Topics
- ansible-galaxy - Prevent roles from using symlinks to overwrite files outside of the installation directory (CVE-2023-5115)
- ansible-galaxy info - fix reporting no role found when lookup_role_by_name returns None.
- Removed `exclude` and `recursive-exclude` commands for generated files from the `MANIFEST.in` file. These excludes were unnecessary since releases are expected to be built with a clean worktree.
- Removed `exclude` commands for sanity test files from the `MANIFEST.in` file. These tests were previously excluded because they did not pass when run from an sdist. However, sanity tests are not expected to pass from an sdist, so excluding some (but not all) of the failing tests makes little sense.
- Removed redundant `include` commands from the `MANIFEST.in` file. These includes either duplicated default behavior or another command.
- The `ansible-core` sdist no longer contains pre-generated man pages. Instead, a `packaging/cli-doc/build.py` script is included in the sdist. This script can generate man pages and standalone RST documentation for `ansible-core` CLI programs.
- The `docs` and `examples` directories are no longer included in the `ansible-core` sdist. These directories have been moved to the https://github.com/ansible/ansible-documentation repository.
- The minimum required `setuptools` version is now 45.2.0, as it is the oldest version to support Python 3.10.
- Use `include` where `recursive-include` is unnecessary in the `MANIFEST.in` file.
- Use `package_data` instead of `include_package_data` for `setup.cfg` to avoid `setuptools` warnings.
- ansible-test - Update the logic used to detect when `ansible-test` is running from source.
- ansible-test - Replaced freebsd/12.3 remote with freebsd/12.4. The former is no longer functional.
- ansible-test - Replaced freebsd/13.0 remote with freebsd/13.1. The former is no longer functional.
- Exclude internal options from man pages and docs.
- Fix `ansible-config init` man page option indentation.
- The `ansible-config init` command now has a documentation description.
- The `ansible-galaxy collection download` command now has a documentation description.
- The `ansible-galaxy collection install` command documentation is now visible (previously hidden by a decorator).
- The `ansible-galaxy collection verify` command now has a documentation description.
- The `ansible-galaxy role install` command documentation is now visible (previously hidden by a decorator).
- The `ansible-inventory` command now has a documentation description (previously used as the epilog).
- Update module_utils.urls unit test to work with cryptography >= 41.0.0.
- When generating man pages, use `func` to find the command function instead of looking it up by the command name.
- ansible-galaxy - Enabled the `data` tarfile filter during role installation for Python versions that support it. A probing mechanism is used to avoid Python versions with a broken implementation.
- ansible-test - Always use ansible-test managed entry points for ansible-core CLI tools when not running from source. This fixes issues where CLI entry points created during install are not compatible with ansible-test.
- ansible-test - Pre-build a PyYAML wheel before installing requirements to avoid a potential Cython build failure.
- man page build - Sub commands of `ansible-galaxy role` and `ansible-galaxy collection` are now documented.
- tarfile - handle data filter deprecation warning message for extract and extractall (#80832).
- Removed `straight.plugin` from the build and packaging requirements.
- ansible-test - Fix a traceback that occurs when attempting to test Ansible source using a different ansible-test. A clear error message is now given when this scenario occurs.
- ansible-test local change detection - use `git merge-base <branch> HEAD` instead of `git merge-base --fork-point <branch>` (#79734).
- man page build - Remove the dependency on the `docs` directory for building man pages.
- ansible-test - Allow float values for the `--timeout` option to the `env` command. This simplifies testing.
- ansible-test - Refactored `env` command logic and timeout handling.
- ansible-test - Use `datetime.datetime.now` with `tz` specified instead of `datetime.datetime.utcnow`.
- ansible-galaxy - fix installing signed collections (#80648).
- ansible-galaxy collection verify - fix verifying signed collections when the keyring is not configured.
- ansible-test - Fix handling of timeouts exceeding one day.
- ansible-test - Fix various cases where the test timeout could expire without terminating the tests.
- ansible-test - When bootstrapping remote FreeBSD instances, use the OS packaged `setuptools` instead of installing the latest version from PyPI.
- pep517 build backend - Copy symlinks when copying the source tree. This avoids tracebacks in various scenarios, such as when a venv is present in the source tree.
- ansible-test - Moved git handling out of the validate-modules sanity test and into ansible-test.
- ansible-test - Removed the `--keep-git` sanity test option, which was limited to testing ansible-core itself.
- ansible-test - Updated the Azure Pipelines CI plugin to work with newer versions of git.
- ansible-test - Integration tests which depend on specific file permissions when running in an ansible-test managed host environment may require changes. Tests that require permissions other than `755` or `644` may need to be updated to set the necessary permissions as part of the test run.
- Fix `MANIFEST.in` to exclude unwanted files in the `packaging/` directory.
- Fix `MANIFEST.in` to include `*.md` files in the `test/support/` directory.
- Windows - Display a warning if the module failed to cleanup any temporary files rather than failing the task. The warning contains a brief description of what failed to be deleted.
- Windows - Ensure the module temp directory contains more unique values to avoid conflicts with concurrent runs - #80294
- Windows - Improve temporary file cleanup used by modules. Will use a more reliable delete operation on Windows Server 2016 and newer to delete files that might still be open by other software like Anti Virus scanners. There are still scenarios where a file or directory cannot be deleted but the new method should work in more scenarios.
- ansible-doc - stop generating wrong module URLs for module see-alsos. The URLs for modules in ansible.builtin do now work, and URLs for modules outside ansible.builtin are no longer added (#80280).
- ansible-galaxy - Improve retries for collection installs, to properly retry, and extend retry logic to common URL related connection errors (#80170 #80174)
- ansible-galaxy - reduce API calls to servers by fetching signatures only for final candidates.
- ansible-test - Add support for `argcomplete` version 3.
- ansible-test - Always indicate the Python version being used before installing requirements. Resolves issue #72855
- ansible-test - Exclude ansible-core vendored Python packages from ansible-test payloads.
