Topics
Release Date: 2024-12-02
- ansible-test - When detection of the current container network fails, a warning is now issued and execution continues. This simplifies usage in cases where the current container cannot be inspected, such as when running in GitHub Codespaces.
- Templating will not prefer AnsibleUnsafe when a variable is referenced via hostvars - CVE-2024-11079
- Fix returning 'unreachable' for the overall task result. This prevents false positives when a looped task has unignored unreachable items (#84019).
- ansible-test - Fix traceback that occurs after an interactive command fails.
- dnf5 - fix installing a package using
state=latest
when a binary of the same name as the package is already installed (#84259) - dnf5 - matching on a binary can be achieved only by specifying a full path (#84334)
- runas become - Fix up become logic to still get the SYSTEM token with the most privileges when running as SYSTEM.
Release Date: 2024-11-04
- Add
gid_min
,gid_max
to the group plugin to overwrite the defaults provided by the/etc/login.defs
file (#81770). - Add
python3.13
to the defaultINTERPRETER_PYTHON_FALLBACK
list. - Add
uid_min
,uid_max
to the user plugin to overwrite the defaults provided by the/etc/login.defs
file (#81770). - Add a new meta task
end_role
(#22286) - Add a new mount_facts module to support gathering information about mounts that are excluded by default fact gathering.
- Introducing COLOR_INCLUDED parameter. This can set a specific color for "included" events.
- Removed the shell
environment
config entry as this is already covered by the play/task directives documentation and the value itself is not used in the shell plugins. This should remove any confusion around how people set the environment for a task. - Suppress cryptography deprecation warnings for Blowfish and TripleDES when the
paramiko
Python module is installed. - The minimum supported Python version on targets is now Python 3.8.
ansible-galaxy collection publish
- add configuration options for the initial poll interval and the exponential when checking the import status of a collection, since the default is relatively slow.- ansible-config has new 'validate' option to find mispelled/forgein configurations in ini file or environment variables.
- ansible-doc - show examples in role entrypoint argument specs (#82671).
- ansible-galaxy - Handle authentication errors and token expiration
- ansible-test - Add Ubuntu 24.04 remote.
- ansible-test - Add support for Python 3.13.
- ansible-test - An
ansible_core.egg-info
directory is no longer generated when running tests. - ansible-test - Connection options can be set for ansible-test managed remote Windows instances.
- ansible-test - Default to Python 3.13 in the
base
anddefault
containers. - ansible-test - Disable the
deprecated-
prefixedpylint
rules as their results vary by Python version. - ansible-test - Improve container runtime probe error handling. When unexpected probe output is encountered, an error with more useful debugging information is provided.
- ansible-test - Improve the error message shown when an unknown
--remote
or--docker
option is given. - ansible-test - Remove Python 2.7 compatibility imports.
- ansible-test - Removed the
vyos/1.1.8
network remote as it is no longer functional. - ansible-test - Replace Alpine 3.19 container and remote with Alpine 3.20.
- ansible-test - Replace Fedora 39 container and remote with Fedora 40.
- ansible-test - Replace FreeBSD 14.0 remote with FreeBSD 14.1.
- ansible-test - Replace RHEL 9.3 remote with RHEL 9.4.
- ansible-test - Replace Ubuntu 20.04 container with Ubuntu 24.04 container.
- ansible-test - The
empty-init
sanity test no longer applies tomodule_utils
packages. - ansible-test - Update
ansible-test-utility-container
to version 3.1.0. - ansible-test - Update
base
anddefault
containers to omit Python 3.7. - ansible-test - Update
coverage
to version 7.6.1. - ansible-test - Update
http-test-container
to version 3.0.0. - ansible-test - Update
nios-test-container
to version 5.0.0. - ansible-test - Update
pylint
sanity test to use version 3.3.1. - ansible-test - Update
pypi-test-container
to version 3.2.0. - ansible-test - Update the
base
anddefault
containers. - ansible-test - Updated the frozen requirements for all sanity tests.
