The tilde expansion doesn't work with templates

[romainrichard]

Issue Type:

Bug Report

Ansible Version:

1.6.3 and 1.7.1

Environment:

Ubuntu 14.04

Summary:

When inside a template, the tilde expansion doesn't seem to work correctly.

Steps To Reproduce:

Here's the contents of the playbook:

romain:~/workspace/it_ansible_check_issue $ tree
.
├── copy.yml
└── roles
    └── copy
        ├── tasks
        │   └── main.yml
        └── templates
            └── template.j2

4 directories, 3 files

romain:~/workspace/it_ansible_check_issue $ cat copy.yml 

---
- name: copy template to servers
  hosts: all
  roles:
    - copy

romain:~/workspace/it_ansible_check_issue $ cat roles/copy/tasks/main.yml 
# copy/tasks/main.yml

---
- name: copy template to host (tilde)
  template: >
    src=template.j2
    dest=~romain/template_tilde

- name: copy template to host (slash)
  template: >
    src=template.j2
    dest=/home/romain/template_slash

romain:~/workspace/it_ansible_check_issue $ cat roles/copy/templates/template.j2 
test

Here's what happens when running the playbook without --check:

romain:~/workspace/it_ansible_check_issue $ ansible-playbook copy.yml -i localhost,

PLAY [copy template to servers] *********************************************** 

GATHERING FACTS *************************************************************** 
ok: [localhost]

TASK: [copy | copy template to host (tilde)] ********************************** 
ok: [localhost]

TASK: [copy | copy template to host (slash)] ********************************** 
ok: [localhost]

PLAY RECAP ******************************************************************** 
localhost                  : ok=3    changed=0    unreachable=0    failed=0

Here's what happens when running the playbook with --check:

romain:~/workspace/it_ansible_check_issue $ ansible-playbook copy.yml -i localhost, --check

PLAY [copy template to servers] *********************************************** 

GATHERING FACTS *************************************************************** 
ok: [localhost]

TASK: [copy | copy template to host (tilde)] ********************************** 
changed: [localhost]

TASK: [copy | copy template to host (slash)] ********************************** 
ok: [localhost]

PLAY RECAP ******************************************************************** 
localhost                  : ok=3    changed=1    unreachable=0    failed=0

Expected Results:

Running the playbook with or without the --check option shows the same number of changes.

Actual Results:

Running the playbook with --check option shows changes that don't happen when the playbook is run without it.

[skmoen]

Ok, so what is happening is the template module/plugin is failing to expand the tilde when it connects to the remote to md5 the file, and therefore (in both the normal and --check case) it is assuming the file does not exist on the remote and is acting accordingly. In the normal case it is irrelevant because the copy module appears to still be doing the right thing (eg, it tries to do the file copy, and returns the correct changed based on whether the file was updated). In the case of --check it automatically assumes it is changed (since it thinks there is no file on the remote) and returns changed=True.

playbook:

- name: copy authorized key template to host
  template: >
    src=authorized_keys.j2
    dest=~{{key_user}}/.ssh/authorized_keys

action_plugins/template.py:

    local_md5 = utils.md5s(resultant)
    remote_md5 = self.runner._remote_md5(conn, tmp, dest)  # returns '1', file not found
    if local_md5 != remote_md5:
        ....
        if self.runner.noop_on_check(inject):
            return ReturnData(conn=conn, comm_ok=True, result=dict(changed=True), diff=dict(before_header=dest, after_header=source, before=dest_contents, after=resultant))
        else:
            res = self.runner._execute_module(conn, tmp, 'copy', module_args_tmp, inject=inject, complex_args=complex_args)

As best I can tell, the path isn't being expanded because the path string is being escaped prior to forming the command to md5 the file here:

shell_plugins/sh.py:

    def md5(self, path):
        path = pipes.quote(path)  # this quotes the path string, preventing the tilde from being expanded

If I comment out the line that quotes the path, then everything works fine. Ideally we'd use something like os.path.expanduser to interpret the tilde, but this code is running on the deploy box, not the remote, so that won't work.

Is it safe to just not quote the path? I'm sure it's there for security reasons. Do we need to implement something more fancy to either determine the expanded path ahead of time or approach the md5 process differently altogether?

[skmoen]

FYI we are currently working around this by using the home field from the user module.

- user: user={{key_user}}
  register: user_info

- template: >
    src=authorized_keys.j2
    dest={{user_info.home}}/.ssh/authorized_keys

[mpdehaan]

Hi!

Thanks very much for your interest in Ansible. It sincerely means a lot to us.

On September 26, 2014, due to enormous levels of contribution to the project Ansible decided to reorganize module repos, making it easier
for developers to work on the project and for us to more easily manage new contributions and tickets.

We split modules from the main project off into two repos, http://github.com/ansible/ansible-modules-core and http://github.com/ansible/ansible-modules-extras

If you would still like this ticket attended to, we will need your help in having it reopened in one of the two new repos, and instructions are provided below.

We apologize that we are not able to make this transition happen seamlessly, though this is a one-time change and your help is greatly appreciated --
this will greatly improve velocity going forward.

Both sets of modules will ship with Ansible, though they'll receive slightly different ticket handling.

To locate where a module lives between 'core' and 'extras'

• Find the module at http://docs.ansible.com/list_of_all_modules.html
• Open the documentation page for that module
• If the bottom of the docs say "This is an extras module", submit your ticket to https://github.com/ansible/ansible-modules-extras
• Otherwise, submit your pull request to update the existing module to https://github.com/ansible/ansible-modules-core
• action_plugins (modules with server side components) still live in the main repo. If your ticket affects both, open the ticket
  on the module repo just the same.

Additionally, should you need more help with this, you can ask questions on:

• the ansible-project mailing list: https://groups.google.com/forum/#!forum/ansible-project

Thank you very much!