Issue with ansible.builtin.dnf list updates

ume90009 · October 30, 2025, 9:51am

When using the below task:

- name: Get list of available updates
  ansible.builtin.dnf:
    list: updates
  register: dnf_available_patches

- name: Display available updates
  ansible.builtin.debug:
    var: dnf_available_patches

The output shows more updates than what the normal dnf list updates command shows.
Example: Actual updates = 14, but Ansible shows 56.

It looks like the module lists packages from all architectures and repos, not just the unique ones like the normal dnf command does.
This is causing confusion in our post-patching reports (available vs installed counts don’t match).

Questions:

Is this normal behavior of the ansible.builtin.dnf module, or a known bug?
Is there a way to list only security or bugfix updates using this module (without using shell commands)?

This is part of our end-to-end automated patching setup triggered by ITSM, so reporting accuracy is important.

Lyle_McKarns · October 30, 2025, 11:38am

The module documentation says that list is for use with ansible directly, and not in playbooks.

It seems like ansible.builtin.package_facts might be a better approach to what you’re looking for.

ume90009 · October 31, 2025, 6:22am

ansible.builtin.package_facts will be fetching only installed packages not updates, am i rigth?

Lyle_McKarns · October 31, 2025, 1:37pm

Yes, that does appear to be true.

When doing some testing, I’m able to reproduce this with the following

---
- name: Local DNF test
  hosts: localhost
  connection: local
  gather_facts: true

  tasks:
    - name: list updates with dnf module
      tags: [list, mod]
      ansible.builtin.dnf:
        list: updates
      register: module_updates

    - name: debug module
      tags: [debug, mod]
      ansible.builtin.debug:
        msg: "{{ module_updates.results | length }}"

    - name: list updates with shell
      tags: [list, shell]
      ansible.builtin.shell:
        cmd: dnf check-update | grep -c ' updates$'
      register: shell_updates
      changed_when: False

    - name: debug shell
      tags: [debug, shell]
      ansible.builtin.debug:
        msg: "{{ shell_updates.stdout }}"

    - name: list updates pkg facts
      tags: [list, pkg]
      ansible.builtin.package_facts:
        manager: auto

    - name: debug pkg facts
      tags: [debug, pkg]
      ansible.builtin.debug:
        msg: "{{ ansible_facts.packages }}"

using ansible.builtin.dnf (or .dnf5) with list: updates gives me a different number than using the shell command, and ansible.builtin.package_facts does indeed show all installed packages, and I can’t find anything in the output indicating which of them are updateable.

I will also note that on my test system, the difference was one package, and it was one NOT in the updates repo.

Topic		Replies	Views
Getting complete package update information Ansible Project	4	133	March 6, 2024
Ansible.builtin.dnf module - capturing output of package upgrades Get Help rhel , centos , rockylinux , almalinux	3	3152	October 6, 2023
Debian/Ubuntu: Show available updates (or control if all updates are installed) Ansible Project ubuntu	2	65	February 13, 2016
dpkg options Ansible Project	0	8	December 19, 2014
Reporting on dry run package updates Ansible Project galaxy-ng	0	18	December 8, 2015

Issue with ansible.builtin.dnf list updates

Related topics