- ansible-test - Integration test target prefixes defined in a `tests/integration/target-prefixes.{group}` file can now contain an underscore (`_`) character. Resolves issue #79225
- ansible-test - Removed pointless comparison in diff evaluation logic.
- ansible-test - Set `PYLINTHOME` for the `pylint` sanity test to prevent failures due to `pylint` checking for the existence of an obsolete home directory.
- ansible-test - Support loading of vendored Python packages from ansible-core.
- ansible-test - Use consistent file permissions when delegating tests to a container or remote host. Files with any execute bit set will use permissions `755`. All other files will use permissions `644`. (Resolves issue #75079)
- password lookup now correctly reads stored ident fields.
- pep517 build backend - Use the documented `import_module` import from `importlib`.
- ansible-test - Docker Desktop on WSL2 is now supported (additional configuration required).
- ansible-test - Docker and Podman are now supported on hosts with cgroup v2 unified. Previously only cgroup v1 and cgroup v2 hybrid were supported.
- ansible-test - Podman now works on container hosts without systemd. Previously only some containers worked, while others required rootfull or rootless Podman, but would not work with both. Some containers did not work at all.
- ansible-test - Podman on WSL2 is now supported.
- ansible-test - When additional cgroup setup is required on the container host, this will be automatically detected. Instructions on how to configure the host will be provided in the error message shown.
- ansible-test - A new `audit` option is available when running custom containers. This option can be used to indicate whether a container requires the AUDIT_WRITE capability. The default is `required`, which most containers will need when using Podman. If necessary, the `none` option can be used to opt-out of the capability. This has no effect on Docker, which always provides the capability.
- ansible-test - A new `cgroup` option is available when running custom containers. This option can be used to indicate a container requires cgroup v1 or that it does not use cgroup. The default behavior assumes the container works with cgroup v2 (as well as v1).
- ansible-test - Add support for provisioning Alpine 3.16 remote instances.
- ansible-test - Add support for provisioning Fedora 36 remote instances.
- ansible-test - Add support for provisioning Ubuntu 20.04 remote instances.
- ansible-test - Add support for provisioning remotes which require `doas` for become.
- ansible-test - Additional log details are shown when containers fail to start or SSH connections to containers fail.
- ansible-test - Alpine remotes now use `sudo` for tests, using `doas` only for bootstrapping.
- ansible-test - Become support for remote instance provisioning is no longer tied to a fixed list of platforms.
- ansible-test - Connection failures to remote provisioned hosts now show failure details as a warning.
- ansible-test - Containers included with ansible-test no longer disable seccomp by default.
- ansible-test - Failure to connect to a container over SSH now results in a clear error. Previously tests would be attempted even after initial connection attempts failed.
- ansible-test - FreeBSD remotes now use `sudo` for tests, using `su` only for bootstrapping.
- ansible-test - Integration tests can be excluded from retries triggered by the `--retry-on-error` option by adding the `retry/never` alias. This is useful for tests that cannot pass on a retry or are too slow to make retries useful.
- ansible-test - More details are provided about an instance when provisioning fails.
- ansible-test - Reduce the polling limit for SSHD startup in containers from 60 retries to 10. The one second delay between retries remains in place.
- ansible-test - Remote Alpine instances now have the `acl` package installed.
- ansible-test - Remote Fedora instances now have the `acl` package installed.
- ansible-test - Remote FreeBSD instances now have ACLs enabled on the root filesystem.
- ansible-test - Remote Ubuntu instances now have the `acl` package installed.
- ansible-test - SSH connections from OpenSSH 8.8+ to CentOS 6 containers now work without additional configuration. However, clients older than OpenSSH 7.0 can no longer connect to CentOS 6 containers as a result. The container must have `centos6` in the image name for this work-around to be applied.
- ansible-test - SSH shell connections from OpenSSH 8.8+ to ansible-test provisioned network instances now work without additional configuration. However, clients older than OpenSSH 7.0 can no longer open shell sessions for ansible-test provisioned network instances as a result.
- ansible-test - Specify the configuration file location required by test plugins when the config file is not found. This resolves issue: #79411
- ansible-test - The `ansible-test env` command now detects and reports the container ID if running in a container.
- ansible-test - Unit tests now support network disconnect by default when running under Podman. Previously this feature only worked by default under Docker.
- ansible-test - Use `stop --time 0` followed by `rm` to remove ephemeral containers instead of `rm -f`. This speeds up teardown of ephemeral containers.
- ansible-test - Warnings are now shown when using containers that were built with VOLUME instructions.
- ansible-test - When setting the max open files for containers, the container host's limit will be checked. If the host limit is lower than the preferred value, it will be used and a warning will be shown.
- ansible-test - When using Podman, ansible-test will detect if the loginuid used in containers is incorrect. When this occurs a warning is displayed and the container is run with the AUDIT_CONTROL capability. Previously containers would fail under this situation, with no useful warnings or errors given.
- ansible-test acme test container - update version to update used Pebble version, underlying Python and Go base containers, and Python requirements (#79783).
- Ansible.Basic.cs - Ignore compiler warning (reported as an error) when running under PowerShell 7.3.x.
- TaskExecutor - don't ignore templated _raw_params that k=v parser failed to parse (#79862)
- ansible-test - Always remove containers after failing to create/run them. This avoids leaving behind created containers when using podman.
- ansible-test - Avoid using `exec` after container startup when possible. This improves container startup performance and avoids intermittent startup issues with some old containers.
- ansible-test - Connection attempts to managed remote instances no longer abort on `Permission denied` errors.
- ansible-test - Detection for running in a Podman or Docker container has been fixed to detect more scenarios. The new detection relies on `/proc/self/mountinfo` instead of `/proc/self/cpuset`. Detection now works with custom cgroups and private cgroup namespaces.
- ansible-test - Fix bootstrapping of Python 3.9 on Ubuntu 20.04 remotes.
- ansible-test - Fix validate-modules error when retrieving PowerShell argspec when retrieved inside a Cmdlet
- ansible-test - Handle server errors when executing the `docker info` command.
