ansible-core 2.13 "Nobody's Fault but Mine" Release Notes

Topics

v2.13.13rc1
v2.13.12
v2.13.11
v2.13.10
v2.13.9
v2.13.8
v2.13.7
v2.13.6
v2.13.5
- Release Summary
- Bugfixes
v2.13.4
- Release Summary
- Bugfixes
v2.13.3
- Release Summary
- Bugfixes
v2.13.2
v2.13.1
v2.13.0

v2.13.13rc1

Release Summary

Release Date: 2023-10-03

Porting Guide

Security Fixes

ansible-galaxy - Prevent roles from using symlinks to overwrite files outside of the installation directory (CVE-2023-5115)

Bugfixes

ansible-galaxy info - fix reporting no role found when lookup_role_by_name returns None.

v2.13.12

Release Summary

Release Date: 2023-09-11

Porting Guide

Minor Changes

Removed exclude and recursive-exclude commands for generated files from the MANIFEST.in file. These excludes were unnecessary since releases are expected to be built with a clean worktree.
Removed exclude commands for sanity test files from the MANIFEST.in file. These tests were previously excluded because they did not pass when run from an sdist. However, sanity tests are not expected to pass from an sdist, so excluding some (but not all) of the failing tests makes little sense.
Removed redundant include commands from the MANIFEST.in file. These includes either duplicated default behavior or another command.
The ansible-core sdist no longer contains pre-generated man pages. Instead, a packaging/cli-doc/build.py script is included in the sdist. This script can generate man pages and standalone RST documentation for ansible-core CLI programs.
The docs and examples directories are no longer included in the ansible-core sdist. These directories have been moved to the https://github.com/ansible/ansible-documentation repository.
The minimum required setuptools version is now 45.2.0, as it is the oldest version to support Python 3.10.
Use include where recursive-include is unnecessary in the MANIFEST.in file.
Use package_data instead of include_package_data for setup.cfg to avoid setuptools warnings.
ansible-test - Update the logic used to detect when ansible-test is running from source.
ansible-test — Replaced freebsd/12.3 remote with freebsd/12.4. The former is no longer functional.
ansible-test — Replaced freebsd/13.0 remote with freebsd/13.1. The former is no longer functional.

Bugfixes

Exclude internal options from man pages and docs.
Fix ansible-config init man page option indentation.
The ansible-config init command now has a documentation description.
The ansible-galaxy collection download command now has a documentation description.
The ansible-galaxy collection install command documentation is now visible (previously hidden by a decorator).
The ansible-galaxy collection verify command now has a documentation description.
The ansible-galaxy role install command documentation is now visible (previously hidden by a decorator).
The ansible-inventory command command now has a documentation description (previously used as the epilog).
Update module_utils.urls unit test to work with cryptography >= 41.0.0.
When generating man pages, use func to find the command function instead of looking it up by the command name.
ansible-galaxy - Enabled the data tarfile filter during role installation for Python versions that support it. A probing mechanism is used to avoid Python versions with a broken implementation.
ansible-test - Always use ansible-test managed entry points for ansible-core CLI tools when not running from source. This fixes issues where CLI entry points created during install are not compatible with ansible-test.
ansible-test - Pre-build a PyYAML wheel before installing requirements to avoid a potential Cython build failure.
man page build - Sub commands of ansible-galaxy role and ansible-galaxy collection are now documented.
tarfile - handle data filter deprecation warning message for extract and extractall (#80832).

v2.13.11

Release Summary

Release Date: 2023-07-18

Porting Guide

Minor Changes

Removed straight.plugin from the build and packaging requirements.

Bugfixes

ansible-test - Fix a traceback that occurs when attempting to test Ansible source using a different ansible-test. A clear error message is now given when this scenario occurs.
ansible-test local change detection - use git merge-base <branch> HEAD instead of git merge-base --fork-point <branch> (#79734).
man page build - Remove the dependency on the docs directory for building man pages.

v2.13.10

Release Summary

Release Date: 2023-05-22

Porting Guide

Minor Changes

ansible-test - Allow float values for the --timeout option to the env command. This simplifies testing.
ansible-test - Refactored env command logic and timeout handling.
ansible-test - Use datetime.datetime.now with tz specified instead of datetime.datetime.utcnow.

Bugfixes

ansible-galaxy - fix installing signed collections (#80648).
ansible-galaxy collection verify - fix verifying signed collections when the keyring is not configured.
ansible-test - Fix handling of timeouts exceeding one day.
ansible-test - Fix various cases where the test timeout could expire without terminating the tests.
ansible-test - When bootstrapping remote FreeBSD instances, use the OS packaged setuptools instead of installing the latest version from PyPI.
pep517 build backend - Copy symlinks when copying the source tree. This avoids tracebacks in various scenarios, such as when a venv is present in the source tree.

v2.13.9

Release Summary

Release Date: 2023-04-24

Porting Guide

Minor Changes

ansible-test - Moved git handling out of the validate-modules sanity test and into ansible-test.
ansible-test - Removed the --keep-git sanity test option, which was limited to testing ansible-core itself.
ansible-test - Updated the Azure Pipelines CI plugin to work with newer versions of git.

Breaking Changes / Porting Guide

ansible-test - Integration tests which depend on specific file permissions when running in an ansible-test managed host environment may require changes. Tests that require permissions other than 755 or 644 may need to be updated to set the necessary permissions as part of the test run.

