I found an issue in ansible 2.4.2.0. This may have existed in previous versions.
[defaults]
callback_whitelist = timer
fact_caching = jsonfile
fact_caching_connection = ./.fact_cache
gathering = smart
host_key_checking = False
inventory = ./inventories
log_path = /tmp/ansible.${USER}.log
roles_path = ./roles
The issue revolves around the cache file not being invalidated when different parameters are used to fetch the facts.
In the example below, the root_fact will not be printed and an error is raised.
-
hosts: example_host
gather_facts: true
tasks: -
debug:
msg: “user_fact: {{ user_fact }}” -
hosts: example_host
gather_facts: true
become: true # fetch privileged facts
tasks: -
debug:
msg: “root_fact: {{ root_fact }}”
The reason is the first play fetched the facts and primed the cache with non-privileged results. Subsequent privileged fact lookups will use the cache file, but the privileged facts aren’t in the cache.
I consider this a bug.
And the inverse is also true; if privileged facts are obtained first then subsequent plays will use the cache results and those subsequent plays will have access to privileged facts. In the example below, “root_fact_nonpriv” will be printed.
- hosts: example_host
gather_facts: true
become: true # fetch privileged facts
tasks:
-
debug:
msg: “root_fact: {{ root_fact }}” -
hosts: example_host
gather_facts: true
tasks: -
debug:
msg: “root_fact_nonpriv: {{ root_fact }}”
I don’t know whether I consider this a security bug, but it smells.
In both cases, subtle bugs can be introduced that can be hard to track down.
It seems to me the cache file needs to store the conditions in which it was retrieved. A simple approach would be appending ‘privileged’ to the cache file and using the appropriate cache file based on whether ‘become=true’ is set. Example:
.fact_cache/example_host # non-privileged facts
.fact_cache/example_host.privileged # privileged facts
In summary, a fact cache file obviously needs to continue to check whether it’s stale or not by comparing age of the file to the cache timeout.
In addition, I would argue that ansible also needs to know whether the cache file is privileged or not when considering whether it’s stale or not.
BTW, using meta: clear_facts is a workaround not really a solution.
Thoughts?