- ansible-test - Upgrade
pip
used in ansible-test managed virtual environments from version 24.0 to 24.2. - ansible-test - Virtual environments created by ansible-test no longer include the
wheel
orsetuptools
packages. - ansible-test - update HTTP test container to 3.2.0 (#83469).
- ansible.log now also shows log severity field
- distribution.py - Added SL-Micro in Suse OS Family. (#83541)
- dnf - minor internal changes in how the errors from the dnf API are handled; rely solely on the exceptions rather than inspecting text embedded in them
- dnf - remove legacy code for unsupported dnf versions
- dnf5 - implement
enable_plugin
anddisable_plugin
options - fact gathering - Gather /proc/sysinfo facts on s390 Linux on Z
- facts - add systemd version and features
- find - change the datatype of
elements
topath
in optionpaths
(#83575). - ini lookup - add new
interpolation
option (#83755) - isidentifier - remove unwanted Python 2 specific code.
- loop_control - add a break_when option to to break out of a task loop early based on Jinja2 expressions (#83442).
- package_facts module now supports using aliases for supported package managers, for example managers=yum or managers=dnf will resolve to using the underlying rpm.
- plugins, deprecations and warnings concerning configuration are now displayed to the user, technical issue that prevented 'de-duplication' have been resolved.
- psrp - Remove connection plugin extras vars lookup. This should have no affect on existing users as all options have been documented.
- remove extraneous selinux import (#83657).
- replace random with secrets library.
- rpm_key - allow validation of gpg key with a subkey fingerprint
- rpm_key - enable gpg validation that requires presence of multiple fingerprints
- service_mgr - add support for dinit service manager (#83489).
- task timeout now returns timedout key with frame/code that was in execution when the timeout is triggered.
- timedout test for checking if a task result represents a 'timed out' task.
- unarchive - Remove Python 2.7 compatibility imports.
- validate-modules sanity test - detect if names of an option (option name + aliases) do not match between argument spec and documentation (#83598, #83599).
- validate-modules sanity test - reject option/aliases names that are identical up to casing but belong to different options (#83530).
- vaulted_file test filter added, to test if the provided path is an 'Ansible vaulted' file
- yum_repository - add
excludepkgs
alias to theexclude
option.
- Stopped wrapping all commands sent over SSH on a Windows target with a
powershell.exe
executable. This results in one less process being started on each command for Windows to improve efficiency, simplify the code, and makeraw
an actual raw command run with the default shell configured on the Windows sshd settings. This should have no affect on most tasks except forraw
which now is not guaranteed to always be running in a PowerShell shell and from having the console output codepage set to UTF-8. To avoid this issue either swap to usingansible.windows.win_command
,ansible.windows.win_shell
,ansible.windows.win_powershell
or manually wrap the raw command with the shell commands needed to set the output console encoding. - persistent connection plugins - The
ANSIBLE_CONNECTION_PATH
config option no longer has any effect.
- Deprecate
ansible.module_utils.basic.AnsibleModule.safe_eval
andansible.module_utils.common.safe_eval
as they are no longer used. - persistent connection plugins - The
ANSIBLE_CONNECTION_PATH
config option no longer has any effect, and will be removed in a future release. - yum_repository - deprecate
async
option as it has been removed in RHEL 8 and will be removed in ansible-core 2.22. - yum_repository - the following options are deprecated:
deltarpm_metadata_percentage
,gpgcakey
,http_caching
,keepalive
,metadata_expire_filter
,mirrorlist_expire
,protect
,ssl_check_cert_permissions
,ui_repoid_vars
as they have no effect for dnf as an underlying package manager. The options will be removed in ansible-core 2.22.
- Play - removed deprecated
ROLE_CACHE
property in favor ofrole_cache
. - Remove deprecated VariableManager._get_delegated_vars method (#82950)
- Removed Python 3.10 as a supported version on the controller. Python 3.11 or newer is required.
- Removed support for setting the
vars
keyword to lists of dictionaries. It is now required to be a single dictionary. - loader - remove deprecated non-inclusive words (#82947).
- paramiko_ssh - removed deprecated ssh_args from the paramiko_ssh connection plugin (#82939).