Bugfixes

Fix MANIFEST.in to exclude unwanted files in the packaging/ directory.
Fix MANIFEST.in to include *.md files in the test/support/ directory.
Windows - Display a warning if the module failed to cleanup any temporary files rather than failing the task. The warning contains a brief description of what failed to be deleted.
Windows - Ensure the module temp directory contains more unique values to avoid conflicts with concurrent runs - #80294
Windows - Improve temporary file cleanup used by modules. Will use a more reliable delete operation on Windows Server 2016 and newer to delete files that might still be open by other software like Anti Virus scanners. There are still scenarios where a file or directory cannot be deleted but the new method should work in more scenarios.
ansible-doc - stop generating wrong module URLs for module see-alsos. The URLs for modules in ansible.builtin do now work, and URLs for modules outside ansible.builtin are no longer added (#80280).
ansible-galaxy - Improve retries for collection installs, to properly retry, and extend retry logic to common URL related connection errors (#80170 #80174)
ansible-galaxy - reduce API calls to servers by fetching signatures only for final candidates.
ansible-test - Add support for argcomplete version 3.
ansible-test - Always indicate the Python version being used before installing requirements. Resolves issue #72855
ansible-test - Exclude ansible-core vendored Python packages from ansible-test payloads.
ansible-test - Integration test target prefixes defined in a tests/integration/target-prefixes.{group} file can now contain an underscore (_) character. Resolves issue #79225
ansible-test - Removed pointless comparison in diff evaluation logic.
ansible-test - Set PYLINTHOME for the pylint sanity test to prevent failures due to pylint checking for the existence of an obsolete home directory.
ansible-test - Support loading of vendored Python packages from ansible-core.
ansible-test - Use consistent file permissions when delegating tests to a container or remote host. Files with any execute bit set will use permissions 755. All other files will use permissions 644. (Resolves issue #75079)
password lookup now correctly reads stored ident fields.
pep517 build backend - Use the documented import_module import from importlib.

v2.13.8

Release Summary

Release Date: 2023-02-27

Porting Guide

Major Changes

ansible-test - Docker Desktop on WSL2 is now supported (additional configuration required).
ansible-test - Docker and Podman are now supported on hosts with cgroup v2 unified. Previously only cgroup v1 and cgroup v2 hybrid were supported.
ansible-test - Podman now works on container hosts without systemd. Previously only some containers worked, while others required rootfull or rootless Podman, but would not work with both. Some containers did not work at all.
ansible-test - Podman on WSL2 is now supported.
ansible-test - When additional cgroup setup is required on the container host, this will be automatically detected. Instructions on how to configure the host will be provided in the error message shown.

Minor Changes

ansible-test - A new audit option is available when running custom containers. This option can be used to indicate whether a container requires the AUDIT_WRITE capability. The default is required, which most containers will need when using Podman. If necessary, the none option can be used to opt-out of the capability. This has no effect on Docker, which always provides the capability.
ansible-test - A new cgroup option is available when running custom containers. This option can be used to indicate a container requires cgroup v1 or that it does not use cgroup. The default behavior assumes the container works with cgroup v2 (as well as v1).
ansible-test - Add support for provisioning Alpine 3.16 remote instances.
ansible-test - Add support for provisioning Fedora 36 remote instances.
ansible-test - Add support for provisioning Ubuntu 20.04 remote instances.
ansible-test - Add support for provisioning remotes which require doas for become.
ansible-test - Additional log details are shown when containers fail to start or SSH connections to containers fail.
ansible-test - Alpine remotes now use sudo for tests, using doas only for bootstrapping.
ansible-test - Become support for remote instance provisioning is no longer tied to a fixed list of platforms.
ansible-test - Connection failures to remote provisioned hosts now show failure details as a warning.
ansible-test - Containers included with ansible-test no longer disable seccomp by default.
ansible-test - Failure to connect to a container over SSH now results in a clear error. Previously tests would be attempted even after initial connection attempts failed.
ansible-test - FreeBSD remotes now use sudo for tests, using su only for bootstrapping.
ansible-test - Integration tests can be excluded from retries triggered by the --retry-on-error option by adding the retry/never alias. This is useful for tests that cannot pass on a retry or are too slow to make retries useful.
ansible-test - More details are provided about an instance when provisioning fails.
ansible-test - Reduce the polling limit for SSHD startup in containers from 60 retries to 10. The one second delay between retries remains in place.
ansible-test - Remote Alpine instances now have the acl package installed.
ansible-test - Remote Fedora instances now have the acl package installed.
ansible-test - Remote FreeBSD instances now have ACLs enabled on the root filesystem.
ansible-test - Remote Ubuntu instances now have the acl package installed.
ansible-test - SSH connections from OpenSSH 8.8+ to CentOS 6 containers now work without additional configuration. However, clients older than OpenSSH 7.0 can no longer connect to CentOS 6 containers as a result. The container must have centos6 in the image name for this work-around to be applied.
ansible-test - SSH shell connections from OpenSSH 8.8+ to ansible-test provisioned network instances now work without additional configuration. However, clients older than OpenSSH 7.0 can no longer open shell sessions for ansible-test provisioned network instances as a result.
ansible-test - Specify the configuration file location required by test plugins when the config file is not found. This resolves issue: #79411
ansible-test - The ansible-test env command now detects and reports the container ID if running in a container.
ansible-test - Unit tests now support network disconnect by default when running under Podman. Previously this feature only worked by default under Docker.
ansible-test - Use stop --time 0 followed by rm to remove ephemeral containers instead of rm -f. This speeds up teardown of ephemeral containers.
ansible-test - Warnings are now shown when using containers that were built with VOLUME instructions.
ansible-test - When setting the max open files for containers, the container host's limit will be checked. If the host limit is lower than the preferred value, it will be used and a warning will be shown.
ansible-test - When using Podman, ansible-test will detect if the loginuid used in containers is incorrect. When this occurs a warning is displayed and the container is run with the AUDIT_CONTROL capability. Previously containers would fail under this situation, with no useful warnings or errors given.
ansible-test acme test container - update version to update used Pebble version, underlying Python and Go base containers, and Python requirements (#79783).

