=====================================================
Ansible 2.1 "The Song Remains the Same" Release Notes
=====================================================

2.1.4 "The Song Remains the Same" - 2017-01-16
----------------------------------------------

- Security fix for CVE-2016-9587 - An attacker with control over a client
  system being managed by Ansible and the ability to send facts back to the
  Ansible server could use this flaw to execute arbitrary code on the Ansible
  server as the user and group Ansible is running as.
- Fixed a bug with conditionals in loops, where undefined variables and other
  errors will defer raising the error until the conditional has been
  evaluated.
- Added a version check for jinja2-2.9, which does not fully work with
  Ansible currently.

2.1.3 "The Song Remains the Same" - 2016-11-04
----------------------------------------------

- Security fix for CVE-2016-8628 - Command injection by compromised server
  via fact variables. In some situations, facts returned by modules could
  overwrite connection-based facts or some other special variables, leading
  to injected commands running on the Ansible controller as the user running
  Ansible (or via escalated permissions).
- Security fix for CVE-2016-8614 - apt\_key module not properly validating
  keys in some situations.

Minor Changes:
~~~~~~~~~~~~~~

- The subversion module from core now marks its password parameter as
  no\_log so the password is obscured when logging.
- The postgresql\_lang and postgresql\_ext modules from extras now mark
  login\_password as no\_log so the password is obscured when logging.
- Fixed several bugs related to locating files relative to role/playbook
  directories.
- Fixed a bug in the way hosts were tested for failed states, resulting in
  incorrectly skipped block sessions.
- Fixed a bug in the way our custom JSON encoder is used for the
  ``to_json*`` filters.
- Fixed some bugs related to the use of non-ascii characters in become
  passwords.
- Fixed a bug with Azure modules which may be using the latest rc6 library.
- Backported some docker\_common fixes.

2.1.2 "The Song Remains the Same" - 2016-09-29
----------------------------------------------

Minor Changes
~~~~~~~~~~~~~

- Fixed a bug related to creation of retry files (#17456)
- Fixed a bug in the way include params are used when an include task is
  dynamic (#17064)
- Fixed a bug related to including blocks in an include task (#15963)
- Fixed a bug related to the use of hostvars internally when creating the
  connection plugin. This prevents things like variables using lookups from
  being evaluated unnecessarily (#17024)
- Fixed a bug where using a variable containing a list for the ``hosts`` of
  a play resulted in a list of lists (#16583)
- Fixed a bug where integer values would cause an error if a module param
  was of type ``float`` (no issue)
- Fixed a bug with net\_template failing if src was not specified (#17726)
- Fixed a bug in "ansible-galaxy import" (#17417)
- Fixed a bug in which INI files incorrectly treated a hosts range as a
  section header (#15331)
- Fixed a bug in which the max\_fail\_percentage calculation erroneously
  caused a series of plays to stop executing (#15954)
- Fixed a bug in which the task names were not properly templated (#16295)
- Fixed a bug causing "squashed" loops (i.e. yum, apt) to incorrectly report
  results (ansible-modules-core#4214)
- Fixed several bugs related to includes:

  - when including statically, make sure that all parents were also included
    statically (issue #16990)
  - properly resolve nested static include paths
  - print a message when a file is statically included

- Fixed a bug in which module params expected to be float types were not
  converted from integers (only strings) (#17325)
- Fixed a bug introduced by static includes in 2.1, which prevented
  notifications from going to the "top level" handler name.
- Fixed a bug where a group\_vars or host\_vars directory in the current
  working directory would be used (and would take precedence) over those in
  the inventory and/or playbook directory.
- Fixed a bug which could occur when the result of an async task did not
  parse as valid JSON.
- (re)-allowed the use of ansible\_python\_interpreter lines with more than
  one argument.
- Fixed several bugs related to the creation of the implicit localhost in
  inventory.
- Fixed a bug related to an unspecified number of retries when using until.
- Fixed a race-condition bug when creating temp directories before the
  worker process is forked.
- Fix a bug with async's poll keyword not making use of
  ansible\_python\_interpreter to run (and thus breaking when
  /usr/bin/python is not present on the remote machine.)
- Fix a bug where hosts that started with a range in inventory were being
  treated as an invalid section header.

Module fixes:

- Fixed a bug where the temporary CA files created by the module helper code
  were not being deleted properly in some situations (#17073)
- Fixed many bugs in the unarchive module
- Fixes for module ec2:

  - Fixed a bug related to source\_dest\_check when used with non-vpc
    instances (core#3243)
  - Fixed a bug in ec2 where instances were not powering off when referenced
    via tags only (core#4765)
  - Fixed a bug where instances with multiple interfaces were not powering
    up/down correctly (core#3234)

- Fixes for module get\_url:

  - Fixed a bug in get\_url module to force a download if there is a
    checksum mismatch regardless of the last modified time (core#4262)
  - Fixed a bug in get\_url module to properly process FTP results
    (core#3661 and core#4601)

- Fixed a bug in win\_user related to users with disabled accounts/expired
  passwords (core#4369)
- ini\_file:

  - Fixed a bug where option lines are now inserted before blank lines.
  - Fixed a bug where leading whitespace prevented matches on options.

- Fixed a bug in iam\_cert when dup\_ok is used as a string.
- Fixed a bug in postgresql\_db related to the changed logic when
  state=absent.
- Fixed a bug where single\_transaction and quick were not passed into
  db\_dump for the mysql\_db module.
- Fixed a bug where the fetch module was not idempotent when retrieving the
  target of a symlink.
- Many minor fixes for bugs in extras modules.

Deprecations
~~~~~~~~~~~~

- Deprecated the use of ``_fixup_perms``. Use ``_fixup_perms2`` instead.
  This change only impacts custom action plugins using ``_fixup_perms``.

Incompatible Changes
~~~~~~~~~~~~~~~~~~~~

- Use of ``_fixup_perms`` with ``recursive=True`` (the default) is no longer
  supported. Custom action plugins using ``_fixup_perms`` will require
  changes unless they already use ``recursive=False``. Use ``_fixup_perms2``
  if support for previous releases is not required. Otherwise use
  ``_fixup_perms`` with ``recursive=False``.

2.1 "The Song Remains the Same"
-------------------------------

Major Changes:
~~~~~~~~~~~~~~

- Official support for the networking modules, originally available in 2.0
  as a tech preview.
- Refactored and expanded support for Docker with new modules and many
  improvements to existing modules, as well as a new Kubernetes module.
- Added new modules for Azure (see below for the full list)
- Added the ability to specify includes as "static" (either through a
  configuration option or on a per-include basis). When includes are static,
  they are loaded at compile time and cannot contain dynamic features like
  loops.
- Added a new strategy ``debug``, which allows per-task debugging of
  playbooks, for more details see
  https://docs.ansible.com/ansible/playbooks\_debugger.html
- Added a new option for tasks: ``loop_control``. This currently only
  supports one option - ``loop_var``, which allows a different loop variable
  from ``item`` to be used.
- Added the ability to filter facts returned by the fact gathering setup
  step using the ``gather_subset`` option on the play or in the ansible.cfg
  configuration file. See
  http://docs.ansible.com/ansible/intro\_configuration.html#gathering for
  details on the format of the option.
- Added the ability to send per-item callbacks, rather than a batch update
  (this more closely resembles the behavior of Ansible 1.x).
- Added facility for modules to send back 'diff' for display when ansible is
  called with --diff, updated several modules to return this info
- Added ansible-console tool, a REPL shell that allows running adhoc tasks
  against a chosen inventory (based on
  https://github.com/dominis/ansible-shell)
- Added two new variables, which are set when the ``rescue`` portion of a
  ``block`` is started:

  - ``ansible_failed_task``, which contains the serialized version of the
    failed task.
  - ``ansible_failed_result``, which contains the result of the failed task.

- New meta action, ``meta: clear_host_errors`` which will clear any hosts
  which were marked as failed (but not unreachable hosts).
- New meta action, ``meta: clear_facts`` which will remove existing facts
  for the current host from current memory and facts cache.
- copy module can now transparently use a vaulted file as source, if vault
  passwords were provided it will decrypt and copy on the fly.
- The way new-style python modules (which include all of the non-windows
  modules shipped with Ansible) are assembled before execution on the remote
  machine has been changed. The new way stays closer to how python imports
  modules which will make it easier to write modules which rely heavily on
  shared code.
- Reduce the situations in which a module can end up as world readable. For
  details, see:
  https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user
- Re-implemented the retry file feature, which had been left out of 2.0 (fix
  was backported to 2.0.1 originally).
- Improved winrm argument validation and feature sniffing (for upcoming
  pywinrm NTLM support).
- Improved winrm error handling: basic parsing of stderr from CLIXML stream.

New Modules
^^^^^^^^^^^

- aws

  - ec2\_vol\_facts
  - ec2\_vpc\_dhcp\_options
  - ec2\_vpc\_net\_facts
  - ec2\_snapshot\_facts

- azure:

  - azure\_rm\_deployment
  - azure\_rm\_networkinterface
  - azure\_rm\_networkinterface\_facts (TECH PREVIEW)
  - azure\_rm\_publicipaddress
  - azure\_rm\_publicipaddress\_facts (TECH PREVIEW)
  - azure\_rm\_resourcegroup
  - azure\_rm\_resourcegroup\_facts (TECH PREVIEW)
  - azure\_rm\_securitygroup
  - azure\_rm\_securitygroup\_facts (TECH PREVIEW)
  - azure\_rm\_storageaccount
  - azure\_rm\_storageaccount\_facts (TECH PREVIEW)
  - azure\_rm\_storageblob
  - azure\_rm\_subnet
  - azure\_rm\_virtualmachine
  - azure\_rm\_virtualmachineimage\_facts (TECH PREVIEW)
  - azure\_rm\_virtualnetwork
  - azure\_rm\_virtualnetwork\_facts (TECH PREVIEW)

- cloudflare\_dns
- cloudstack

  - cs\_cluster
  - cs\_configuration
  - cs\_instance\_facts
  - cs\_pod
  - cs\_resourcelimit
  - cs\_volume
  - cs\_zone
  - cs\_zone\_facts

- clustering

  - kubernetes

- cumulus

  - cl\_bond
  - cl\_bridge
  - cl\_img\_install
  - cl\_interface
  - cl\_interface\_policy
  - cl\_license
  - cl\_ports

- eos

  - eos\_command
  - eos\_config
  - eos\_eapi
  - eos\_template

- gitlab

  - gitlab\_group
  - gitlab\_project
  - gitlab\_user

- ios

  - ios\_command
  - ios\_config
  - ios\_template

- iosxr

  - iosxr\_command
  - iosxr\_config
  - iosxr\_template

- junos

  - junos\_command
  - junos\_config
  - junos\_facts
  - junos\_netconf
  - junos\_package
  - junos\_template

- make
- mongodb\_parameter
- nxos

  - nxos\_command
  - nxos\_config
  - nxos\_facts
  - nxos\_feature
  - nxos\_interface
  - nxos\_ip\_interface
  - nxos\_nxapi
  - nxos\_ping
  - nxos\_switchport
  - nxos\_template
  - nxos\_vlan
  - nxos\_vrf
  - nxos\_vrf\_interface
  - nxos\_vrrp

- openstack

  - os\_flavor\_facts
  - os\_group
  - os\_ironic\_inspect
  - os\_keystone\_domain\_facts
  - os\_keystone\_role
  - os\_port\_facts
  - os\_project\_facts
  - os\_user\_facts
  - os\_user\_role

- openswitch

  - ops\_command
  - ops\_config
  - ops\_facts
  - ops\_template

- softlayer

  - sl\_vm

- vmware

  - vmware\_maintenancemode
  - vmware\_vm\_shell

- windows

  - win\_acl\_inheritance
  - win\_owner
  - win\_reboot
  - win\_regmerge
  - win\_timezone

- yum\_repository

New Strategies
^^^^^^^^^^^^^^

- debug

New Filters
^^^^^^^^^^^

- extract
- ip4\_hex
- regex\_search
- regex\_findall

New Callbacks
^^^^^^^^^^^^^

- actionable (only shows changed and failed)
- slack
- json

New Tests
^^^^^^^^^

- issubset
- issuperset

New Inventory scripts:
^^^^^^^^^^^^^^^^^^^^^^

- brook
- rackhd
- azure\_rm

Minor Changes:
~~~~~~~~~~~~~~

- Added support for pipelining mode to more connection plugins, which helps
  prevent module data from being written to disk.
- Added a new '!unsafe' YAML decorator, which can be used in playbooks to
  ensure a string is not templated. For example:
  ``foo: !unsafe "Don't template {{me}}"``.
- Callbacks now have access to the options with which the CLI was called
- Debug now has verbosity option to control when to display by matching
  number of -v in command line
- Modules now get verbosity, diff and other flags as passed to ansible
- Mount facts now also show 'network mounts' that use the pattern ``:/``
- Plugins are now sorted before loading. This means, for instance, if you
  want two custom callback plugins to run in a certain order you can name
  them 10-first-callback.py and 20-second-callback.py.
- Added (alpha) Centrify's dzdo as another become method (privilege
  escalation)

Deprecations:
~~~~~~~~~~~~~

- Deprecated the use of "bare" variables in loops (i.e. ``with_items: foo``,
  where ``foo`` is a variable). The full jinja2 variable syntax of
  ``{{foo}}`` should always be used instead. This warning will be removed
  completely in 2.3, after which time it will be an error.
- play\_hosts magic variable, use ansible\_play\_batch or
  ansible\_play\_hosts instead.
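
The 2.1.3 entry for CVE-2016-8628 above describes facts returned by a managed host overwriting connection-based and other special variables. The Python below is an added illustration of that class of check, not Ansible's own code: the denylist, the function names and the sample data are assumptions made for the example, and the list is not exhaustive.

```python
import re

# Assumed, non-exhaustive denylist (illustration only): variables that steer how
# the controller connects, escalates privileges or picks an interpreter.
RESERVED_EXACT = {"ansible_connection", "ansible_host", "ansible_port",
                  "ansible_user", "ansible_shell_executable"}
RESERVED_PREFIXES = ("ansible_ssh_", "ansible_become", "ansible_winrm_",
                     "ansible_docker_")
INTERPRETER_RE = re.compile(r"^ansible_\w+_interpreter$")
# Host public-key facts share the ansible_ssh_ prefix but are plain data.
ALLOWED_PREFIXES = ("ansible_ssh_host_key_",)


def is_reserved(key):
    """True if a fact name would shadow a controller-side special variable."""
    if not isinstance(key, str):
        return True  # refuse anything that is not a plain string key
    if key.startswith(ALLOWED_PREFIXES):
        return False
    return (key in RESERVED_EXACT or key.startswith(RESERVED_PREFIXES)
            or INTERPRETER_RE.match(key) is not None)


def sanitize_facts(returned_facts):
    """Split facts from a managed host into (kept, rejected key names)."""
    kept, rejected = {}, []
    for key, value in returned_facts.items():
        if is_reserved(key):
            rejected.append(key)
        else:
            kept[key] = value
    return kept, sorted(map(str, rejected))


def merge_host_vars(inventory_vars, returned_facts):
    """Merge sanitized facts under inventory vars; controller values win."""
    kept, rejected = sanitize_facts(returned_facts)
    merged = dict(kept)
    merged.update(inventory_vars)
    return merged, rejected


# Constructed sample: a module result from a host that is not trusted.
SAMPLE_FACTS = {
    "ansible_distribution": "Debian",
    "ansible_ssh_host_key_rsa_public": "AAAAB3Nza-constructed",
    "ansible_ssh_executable": "constructed-placeholder",
    "ansible_python_interpreter": "constructed-placeholder",
    "ansible_become_exe": "constructed-placeholder",
    "ansible_connection": "local",
}
SAMPLE_INVENTORY = {"ansible_connection": "ssh", "ansible_user": "deploy"}
```

Logging the rejected key names per host gives a detection signal: a managed host that returns connection or become variables as facts deserves a closer look.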