- ansible-test - Multiple containers now work under Podman without specifying the `--docker-network` option.
- ansible-test - Pass the `XDG_RUNTIME_DIR` environment variable through to container commands.
- ansible-test - Perform PyPI proxy configuration after instances are ready and bootstrapping has been completed. Only target instances are affected, as controller instances were already handled this way. This avoids proxy configuration errors when target instances are not yet ready for use.
- ansible-test - Prevent concurrent / repeat inspections of the same container image.
- ansible-test - Prevent concurrent / repeat pulls of the same container image.
- ansible-test - Prevent concurrent execution of cached methods.
- ansible-test - Show the exception type when reporting errors during instance provisioning.
- ansible-test - Support Podman 4.4.0+ by adding the `SYS_CHROOT` capability when running containers.
- ansible-test - Temporary executables are now verified as executable after creation. Without this check, path injected scripts may not be found, typically on systems with `/tmp` mounted using the "noexec" option. This can manifest as a missing Python interpreter, or use of the wrong Python interpreter, as well as other error conditions.
- ansible-test - Test containers are now run with the `--tmpfs` option for `/tmp`, `/run` and `/run/lock`. This allows use of containers built without the `VOLUME` instruction. Additionally, containers with those volumes defined no longer create anonymous volumes for them. This avoids leaving behind volumes on the container host after the container is stopped and deleted.
- ansible-test - fix warning message about failing to run an image to include the image name
- file - touch action in check mode was always returning ok. Fix now evaluates the different conditions and returns the appropriate changed status. (#79360)
- ansible-test - Additional configuration may be required for certain container host and container combinations. Further details are available in the testing documentation.
- ansible-test - Custom containers with `VOLUME` instructions may be unable to start, when previously the containers started correctly. Remove the `VOLUME` instructions to resolve the issue. Containers with this condition will cause `ansible-test` to emit a warning.
- ansible-test - Systems with Podman networking issues may be unable to run containers, when previously the issue went unreported. Correct the networking issues to continue using `ansible-test` with Podman.
- ansible-test - Using Docker on systems with SELinux may require setting SELinux to permissive mode. Podman should work with SELinux in enforcing mode.
- ansible-test - Improve consistency of executed `pylint` commands by making the plugins ordered.
- file lookup now plays nice with generic lookup `errors` option.
- ansible-test - Improve consistency of version specific documentation links.
- BSD network facts - Do not assume column indexes, look for `netmask` and `broadcast` for determining the correct columns when parsing `inet` line (#79117)
- ansible-galaxy - make initial call to Galaxy server on-demand only when installing, getting info about, and listing roles.
- ansible-test - Add `wheel < 0.38.0` constraint for Python 3.6 and earlier.
- ansible-test - Fix broken documentation link for `aws` test plugin error messages.
- copy module will no longer move 'non files' set as src when remote_src=true.
- file lookup now handles missing files more gracefully.
- service_facts - Use python re to parse service output instead of grep (#78541)
- updated error messages to include 'acl' and not just mode changes when failing to set required permissions on remote.
- `ansible-galaxy` - remove extra server api call during dependency resolution for requirements and dependencies that are already satisfied (#77443).
- ansible-test - Allow disabled, unsupported, unstable and destructive integration test targets to be selected using their respective prefixes.
- ansible-test - Allow unstable tests to run when targeted changes are made and the `--allow-unstable-changed` option is specified (resolves #74213).
- apt - Fix module failure when a package is not installed and only_upgrade=True. Skip that package and check the remaining requested packages for upgrades. (#78762)
- apt module should not traceback on invalid type given as package. issue 78663.
- known_hosts - do not return changed status when a non-existing key is removed (#78598)
- paramiko - Add back support for `ssh_args`, `ssh_common_args`, and `ssh_extra_args` for parsing the `ProxyCommand` (#78750)
- plugin loader, fix detection for existing configuration before initializing for a plugin
- Fix for network_cli not getting all relevant connection options
- ansible-galaxy - Fix detection of `--role-file` in arguments for implicit role invocation (#78204)
- ansible-galaxy - Fix exit codes for role search and delete (#78516)
- ansible-test - Fix change detection for ansible-test's own integration tests.
- ansible-test - ansible-doc sanity test - Correctly determine the fully-qualified collection name for plugins in subdirectories, resolving #78490.
- apt - don't actually update the cache in check mode with update_cache=true.
- apt - don't mark existing packages as manually installed in check mode (#66413).
- apt - fix package selection to include /etc/apt/preferences(.d) (#77969)
- urls - Guard imports of `urllib3` by catching `Exception` instead of `ImportError` to prevent exceptions in the import process of optional dependencies from preventing use of `urls.py` (#78648)
- wait_for - Read file and perform comparisons using bytes to avoid decode errors (#78214)
- Avoid 'unreachable' error when chmod on AIX has 255 as return code.
- Fix PluginLoader to mimic Python import machinery by adding module to sys.modules before exec
- Fix dnf module documentation to indicate that comparison operators for package version require spaces around them (#78295)
- ansible-connection - decrypt vaulted parameters before sending over the socket, as vault secrets are not available on the other side.
- ansible-galaxy - Fix reinitializing the whole collection directory with `ansible-galaxy collection init ns.coll --force`. Now directories and files that are not included in the collection skeleton will be removed.
- ansible-galaxy - do not require mandatory keys in the `galaxy.yml` of source collections when listing them (#70180).
- ansible-galaxy - fix listing collections that contains metadata but the namespace or name are not strings.
- ansible-galaxy - fix setting the cache for paginated responses from Galaxy NG/AH (#77911).
- ansible-test - Delegation for commands which generate output for programmatic consumption no longer redirect all output to stdout. The affected commands and options are `shell`, `sanity --lint`, `sanity --list-tests`, `integration --list-targets`, `coverage analyze`
- ansible-test - Delegation now properly handles arguments given after `--` on the command line.
- ansible-test - Test configuration for collections is now parsed only once, prior to delegation. Fixes issue: #78334
- ansible-test - The `shell` command no longer redirects all output to stdout when running a provided command. Any command output written to stderr will be mixed with the stderr output from ansible-test.