Bugfixes

Ansible.Basic.cs - Ignore compiler warning (reported as an error) when running under PowerShell 7.3.x.
TaskExecutor - don't ignore templated _raw_params that k=v parser failed to parse (#79862)
ansible-test - Always remove containers after failing to create/run them. This avoids leaving behind created containers when using podman.
ansible-test - Avoid using exec after container startup when possible. This improves container startup performance and avoids intermittent startup issues with some old containers.
ansible-test - Connection attempts to managed remote instances no longer abort on Permission denied errors.
ansible-test - Detection for running in a Podman or Docker container has been fixed to detect more scenarios. The new detection relies on /proc/self/mountinfo instead of /proc/self/cpuset. Detection now works with custom cgroups and private cgroup namespaces.
ansible-test - Fix bootstrapping of Python 3.9 on Ubuntu 20.04 remotes.
ansible-test - Fix validate-modules error when retrieving PowerShell argspec when retrieved inside a Cmdlet
ansible-test - Handle server errors when executing the docker info command.
ansible-test - Multiple containers now work under Podman without specifying the --docker-network option.
ansible-test - Pass the XDG_RUNTIME_DIR environment variable through to container commands.
ansible-test - Perform PyPI proxy configuration after instances are ready and bootstrapping has been completed. Only target instances are affected, as controller instances were already handled this way. This avoids proxy configuration errors when target instances are not yet ready for use.
ansible-test - Prevent concurrent / repeat inspections of the same container image.
ansible-test - Prevent concurrent / repeat pulls of the same container image.
ansible-test - Prevent concurrent execution of cached methods.
ansible-test - Show the exception type when reporting errors during instance provisioning.
ansible-test - Support Podman 4.4.0+ by adding the SYS_CHROOT capability when running containers.
ansible-test - Temporary executables are now verified as executable after creation. Without this check, path injected scripts may not be found, typically on systems with /tmp mounted using the "noexec" option. This can manifest as a missing Python interpreter, or use of the wrong Python interpreter, as well as other error conditions.
ansible-test - Test containers are now run with the --tmpfs option for /tmp, /run and /run/lock. This allows use of containers built without the VOLUME instruction. Additionally, containers with those volumes defined no longer create anonymous volumes for them. This avoids leaving behind volumes on the container host after the container is stopped and deleted.
ansible-test - fix warning message about failing to run an image to include the image name
file - touch action in check mode was always returning ok. Fix now evaluates the different conditions and returns the appropriate changed status. (#79360)

Known Issues

ansible-test - Additional configuration may be required for certain container host and container combinations. Further details are available in the testing documentation.
ansible-test - Custom containers with VOLUME instructions may be unable to start, when previously the containers started correctly. Remove the VOLUME instructions to resolve the issue. Containers with this condition will cause ansible-test to emit a warning.
ansible-test - Systems with Podman networking issues may be unable to run containers, when previously the issue went unreported. Correct the networking issues to continue using ansible-test with Podman.
ansible-test - Using Docker on systems with SELinux may require setting SELinux to permissive mode. Podman should work with SELinux in enforcing mode.

v2.13.7

Release Summary

Release Date: 2022-12-05

Porting Guide

Minor Changes

ansible-test - Improve consistency of executed pylint commands by making the plugins ordered.

Bugfixes

file lookup now plays nice with generic lookup errors option.

v2.13.6

Release Summary

Release Date: 2022-11-07

Porting Guide

Minor Changes

ansible-test - Improve consistency of version specific documentation links.

Bugfixes

BSD network facts - Do not assume column indexes, look for netmask and broadcast for determining the correct columns when parsing inet line (#79117)
ansible-galaxy - make initial call to Galaxy server on-demand only when installing, getting info about, and listing roles.
ansible-test - Add wheel < 0.38.0 constraint for Python 3.6 and earlier.
ansible-test - Fix broken documentation link for aws test plugin error messages.
copy module will no longer move 'non files' set as src when remote_src=true.
file lookup now handles missing files more gracefully.
service_facts - Use python re to parse service output instead of grep (#78541)
updated error messages to include 'acl' and not just mode changes when failing to set required permissions on remote.

v2.13.5

Release Summary

Release Date: 2022-10-10

Porting Guide

Bugfixes

ansible-galaxy - remove extra server api call during dependency resolution for requirements and dependencies that are already satisfied (#77443).
ansible-test - Allow disabled, unsupported, unstable and destructive integration test targets to be selected using their respective prefixes.
ansible-test - Allow unstable tests to run when targeted changes are made and the --allow-unstable-changed option is specified (resolves #74213).
apt - Fix module failure when a package is not installed and only_upgrade=True. Skip that package and check the remaining requested packages for upgrades. (#78762)
apt module should not traceback on invalid type given as package. issue 78663.
known_hosts - do not return changed status when a non-existing key is removed (#78598)
paramiko - Add back support for ssh_args, ssh_common_args, and ssh_extra_args for parsing the ProxyCommand (#78750)
plugin loader, fix detection for existing configuration before initializing for a plugin

v2.13.4

Release Summary

Release Date: 2022-09-12

Porting Guide

Bugfixes

Fix for network_cli not getting all relevant connection options
ansible-galaxy - Fix detection of --role-file in arguments for implicit role invocation (#78204)
ansible-galaxy - Fix exit codes for role search and delete (#78516)
ansible-test - Fix change detection for ansible-test's own integration tests.
ansible-test - ansible-doc sanity test - Correctly determine the fully-qualified collection name for plugins in subdirectories, resolving #78490.
apt - don't actually update the cache in check mode with update_cache=true.
apt - don't mark existing packages as manually installed in check mode (#66413).
apt - fix package selection to include /etc/apt/preferences(.d) (#77969)
urls - Guard imports of urllib3 by catching Exception instead of ImportError to prevent exceptions in the import process of optional dependencies from preventing use of urls.py (#78648)
wait_for - Read file and perform comparisons using bytes to avoid decode errors (#78214)

