
-            result["_ansible_no_log"] = no_log
+            result["_ansible_no_log"] = bool(no_log or result.get('_ansible_no_log', False))
 
             if self._task.action not in C._ACTION_WITH_CLEAN_FACTS:
                 result = wrap_var(result)
@@ -1072,18 +1073,6 @@ class TaskExecutor:
         option_vars = C.config.get_plugin_vars('connection', self._connection._load_name)
         varnames.extend(option_vars)
 
-        # create dict of 'templated vars'
-        options = {'_extras': {}}
-        for k in option_vars:
-            if k in variables:
-                options[k] = templar.template(variables[k])
-
-        # add extras if plugin supports them
-        if getattr(self._connection, 'allow_extras', False):
-            for k in variables:
-                if k.startswith('ansible_%s_' % self._connection.extras_prefix) and k not in options:
-                    options['_extras'][k] = templar.template(variables[k])
-
         task_keys = self._task.dump_attrs()
 
         # The task_keys 'timeout' attr is the task's timeout, not the connection timeout.
@@ -1101,7 +1090,8 @@ class TaskExecutor:
         del task_keys['retries']
 
         # set options with 'templated vars' specific to this plugin and dependent ones
-        self._connection.set_options(task_keys=task_keys, var_options=options)
+        var_options = self._connection._resolve_option_variables(variables, templar)
+        self._connection.set_options(task_keys=task_keys, var_options=var_options)
         varnames.extend(self._set_plugin_options('shell', variables, templar, task_keys))
 
         if self._connection.become is not None:

lib/ansible/executor/task_queue_manager.py

@@ -39,7 +39,6 @@ from ansible.plugins.loader import callback_loader, strategy_loader, module_load
 from ansible.plugins.callback import CallbackBase
 from ansible.template import Templar
 from ansible.vars.hostvars import HostVars
-from ansible.vars.reserved import warn_if_reserved
 from ansible.utils.display import Display
 from ansible.utils.lock import lock_decorator
 from ansible.utils.multiprocessing import context as multiprocessing_context
@@ -282,7 +281,6 @@ class TaskQueueManager:
 
         all_vars = self._variable_manager.get_vars(play=play)
         templar = Templar(loader=self._loader, variables=all_vars)
-        warn_if_reserved(all_vars, templar.environment.globals.keys())
 
         new_play = play.copy()
         new_play.post_validate(templar)

lib/ansible/galaxy/collection/concrete_artifact_manager.py

@@ -10,6 +10,7 @@ import os
 import tarfile
 import subprocess
 import typing as t
+import yaml
 
 from contextlib import contextmanager
 from hashlib import sha256
@@ -24,6 +25,7 @@ if t.TYPE_CHECKING:
     )
     from ansible.galaxy.token import GalaxyToken
 
+from ansible import context
 from ansible.errors import AnsibleError
 from ansible.galaxy import get_collections_galaxy_meta_info
 from ansible.galaxy.api import should_retry_error
@@ -38,7 +40,7 @@ from ansible.module_utils.urls import open_url
 from ansible.utils.display import Display
 from ansible.utils.sentinel import Sentinel
 
-import yaml
+import ansible.constants as C
 
 
 display = Display()
@@ -425,11 +427,14 @@ def _extract_collection_from_git(repo_url, coll_ver, b_path):
 
     # Perform a shallow clone if simply cloning HEAD
     if version == 'HEAD':
-        git_clone_cmd = git_executable, 'clone', '--depth=1', git_url, to_text(b_checkout_path)
+        git_clone_cmd = [git_executable, 'clone', '--depth=1', git_url, to_text(b_checkout_path)]
     else:
-        git_clone_cmd = git_executable, 'clone', git_url, to_text(b_checkout_path)
+        git_clone_cmd = [git_executable, 'clone', git_url, to_text(b_checkout_path)]
     # FIXME: '--branch', version
 
