role-name: false positives with galaxy roles (106)

[konstruktoid]

Summary

106 Role name konstruktoid.hardening does not match ``^[a-z][a-z0-9_]+$`` pattern but https://galaxy.ansible.com/docs/using/installing.html#roles states, and Ansible Galaxy is structured around, the <user>.<role> naming scheme.

Issue Type

• Bug Report

Ansible and Ansible Lint details

ansible-lint 4.3.3.dev1+gcc23bae

• ansible and ansible-lint installed using pip3, https://github.com/konstruktoid/ansible-role-hardening/blob/master/action-lint/Dockerfile#L16-L17

OS / ENVIRONMENT

GitHub Actions, https://github.com/konstruktoid/ansible-role-hardening/actions

STEPS TO REPRODUCE

Run ansible-lint with a role name containing a ..

[greg-hellings]

The user name gets added automatically. You don't name your role "me.myrole". You name it "myrole" and when it gets added to Galaxy, then it gets your name prefixed to it.

[konstruktoid]

True, e.g. https://galaxy.ansible.com/konstruktoid/hardening but then I ansible-galaxy install konstruktoid.hardening which results in

$ ansible-galaxy list
# /etc/ansible/roles
- konstruktoid.hardening

and use the role as in https://github.com/konstruktoid/ansible-role-hardening/blob/master/tests/test.yml#L5-L6

[greg-hellings]

I'm not seeing what exactly ansible-lint is choking on in your code. Is it choking on the name of the folder it's running in?

[konstruktoid]

It chokes when running ansible-lint -vv tests/test.yml (https://github.com/konstruktoid/ansible-role-hardening/blob/master/tests/test.yml) containing:

- hosts: all
  become: true
  tasks:
    - include_role:
        name: konstruktoid.hardening

- hosts: all
  become: true
  tasks:
    - include: debug_facts.yml
...

$ ls  /etc/ansible/roles/
konstruktoid.hardening

generated by ansible-galaxy install konstruktoid.hardening

[konstruktoid]

https://pipelines.actions.githubusercontent.com/gMaQJj8yHNHPAX1w5gwMZt0fEFZDr0Z6ErIVAIhHbF95ZfSR2d/_apis/pipelines/1/runs/82/signedlogcontent/3?urlExpires=2020-08-26T19%3A17%3A12.9510676Z&urlSigningMethod=HMACV1&urlSignature=eIRKKqEwG10rXhBmUOAhG6YYd%2FQ7GBX61DT9peL2FU4%3D