v2.13.3

Release Summary

Release Date: 2022-08-15

Porting Guide

Bugfixes

Avoid 'unreachable' error when chmod on AIX has 255 as return code.
Fix PluginLoader to mimic Python import machinery by adding module to sys.modules before exec
Fix dnf module documentation to indicate that comparison operators for package version require spaces around them (#78295)
ansible-connection - decrypt vaulted parameters before sending over the socket, as vault secrets are not available on the other side.
ansible-galaxy - Fix reinitializing the whole collection directory with ansible-galaxy collection init ns.coll --force. Now directories and files that are not included in the collection skeleton will be removed.
ansible-galaxy - do not require mandatory keys in the galaxy.yml of source collections when listing them (#70180).
ansible-galaxy - fix listing collections that contains metadata but the namespace or name are not strings.
ansible-galaxy - fix setting the cache for paginated responses from Galaxy NG/AH (#77911).
ansible-test - Delegation for commands which generate output for programmatic consumption no longer redirect all output to stdout. The affected commands and options are shell, sanity --lint, sanity --list-tests, integration --list-targets, coverage analyze
ansible-test - Delegation now properly handles arguments given after -- on the command line.
ansible-test - Test configuration for collections is now parsed only once, prior to delegation. Fixes issue: #78334
ansible-test - The shell command no longer redirects all output to stdout when running a provided command. Any command output written to stderr will be mixed with the stderr output from ansible-test.
ansible-test - The shell command no longer requests a TTY when using delegation unless an interactive shell is being used. An interactive shell is the default behavior when no command is given to pass to the shell.
dnf - fix output parsing on systems with LANGUAGE set to a language other than English (#78193)
if a config setting prevents running ansible it should at least show it's "origin".
prevent type annotation shim failures from causing runtime failures (#77860)
template module/lookup - fix convert_data option that was effectively always set to True for Jinja macros (#78141)
uri - properly use uri parameter use_proxy (#58632)
yum - fix traceback when releasever is specified with latest (#78058)

v2.13.2

Release Summary

Release Date: 2022-07-18

Porting Guide

Minor Changes

ansible-test - An improved error message is shown when the download of a pip bootstrap script fails. The download now uses urllib2 instead of urllib on Python 2.

Bugfixes

Move undefined check from concat to finalize (#78156)
ansible-doc - no longer list module and plugin aliases that are created with symlinks (#78137).
ansible-doc - when listing modules in collections, proceed recursively. This fixes module listing for community.general 5.x.y and community.network 4.x.y (#78137).
ansible-doc will not add 'website for' in ":ref:" substitutions as it made them confusing.
file backed cache plugins now handle concurrent access by making atomic updates to the files.
password lookup does not ignore k=v arguments anymore.
user - Fix error "Permission denied" in user module while generating SSH keys (#78017).

v2.13.1

Release Summary

Release Date: 2022-06-20

Porting Guide

Minor Changes

Add an 'action_plugin' field for modules in runtime.yml plugin_routing.

This fixes module_defaults by supporting modules-as-redirected-actions without redirecting module_defaults entries to the common action.

With the runtime.yml above for ns.coll, a task such as

will end up with defaults for eos_facts and eos_command since both modules redirect to the same action.

To select an action plugin for a module without merging module_defaults, define an action_plugin field for the resolved module in the runtime.yml.

The action_plugin field can be a redirected action plugin, as it is resolved normally.

Using the modified runtime.yml, the example task will only use the ns.coll.eos_facts defaults.
ansible-galaxy - Support resolvelib versions 0.6.x, 0.7.x, and 0.8.x. The full range of supported versions is now >= 0.5.3, < 0.9.0.
ansible-test - Add RHEL 9.0 remote support.
ansible-test - Add support for Ubuntu VMs using the --remote option.
ansible-test - Add support for exporting inventory with ansible-test shell --export {path}.
ansible-test - Add support for multi-arch remotes.
ansible-test - Add support for running non-interactive commands with ansible-test shell.
ansible-test - Avoid using the mock_use_standalone_module setting for unit tests running on Python 3.8 or later.
ansible-test - Blocking mode is now enforced for stdin, stdout and stderr. If any of these are non-blocking then ansible-test will exit during startup with an error.
ansible-test - Improve consistency of output messages by using stdout or stderr for most output, but not both.
ansible-test - The shell command can be used outside a collection if no controller delegation is required.

Bugfixes

Add PyYAML >= 5.1 as a dependency of ansible-core to be compatible with Python 3.8+.
ansible-config dump - Only display plugin type headers when plugin options are changed if --only-changed is specified.
ansible-galaxy - handle unsupported versions of resolvelib gracefully.
ansible-test - Fix internal validation of remote completion configuration.
ansible-test - Prevent --target- prefixed options for the shell command from being combined with legacy environment options.
ansible-test - Sanity test output with the --lint option is no longer mixed in with bootstrapping output.
ansible-test - Subprocesses are now isolated from the stdin, stdout and stderr of ansible-test. This avoids issues with subprocesses tampering with the file descriptors, such as SSH making them non-blocking. As a result of this change, subprocess output from unit and integration tests on stderr now go to stdout.
ansible-test - Subprocesses no longer have access to the TTY ansible-test is connected to, if any. This maintains consistent behavior between local testing and CI systems, which typically do not provide a TTY. Tests which require a TTY should use pexpect or another mechanism to create a PTY.
apt module now correctly handles virtual packages.
lookup plugin - catch KeyError when lookup returns dictionary (#77789).
pip - fix cases where resolution of pip Python module fails when importlib.util has not already been imported
plugin loader - Sort results when fuzzy matching plugin names (#77966).
plugin loader will now load config data for plugin by name instead of by file to avoid issues with the same file being loaded under different names (fqcn + short name).
psrp connection now handles default to inventory_hostname correctly.
winrm connection now handles default to inventory_hostname correctly.

v2.13.0

Release Summary

Release Date: 2022-05-16

Porting Guide

Major Changes

Jinja2 Controller Requirement - Jinja2 3.0.0 or newer is required for the control node (the machine that runs Ansible) (#75881)
Templating - remove safe_eval in favor of using NativeEnvironment but utilizing literal_eval only in cases when safe_eval was used (#75587)

