--check shows changes that won't actually happen

Hi,

We have a playbook to manage SSH keys on our servers (we are not using the authorized_key module because it appends users’ keys without ever deleting the old ones).
For that we created a template to gather all the SSH keys based on the different roles and groups, which is working fine except when using the --check option.
When using that option, Ansible will show changes that are not going to happen when the playbook is run without the option.

As an example:

$ ansible-playbook keys.yml --limit somehost --check

[…]

somehost : ok=15 changed=4 unreachable=0 failed=0

$ ansible-playbook keys.yml --limit somehost

[…]
somehost : ok=15 changed=0 unreachable=0 failed=0

The changes concern the authorized_key file (here 4 changes because the playbook deploys 4 users).
Here’s an extract of the output of the command when ran with the --diff option:

$ ansible-playbook keys.yml --limit somehost --check --diff

[…]
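As an added illustration of the approach the post describes (a rendered file that replaces each user's authorized_keys wholesale, so keys of removed users disappear instead of accumulating), this is not the thread author's playbook nor Ansible's own code; the `ssh_users` variable and the key strings are constructed placeholders.

```yaml
# Added example, not from the thread. ssh_users and the key strings are
# constructed placeholders; in practice they would come from group_vars per role.
- hosts: all
  become: yes
  vars:
    ssh_users:
      - name: alice
        pubkeys:
          - "ssh-ed25519 AAAA_PLACEHOLDER_ALICE alice@workstation"
      - name: bob
        pubkeys:
          - "ssh-ed25519 AAAA_PLACEHOLDER_BOB bob@laptop"
  tasks:
    - name: Ensure ~/.ssh exists with strict permissions
      file:
        path: "/home/{{ item.name }}/.ssh"
        state: directory
        owner: "{{ item.name }}"
        group: "{{ item.name }}"
        mode: "0700"
      with_items: "{{ ssh_users }}"

    - name: Write the complete authorized_keys (whole-file replacement drops stale keys)
      copy:
        dest: "/home/{{ item.name }}/.ssh/authorized_keys"
        owner: "{{ item.name }}"
        group: "{{ item.name }}"
        mode: "0600"
        # The content is rendered by Ansible, so the Jinja loop below expands
        # to exactly the managed keys and nothing else.
        content: |
          # Managed by Ansible; manual edits are overwritten on the next run.
          {% for key in item.pubkeys %}
          {{ key }}
          {% endfor %}
      with_items: "{{ ssh_users }}"
```

Running this with `--check --diff` previews the rendered content against what is currently on the host, which is the comparison the rest of the thread is debating; the second task is the only one that should ever report a change once the files match.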

Replies inline…

Thanks for your reply, more info below.

This could be handled by having a previous task that copied a blank file over, provided you weren’t logged in as that user.

That’s not a bad idea, I will look into that.

You could also keep a list of previous keys and use state=absent to remove those.

That seems cumbersome.

I’m open to the idea of having a parameter like exclusive=yes that removes the other keys in the file.

Would sure make my task easier.

Some ansible modules don’t fully understand check mode and will report “changed=True” automatically without running in check mode rather than risk making a change.

I see.

Can we see the changed lines from your ansible playbook, as well as the output of ansible --version to confirm this is from those lines and a recent version of Ansible?

$ ansible --version
ansible 1.6.3

Not sure what you meant by “the changed lines from your ansible playbook”.

In this case it is showing that there would be additions from your template that are not in the original file, so it seems that it is returning accurately in this regard.
Or is your assertion that the diff is also wrong? That seems somewhat unlikely, but somewhat resembles what may be an older bug in Ansible – I could be wrong.

It seems that the diff is saying the same thing as the check, so I suppose it is not wrong, but it shows differences while there are actually none (if I had run the command again without the --check, there would have been no changes).
It makes me believe that what Ansible feeds to the diff is wrong, because of that --check option.

Ansible 1.6.3 is no longer the active released version of Ansible, and since 1.6.3 there have been many updates, many security related.

When reporting issues, it’s helpful to have tested at least the latest release, which is 1.7.1.

If you see diff issues there, let us know, but seeing you reported on 1.6.3 there’s a good chance this is now resolved.

Thanks!

Installed Ansible 1.7.1 from the ppa:

$ ansible --version
ansible 1.7.1

And I am seeing the exact same output as with the 1.6.3, the --check still reports the authorized_keys files on the remote host are empty (the diff is still the same).

I’m wondering if this may be because it doesn’t have permission to read them and the --diff flag has a buglet in it.

check should be generally fine, I would suspect the diff logic could be throwing it.

Does it report a change w/o --diff ?

Here’s a summary:

Ok please file a ticket and we can investigate.

Thanks!