2020-08-26T18:28:09.7434846Z # Running ansible-lint
2020-08-26T18:28:10.4508092Z ansible-lint 4.3.3.dev1+gcc23bae
2020-08-26T18:28:11.5532061Z DEBUG    Logging initialized to level 10
2020-08-26T18:28:11.5536058Z DEBUG    Options: Namespace(colored=False, config_file=None, display_relative_path=True, exclude_paths=[], format='plain', listrules=False, listtags=False, parseable=False, parseable_severity=False, playbook=['./tests/test.yml'], quiet=False, rulesdir=[], skip_list=[], tags=[], use_default_rules=False, verbosity=2, warn_list=[])
2020-08-26T18:28:11.5541533Z DEBUG    Loading rules from /usr/lib/python3.8/site-packages/ansiblelint/rules
2020-08-26T18:28:12.0269577Z DEBUG    Examining tests/test.yml of type playbook
2020-08-26T18:28:12.0408257Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/aide.yml of type tasks
2020-08-26T18:28:12.9108210Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/path.yml of type tasks
2020-08-26T18:28:13.0758800Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/password.yml of type tasks
2020-08-26T18:28:13.7906972Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/extras.yml of type tasks
2020-08-26T18:28:14.0838753Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/postfix.yml of type tasks
2020-08-26T18:28:14.3198008Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/resolvedconf.yml of type tasks
2020-08-26T18:28:14.4155490Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/motdnews.yml of type tasks
2020-08-26T18:28:14.6541892Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/timesyncd.yml of type tasks
2020-08-26T18:28:14.7567407Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/disablemod.yml of type tasks
2020-08-26T18:28:14.8602901Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/packages.yml of type tasks
2020-08-26T18:28:15.9405350Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/firewall.yml of type tasks
2020-08-26T18:28:16.9467426Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/users.yml of type tasks
2020-08-26T18:28:17.0651234Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/rootaccess.yml of type tasks
2020-08-26T18:28:17.2762074Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/rkhunter.yml of type tasks
2020-08-26T18:28:17.5863092Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/umask.yml of type tasks
2020-08-26T18:28:18.1725666Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/adduser.yml of type tasks
2020-08-26T18:28:18.3186974Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/fstab.yml of type tasks
2020-08-26T18:28:18.5175246Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/cron.yml of type tasks
2020-08-26T18:28:18.9407182Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/logindconf.yml of type tasks
2020-08-26T18:28:19.0460774Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/sshdconfig.yml of type tasks
2020-08-26T18:28:19.1458058Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/hosts.yml of type tasks
2020-08-26T18:28:19.2960662Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/journalconf.yml of type tasks
2020-08-26T18:28:19.6594469Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/limits.yml of type tasks
2020-08-26T18:28:19.8161620Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/issue.yml of type tasks
2020-08-26T18:28:19.9148355Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/suid.yml of type tasks
2020-08-26T18:28:20.0050838Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/disablenet.yml of type tasks
2020-08-26T18:28:20.1102371Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/disablefs.yml of type tasks
2020-08-26T18:28:20.2055463Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/auditd.yml of type tasks
2020-08-26T18:28:20.6264217Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/lockroot.yml of type tasks
2020-08-26T18:28:20.6966228Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/ctrlaltdel.yml of type tasks
2020-08-26T18:28:20.7830662Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/pre.yml of type tasks
2020-08-26T18:28:21.3531131Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/prelink.yml of type tasks
2020-08-26T18:28:21.5774997Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/logindefs.yml of type tasks
2020-08-26T18:28:21.6636292Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/mount.yml of type tasks
2020-08-26T18:28:21.7469570Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/pkgupdate.yml of type tasks
2020-08-26T18:28:22.5120243Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/sysctl.yml of type tasks
2020-08-26T18:28:22.6112835Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/sudo.yml of type tasks
2020-08-26T18:28:23.0498151Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/systemdconf.yml of type tasks
2020-08-26T18:28:23.2396405Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/apport.yml of type tasks
2020-08-26T18:28:23.3491819Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/main.yml of type tasks
2020-08-26T18:28:23.6136105Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/handlers/main.yml of type handlers
2020-08-26T18:28:23.7013724Z DEBUG    Examining ../../etc/ansible/roles/konstruktoid.hardening/meta/main.yml of type meta
2020-08-26T18:28:23.7172843Z DEBUG    Examining tests/debug_facts.yml of type tasks
2020-08-26T18:28:23.8118458Z 106 Role name konstruktoid.hardening does not match ``^[a-z][a-z0-9_]+$`` pattern
2020-08-26T18:28:23.8118731Z ../../etc/ansible/roles/konstruktoid.hardening/tasks/aide.yml:1
2020-08-26T18:28:23.8118972Z ---
2020-08-26T18:28:23.8119079Z 
2020-08-26T18:28:23.8122729Z ##[error][E106] Role name konstruktoid.hardening does not match ``^[a-z][a-z0-9_]+$`` pattern
2020-08-26T18:28:23.8126197Z You can skip specific rules by adding them to the skip_list section of your     
2020-08-26T18:28:23.8126580Z configuration file:                                                             
2020-08-26T18:28:23.8126654Z 
2020-08-26T18:28:23.8127234Z ┌──────────────────────────────────────────────────────────────────────────────┐
2020-08-26T18:28:23.8127555Z │# .ansible-lint                                                               │
2020-08-26T18:28:23.8127858Z │warn_list:  # or 'skip_list' to silence them completely                       │
2020-08-26T18:28:23.8128164Z │  - '106'  # Role name {} does not match ``^[a-z][a-z0-9_]+$`` pattern'       │
2020-08-26T18:28:23.8128515Z └──────────────────────────────────────────────────────────────────────────────┘
2020-08-26T18:28:23.8643674Z ansible-lint failed.

[konstruktoid]

Related #1001 #967

[coglinev3]

The user name gets added automatically. You don't name your role "me.myrole". You name it "myrole" and when it gets added to Galaxy, then it gets your name prefixed to it.

With ansible-lint 4.3.0 I get the same error with all of my Ansible Galaxy roles, for example coglinev3.ansible_python

ansible-lint tests/test.yml
[106] Role name coglinev3.ansible_python does not match ``^[a-z][a-z0-9_]+$`` pattern
tasks/install-python3.yml:1

Since I publish my Ansible roles on Ansible Galaxy, I name the Ansible roles locally or for testing with a CI / CD tool, such as Travis-CI, according to the Ansible Galaxy naming scheme author_name.role_name as @konstruktoid has described.
In my opinion, the dot should be a valid character when checking rule [106]. Otherwise, a large number of developers working with Ansible Galaxy roles will run into a problem which will result in them adding rule [106] to the skip list.