- paramiko_ssh - removed deprecated ssh_common_args from the paramiko_ssh connection plugin (#82940).
- paramiko_ssh - removed deprecated ssh_extra_args from the paramiko_ssh connection plugin (#82941).
- play_context - remove deprecated PlayContext.verbosity property (#82945).
- utils/listify - remove deprecated 'loader' argument from listify_lookup_plugin_terms API (#82949).
- include_vars action - Ensure that result masking is correctly requested when vault-encrypted files are read. (CVE-2024-8775)
- task result processing - Ensure that action-sourced result masking (
_ansible_no_log=True
) is preserved. (CVE-2024-8775) - user action won't allow ssh-keygen, chown and chmod to run on existing ssh public key file, avoiding traversal on existing symlinks (CVE-2024-9902).
- -> runas become - Generate new token for the SYSTEM token to use for become. This should result in the full SYSTEM token being used and problems starting the process that fails with
The process creation has been blocked
. - Add a version ceiling constraint for pypsrp to avoid potential breaking changes in the 1.0.0 release.
- Add descriptions for
ansible-galaxy install --help` and ``ansible-galaxy role|collection install --help
. - Avoid truncating floats when casting into int, as it can lead to truncation and unexpected results. 0.99999 will be 0, not 1.
- COLOR_SKIP will not alter "included" events color display anymore.
- Callbacks now correctly get the resolved connection plugin name as the connection used.
- Darwin - add unit tests for Darwin hardware fact gathering.
- Errors now preserve stacked error messages even when YAML is involved.
- Fix
SemanticVersion.parse()
to store the version string so that__repr__
reports it instead ofNone
(#83831). - Fix a traceback when an environment variable contains certain special characters (#83498)
- Fix an issue when setting a plugin name from an unsafe source resulted in
ValueError: unmarshallable object
(#82708) - Fix an issue where registered variable was not available for templating in
loop_control.label
on skipped looped tasks (#83619) - Fix disabling SSL verification when installing collections and roles from git repositories. If
--ignore-certs
isn't provided, the value for theGALAXY_IGNORE_CERTS
configuration option will be used (#83326). - Fix for
meta
tasks breaking host/fork affinity withhost_pinned
strategy (#83294) - Fix handlers not being executed in lockstep using the linear strategy in some cases (#82307)
- Fix rapid memory usage growth when notifying handlers using the
listen
keyword (#83392) - Fix the task attribute
resolved_action
to show the FQCN instead ofNone
whenaction
orlocal_action
is used in the playbook. - Fix using
module_defaults
withlocal_action
/action
(#81905). - Fix using the current task's directory for looking up relative paths within roles (#82695).
- Improve performance on large inventories by reducing the number of implicit meta tasks.
- Remove deprecated config options DEFAULT_FACT_PATH, DEFAULT_GATHER_SUBSET, and DEFAULT_GATHER_TIMEOUT in favor of setting
fact_path
,gather_subset
andgather_timeout
asmodule_defaults
foransible.builtin.setup
. These will apply to both thegather_facts
play keyword, and anyansible.builtin.setup
tasks. To configure these options only for thegather_facts
keyword, set these options as play keywords also. - Set LANGUAGE environment variable is set to a non-English locale (#83608).
- Use the requested error message in the ansible.module_utils.facts.timeout timeout function instead of hardcoding one.
ansible-galaxy install --help
- Fix the usage text and document that the requirements file passed to-r
can include collections and roles.ansible-galaxy role install
- update the default timeout to download archive URLs from 20 seconds to 60 (#83521).end_host
- fix incorrect return code when executingend_host
in therescue
section (#83447)package
/dnf
action plugins - provide the reason behind the failure to gather theansible_pkg_mgr
fact to identify the package backend- addressed issue of trailing text been ignored, non-ASCII characters are parsed, enhance white space handling and fixed overly permissive issue of human_to_bytes filter(#82075)
- ansible-config will now properly template defaults before dumping them.
- ansible-doc - fixed "inicates" typo in output
- ansible-doc - format top-level descriptions with multiple paragraphs as multiple paragraphs, instead of concatenating them (#83155).