- ansible-test - The `shell` command no longer requests a TTY when using delegation unless an interactive shell is being used. An interactive shell is the default behavior when no command is given to pass to the shell.
- dnf - fix output parsing on systems with `LANGUAGE` set to a language other than English (#78193)
- if a config setting prevents running ansible it should at least show its "origin".
- prevent type annotation shim failures from causing runtime failures (#77860)
- template module/lookup - fix `convert_data` option that was effectively always set to True for Jinja macros (#78141)
- uri - properly use uri parameter use_proxy (#58632)
- yum - fix traceback when `releasever` is specified with `latest` (#78058)
- ansible-test - An improved error message is shown when the download of a pip bootstrap script fails. The download now uses `urllib2` instead of `urllib` on Python 2.
- Move undefined check from concat to finalize (#78156)
- ansible-doc - no longer list module and plugin aliases that are created with symlinks (#78137).
- ansible-doc - when listing modules in collections, proceed recursively. This fixes module listing for community.general 5.x.y and community.network 4.x.y (#78137).
- ansible-doc will not add 'website for' in ":ref:" substitutions as it made them confusing.
- file backed cache plugins now handle concurrent access by making atomic updates to the files.
- password lookup does not ignore k=v arguments anymore.
- user - Fix error "Permission denied" in user module while generating SSH keys (#78017).
Add an 'action_plugin' field for modules in runtime.yml plugin_routing.
This fixes module_defaults by supporting modules-as-redirected-actions without redirecting module_defaults entries to the common action.
With the runtime.yml above for ns.coll, a task such as
will end up with defaults for eos_facts and eos_command since both modules redirect to the same action.
To select an action plugin for a module without merging module_defaults, define an action_plugin field for the resolved module in the runtime.yml.
The action_plugin field can be a redirected action plugin, as it is resolved normally.
Using the modified runtime.yml, the example task will only use the ns.coll.eos_facts defaults.
ansible-galaxy - Support resolvelib versions 0.6.x, 0.7.x, and 0.8.x. The full range of supported versions is now >= 0.5.3, < 0.9.0.
ansible-test - Add RHEL 9.0 remote support.
ansible-test - Add support for Ubuntu VMs using the `--remote` option.
ansible-test - Add support for exporting inventory with `ansible-test shell --export {path}`.
ansible-test - Add support for multi-arch remotes.
ansible-test - Add support for running non-interactive commands with `ansible-test shell`.
ansible-test - Avoid using the `mock_use_standalone_module` setting for unit tests running on Python 3.8 or later.
ansible-test - Blocking mode is now enforced for stdin, stdout and stderr. If any of these are non-blocking then ansible-test will exit during startup with an error.
ansible-test - Improve consistency of output messages by using stdout or stderr for most output, but not both.
ansible-test - The `shell` command can be used outside a collection if no controller delegation is required.
- Add PyYAML >= 5.1 as a dependency of ansible-core to be compatible with Python 3.8+.
- ansible-config dump - Only display plugin type headers when plugin options are changed if --only-changed is specified.
- ansible-galaxy - handle unsupported versions of resolvelib gracefully.
- ansible-test - Fix internal validation of remote completion configuration.
- ansible-test - Prevent `--target-` prefixed options for the `shell` command from being combined with legacy environment options.
- ansible-test - Sanity test output with the `--lint` option is no longer mixed in with bootstrapping output.
- ansible-test - Subprocesses are now isolated from the stdin, stdout and stderr of ansible-test. This avoids issues with subprocesses tampering with the file descriptors, such as SSH making them non-blocking. As a result of this change, subprocess output from unit and integration tests on stderr now go to stdout.
- ansible-test - Subprocesses no longer have access to the TTY ansible-test is connected to, if any. This maintains consistent behavior between local testing and CI systems, which typically do not provide a TTY. Tests which require a TTY should use pexpect or another mechanism to create a PTY.
- apt module now correctly handles virtual packages.
- lookup plugin - catch KeyError when lookup returns dictionary (#77789).
- pip - fix cases where resolution of pip Python module fails when importlib.util has not already been imported
- plugin loader - Sort results when fuzzy matching plugin names (#77966).
- plugin loader will now load config data for plugin by name instead of by file to avoid issues with the same file being loaded under different names (fqcn + short name).
- psrp connection now handles default to inventory_hostname correctly.
- winrm connection now handles default to inventory_hostname correctly.
- Jinja2 Controller Requirement - Jinja2 3.0.0 or newer is required for the control node (the machine that runs Ansible) (#75881)
- Templating - remove `safe_eval` in favor of using `NativeEnvironment` but utilizing `literal_eval` only in cases when `safe_eval` was used (#75587)
- Action Plugins - Add helper method for argument spec validation, and extend to pause and async_wrapper
- Added AIX root CA certs folders - enhance the TLS support in `uri` task on AIX
- Added `module_utils.compat.typing` to facilitate type-hinting on all supported Python versions.
- Ansible.Basic - small changes to allow use in PowerShell modules running on non-Windows platforms (#76924).
- AnsibleModule.run_command() now has a toggle to allow caller to decide to handle exceptions from executing the command itself
- Attach concat function to an environment class (#76282)
- Clarify in a comment that unrolling an iterator in `Templar._finalize` is actually necessary. Also switch to using the `_unroll_iterator` decorator directly to deduplicate code in `Templar._finalize`. (#76436)
- Installation - modernize our python installation, to reduce dynamic code in setup.py, and migrate what is feasible to setup.cfg. This will enable shipping wheels in the future.
- PlayIterator - introduce public methods to access `PlayIterator._host_states` (#74416)
- PlayIterator - use enums for Iterating and Failed states (#74511)
- Reduce number of iterations through PlayIterator (#74175)
- Remove more Python 2.x compatibility code from controller (#77320).