[jobcespedes]

same here

[ssbarnea]

The real issue here is that you are linting code from outside current repository. You should add ../../etc to the linter exclude path to prevent it from nagging you about untracked ansible code.

[konstruktoid]

I'm sorry @ssbarnea, but where does it nag about untracked Ansible code?

[ssbarnea]

Look at Examining ../../etc/ansible/roles/konstruktoid.hardening/tasks/ this is clearly code that is not from inside the repository and we should not care about it. You should not lint code installed with galaxy, that is supposed to be linted by the author.

Anything starting with ../ is outside repository root.

[konstruktoid]

Updated to ansible-lint-4.3.4.dev8+g0d4142c.

$ cd /etc/ansible/roles/konstruktoid.hardening
$ pwd
/etc/ansible/roles/konstruktoid.hardening
$ ls
LICENSE  README.md  Vagrantfile  action-lint  defaults  handlers  meta  molecule  postChecks.sh  provision  renovate.json  runPlaybook.sh  tasks  templates  tests
$ pip3 install git+https://github.com/ansible/ansible-lint.git
Collecting git+https://github.com/ansible/ansible-lint.git
  Cloning https://github.com/ansible/ansible-lint.git to /private/var/folders/g5/cz5cgtwd5l59bzkjkr0cbj0xwnlwnj/T/pip-req-build-a8globg3
[...]
Successfully installed ansible-lint-4.3.4.dev8+g0d4142c
$ ansible-lint -vv .
DEBUG    Logging initialized to level 10
DEBUG    Options: Namespace(colored=False, config_file=None, display_relative_path=True, exclude_paths=[], format='rich', listrules=False, listtags=False, parseable=False, parseable_severity=False, playbook=['.'], quiet=False, rulesdir=[], skip_list=[], tags=[], use_default_rules=False, verbosity=2, warn_list=['106', '208'])
DEBUG    Loading rules from /Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/ansiblelint/rules
DEBUG    Examining tasks/journalconf.yml of type tasks
DEBUG    Examining tasks/sshdconfig.yml of type tasks
DEBUG    Examining tasks/ctrlaltdel.yml of type tasks
DEBUG    Examining tasks/resolvedconf.yml of type tasks
DEBUG    Examining tasks/disablenet.yml of type tasks
DEBUG    Examining tasks/adduser.yml of type tasks
DEBUG    Examining tasks/sudo.yml of type tasks
DEBUG    Examining tasks/timesyncd.yml of type tasks
DEBUG    Examining tasks/disablemod.yml of type tasks
DEBUG    Examining tasks/fstab.yml of type tasks
DEBUG    Examining tasks/prelink.yml of type tasks
DEBUG    Examining tasks/packages.yml of type tasks
DEBUG    Examining tasks/logindconf.yml of type tasks
DEBUG    Examining tasks/users.yml of type tasks
DEBUG    Examining tasks/cron.yml of type tasks
DEBUG    Examining tasks/password.yml of type tasks
DEBUG    Examining tasks/limits.yml of type tasks
DEBUG    Examining tasks/apport.yml of type tasks
DEBUG    Examining tasks/postfix.yml of type tasks
DEBUG    Examining tasks/rkhunter.yml of type tasks
DEBUG    Examining tasks/firewall.yml of type tasks
DEBUG    Examining tasks/motdnews.yml of type tasks
DEBUG    Examining tasks/issue.yml of type tasks
DEBUG    Examining tasks/extras.yml of type tasks
DEBUG    Examining tasks/path.yml of type tasks
DEBUG    Examining tasks/pkgupdate.yml of type tasks
DEBUG    Examining tasks/rootaccess.yml of type tasks
DEBUG    Examining tasks/lockroot.yml of type tasks
DEBUG    Examining tasks/aide.yml of type tasks
DEBUG    Examining tasks/suid.yml of type tasks
DEBUG    Examining tasks/auditd.yml of type tasks
DEBUG    Examining tasks/sysctl.yml of type tasks
DEBUG    Examining tasks/logindefs.yml of type tasks
DEBUG    Examining tasks/apparmor.yml of type tasks
DEBUG    Examining tasks/mount.yml of type tasks
DEBUG    Examining tasks/pre.yml of type tasks
DEBUG    Examining tasks/systemdconf.yml of type tasks
DEBUG    Examining tasks/main.yml of type tasks
DEBUG    Examining tasks/hosts.yml of type tasks
DEBUG    Examining tasks/umask.yml of type tasks
DEBUG    Examining tasks/disablefs.yml of type tasks
DEBUG    Examining handlers/main.yml of type handlers
DEBUG    Examining meta/main.yml of type meta
208 File permissions not mentioned
tasks/auditd.yml:21
Task/Handler: enable syslog plugin