- ansible-doc - handle no_fail condition for role.
- ansible-doc - make colors configurable.
- ansible-galaxy collection install - remove old installation info when installing collections (#83182).
- ansible-galaxy role install - fix symlinks (#82702, #81965).
- ansible-test - Enable the
sys.unraisablehook
work-around for thepylint
sanity test on Python 3.11. Previously the work-around was only enabled for Python 3.12 and later. However, the same issue has been discovered on Python 3.11. - ansible-test - The
pylint
sanity test now includes the controller/target context of files when grouping them. This allows the--py-version
option to be passed topylint
to indicate the minimum supported Python version for each test context, preventingpylint
from defaulting to the Python version used to invoke the test. - ansible-test action-plugin-docs - Fix to check for sidecar documentation for action plugins
- ansible_managed restored it's 'templatability' by ensuring the possible injection routes are cut off earlier in the process.
- apt - report changed=True when some packages are being removed (#46314).
- apt_* - add more info messages raised while updating apt cache (#77941).
- assemble - update argument_spec with 'decrypt' option which is required by action plugin (#80840).
- atomic_move - fix using the setgid bit on the parent directory when creating files (#46742, #67177).
- config, restored the ability to set module compression via a variable
- connection plugins using the 'extras' option feature would need variables to match the plugin's loaded name, sometimes requiring fqcn, which is not the same as the documented/declared/expected variables. Now we fall back to the 'basename' of the fqcn, but plugin authors can still set the expected value directly.
- copy - mtime/atime not updated. Fix now update mtime/atime(#83013)
- csvfile lookup - give an error when no search term is provided using modern config syntax (#83689).
- debconf - fix normalization of value representation for boolean vtypes in new packages (#83594)
- debconf - set empty password values (#83214).
- delay keyword is now a float, matching the underlying 'time' API and user expectations.
- display - warn user about empty log filepath (#79959).
- display now does a better job of mapping warnings/errors to the proper log severity when using ansible.log. We still use color as a fallback mapping (now prioritiezed by severity) but mostly rely on it beind directly set by warnning/errors calls.
- distro package - update the distro package version from 1.8.0 to 1.9.0 (#82935)
- dnf - Ensure that we are handling DownloadError properly in the dnf module
- dnf - Substitute variables in DNF cache path (#80094).
- dnf - fix an issue where two packages of the same
evr
but different arch failed to install (#83406) - dnf - honor installroot for
cachedir
,logdir
andpersistdir
- dnf - perform variable substitutions in
logdir
andpersistdir
- dnf, dnf5 - fix for installing a set of packages by specifying them using a wildcard character (#83373)
- dnf5 - fix traceback when
enable_plugins
/disable_plugins
is used onpython3-libdnf5
versions that do not support this functionality - dnf5 - re-introduce the
state: installed
alias tostate: present
(#83960) - dnf5 - replace removed API calls
- ensure we have logger before we log when we have increased verbosity.
- facts - support_discard now returns 0 if either discard_granularity or discard_max_hw_bytes is zero; otherwise it returns the value of discard_granularity, as before (#83480).
- facts - add a generic detection for VMware in product name.
- facts - add facts about x86_64 flags to detect microarchitecture (#83331).
- facts - skip if distribution file path is directory, instead of raising error (#84006).
- fetch - add error message when using
dest
with a trailing slash that becomes a local directory - #82878 - file - retrieve the link's full path when hard linking a soft link with follow (#33911).
- fixed the issue of creating user directory using tilde(~) always reported "changed".(#82490)
- fixed unit test test_borken_cowsay to address mock not been properly applied when existing unix system already have cowsay installed.
- freebsd - refactor dmidecode fact gathering code for simplicity.
- freebsd - update disk and slices regex for fact gathering (#82081).
- get_url - Verify checksum using tmpsrc, not dest (#64092)
- git - check if git version is available or not before using it for comparison (#72321).
- include_tasks - Display location when attempting to load a task list where
include_*
did not specify any value - #83874 - known_hosts - the returned module invocation now accurately reflects the module arguments.
- linear strategy now provides a properly templated task name to the v2_runner_on_started callback event.