- Start of moving away from using Six, Python 2 and 3 compatibility library (#75863)
- The collection loader now reports a Python warning if an attempt is made to install the Ansible collection loader a second time. Previously this condition was reported using an Ansible warning.
- `ansible-galaxy collection [install|verify]` - allow user-provided signature sources in addition to those from the Galaxy server. Each collection entry in a requirements file can specify a `signatures` key followed by a list of sources. Collection name(s) provided on the CLI can specify additional signature sources by using the `--signatures` CLI option. Signature sources should be URIs that can be opened with `urllib.request.urlopen()`, such as "https://example.com/path/to/detached_signature.asc" or "file:///path/to/detached_signature.asc". The `--keyring` option must be specified if signature sources are provided.
- `ansible-galaxy collection [install|verify]` - use gpg to verify the authenticity of the signed `MANIFEST.json` with ASCII armored detached signatures provided by the Galaxy server. The keyring (which is not managed by `ansible-galaxy`) must be provided with the `--keyring` option to use signature verification. If no `--keyring` is specified and the collection to `install|verify` has associated detached signatures on the Galaxy server, a warning is provided.
- `ansible-galaxy collection install` - Add a global configuration to modify the required number of signatures that must verify the authenticity of the collection. By default, the number of required successful signatures is 1. Set this option to `all` to require all signatures verify the collection. To ensure signature verification fails if there are no valid signatures, prepend the value with '+', such as `+all` or `+1`.
- `ansible-galaxy collection install` - Add a global ignore list for gpg signature errors. This can be used to ignore certain signatures when the number of required successful signatures is all. When the required number of successful signatures is a positive integer, the only effect this has is to display fewer errors to the user on failure (success is determined by having the minimum number of successful signatures, in which case all errors are disregarded).
- `ansible-galaxy collection install` - Add a global toggle to turn off GPG signature verification.
- `ansible-galaxy collection install` - Store Galaxy server metadata alongside installed collections for provenance. Signatures obtained from the Galaxy server can be used for offline verification with `ansible-galaxy collection verify --offline`.
- ansible-console - Provide a way to customize the stdout callback
- ansible-core modules - Remove unused Python shebangs from built-in modules.
- ansible-doc metadata dump - add option `--no-fail-on-errors` which allows to not fail the ansible-doc invocation when errors happen during docs parsing or processing. Instead they are reported in the JSON result in an `error` key for the affected plugins (#77035).
- ansible-galaxy - the option to skip certificate verification now also applies when cloning via SCM (git/hg) (#41077)
- ansible-test - Accept new-style Python modules without a shebang.
- ansible-test - Add `--version` support to show the ansible-core version.
- ansible-test - Add support for `rhel/8.5` remote instances.
- ansible-test - Add support for remote testing of FreeBSD 12.3.
- ansible-test - Add support for running container tests with `podman remote` (#75753)
- ansible-test - Added the `fedora35` test container.
- ansible-test - Change the maximum number of open files in a test container from the default to `10240`.
- ansible-test - Declare public dependencies of ansible-core and use to limit unguarded imports in plugins.
- ansible-test - Importing `distutils` now results in an error.
- ansible-test - Installation of `cryptography` is no longer version constrained when `openssl` 1.1.0 or later is installed.
- ansible-test - Miscellaneous code cleanup and type hint fixes.
- ansible-test - PowerShell in the `base` and `default` containers has been upgraded to version 7.1.4.
- ansible-test - Remove RHEL 8.4 remote (`rhel/8.4`) support.
- ansible-test - Remove `idna` constraint.
- ansible-test - Remove obsolete `MAXFD` display.
- ansible-test - Remove obsolete constraints for Python 2.6.
- ansible-test - Remove support for FreeBSD 12.2 remote provisioning.
- ansible-test - Remove support for macOS 11.1 remote provisioning.
- ansible-test - Remove support for provisioning remote AIX instances.
- ansible-test - Remove the
centos8
test container since CentOS 8 will reach end-of-life soon. - ansible-test - Remove the
fedora33
test container since Fedora 33 will reach end-of-life soon. - ansible-test - Remove unused Python 2.x compatibility code.
- ansible-test - Removed support for Sherlock from the Azure provisioning plugin.
- ansible-test - Removed used
MarkupSafe
constraint for Python 3.5 and earlier. - ansible-test - Requirements for the plugin import test are now frozen.
- ansible-test - Shellcheck in the
base
anddefault
containers has been upgraded to version 0.7.0. - ansible-test - Stop early with an error if the current working directory contains an invalid collection namespace or name.
- ansible-test - The `--help` option is now available when an unsupported cwd is in use.
- ansible-test - The `--help` output now shows the same instructions about cwd as would be shown in error messages if the cwd is unsupported.
- ansible-test - The `pip` and `wheel` packages are removed from all sanity test virtual environments after installation completes to reduce their size. Previously they were only removed from the environments used for the `import` sanity test.
- ansible-test - The explanation about cwd usage has been improved to explain more clearly what is required.
- ansible-test - The hash for all managed sanity test virtual environments has changed. Containers that include `ansible-test sanity --prime-venvs` will need to be rebuilt to continue using primed virtual environments.
- ansible-test - Update `base` container to version 2.1.0.
- ansible-test - Update `base` container to version 2.2.0.
- ansible-test - Update `default` containers to version 5.2.0.
- ansible-test - Update `default` containers to version 5.4.0.
- ansible-test - Update `default` containers to version 5.5.0.
- ansible-test - Update `default` containers to version 5.6.2.
- ansible-test - Update `default` containers to version 5.7.0.
- ansible-test - Update `default` containers to version 5.8.0.
- ansible-test - Update `default` containers to version 5.9.0.
- ansible-test - Update `pip` used to bootstrap remote FreeBSD instances from version 20.3.4 to 21.3.1.
- ansible-test - Update sanity test requirements.
- ansible-test - Update the NIOS test plugin container to version 1.4.0.
- ansible-test - Update the `alpine` container to version 3.3.0. This updates the base image from 3.14.2 to 3.15.0, which includes support for installing binary wheels using pip.