106 Role name konstruktoid.hardening does not match ``^[a-z][a-z0-9_]+$`` pattern
tasks/journalconf.yml:1
---

208 File permissions not mentioned
tasks/journalconf.yml:48
Task/Handler: set rsyslog.conf FileCreateMode

[jobcespedes]

I believe there is some misunderstanding of this issue, a legit one, I think. The updated molecule version throws an error when run in the role's parent directory and that directory is named <namespace>.<role> (ansible galaxy default name).

For me, it broke several role's CI pipelines. The workaround is to add rule 106 to warn or skip list; although, it shouldn't have failed in the first place.

[badnetmask]

The release notes for v4.3.5 says this has been fixed by #1044 . I tried the new release today, but the problem persists. (tag: @nre-ableton )

[ssbarnea]

Someone needs to create a repository with a minimal reproduction use case for this issue. Without it we no not have a bug.

[nre-ableton]

The release notes for v4.3.5 says this has been fixed by #1044 . I tried the new release today, but the problem persists. (tag: @nre-ableton )

4.3.5 is working in my projects, are you sure that you are setting role_name correctly in main/meta.yml?

[badnetmask]

Adding role_name does not fully fix the problem (read below for a better explanation). Even if it did, there is some ambiguity here: ansible-galaxy init does not create that variable.

https://galaxy.ansible.com/docs/contributing/creating_role.html

role_name
  Optional. Use to override the name of the role.

Here is a very simple test to confirm the bug persists:

$ ansible-galaxy --version
ansible-galaxy 2.9.13
(...)
  python version = 3.8.5 (default, Aug 12 2020, 00:00:00) [GCC 10.2.1 20200723 (Red Hat 10.2.1-1)]
$ ansible-galaxy init testrole.test
- Role testrole.test was created successfully
$ ansible-lint --version
ansible-lint 4.3.5
$ ansible-lint testrole.test/
(...)
[106] Role name testrole.test does not match ``^[a-z][a-z0-9_]+$`` pattern
testrole.test/tasks/main.yml:1
(...)

Please note this observation in the Galaxy documentation:

Setting the value of role_name on an existing role will change the name of the role by converting it
to lowercase, and translating ‘-‘ and ‘.’ to ‘_’. If the name of an existing role should not be altered,
don’t set the value of role_name.

So, if I set the value of role_name to be testrole_test, then lint passes, however that's not the expected behavior since the variable role_name is optional.

Besides, this test was working fine until 4.3.1, then it started failing from 4.3.2 and forward. This is, at least, a regression.

[nre-ableton]

Well, ansible-lint tests for a number of optional things which one should follow as a best practice. However, Ansible's documentation for role names states:

Role names are limited to lowercase word characters (i.e., a-z, 0-9) and ‘’. No special characters are allowed, including ‘.’, ‘-‘, and space. During import, any ‘.’ and ‘-‘ characters contained in the repository name or role_name will be replaced with ‘’.

[badnetmask]

I think we're both getting confused with interpretation of the docs.

Here's my understanding: the repo name is allowed to have a dot or a dash, in which case Galaxy will convert the dot (or dash) to underscore during the role import process. I believe that, with that being the case, ansible-lint should do the same.

To be more precise, I think ansible-lint should convert the dot to underscore when the role_name variable is not defined, but force the defined regex when the variable is defined (against the value in the variable, ignoring the repo name).

This way you will probably unblock a lot of people's CIs, without forcing them to rename their repos. I personally have at least 85 repos with dot in the name that are being affected by this bug. Renaming all these repos will create a terrible cascade effect.

[nre-ableton]

I'm just a one-time contributor to ansible-lint, so I think that @ssbarnea is in a better place to comment on the behavior. However, I sympathize with you being blocked on updating to 4.3.x on account of this behavior. Is suppressing E106 in a config file not an option for you?

[jobcespedes]

Please consider the usage of namaspace as part of the parent directory name of the role:

• Galaxy docs say:

When referencing a role or collection for download and install the namespace becomes part of the reference in the form namespace.[role | collection]_name

• In many CI pipelines the role_name is converted to namespace.role_name to test it afterwards. Therefore, its parent directory name includes a dot, which gives an error with the rule under consideration