+    if context.CLIARGS['ignore_certs'] or C.GALAXY_IGNORE_CERTS:
+        git_clone_cmd.extend(['-c', 'http.sslVerify=false'])
+
     try:
         subprocess.check_call(git_clone_cmd)
     except subprocess.CalledProcessError as proc_err:

lib/ansible/module_utils/common/json.py

@@ -28,7 +28,7 @@ def _preprocess_unsafe_encode(value):
     Used in ``AnsibleJSONEncoder.iterencode``
     """
     if _is_unsafe(value):
-        value = {'__ansible_unsafe': to_text(value, errors='surrogate_or_strict', nonstring='strict')}
+        value = {'__ansible_unsafe': to_text(value._strip_unsafe(), errors='surrogate_or_strict', nonstring='strict')}
     elif is_sequence(value):
         value = [_preprocess_unsafe_encode(v) for v in value]
     elif isinstance(value, Mapping):
@@ -61,7 +61,7 @@ class AnsibleJSONEncoder(json.JSONEncoder):
                 value = {'__ansible_vault': to_text(o._ciphertext, errors='surrogate_or_strict', nonstring='strict')}
         elif getattr(o, '__UNSAFE__', False):
             # unsafe object, this will never be triggered, see ``AnsibleJSONEncoder.iterencode``
-            value = {'__ansible_unsafe': to_text(o, errors='surrogate_or_strict', nonstring='strict')}
+            value = {'__ansible_unsafe': to_text(o._strip_unsafe(), errors='surrogate_or_strict', nonstring='strict')}
         elif isinstance(o, Mapping):
             # hostvars and other objects
             value = dict(o)

lib/ansible/module_utils/common/respawn.py

@@ -4,11 +4,14 @@
 from __future__ import annotations
 
 import os
+import pathlib
 import subprocess
 import sys
 
 from ansible.module_utils.common.text.converters import to_bytes
 
+_ANSIBLE_PARENT_PATH = pathlib.Path(__file__).parents[3]
+
 
 def has_respawned():
     return hasattr(sys.modules['__main__'], '_respawned')
@@ -54,11 +57,20 @@ def probe_interpreters_for_module(interpreter_paths, module_name):
     be returned (or ``None`` if probing fails for all supplied paths).
     :arg module_name: fully-qualified Python module name to probe for (eg, ``selinux``)
     """
+    PYTHONPATH = os.getenv('PYTHONPATH', '')
+    env = os.environ | {'PYTHONPATH': f'{_ANSIBLE_PARENT_PATH}:{PYTHONPATH}'.rstrip(': ')}
     for interpreter_path in interpreter_paths:
         if not os.path.exists(interpreter_path):
             continue
         try:
-            rc = subprocess.call([interpreter_path, '-c', 'import {0}'.format(module_name)])
+            rc = subprocess.call(
+                [
+                    interpreter_path,
+                    '-c',
+                    f'import {module_name}, ansible.module_utils.basic',
+                ],
+                env=env,
+            )
             if rc == 0:
                 return interpreter_path
         except Exception:

lib/ansible/module_utils/common/text/converters.py

@@ -267,14 +267,11 @@ def _json_encode_fallback(obj):
 
 
 def jsonify(data, **kwargs):
-    # After 2.18, we should remove this loop, and hardcode to utf-8 in alignment with requiring utf-8 module responses
-    for encoding in ("utf-8", "latin-1"):
     try:
-            new_data = container_to_text(data, encoding=encoding)
+        new_data = container_to_text(data, encoding='utf-8')
     except UnicodeDecodeError:
-            continue
-        return json.dumps(new_data, default=_json_encode_fallback, **kwargs)
         raise UnicodeError('Invalid unicode encoding encountered')
+    return json.dumps(new_data, default=_json_encode_fallback, **kwargs)
 
 
 def container_to_bytes(d, encoding='utf-8', errors='surrogate_or_strict'):