- ansible-test - Update the `base` and `default` containers from Python 3.10.0rc2 to 3.10.0.
- ansible-test - Update the `base` and `default` containers from a Ubuntu 18.04 to Ubuntu 20.04 base image.
- ansible-test - Update the `default` containers to version 5.1.0.
- ansible-test - Update the `galaxy` test plugin to get its container from a copy on quay.io.
- ansible-test - Update the `openshift` test plugin to get its container from a copy on quay.io.
- ansible-test - Use Python 3.10 as the default Python version for the `base` and `default` containers.
- ansible-test - add macOS 12.0 as a remote target (#76328)
- ansible-test - handle JSON decode error gracefully in podman environment.
- ansible-test pslint - Added the AvoidLongLines rule set to a length of 160.
- ansible-test pslint - Added the PlaceCloseBrace rule set to enforce close braces on a newline.
- ansible-test pslint - Added the PlaceOpenBrace rule set to enforce open braces on the same line and a subsequent newline.
- ansible-test pslint - Added the UseConsistentIndentation rule to enforce indentation is done with 4 spaces.
- ansible-test pslint - Added the UseConsistentWhitespace rule to enforce whitespace consistency in PowerShell.
- ansible-test pslint - Updated `PowerShellScriptAnalyzer` to 1.20.0
- ansible-test sanity validate-modules - the validate-modules sanity test now also checks the documentation of documentable plugin types (#71734).
- ansible-test validate-modules sanity test - add more schema checks to improve quality of plugin documentation (#77268).
- ansible-test validate_modules - allow `choices` for return values (#76009).
- apt - Add support for using ">=" in package version number matching.
- apt - Adds APT option `--allow-change-held-packages` as module parameter `allow_change_held_packages` to allow APT up- or downgrading a package which is on APTs hold list (#65325)
- auto inventory plugin will now give plugin loading information on verbose output
- callbacks - Add result serialization format options to `_dump_results` allowing plugins such as the `default` callback to emit `YAML` serialized task results in addition to `JSON`
- dnf - add more specific error message for GPG validation (#76192)
- env lookup, add default option
- facts - report prefix length for IPv4 addresses in Linux network facts.
- get_parsable_locale now logs result when in debug mode.
- git - display the destination directory path in error msg when local_mods detects local modifications conflict so that users see the exact location
- iptables - add the `chain_management` parameter that controls iptables chain creation and deletion
- jinja2_native - keep same behavior on Python 3.10.
- junit callback - Add support for replacing the directory portion of out-of-tree relative task paths with a placeholder.
- k8s - scenario guides for kubernetes migrated to `kubernetes.core` collection.
- module_utils.distro - Add missing `typing` import from original code.
- package_facts - add pkg_info support for OpenBSD and NetBSD (#76580)
- services_facts - Add support for openrc (#76373).
- setting DEFAULT_FACT_PATH is being deprecated in favor of the generic module_defaults keyword
- uri - Avoid reading the response body when not needed
- uri - Eliminate multiple requests to determine the final URL for file naming with `dest`
- validate-modules - do some basic validation on the `M(...)`, `U(...)`, `L(..., ...)` and `R(..., ...)` documentation markups (#76262).
- vmware - migrated vmware scenario guides to community.vmware repo.
- yum, dnf - add sslverify option to temporarily disable certificate validation for a repository
- Module Python Dependency - Drop support for Python 2.6 in module execution.
- Templating - it is no longer allowed to perform arithmetic and concatenation operations outside of the jinja template (#75587)
- The `finalize` method is no longer exposed in the globals for use in templating.
- ansible-core - Remove support for Python 2.6.
- ansible-test - Remove support for Python 2.6.
- ssh connection plugin option scp_if_ssh in favor of ssh_transfer_method.
- Remove deprecated `Templar.set_available_variables()` method (#75828)
- cli - remove deprecated ability to set verbosity before the sub-command (#75823)
- copy - remove deprecated `thirsty` alias (#75824)
- psrp - Removed fallback on `put_file` with older `pypsrp` versions. Users must have at least `pypsrp>=0.4.0`.
- url_argument_spec - remove deprecated `thirsty` alias for `get_url` and `uri` modules (#75825, #75826)
- Do not include params in exception when a call to `set_options` fails. Additionally, block the exception that is returned from being displayed to stdout. (CVE-2021-3620)
- Add a YAML representer for `NativeJinjaText`
- Add a YAML representer for `NativeJinjaUnsafeText`
- AnsiballZ - Ensure we use the full python package in the module cache filename to avoid a case where `collections:` is used to execute a module via short name, where the short name duplicates another module from `ansible.builtin` or another collection that was executed previously.
- Ansible.ModuleUtils.LinkUtil - Ignore the `LIB` environment variable when loading the `LinkUtil` code
- Ansible.ModuleUtils.SID - Use user principal name as is for lookup in the `Convert-ToSID` function - #77316
- Detect package manager for Amazon Linux 2022 (AL2022) as dnf
- Ensure the correct `environment_class` is set on `AnsibleJ2Template`
- Fix `AttributeError` when providing password file via `--connection-password-file` (#76530)
- Fix `end_play` to end the current play only (#76672)
- Fix collection filter/test plugin redirects (#77192).
- Fix executing includes in the always section in the free strategy (#75642)
- Fix for when templating empty template file resulted in file with string 'None' (#76610)
- Fix help message for the 'ansible-galaxy collection verify' positional argument. The positional argument must be a collection name (#76087).
- Fix module logging issue when using custom module on WSL2 (#76320)
- Fix task debugger to work with `run_once` using `linear` strategy (#76049)
- Fix traceback when installing a collection from a git repository and git is not installed (#77479).