- linear strategy: fix handlers included via
include_tasks
handler to be executed in lockstep (#83019) - linux - remove extraneous get_bin_path API call.
- local - handle error while parsing values in ini files (#82717).
- lookup - Fixed examples of csv lookup plugin (#83031).
- module_defaults - do not display action/module deprecation warnings when using an action_group that contains a deprecated plugin (#83490).
- module_utils atomic_move (used by most file based modules), now correctly handles permission copy and setting mtime correctly across all paths
- package_facts - apk fix when cache is empty (#83126).
- package_facts - no longer fails silently when the selected package manager is unable to list packages.
- package_facts - returns the correct warning when package listing fails.
- persistent connection plugins - The correct Ansible persistent connection helper is now always used. Previously, the wrong script could be used, depending on the value of the
PATH
environment variable. As a result, users were sometimes required to setANSIBLE_CONNECTION_PATH
to use the correct script. - powershell - Implement more robust deletion mechanism for C# code compilation temporary files. This should avoid scenarios where the underlying temporary directory may be temporarily locked by antivirus tools or other IO problems. A failure to delete one of these temporary directories will result in a warning rather than an outright failure.
- powershell - Improve CLIXML decoding to decode all control characters and unicode characters that are encoded as surrogate pairs.
- psrp - Fix bug when attempting to fetch a file path that contains special glob characters like
[]
- replace - Updated before/after example (#83390).
- runtime-metadata sanity test - do not crash on deprecations if
galaxy.yml
contains an emptyversion
field (#83831). - service - fix order of CLI arguments on FreeBSD (#81377).
- service_facts - don't crash if OpenBSD rcctl variable contains '=' character (#83457)
- service_facts will now detect failed services more accurately across systemd implementations.
- setup module (fact gathering), added fallbcak code path to handle mount fact gathering in linux when threading is not available
- setup/gather_facts will skip missing
sysctl
instead of being a fatal error (#81297). - shell plugin - properly quote all needed components of shell commands (#82535)
- ssh - Fix bug when attempting to fetch a file path with characters that should be quoted when using the
piped
transfer method - support the countme option when using yum_repository
- systemd - extend systemctl is-enabled check to handle "enabled-runtime" (#77754).
- systemd facts - handle AttributeError raised while gathering facts on non-systemd hosts.
- systemd_service - handle mask operation failure (#81649).
- templating hostvars under native jinja will not cause serialization errors anymore.
- the raw arguments error now just displays the short names of modules instead of every possible variation
- unarchive - Better handling of files with an invalid timestamp in zip file (#81092).
- unarchive - trigger change when size and content differ when other properties are unchanged (#83454).
- unsafe data - Address an incompatibility when iterating or getting a single index from
AnsibleUnsafeBytes
- unsafe data - Address an incompatibility with
AnsibleUnsafeText
andAnsibleUnsafeBytes
when pickling withprotocol=0
- unsafe data - Enable directly using
AnsibleUnsafeText
with Pythonpathlib
(#82414) - uri - deprecate 'yes' and 'no' value for 'follow_redirects' parameter.
- user action will now require O(force) to overwrite the public part of an ssh key when generating ssh keys, as was already the case for the private part.
- user module now avoids changing ownership of files symlinked in provided home dir skeleton
- vault - handle vault password file value when it is directory (#42960).
- vault.is_encrypted_file is now optimized to be called in runtime and not for being called in tests
- vault_encrypted test documentation, name and examples have been fixed, other parts were clarified
- winrm - Add retry after exceeding commands per user quota that can occur in loops and action plugins running multiple commands.
- ansible-test - When using ansible-test containers with Podman on a Ubuntu 24.04 host, ansible-test must be run as a non-root user to avoid permission issues caused by AppArmor.
- ansible-test - When using the Fedora 40 container with Podman on a Ubuntu 24.04 host, the
unix-chkpwd
AppArmor profile must be disabled on the host to allow SSH connections to the container.
- timedout - did the task time out
- vaulted_file - Is this file an encrypted vault
- mount_facts - Retrieve mount information.