Minor Changes

Action Plugins - Add helper method for argument spec validation, and extend to pause and async_wrapper
Added AIX root CA certs folders - enhance the TLS support in uri task on AIX
Added module_utils.compat.typing to facilitate type-hinting on all supported Python versions.
Ansible.Basic - small changes to allow use in PowerShell modules running on non-Windows platforms (#76924).
AnsibleModule.run_command() now has a toggle to allow caller to decide to handle exceptions from executing the command itself
Attach concat function to an environment class (#76282)
Clarify in a comment that unrolling an iterator in Templar._finalize is actually necessary. Also switch to using the _unroll_iterator decorator directly to deduplicate code in Templar._finalize. (#76436)
Installation - modernize our python installation, to reduce dynamic code in setup.py, and migrate what is feasible to setup.cfg. This will enable shipping wheels in the future.
PlayIterator - introduce public methods to access PlayIterator._host_states (#74416)
PlayIterator - use enums for Iterating and Failed states (#74511)
Reduce number of iterations through PlayIterator (#74175)
Remove more Python 2.x compatibility code from controller (#77320).
Start of moving away from using Six, Python 2 and 3 compatibility library (#75863)
The collection loader now reports a Python warning if an attempt is made to install the Ansible collection loader a second time. Previously this condition was reported using an Ansible warning.
ansible-galaxy collection [install|verify] - allow user-provided signature sources in addition to those from the Galaxy server. Each collection entry in a requirements file can specify a signatures key followed by a list of sources. Collection name(s) provided on the CLI can specify additional signature sources by using the --signatures CLI option. Signature sources should be URIs that can be opened with urllib.request.urlopen(), such as "https://example.com/path/to/detached_signature.asc" or "file:///path/to/detached_signature.asc". The --keyring option must be specified if signature sources are provided.
ansible-galaxy collection [install|verify] - use gpg to verify the authenticity of the signed MANIFEST.json with ASCII armored detached signatures provided by the Galaxy server. The keyring (which is not managed by ansible-galaxy) must be provided with the --keyring option to use signature verification. If no --keyring is specified and the collection to install|verify has associated detached signatures on the Galaxy server, a warning is provided.
ansible-galaxy collection install - Add a global configuration to modify the required number of signatures that must verify the authenticity of the collection. By default, the number of required successful signatures is 1. Set this option to all to require all signatures verify the collection. To ensure signature verification fails if there are no valid signatures, prepend the value with '+', such as +all or +1.
ansible-galaxy collection install - Add a global ignore list for gpg signature errors. This can be used to ignore certain signatures when the number of required successful signatures is all. When the required number of successful signatures is a positive integer, the only effect this has is to display fewer errors to the user on failure (success is determined by having the minimum number of successful signatures, in which case all errors are disregarded).
ansible-galaxy collection install - Add a global toggle to turn off GPG signature verification.
ansible-galaxy collection install - Store Galaxy server metadata alongside installed collections for provenance. Signatures obtained from the Galaxy server can be used for offline verification with ansible-galaxy collection verify --offline.
ansible-console - Provide a way to customize the stdout callback
ansible-core modules - Remove unused Python shebangs from built-in modules.
ansible-doc metadata dump - add option --no-fail-on-errors which allows to not fail the ansible-doc invocation when errors happen during docs parsing or processing. Instead they are reported in the JSON result in an error key for the affected plugins (#77035).
ansible-galaxy - the option to skip certificate verification now also applies when cloning via SCM (git/hg) (#41077)
ansible-test - Accept new-style Python modules without a shebang.
ansible-test - Add --version support to show the ansible-core version.
ansible-test - Add support for rhel/8.5 remote instances.
ansible-test - Add support for remote testing of FreeBSD 12.3.
ansible-test - Add support for running container tests with podman remote (#75753)
ansible-test - Added the fedora35 test container.
ansible-test - Change the maximum number of open files in a test container from the default to 10240.
ansible-test - Declare public dependencies of ansible-core and use to limit unguarded imports in plugins.
ansible-test - Importing distutils now results in an error.
ansible-test - Installation of cryptography is no longer version constrained when openssl 1.1.0 or later is installed.
ansible-test - Miscellaneous code cleanup and type hint fixes.
ansible-test - PowerShell in the base and default containers has been upgraded to version 7.1.4.
ansible-test - Remove RHEL 8.4 remote (rhel/8.4) support.
ansible-test - Remove idna constraint.
ansible-test - Remove obsolete MAXFD display.
ansible-test - Remove obsolete constraints for Python 2.6.
ansible-test - Remove support for FreeBSD 12.2 remote provisioning.
ansible-test - Remove support for macOS 11.1 remote provisioning.
ansible-test - Remove support for provisioning remote AIX instances.
ansible-test - Remove the centos8 test container since CentOS 8 will reach end-of-life soon.
