Role check executes ansible code #3277

Closed
saez0pub opened this issue Apr 12, 2023 · 5 comments · Fixed by #3280

saez0pub commented Apr 12, 2023

Summary

ansible-lint is executing the code in my roles

Issue Type

  • Bug Report

OS / ENVIRONMENT

ansible-lint --version
ansible-lint 6.14.5 using ansible 2.14.4

  • ansible installation method: pip
  • ansible-lint installation method: pip

STEPS TO REPRODUCE

# cd "$(mktemp -d)"
# python3 -m venv venv
# source venv/bin/activate
(venv) # pip install ansible-lint
(venv) # mkdir -p roles/test/tasks
(venv) # cat <<EOF > roles/test/tasks/main.yml
---
- name: command
  command: /bin/sh -c "exit 1"
EOF
(venv) # ansible-lint -v roles/test/

Desired Behavior

Syntax check as usual, no real Ansible commands.

Actual Behavior

Ansible tasks are run 😱
Imagine I have a recursive deletion on my home in a playbook.

(venv) # ansible-lint -v roles/test/
INFO     Set ANSIBLE_LIBRARY=/Users/me/.cache/ansible-compat/68dab1/modules:/Users/me/.ansible/plugins/modules:/usr/share/ansible/plugins/modules
INFO     Set ANSIBLE_COLLECTIONS_PATH=/Users/me/.cache/ansible-compat/68dab1/collections:/Users/me/.ansible/collections:/usr/share/ansible/collections
INFO     Set ANSIBLE_ROLES_PATH=/Users/me/.cache/ansible-compat/68dab1/roles:roles:/Users/me/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles
INFO     Looking up for files, excluding .cache|.git|.hg|.svn|.tox ...
INFO     Executing syntax check on role roles/test (0.49s)
WARNING  Listing 1 violation(s) that are fatal
internal-error: Unexpected error code 2 from execution of: ansible localhost --syntax-check --module-name=include_role --args name=roles/test
roles/test:1 [WARNING]: No inventory was parsed, only implicit localhost is available

localhost | SUCCESS => {
    "changed": false,
    "include_args": {
        "name": "roles/test"
    }
}
localhost | FAILED | rc=1 >>
non-zero return code


Read documentation for instructions on how to ignore specific rule violations.

              Rule Violation Summary
 count tag            profile rule associated tags
     1 internal-error min     core

Failed after : 1 failure(s), 0 warning(s) on 2 files.
@saez0pub saez0pub added bug new Triage required labels Apr 12, 2023
@macwinnie

Found the same issue ... please fix it soon!

Linter should never execute the actual stuff – and never remark missing given become tokens ;)

localhost | FAILED! => {
    "changed": false,
    "module_stderr": "sudo: a password is required\n",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}

@saez0pub
Author

I reverted to 6.14.2, waiting for a fix

evgeni added a commit to theforeman/foreman-ansible-modules that referenced this issue Apr 12, 2023
6.14.5 has a bug that breaks role validation: ansible/ansible-lint#3277
@evgeni
Contributor

evgeni commented Apr 12, 2023

FTR, it comes from this commit: 502ea61

Which is not even listed in the changelog? https://github.com/ansible/ansible-lint/releases/tag/v6.14.5

@sivel
Member

sivel commented Apr 12, 2023

fwiw, we've gotten a report in ansible/ansible for this at ansible/ansible#80506

Ultimately core does not support the ability to syntax check just an individual role. --syntax-check being available to the ansible adhoc command was errant, and is in the process of being removed. Once it is removed, lint would get an error from core in the current state.

To syntax check an individual role would require creating a temporary playbook that only invokes that single role, and then syntax check the temporary playbook.
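
The temporary-playbook approach described in the comment above, as an added example (not code from ansible-lint, ansible-core, or anyone in this thread): it writes a one-play playbook that references a single role and hands it to `ansible-playbook --syntax-check`, which parses the playbook without running its tasks. The function names and the injectable `runner` parameter are assumptions made for this example.

```python
import json
import subprocess
import sys
import tempfile
from pathlib import Path


def wrapper_playbook(role_path):
    """Return the text of a one-play playbook that only references one role."""
    # The playbook is written to a temp dir, so the role is referenced by
    # absolute path; a relative path would no longer point at the role from there.
    play = {
        "hosts": "localhost",
        "gather_facts": False,
        "roles": [{"role": str(Path(role_path).resolve())}],
    }
    # JSON flow syntax is accepted by YAML parsers, and json.dumps quotes the
    # path safely, so no YAML library is needed to build the file.
    return "---\n" + json.dumps([play], indent=2) + "\n"


def syntax_check_argv(playbook):
    """ansible-playbook (not the ad-hoc `ansible` command) with --syntax-check."""
    return ["ansible-playbook", "--syntax-check", str(playbook)]


def syntax_check_role(role_path, runner=subprocess.run):
    """Write the wrapper, syntax check it, and return (exit code, output)."""
    with tempfile.TemporaryDirectory() as tmp:
        playbook = Path(tmp) / "syntax-check.yml"
        playbook.write_text(wrapper_playbook(role_path), encoding="utf-8")
        proc = runner(syntax_check_argv(playbook), capture_output=True,
                      text=True, check=False)
    return proc.returncode, proc.stdout + proc.stderr


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python check_role.py roles/test
    code, output = syntax_check_role(sys.argv[1])
    print(output, end="")
    sys.exit(code)
```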

@ssbarnea
Member

ssbarnea commented Apr 13, 2023

@sivel Last time I checked about this I was told that this was not accidental!... I do not remember exactly who told me, but it was someone from the core team.

I guess that we would be forced to use the temp playbook approach, which has lots of problems, especially for linting in real-time (IDE). There are repositories with >100 roles; creating temporary playbooks for each of them would have a notable performance impact.

I yanked yesterday's release, v6.14.5, so we can fix it today.

@ssbarnea ssbarnea removed the new Triage required label Apr 13, 2023
@ssbarnea ssbarnea self-assigned this Apr 13, 2023
@ssbarnea ssbarnea changed the title role check executes ansible code Role check executes ansible code Apr 13, 2023
ssbarnea added a commit that referenced this issue Apr 13, 2023
ssbarnea added a commit that referenced this issue Apr 13, 2023
oyale added a commit to coopdevs/zulip-role that referenced this issue Apr 18, 2023