Beware! Ansible 2.5 incompatibility
I had plans to transition to Ansible 2.5 after their first bugfix release. But Ubuntu included Ansible 2.5 in Bionic, and it crawled into my system with the usual updates. Surprisingly, most of the code worked (not counting a few deprecation warnings), but I found a problem, which I had trouble fixing. It relates to this bug: https://github.com/ansible/ansible/issues/35398 which they claim is not a bug, but a feature. This bug-o-feature is related to the way delegate_to and include_role act together. The older version of Ansible (2.4) permitted using delegate_to with include_role to delegate a role to another server. The newer version allows this only with import_role.
Example (real example from my production, so, hold on):

    - name: Configure data checks
      delegate_to: '{{monitoring_host}}'
      become: yes
      include_role:
        name: shinken-configure
        tasks_from: services
      vars:
        services:
          - hostgroup_name: app
            service_description: 'has_any_data_{{foo.name}}_{{foo.bar}}'
            contact_groups:
              - someone
              - else
            retry_interval: 1
            check_command: 'check_api!/api/foo/verify/{{foo.id}}'
      when: baz.foobar is defined
      with_items: '{{baz.foobar}}'
      loop_control:
        loop_var: foo
        label: '{{foo.name}} - {{foo.carrier}}'

(I hope I obscured my production well enough).
This code started to fail, complaining that there is no /etc/shinken. There is /etc/shinken on the monitoring host, but it does not exist on all other hosts. That means that delegation has failed.
The key part here is this (generic version):

    delegate_to: '{{some_host}}'
    include_role:
      name: some_role
    with_items: [one, two]

Analysis:
- We couldn’t use import_role together with with_items. I specifically checked it with 2.5. Still, we couldn’t.
- We couldn’t use include_role with delegate_to anymore. We can in 2.4, we couldn’t in 2.5.
The danger
The key problem here is that delegate_to with include_role is working, but working incorrectly. Delegation is simply ignored, so the included role is run on an unexpected, different host. If there are no critical issues with this (like the lack of /etc/shinken in my case), the code silently does the wrong thing and reports success after that.
What to do?
I don’t know yet. For now I add a simple safeguard to my playbook:

    - assert:
        that:
          - "ansible_version.full | version_compare('2.4', '>=')"
          - "ansible_version.full | version_compare('2.5', '<')"

I plan to return to this topic during migration to 2.5. So far I am still waiting for the bugfix release.
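
Because the failure described under "The danger" is silent, it helps to locate every affected task before upgrading. The following is an added example, not code from the original post: a standard-library Python scanner that flags tasks combining include_role with delegate_to and records whether they loop, since import_role cannot replace a looped include. The function name, sample playbook and task names are constructed, and the scanner is a line-based heuristic that assumes space-indented YAML rather than a full YAML parser.

```python
import re

# Matches "key: value" lines, optionally opening a list item ("- key: value").
LINE = re.compile(r"^(\s*)(- )?(\w+):\s*(.*)$")
LOOPS = {"with_items", "loop"}

def find_ignored_delegation(text):
    """Return (line, task name, looped) for tasks pairing include_role with delegate_to."""
    stack, items = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw)
        if not m:
            continue  # blank lines, comments, plain scalars such as "- someone"
        indent = len(m.group(1))
        while stack and stack[-1]["indent"] > indent:
            stack.pop()  # we left the mapping of a deeper list item
        if m.group(2):  # "- key:" opens a list item; its keys sit two columns deeper
            stack.append({"line": no, "indent": indent + 2, "keys": {}})
            items.append(stack[-1])
            indent += 2
        if stack and stack[-1]["indent"] == indent:
            # Only keys at the item's own level count; nested "name:" is skipped.
            stack[-1]["keys"][m.group(3)] = m.group(4).strip("'\"")
    return [
        (i["line"], i["keys"].get("name", "<unnamed>"), bool(LOOPS & i["keys"].keys()))
        for i in items
        if {"include_role", "delegate_to"} <= i["keys"].keys()
    ]

# Constructed sample playbook: only the first task matches the pattern from the post.
SAMPLE = """\
- hosts: app
  tasks:
    - name: Configure checks on monitoring host
      delegate_to: '{{some_host}}'
      include_role:
        name: some_role
      with_items: [one, two]
    - name: Delegated static import
      delegate_to: '{{some_host}}'
      import_role:
        name: some_role
    - name: Local include
      include_role:
        name: some_role
"""

if __name__ == "__main__":
    for line, name, looped in find_ignored_delegation(SAMPLE):
        print(f"line {line}: {name!r} delegates an include_role (looped={looped})")
```
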
P. S.
I checked the changelog for 2.5, the documentation page for include_role, and the chapter on delegation, and found that there is nothing about this change. A very, very, very nasty surprise, I’d say.
P.P.S. I found the solution
See my next post: https://medium.com/opsops/ansible-2-5-delegate-to-and-include-role-20cd7e67008e