lib/ansible/module_utils/csharp/Ansible.AccessToken.cs

@@ -339,19 +339,47 @@ namespace Ansible.AccessToken
         public static IEnumerable<SafeNativeHandle> EnumerateUserTokens(SecurityIdentifier sid,
             TokenAccessLevels access = TokenAccessLevels.Query)
         {
-            foreach (System.Diagnostics.Process process in System.Diagnostics.Process.GetProcesses())
+            return EnumerateUserTokens(sid, access, (p, h) => true);
+        }
+
+        public static IEnumerable<SafeNativeHandle> EnumerateUserTokens(
+            SecurityIdentifier sid,
+            TokenAccessLevels access,
+            Func<System.Diagnostics.Process, SafeNativeHandle, bool> processFilter)
         {
             // We always need the Query access level so we can query the TokenUser
+            access |= TokenAccessLevels.Query;
+
+            foreach (System.Diagnostics.Process process in System.Diagnostics.Process.GetProcesses())
+            {
                 using (process)
-                using (SafeNativeHandle hToken = TryOpenAccessToken(process, access | TokenAccessLevels.Query))
+                using (SafeNativeHandle processHandle = NativeMethods.OpenProcess(ProcessAccessFlags.QueryInformation, false, (UInt32)process.Id))
+                {
+                    if (processHandle.IsInvalid)
                     {
-                    if (hToken == null)
                         continue;
+                    }
 
-                    if (!sid.Equals(GetTokenUser(hToken)))
+                    if (!processFilter(process, processHandle))
+                    {
                         continue;
+                    }
 
-                    yield return hToken;
+                    SafeNativeHandle accessToken;
+                    if (!NativeMethods.OpenProcessToken(processHandle, access, out accessToken))
+                    {
+                        continue;
+                    }
+
+                    using (accessToken)
+                    {
+                        if (!sid.Equals(GetTokenUser(accessToken)))
+                        {
+                            continue;
+                        }
+
+                        yield return accessToken;
+                    }
                 }
             }
         }
@@ -440,18 +468,5 @@ namespace Ansible.AccessToken
             for (int i = 0; i < array.Length; i++, ptrOffset = IntPtr.Add(ptrOffset, Marshal.SizeOf(typeof(T))))
                 array[i] = (T)Marshal.PtrToStructure(ptrOffset, typeof(T));
         }
-
-        private static SafeNativeHandle TryOpenAccessToken(System.Diagnostics.Process process, TokenAccessLevels access)
-        {
-            try
-            {
-                using (SafeNativeHandle hProcess = OpenProcess(process.Id, ProcessAccessFlags.QueryInformation, false))
-                    return OpenProcessToken(hProcess, access);
-            }
-            catch (Win32Exception)
-            {
-                return null;
-            }
-        }
     }
 }

lib/ansible/module_utils/csharp/Ansible.Basic.cs

@@ -1210,7 +1210,7 @@ namespace Ansible.Basic
                 object val = requiredCheck[1];
                 IList requirements = (IList)requiredCheck[2];
 
-                if (ParseStr(param[key]) != ParseStr(val))
+                if (param[key] == null || ParseStr(param[key]) != ParseStr(val))
                     continue;
 
                 string term = "all";

lib/ansible/module_utils/csharp/Ansible.Become.cs

@@ -93,10 +93,21 @@ namespace Ansible.Become
             CachedRemoteInteractive,
             CachedUnlock
         }
+
+        [Flags]
+        public enum ProcessChildProcessPolicyFlags
+        {
+            None = 0x0,
+            NoChildProcessCreation = 0x1,
+            AuditNoChildProcessCreation = 0x2,
+            AllowSecureProcessCreation = 0x4,
+        }
     }
 
     internal class NativeMethods
     {
+        public const int ProcessChildProcessPolicy = 13;
+
         [DllImport("advapi32.dll", SetLastError = true)]
         public static extern bool AllocateLocallyUniqueId(
             out Luid Luid);
@@ -116,6 +127,13 @@ namespace Ansible.Become
         [DllImport("kernel32.dll")]
         public static extern UInt32 GetCurrentThreadId();
 
+        [DllImport("kernel32.dll", SetLastError = true)]
+        public static extern bool GetProcessMitigationPolicy(
+            SafeNativeHandle hProcess,
+            int MitigationPolicy,
+            ref NativeHelpers.ProcessChildProcessPolicyFlags lpBuffer,
+            IntPtr dwLength);
+
         [DllImport("user32.dll", SetLastError = true)]
         public static extern NoopSafeHandle GetProcessWindowStation();
 
@@ -217,6 +235,7 @@ namespace Ansible.Become
         };
         private static int WINDOWS_STATION_ALL_ACCESS = 0x000F037F;
         private static int DESKTOP_RIGHTS_ALL_ACCESS = 0x000F01FF;
+        private static bool _getProcessMitigationPolicySupported = true;
 
         public static Result CreateProcessAsUser(string username, string password, string command)
         {
@@ -333,12 +352,13 @@ namespace Ansible.Become
                 // Grant access to the current Windows Station and Desktop to the become user
                 GrantAccessToWindowStationAndDesktop(account);
 
