Beware! Ansible 2.5 incompatibility

George Shuklin
Published in OpsOps
2 min read, Apr 12, 2018

I had plans to transition to Ansible 2.5 after their first bugfix release. But Ubuntu included Ansible 2.5 in Bionic, and it crawled into my system with the usual updates. Surprisingly, most of the code worked (not counting a few deprecation warnings), but I found a problem that I had trouble fixing. It relates to this bug: https://github.com/ansible/ansible/issues/35398, which they claim is not a bug but a feature. This bug-o-feature is related to the way delegate_to and include_role act together. Older versions of Ansible (2.4) permitted using delegate_to with include_role to delegate a role to another server. Newer versions allow this only with import_role.

Example (real example from my production, so, hold on):

    - name: Configure data checks
      delegate_to: '{{monitoring_host}}'
      become: yes
      include_role:
        name: shinken-configure
        tasks_from: services
      vars:
        services:
          - hostgroup_name: app
            service_description: 'has_any_data_{{foo.name}}_{{foo.bar}}'
            contact_groups:
              - someone
              - else
            retry_interval: 1
            check_command: 'check_api!/api/foo/verify/{{foo.id}}'
      when: baz.foobar is defined
      with_items: '{{baz.foobar}}'
      loop_control:
        loop_var: foo
        label: '{{foo.name}} - {{foo.carrier}}'

(I hope I obscured my production well enough).

This code started to fail, complaining that there is no /etc/shinken. There is an /etc/shinken on the monitoring host, but it does not exist on any of the other hosts. That means that delegation has failed.

The key part here is this (generic version):

    delegate_to: '{{some_host}}'
    include_role:
      name: some_role
    with_items: [one, two]

Analysis:

  1. We can’t use import_role together with with_items. I specifically checked this with 2.5. We still can’t.
  2. We can’t use include_role with delegate_to anymore. We could in 2.4; we can’t in 2.5.

The danger

The key problem here is that delegate_to with include_role still runs, but runs incorrectly. Delegation is simply ignored, so the included role is run on an unexpected, different host. If nothing critical breaks (like the missing /etc/shinken in my case), the code silently does the wrong thing and reports success after that.
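An added example, not from the original post: a small static check that lists playbook tasks setting both include_role and delegate_to, the combination described above as silently ignored in 2.5, and marks whether the task also loops (where import_role is not a drop-in replacement). It assumes block-style YAML indented with spaces and only looks at keys set on the task itself; the function name and the sample playbook are constructed for illustration.

```python
import re

# Matches "key: value" and "- key: value" lines of block-style YAML.
ENTRY = re.compile(r"^(\s*)(- )?(\w+):\s*(.*)$")

def find_ignored_delegations(playbook_text):
    """Return [(line_no, task_name, loops)] for every task that sets both
    include_role and delegate_to on the same task."""
    open_items = {}  # key indentation -> list item currently being read
    findings = []

    def close(min_indent):
        # Finish every open list item indented at least this deep.
        for indent in [i for i in open_items if i >= min_indent]:
            item = open_items.pop(indent)
            if {"include_role", "delegate_to"} <= item["keys"]:
                loops = any(k == "loop" or k.startswith("with_") for k in item["keys"])
                findings.append((item["line"], item["name"], loops))

    for line_no, line in enumerate(playbook_text.splitlines(), 1):
        m = ENTRY.match(line)
        if not m:
            continue
        indent = len(m.group(1)) + (2 if m.group(2) else 0)
        if m.group(2):  # "- key:" starts a new list item (task, play, ...)
            close(indent)
            open_items[indent] = {"line": line_no, "name": "", "keys": set()}
        else:  # a plain key ends any deeper list item
            close(indent + 1)
        item = open_items.get(indent)
        if item is not None:
            item["keys"].add(m.group(3))
            if m.group(3) == "name":
                item["name"] = m.group(4).strip("'\"")
    close(0)
    return sorted(findings)

# Constructed sample playbook, modelled on the generic task above.
SAMPLE = """\
- hosts: app
  tasks:
    - name: Configure data checks
      delegate_to: '{{ some_host }}'
      include_role:
        name: some_role
      with_items: [one, two]
    - name: Static import
      delegate_to: '{{ some_host }}'
      import_role:
        name: some_role
"""
```

Calling `find_ignored_delegations(SAMPLE)` reports only the first task; the import_role task is left alone.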

What to do?

I don’t know yet. For now I have added a simple safeguard to my playbook:

    - assert:
        that:
          - "ansible_version.full | version_compare('2.4', '>=')"
          - "ansible_version.full | version_compare('2.5', '<')"

I plan to return to this topic during the migration to 2.5. So far I am still waiting for the bugfix release.

P. S.

I checked the changelog for 2.5, the documentation page for include_role, and the chapter on delegation, and found that there is nothing about this change. A very, very, very nasty surprise, I’d say.

P.P.S. I found the solution

See my next post: https://medium.com/opsops/ansible-2-5-delegate-to-and-include-role-20cd7e67008e

George Shuklin
OpsOps

I work at Servers.com, most of my stories are about Ansible, Ceph, Python, Openstack and Linux. My hobby is Rust.