- Interpreter Discovery - Fallback to OS family if the distro is not found in `INTERPRETER_PYTHON_DISTRO_MAP` (#75560)
- Interpreter discovery - Add `RHEL` to `OS_FAMILY_MAP` for correct family fallback for interpreter discovery (#77368)
- Make include_role/include_tasks work with any_errors_fatal (#50897)
- Parser errors from within includes should not be rescueable (#73657)
- Prevent losing unsafe on results returned from lookups (#77535)
- Templating - Ensure we catch exceptions when getting `.filters` and `.tests` attributes on their respective plugins and properly error, instead of aborting which results in no filters being added to the jinja2 environment
- Trigger an undefined error when an undefined variable is detected within a dictionary and/or list (#75587)
- _run_loop - Add the task name to the warning (#76011)
- `Templar.copy_with_new_env` - set the `finalize` method of the new `Templar` object for the new environment (#76379)
- add_host/group_by: fix using changed_when in a loop (#71627)
- ansible - Exclude Python 2.6 from Python interpreter discovery.
- ansible-config avoid showing _terms and _input when --only-changed.
- ansible-doc - Fix ansible-doc -l ansible.builtin / ansible.legacy not returning anything
- ansible-doc - ignore plugin deprecation warnings (#75671)
- ansible-galaxy - Add galaxy_collection_skeleton/galaxy_collection_skeleton_ignore configuration options
- ansible-galaxy - Fix using the '--ignore-certs' option when there is no server-specific configuration for the Galaxy server.
- ansible-galaxy - installing/downloading collections with invalid versions in git repositories and directories now gives a formatted error message (#76425, #75404).
- ansible-galaxy - when installing a role properly raise an error when inaccessible path is specified multiple times in roles_path (e.g. via environment variable and command line option) (#76316)
- ansible-galaxy collection build - Ignore any existing `MANIFEST.json` and `FILES.json` in the root directory when building a collection.
- ansible-galaxy collection verify - display files/directories not included in the FILES.json as modified content.
- ansible-galaxy publish - Fix warning and error detection in import messages to properly display them in Ansible
- ansible-pull handle case where hostname and nodename are empty
- ansible-test - Add default entry for Windows remotes to be used with unknown versions.
- ansible-test - All virtual environments managed by ansible-test are marked as usable after being bootstrapped, to avoid errors caused by use of incomplete environments. Previously this was only done for sanity tests. Existing environments from previous versions of ansible-test will be recreated on demand due to lacking the new marker.
- ansible-test - Automatic target requirements installation is now based on the target environment instead of the controller environment.
- ansible-test - Correctly detect when running as the `root` user (UID 0) on the origin host. The result of the detection was incorrectly being inverted.
- ansible-test - Don't fail if network cannot be disconnected (#77472)
- ansible-test - Fix Python real prefix detection when running in a `venv` virtual environment.
- ansible-test - Fix `windows-integration` and `network-integration` when used with the `--docker` option and user-provided inventory.
- ansible-test - Fix installation and usage of `pyyaml` requirement for the `import` sanity test for collections.
- ansible-test - Fix path to inventory file for `windows-integration` and `network-integration` commands for collections.
- ansible-test - Fix plugin loading.
- ansible-test - Fix skipping of tests marked `needs/python` on the origin host.
- ansible-test - Fix skipping of tests marked `needs/root` on the origin host.
- ansible-test - Fix the `import` sanity test to work properly when Ansible's built-in vendoring support is in use.
- ansible-test - Fix the `validate-modules` sanity test to avoid double-loading the collection loader and possibly failing on import of the `packaging` module.
- ansible-test - Fix traceback in `import` sanity test on Python 2.7 when `pip` is not available.
- ansible-test - Fix traceback in the `validate-modules` sanity test when testing an Ansible module without any callables.
- ansible-test - Fix traceback when running from an install and delegating execution to a different Python interpreter.
- ansible-test - Fix traceback when using the `--all` option with PowerShell code coverage.
- ansible-test - Fix type hints.
- ansible-test - Import `yaml.cyaml.CParser` instead of `_yaml.CParser` in the `yamllint` sanity test.
- ansible-test - Limit `paramiko` installation to versions before 2.9.0. This is required to maintain support for systems which do not support RSA SHA-2 algorithms.
- ansible-test - Pylint Deprecated Plugin - Use correct message symbols when date or version is not a float or str (#77085)
- ansible-test - Relocate constants to eliminate symlink.
- ansible-test - Replace the directory portion of out-of-tree paths in JUnit files from integration tests with the `out-of-tree:` prefix.
- ansible-test - Sanity tests run with the `--requirements` option for Python 2.x now install `virtualenv` when it is missing or too old. Previously it was only installed if missing. Version 16.7.12 is now installed instead of the latest version.
- ansible-test - Set the `pytest` option `--rootdir` instead of letting it be auto-detected.
- ansible-test - Show an error message instead of a traceback when running outside of a supported directory.
- ansible-test - Target integration test requirements are now correctly installed for target environments running on the controller.
- ansible-test - The `import` sanity test no longer reports errors about `packaging` being missing when testing collections.
- ansible-test - Update distribution test containers to version 3.1.0.
- ansible-test - Update help links to reference `ansible-core` instead of `ansible`.
- ansible-test - Update unit tests to use the `--forked` option instead of the deprecated `--boxed` option.
- ansible-test - Use https://ci-files.testing.ansible.com/ for instance bootstrapping instead of an S3 endpoint.
- ansible-test - Use relative paths in JUnit files generated during integration test runs.
- ansible-test - Use the correct variable to reference the client's SSH key when generating inventory.
- ansible-test - Use the legacy collection loader for `import` sanity tests on target-only Python versions.
- ansible-test - Virtual environments managed by ansible-test now use consistent versions of `pip`, `setuptools` and `wheel`. This avoids issues with virtual environments containing outdated or dysfunctional versions of these tools. The initial bootstrapping of `pip` is done by ansible-test from an HTTPS endpoint instead of creating the virtual environment with it already present.
- ansible-test - fix a typo in validate-modules.
- ansible-test - fixed support container failures (eg http-test-container) under podman
- ansible-test compile sanity test - do not crash if a column could not be determined for an error (#77465).