ansible-test - Remove the fedora33 test container since Fedora 33 will reach end-of-life soon.
ansible-test - Remove unused Python 2.x compatibility code.
ansible-test - Removed support for Sherlock from the Azure provisioning plugin.
ansible-test - Removed used MarkupSafe constraint for Python 3.5 and earlier.
ansible-test - Requirements for the plugin import test are now frozen.
ansible-test - Shellcheck in the base and default containers has been upgraded to version 0.7.0.
ansible-test - Stop early with an error if the current working directory contains an invalid collection namespace or name.
ansible-test - The --help option is now available when an unsupported cwd is in use.
ansible-test - The --help output now shows the same instructions about cwd as would be shown in error messages if the cwd is unsupported.
ansible-test - The pip and wheel packages are removed from all sanity test virtual environments after installation completes to reduce their size. Previously they were only removed from the environments used for the import sanity test.
ansible-test - The explanation about cwd usage has been improved to explain more clearly what is required.
ansible-test - The hash for all managed sanity test virtual environments has changed. Containers that include ansible-test sanity --prime-venvs will need to be rebuilt to continue using primed virtual environments.
ansible-test - Update base container to version 2.1.0.
ansible-test - Update base container to version 2.2.0.
ansible-test - Update default containers to version 5.2.0.
ansible-test - Update default containers to version 5.4.0.
ansible-test - Update default containers to version 5.5.0.
ansible-test - Update default containers to version 5.6.2.
ansible-test - Update default containers to version 5.7.0.
ansible-test - Update default containers to version 5.8.0.
ansible-test - Update default containers to version 5.9.0.
ansible-test - Update pip used to bootstrap remote FreeBSD instances from version 20.3.4 to 21.3.1.
ansible-test - Update sanity test requirements.
ansible-test - Update the NIOS test plugin container to version 1.4.0.
ansible-test - Update the alpine container to version 3.3.0. This updates the base image from 3.14.2 to 3.15.0, which includes support for installing binary wheels using pip.
ansible-test - Update the base and default containers from Python 3.10.0rc2 to 3.10.0.
ansible-test - Update the base and default containers from a Ubuntu 18.04 to Ubuntu 20.04 base image.
ansible-test - Update the default containers to version 5.1.0.
ansible-test - Update the galaxy test plugin to get its container from a copy on quay.io.
ansible-test - Update the openshift test plugin to get its container from a copy on quay.io.
ansible-test - Use Python 3.10 as the default Python version for the base and default containers.
ansible-test - add macOS 12.0 as a remote target (#76328)
ansible-test - handle JSON decode error gracefully in podman environment.
ansible-test pslint - Added the AvoidLongLines rule set to a length of 160.
ansible-test pslint - Added the PlaceCloseBrace rule set to enforce close braces on a newline.
ansible-test pslint - Added the PlaceOpenBrace rule set to enforce open braces on the same line and a subsequent newline.
ansible-test pslint - Added the UseConsistentIndentation rule to enforce indentation is done with 4 spaces.
ansible-test pslint - Added the UseConsistentWhitespace rule to enforce whitespace consistency in PowerShell.
ansible-test pslint - Updated PowerShellScriptAnalyzer to 1.20.0
ansible-test sanity validate-modules - the validate-modules sanity test now also checks the documentation of documentable plugin types (#71734).
ansible-test validate-modules sanity test - add more schema checks to improve quality of plugin documentation (#77268).
ansible-test validate_modules - allow choices for return values (#76009).
apt - Add support for using ">=" in package version number matching.
apt - Adds APT option --allow-change-held-packages as module parameter allow_change_held_packages to allow APT up- or downgrading a package which is on APTs hold list (#65325)
auto inventory plugin will now give plugin loading information on verbose output
callbacks - Add result serialization format options to _dump_results allowing plugins such as the default callback to emit YAML serialized task results in addition to JSON
dnf - add more specific error message for GPG validation (#76192)
env lookup, add default option
facts - report prefix length for IPv4 addresses in Linux network facts.
get_parsable_locale now logs result when in debug mode.
git - display the destination directory path in error msg when local_mods detects local modifications conflict so that users see the exact location
iptables - add the chain_management parameter that controls iptables chain creation and deletion
jinja2_native - keep same behavior on Python 3.10.
junit callback - Add support for replacing the directory portion of out-of-tree relative task paths with a placeholder.
k8s - scenario guides for kubernetes migrated to kubernetes.core collection.
module_utils.distro - Add missing typing import from original code.
package_facts - add pkg_info support for OpenBSD and NetBSD (#76580)
services_facts - Add support for openrc (#76373).
setting DEFAULT_FACT_PATH is being deprecated in favor of the generic module_defaults keyword
uri - Avoid reading the response body when not needed
uri - Eliminate multiple requests to determine the final URL for file naming with dest
validate-modules - do some basic validation on the M(...), U(...), L(..., ...) and R(..., ...) documentation markups (#76262).
vmware - migrated vmware scenario guides to community.vmware repo.
yum, dnf - add sslverify option to temporarily disable certificate validation for a repository