-                // Try and impersonate a SYSTEM token. We need the SeTcbPrivilege for
+                // Try and impersonate a SYSTEM token, we need a SYSTEM token to either become a well known service
-                //  - LogonUser for a service SID
+                // account or have administrative rights on the become access token.
-                //  - S4U logon
+                // If we ultimately are becoming the SYSTEM account we want the token with the most privileges available.
-                //  - Token elevation
+                // https://github.com/ansible/ansible/issues/71453
+                bool usedForProcess = becomeSid == "S-1-5-18";
                 systemToken = GetPrimaryTokenForUser(new SecurityIdentifier("S-1-5-18"),
-                    new List<string>() { "SeTcbPrivilege" });
+                    new List<string>() { "SeTcbPrivilege" }, usedForProcess);
                 if (systemToken != null)
                 {
                     try
@@ -356,9 +376,11 @@ namespace Ansible.Become
 
             try
             {
+                if (becomeSid == "S-1-5-18")
+                    userTokens.Add(systemToken);
                 // Cannot use String.IsEmptyOrNull() as an empty string is an account that doesn't have a pass.
                 // We only use S4U if no password was defined or it was null
-                if (!SERVICE_SIDS.Contains(becomeSid) && password == null && logonType != LogonType.NewCredentials)
+                else if (!SERVICE_SIDS.Contains(becomeSid) && password == null && logonType != LogonType.NewCredentials)
                 {
                     // If no password was specified, try and duplicate an existing token for that user or use S4U to
                     // generate one without network credentials
@@ -381,11 +403,6 @@ namespace Ansible.Become
                     string domain = null;
                     switch (becomeSid)
                     {
-                        case "S-1-5-18":
-                            logonType = LogonType.Service;
-                            domain = "NT AUTHORITY";
-                            username = "SYSTEM";
-                            break;
                         case "S-1-5-19":
                             logonType = LogonType.Service;
                             domain = "NT AUTHORITY";
@@ -427,8 +444,10 @@ namespace Ansible.Become
             return userTokens;
         }
 
-        private static SafeNativeHandle GetPrimaryTokenForUser(SecurityIdentifier sid,
+        private static SafeNativeHandle GetPrimaryTokenForUser(
-            List<string> requiredPrivileges = null)
+            SecurityIdentifier sid,
+            List<string> requiredPrivileges = null,
+            bool usedForProcess = false)
         {
             // According to CreateProcessWithTokenW we require a token with
             //  TOKEN_QUERY, TOKEN_DUPLICATE and TOKEN_ASSIGN_PRIMARY
@@ -438,7 +457,19 @@ namespace Ansible.Become
                 TokenAccessLevels.AssignPrimary |
                 TokenAccessLevels.Impersonate;
 
-            foreach (SafeNativeHandle hToken in TokenUtil.EnumerateUserTokens(sid, dwAccess))
+            SafeNativeHandle userToken = null;
+            int privilegeCount = 0;
+
+            // If we are using this token for the process, we need to check the
+            // process mitigation policy allows child processes to be created.
+            var processFilter = usedForProcess
+                ? (Func<System.Diagnostics.Process, SafeNativeHandle, bool>)((p, t) =>
+                {
+                    return GetProcessChildProcessPolicyFlags(t) == NativeHelpers.ProcessChildProcessPolicyFlags.None;
+                })
+                : ((p, t) => true);
+
+            foreach (SafeNativeHandle hToken in TokenUtil.EnumerateUserTokens(sid, dwAccess, processFilter))
             {
                 // Filter out any Network logon tokens, using become with that is useless when S4U
                 // can give us a Batch logon
@@ -448,6 +479,10 @@ namespace Ansible.Become
 
                 List<string> actualPrivileges = TokenUtil.GetTokenPrivileges(hToken).Select(x => x.Name).ToList();
 