- ansible-test pslint - Fix error when encountering validation results that are highly nested - #74151
- ansible-vault encrypt_string - fix `--output` option to correctly write encrypted string into given file (#75101)
- ansible.builtin.file modification_time supports check_mode
- ansible_facts.devices - Fix parsing of device serial number detected via sg_inq for rhel8 (#75420)
- apt - fails to deploy deb file to old debian systems using python-apt < 0.8.9 (#47277)
- arg_spec - Fix incorrect `no_log` warning when a parameter alias is used (#77576)
- async - Improve performance of sending async callback events by never sending the full task through the queue (#76729)
- catch the case that cowsay is broken which would lead to missing output
- cleaning facts will now only warn about the variable name and not post the content, which can be undesirable to disclose
- collection_loader - Implement 'find_spec' and 'exec_module' to override deprecated importlib methods 'find_module' and 'load_module' when applicable (#74660).
- correctly inherit vars from parent in block (#75286).
- default callback - Ensure we compare FQCN also in lockstep logic, to ensure using the FQCN of a strategy plugin triggers the correct behavior in the default callback plugin. (#76782)
- distribution - add EuroLinux to fact gathering (#76624).
- distribution - detect tencentos and gather correct facts on the distro.
- dnf - ensure releasever is passed into libdnf as string (#77010)
- extend timeout for ansible-galaxy when communicating with the galaxy server api, and apply it to all interactions with the api
- facts - add support for deepin distro information detection (#77286).
- first_found - fix to allow for spaces in file names (#77136)
- gather_facts - Fact gathering now continues even if it fails to read a file
- gather_facts action now handles the move of base connection plugin types into collections to add/prevent subset argument correctly
- gather_facts/setup will not fail anymore if capsh is present but not executable
- git module fix docs and proper use of ssh wrapper script and GIT_SSH_COMMAND depending on version.
- git module is more consistent and clearer about which ssh options are added to git calls.
- git module no longer uses wrapper script for ssh options.
- hacking - fix incorrect usage of deprecated fish-shell redirection operators that failed to honor `--quiet` flag when sourced (#77180).
- hostname - Do not require SystemdStrategy subclasses for every distro (#76792)
- hostname - Fix Debian strategy KeyError, use SystemdStrategy (#76124)
- hostname - Update the systemd strategy in the `hostname` module to not interfere with NetworkManager (#76958)
- hostname - add hostname support for openEuler distro (#76619).
- hostname - use `file_get_content()` to read the file containing the host name in the `FileStrategy.get_permanent_hostname()` method. This prevents a `TypeError` from being raised when the strategy is used (#77025).
- include_vars, properly initialize variable as there is corner case in which it can end up referenced and not defined
- inventory - parameterize `disable_lookups` in `Constructable` (#76769).
- inventory manager now respects --flush-cache
- junit callback - Fix traceback during automatic fact gathering when using relative paths.
- junit callback - Fix unicode error when handling non-ASCII task paths.
- module_utils.common.yaml - The `SafeLoader`, `SafeDumper` and `Parser` classes now fallback to `object` when `yaml` is not available. This fixes tracebacks when inheriting from these classes without requiring a `HAS_YAML` guard around class definitions.
- parameters - handle blank values when argument is a list (#77108).
- play_context now compensates for when a connection sets the default to inventory_hostname but skips adding it to the vars.
- playbook/strategy have more informative 'attribute' based errors for playbook objects and handlers.
- python modules (new type) will now again prefer the specific python stated in the module's shebang instead of hardcoding to /usr/bin/python.
- replace - Always return `rc` to ensure return values are consistent - #71963
- script - skip in check mode if the plugin cannot determine if a change will occur (i.e. neither creates or removes are provided).
- service - Fixed handling of sleep arguments during service restarts on AIX. (#76877)
- service - Fixed service restarts with arguments on AIX. (#76840)
- service_facts module will now give more meaningful warnings when it fails to gather data.
- set_fact/include_vars correctly handle delegation assignments within loops
- setup - detect docker container with check for ./dockerenv or ./dockinit (#74349).
- shell/command - only return changed as True if the task has not been skipped.
- shell/command - only skip in check mode if the options creates and removes are both None.
- ssh connection - properly quote controlpersist path given by user to avoid issues with spaces and other characters
- ssh connection avoid parsing ssh cli debug lines as they can match expected output at high verbosities.
- ssh connection now uses more correct host source as play_context can ignore loop/delegation variations.
- sudo become plugin, fix handling of non interactive flags, previous substitution was too naive
- systemd - check if service is alias so it gets enabled (#75538).
- systemd - check if service is indirect so it gets enabled (#76453).
- task_executor reverts the change to push facts into delegated vars on loop finalization as result managing code already handles this and was duplicating effort to wrong result.
- template lookup - restore inadvertently deleted default for `convert_data` (#77004)
- to_json/to_nice_json filters defaults back to unvaulting/no unsafe packing.
- unarchive - Fix zip archive file listing that caused issues with content postprocessing (#76067).
- unarchive - Make extraction work when the LANGUAGE environment variable is set to a non-English locale.
- unarchive - apply `owner` and `group` permissions to top folder (#35426)
- unarchive - include the original error when a handler cannot manage the archive (#28977).
- unarchive - the `io_buffer_size` option added in 2.12 was not accepted by the module (#77271).
- urls - Allow `ca_path` to point to a bundle containing multiple PEM certs (#75015)
- urls/uri - Address case where `HTTPError` isn't fully initialized due to the error, and is missing certain methods and attributes (#76386)
- user - allow `password_expiry_min` and `password_expiry_min` to be set to `0` (#75017)
- user - allow password min and max to be set at the same time (#75017)
- user - update logic to check if user exists or not in MacOS.
- validate_argument_spec - Skip suboption validation if the top level option is an invalid type (#75612).
- variablemanager, more efficient read of vars files
- vault - Warn instead of fail for missing vault IDs if at least one valid vault secret is found.
- winrm - Ensure `kinit` is run with the same `PATH` env var as the Ansible process
- yum - prevent storing unnecessary cache data by running yum makecache fast (#76336)
- get_url - document `check_mode` correctly with unreliable changed status (#65687).