Breaking Changes / Porting Guide

Module Python Dependency - Drop support for Python 2.6 in module execution.
Templating - it is no longer allowed to perform arithmetic and concatenation operations outside of the jinja template (#75587)
The finalize method is no longer exposed in the globals for use in templating.

Deprecated Features

ansible-core - Remove support for Python 2.6.
ansible-test - Remove support for Python 2.6.
ssh connection plugin option scp_if_ssh in favor of ssh_transfer_method.

Removed Features (previously deprecated)

Remove deprecated Templar.set_available_variables() method (#75828)
cli - remove deprecated ability to set verbosity before the sub-command (#75823)
copy - remove deprecated thirsty alias (#75824)
psrp - Removed fallback on put_file with older pypsrp versions. Users must have at least pypsrp>=0.4.0.
url_argument_spec - remove deprecated thirsty alias for get_url and uri modules (#75825, #75826)

Security Fixes

Do not include params in exception when a call to set_options fails. Additionally, block the exception that is returned from being displayed to stdout. (CVE-2021-3620)

Bugfixes

Add a YAML representer for NativeJinjaText
Add a YAML representer for NativeJinjaUnsafeText
AnsiballZ - Ensure we use the full python package in the module cache filename to avoid a case where collections: is used to execute a module via short name, where the short name duplicates another module from ansible.builtin or another collection that was executed previously.
Ansible.ModuleUtils.LinkUtil - Ignore the LIB environment variable when loading the LinkUtil code
Ansible.ModuleUtils.SID - Use user principal name as is for lookup in the Convert-ToSID function - #77316
Detect package manager for Amazon Linux 2022 (AL2022) as dnf
Ensure the correct environment_class is set on AnsibleJ2Template
Fix AttributeError when providing password file via --connection-password-file (#76530)
Fix end_play to end the current play only (#76672)
Fix collection filter/test plugin redirects (#77192).
Fix executing includes in the always section in the free strategy (#75642)
Fix for when templating empty template file resulted in file with string 'None' (#76610)
Fix help message for the 'ansible-galaxy collection verify' positional argument. The positional argument must be a collection name (#76087).
Fix module logging issue when using custom module on WSL2 (#76320)
Fix task debugger to work with run_once using linear strategy (#76049)
Fix traceback when installing a collection from a git repository and git is not installed (#77479).
Interpreter Discovery - Fallback to OS family if the distro is not found in INTERPRETER_PYTHON_DISTRO_MAP (#75560)
Interpreter discovery - Add RHEL to OS_FAMILY_MAP for correct family fallback for interpreter discovery (#77368)
Make include_role/include_tasks work with any_errors_fatal (#50897)
Parser errors from within includes should not be rescueable (#73657)
Prevent losing unsafe on results returned from lookups (#77535)
Templating - Ensure we catch exceptions when getting .filters and .tests attributes on their respective plugins and properly error, instead of aborting which results in no filters being added to the jinja2 environment
Trigger an undefined error when an undefined variable is detected within a dictionary and/or list (#75587)
_run_loop - Add the task name to the warning (#76011)
Templar.copy_with_new_env - set the finalize method of the new Templar object for the new environment (#76379)
add_host/group_by: fix using changed_when in a loop (#71627)
ansible - Exclude Python 2.6 from Python interpreter discovery.
ansible-config avoid showing _terms and _input when --only-changed.
ansible-doc - Fix ansible-doc -l ansible.builtin / ansible.legacy not returning anything
ansible-doc - ignore plugin deprecation warnings (#75671)
ansible-galaxy - Add galaxy_collection_skeleton/galaxy_collection_skeleton_ignore configuration options
ansible-galaxy - Fix using the '--ignore-certs' option when there is no server-specific configuration for the Galaxy server.
ansible-galaxy - installing/downloading collections with invalid versions in git repositories and directories now gives a formatted error message (#76425, #75404).
ansible-galaxy - when installing a role properly raise an error when inaccessible path is specified multiple times in roles_path (e.g. via environment variable and command line option) (#76316)
ansible-galaxy collection build - Ignore any existing MANIFEST.json and FILES.json in the root directory when building a collection.
ansible-galaxy collection verify - display files/directories not included in the FILES.json as modified content.
ansible-galaxy publish - Fix warning and error detection in import messages to properly display them in Ansible
ansible-pull handle case where hostname and nodename are empty
ansible-test - Add default entry for Windows remotes to be used with unknown versions.
ansible-test - All virtual environments managed by ansible-test are marked as usable after being bootstrapped, to avoid errors caused by use of incomplete environments. Previously this was only done for sanity tests. Existing environments from previous versions of ansible-test will be recreated on demand due to lacking the new marker.
ansible-test - Automatic target requirements installation is now based on the target environment instead of the controller environment.
ansible-test - Correctly detect when running as the root user (UID 0) on the origin host. The result of the detection was incorrectly being inverted.
ansible-test - Don't fail if network cannot be disconnected (#77472)
ansible-test - Fix Python real prefix detection when running in a venv virtual environment.
ansible-test - Fix windows-integration and network-integration when used with the --docker option and user-provided inventory.
ansible-test - Fix installation and usage of pyyaml requirement for the import sanity test for collections.
ansible-test - Fix path to inventory file for windows-integration and network-integration commands for collections.
ansible-test - Fix plugin loading.
ansible-test - Fix skipping of tests marked needs/python on the origin host.
ansible-test - Fix skipping of tests marked needs/root on the origin host.
ansible-test - Fix the import sanity test to work properly when Ansible's built-in vendoring support is in use.
ansible-test - Fix the validate-modules sanity test to avoid double-loading the collection loader and possibly failing on import of the packaging module.
ansible-test - Fix traceback in import sanity test on Python 2.7 when pip is not available.
ansible-test - Fix traceback in the validate-modules sanity test when testing an Ansible module without any callables.
ansible-test - Fix traceback when running from an install and delegating execution to a different Python interpreter.
ansible-test - Fix traceback when using the --all option with PowerShell code coverage.
ansible-test - Fix type hints.
ansible-test - Import yaml.cyaml.CParser instead of _yaml.CParser in the yamllint sanity test.
ansible-test - Limit paramiko installation to versions before 2.9.0. This is required to maintain support for systems which do not support RSA SHA-2 algorithms.
ansible-test - Pylint Deprecated Plugin - Use correct message symbols when date or version is not a float or str (#77085)
ansible-test - Relocate constants to eliminate symlink.
ansible-test - Replace the directory portion of out-of-tree paths in JUnit files from integration tests with the out-of-tree: prefix.
ansible-test - Sanity tests run with the --requirements` option for Python 2.x now install ``virtualenv when it is missing or too old. Previously it was only installed if missing. Version 16.7.12 is now installed instead of the latest version.
ansible-test - Set the pytest option --rootdir instead of letting it be auto-detected.
ansible-test - Show an error message instead of a traceback when running outside of a supported directory.
ansible-test - Target integration test requirements are now correctly installed for target environments running on the controller.
ansible-test - The import sanity test no longer reports errors about packaging being missing when testing collections.
ansible-test - Update distribution test containers to version 3.1.0.
