use failed_when:false for Ansible register: checks
#11782
Conversation
Using ignore_errors leads to user-visible fatal errors
produced by ansible-playbook:
TASK [Enable FIPS Mode - Check to See the Current Status of FIPS Mode] *********
fatal: [192.168.122.178]: FAILED! => {"changed": false, "cmd": ["/usr/bin/fips-mode-setup", "--check"] ...
These are indistinguishable from actually terminating
fatal errors (to a log-reading script) that need to be
investigated.
Using failed_when avoids those, while still registering
the output for use by other checks, as done by many other
checks:
$ grep -i 'failed_when: false' -r linux_os/ | wc -l
25
Signed-off-by: Jiri Jaburek <comps@nomail.dom>
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the full diffansible remediation for rule 'xccdf_org.ssgproject.content_rule_enable_fips_mode' differs.
--- xccdf_org.ssgproject.content_rule_enable_fips_mode
+++ xccdf_org.ssgproject.content_rule_enable_fips_mode
@@ -7,7 +7,7 @@
- name: Enable FIPS Mode - Check to See the Current Status of FIPS Mode
ansible.builtin.command: /usr/bin/fips-mode-setup --check
register: is_fips_enabled
- ignore_errors: true
+ failed_when: false
changed_when: false
when:
- ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir' differs.
--- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
+++ xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir
@@ -697,7 +697,7 @@
cmd: semanage fcontext -a -t faillog_t "{{ var_accounts_passwords_pam_faillock_dir
}}(/.*)?"
register: result_accounts_passwords_pam_faillock_dir_semanage
- ignore_errors: true
+ failed_when: false
changed_when:
- result_accounts_passwords_pam_faillock_dir_semanage.rc == 0
when: '"pam" in ansible_facts.packages'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_enable_smartcards' differs.
--- xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
+++ xccdf_org.ssgproject.content_rule_sssd_enable_smartcards
@@ -15,7 +15,7 @@
- name: Test for domain group
command: grep '^\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
register: test_grep_domain
- ignore_errors: true
+ failed_when: false
changed_when: false
check_mode: false
when:
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_memcache_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
+++ xccdf_org.ssgproject.content_rule_sssd_memcache_timeout
@@ -20,7 +20,7 @@
- name: Test for domain group
command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
register: test_grep_domain
- ignore_errors: true
+ failed_when: false
changed_when: false
check_mode: false
when:
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration' differs.
--- xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
+++ xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration
@@ -16,7 +16,7 @@
- name: Test for domain group
command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
register: test_grep_domain
- ignore_errors: true
+ failed_when: false
changed_when: false
check_mode: false
when:
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
+++ xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout
@@ -20,7 +20,7 @@
- name: Test for domain group
command: grep '\s*\[domain\/[^]]*]' /etc/sssd/sssd.conf
register: test_grep_domain
- ignore_errors: true
+ failed_when: false
changed_when: false
check_mode: false
when: |
|
🤖 A k8s content image for this PR is available at: Click here to see how to deploy itIf you alread have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: |
|
Code Climate has analyzed commit 40fdde4 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.3% (0.0% change). View more on Code Climate. |
There was a problem hiding this comment.
It makes sense to me.
We use failed_when more often than ignore_errors.
There is an informed person who advertises failed_when.
https://medium.com/@sbarnea/why-ansible-ignore-errors-is-evil-500fb6e81229
https://www.reddit.com/r/ansible/comments/j3rtwt/beware_of_illusive_ansible_ignore_errors_when/
|
/retest |
Description:
Using
ignore_errorsleads to user-visible fatal errors produced by ansible-playbook:These are indistinguishable from actually terminating fatal errors (to a log-reading script) that need to be investigated.
Using
failed_whenavoids those, while still registering the output for use by other checks, as done by many other checks:Review Hints:
Double-check that this is sane, please. I'm not an Ansible expert, so I don't know if this may have side-effects, but I did some preliminary testing and it seems to be working as intended.