+                // If the token has less or the same number of privileges than the current token, skip it.
+                if (usedForProcess && privilegeCount >= actualPrivileges.Count)
+                    continue;
+
                 // Check that the required privileges are on the token
                 if (requiredPrivileges != null)
                 {
@@ -459,16 +494,22 @@ namespace Ansible.Become
                 // Duplicate the token to convert it to a primary token with the access level required.
                 try
                 {
-                    return TokenUtil.DuplicateToken(hToken, TokenAccessLevels.MaximumAllowed,
+                    userToken = TokenUtil.DuplicateToken(hToken, TokenAccessLevels.MaximumAllowed,
                         SecurityImpersonationLevel.Anonymous, TokenType.Primary);
+                    privilegeCount = actualPrivileges.Count;
                 }
                 catch (Process.Win32Exception)
                 {
                     continue;
                 }
+
+                // If we don't care about getting the token with the most privileges, escape the loop as we already
+                // have a token.
+                if (!usedForProcess)
+                    break;
             }
 
-            return null;
+            return userToken;
         }
 
         private static SafeNativeHandle GetS4UTokenForUser(SecurityIdentifier sid, LogonType logonType)
@@ -581,6 +622,35 @@ namespace Ansible.Become
                 return null;
         }
 
+        private static NativeHelpers.ProcessChildProcessPolicyFlags GetProcessChildProcessPolicyFlags(SafeNativeHandle processHandle)
+        {
+            // Because this is only used to check the policy, we ignore any
+            // errors and pretend that the policy is None.
+            NativeHelpers.ProcessChildProcessPolicyFlags policy = NativeHelpers.ProcessChildProcessPolicyFlags.None;
+
+            if (_getProcessMitigationPolicySupported)
+            {
+                try
+                {
+                    if (NativeMethods.GetProcessMitigationPolicy(
+                        processHandle,
+                        NativeMethods.ProcessChildProcessPolicy,
+                        ref policy,
+                        (IntPtr)4))
+                    {
+                        return policy;
+                    }
+                }
+                catch (EntryPointNotFoundException)
+                {
+                    // If the function is not available, we won't try to call it again
+                    _getProcessMitigationPolicySupported = false;
+                }
+            }
+
+            return policy;
+        }
+
         private static NativeHelpers.SECURITY_LOGON_TYPE GetTokenLogonType(SafeNativeHandle hToken)
         {
             TokenStatistics stats = TokenUtil.GetTokenStatistics(hToken);

lib/ansible/module_utils/facts/ansible_collector.py

@@ -113,7 +113,13 @@ class CollectorMetaDataCollector(collector.BaseFactCollector):
         self.module_setup = module_setup
 
     def collect(self, module=None, collected_facts=None):
+        # NOTE: deprecate/remove once DT lands
+        # we can return this data, but should not be top level key
         meta_facts = {'gather_subset': self.gather_subset}
+
+        # NOTE: this is just a boolean indicator that 'facts were gathered'
+        # and should be moved to the 'gather_facts' action plugin
+        # probably revised to handle modules/subsets combos
         if self.module_setup:
             meta_facts['module_setup'] = self.module_setup
         return meta_facts

lib/ansible/module_utils/facts/hardware/darwin.py

@@ -94,6 +94,8 @@ class DarwinHardware(Hardware):
 
         total_used = 0
         page_size = 4096
+        if 'hw.pagesize' in self.sysctl:
+            page_size = int(self.sysctl['hw.pagesize'])
 
         vm_stat_command = self.module.get_bin_path('vm_stat')
         if vm_stat_command is None:

lib/ansible/module_utils/facts/system/distribution.py

@@ -30,7 +30,7 @@ def get_uname(module, flags=('-v')):
 
 def _file_exists(path, allow_empty=False):
     # not finding the file, exit early
-    if not os.path.exists(path):
+    if not os.path.isfile(path):
         return False
 
     # if just the path needs to exists (ie, it can be empty) we are done

lib/ansible/module_utils/facts/timeout.py

@@ -48,7 +48,7 @@ def timeout(seconds=None, error_message="Timer expired"):
                 return res.get(timeout_value)
             except multiprocessing.TimeoutError:
                 # This is an ansible.module_utils.common.facts.timeout.TimeoutError
-                raise TimeoutError('Timer expired after %s seconds' % timeout_value)
+                raise TimeoutError(f'{error_message} after {timeout_value} seconds')
             finally:
                 pool.terminate()