ansible-test - Update help links to reference ansible-core instead of ansible.
ansible-test - Update unit tests to use the --forked option instead of the deprecated --boxed option.
ansible-test - Use https://ci-files.testing.ansible.com/ for instance bootstrapping instead of an S3 endpoint.
ansible-test - Use relative paths in JUnit files generated during integration test runs.
ansible-test - Use the correct variable to reference the client's SSH key when generating inventory.
ansible-test - Use the legacy collection loader for import sanity tests on target-only Python versions.
ansible-test - Virtual environments managed by ansible-test now use consistent versions of pip, setuptools and wheel. This avoids issues with virtual environments containing outdated or dysfunctional versions of these tools. The initial bootstrapping of pip is done by ansible-test from an HTTPS endpoint instead of creating the virtual environment with it already present.
ansible-test - fix a typo in validate-modules.
ansible-test - fixed support container failures (eg http-test-container) under podman
ansible-test compile sanity test - do not crash if a column could not be determined for an error (#77465).
ansible-test pslint - Fix error when encountering validation results that are highly nested - #74151
ansible-vault encrypt_string - fix --output option to correctly write encrypted string into given file (#75101)
ansible.builtin.file modification_time supports check_mode
ansible_facts.devices - Fix parsing of device serial number detected via sg_inq for rhel8 (#75420)
apt - fails to deploy deb file to old debian systems using python-apt < 0.8.9 (#47277)
arg_spec - Fix incorrect no_log warning when a parameter alias is used (#77576)
async - Improve performance of sending async callback events by never sending the full task through the queue (#76729)
catch the case that cowsay is broken which would lead to missing output
cleaning facts will now only warn about the variable name and not post the content, which can be undesireable to disclose
collection_loader - Implement 'find_spec' and 'exec_module' to override deprecated importlib methods 'find_module' and 'load_module' when applicable (#74660).
correctly inherit vars from parent in block (#75286).
default callback - Ensure we compare FQCN also in lockstep logic, to ensure using the FQCN of a strategy plugin triggers the correct behavior in the default callback plugin. (#76782)
distribution - add EuroLinux to fact gathering (#76624).
distribution - detect tencentos and gather correct facts on the distro.
dnf - ensure releasever is passed into libdnf as string (#77010)
extend timeout for ansible-galaxy when communicating with the galaxy server api, and apply it to all interactions with the api
facts - add support for deepin distro information detection (#77286).
first_found - fix to allow for spaces in file names (#77136)
gather_facts - Fact gathering now continues even if it fails to read a file
gather_facts action now handles the move of base connection plugin types into collections to add/prevent subset argument correctly
gather_facts/setup will not fail anymore if capsh is present but not executable
git module fix docs and proper use of ssh wrapper script and GIT_SSH_COMMAND depending on version.
git module is more consistent and clearer about which ssh options are added to git calls.
git module no longer uses wrapper script for ssh options.
hacking - fix incorrect usage of deprecated fish-shell redirection operators that failed to honor --quiet flag when sourced (#77180).
hostname - Do not require SystemdStrategy subclasses for every distro (#76792)
hostname - Fix Debian strategy KeyError, use SystemdStrategy (#76124)
hostname - Update the systemd strategy in the hostname module to not interfere with NetworkManager (#76958)
hostname - add hostname support for openEuler distro (#76619).
hostname - use file_get_content() to read the file containing the host name in the FileStrategy.get_permanent_hostname() method. This prevents a TypeError from being raised when the strategy is used (#77025).
include_vars, properly initialize variable as there is corner case in which it can end up referenced and not defined
inventory - parameterize disable_lookups in Constructable (#76769).
inventory manager now respects --flush-cache
junit callback - Fix traceback during automatic fact gathering when using relative paths.
junit callback - Fix unicode error when handling non-ASCII task paths.
module_utils.common.yaml - The SafeLoader, SafeDumper and Parser classes now fallback to object when yaml is not available. This fixes tracebacks when inheriting from these classes without requiring a HAS_YAML guard around class definitions.
parameters - handle blank values when argument is a list (#77108).
play_context now compensates for when a conneciton sets the default to inventory_hostname but skips adding it to the vars.
playbook/strategy have more informative 'attribute' based errors for playbook objects and handlers.
python modules (new type) will now again prefer the specific python stated in the module's shebang instead of hardcoding to /usr/bin/python.
replace - Always return rc to ensure return values are consistent - #71963
script - skip in check mode if the plugin cannot determine if a change will occur (i.e. neither creates or removes are provided).
service - Fixed handling of sleep arguments during service restarts on AIX. (#76877)
service - Fixed service restarts with arguments on AIX. (#76840)
service_facts module will now give more meaningful warnings when it fails to gather data.
set_fact/include_vars correctly handle delegation assignments within loops
setup - detect docker container with check for ./dockerenv or ./dockinit (#74349).
shell/command - only return changed as True if the task has not been skipped.
shell/command - only skip in check mode if the options creates and removes are both None.
ssh connection - properly quote controlpersist path given by user to avoid issues with spaces and other characters
ssh connection avoid parsing ssh cli debug lines as they can match expected output at high verbosities.
ssh connection now uses more correct host source as play_context can ignore loop/delegation variations.
sudo become plugin, fix handling of non interactive flags, previous substitution was too naive
systemd - check if service is alias so it gets enabled (#75538).
systemd - check if service is indirect so it gets enabled (#76453).
task_executor reverts the change to push facts into delegated vars on loop finalization as result managing code already handles this and was duplicating effort to wrong result.
template lookup - restore inadvertently deleted default for convert_data (#77004)
to_json/to_nice_json filters defaults back to unvaulting/no unsafe packing.
unarchive - Fix zip archive file listing that caused issues with content postprocessing (#76067).
unarchive - Make extraction work when the LANGUAGE environment variable is set to a non-English locale.
unarchive - apply owner and group permissions to top folder (#35426)
unarchive - include the original error when a handler cannot manage the archive (#28977).
unarchive - the io_buffer_size option added in 2.12 was not accepted by the module (#77271).
urls - Allow ca_path to point to a bundle containing multiple PEM certs (#75015)
urls/uri - Address case where HTTPError isn't fully initialized due to the error, and is missing certain methods and attributes (#76386)
user - allow password_expiry_min and password_expiry_min to be set to 0 (#75017)
user - allow password min and max to be set at the same time (#75017)
user - update logic to check if user exists or not in MacOS.
validate_argument_spec - Skip suboption validation if the top level option is an invalid type (#75612).
variablemanager, more efficient read of vars files
vault - Warn instead of fail for missing vault IDs if at least one valid vault secret is found.
winrm - Ensure kinit is run with the same PATH env var as the Ansible process
yum - prevent storing unnecessary cache data by running yum makecache fast (#76336)

Known Issues

get_url - document check_mode correctly with unreliable changed status (#65687).

Files

CHANGELOG-v2.13.rst

Latest commit

History

CHANGELOG-v2.13.rst

File metadata and controls

ansible-core 2.13 "Nobody's Fault but Mine" Release Notes