freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA
GNU General Public License v3.0

ipaclient: main.yml relies on setup: discovered facts without running setup: #695

Closed ewenmcneill closed 5 months ago

ewenmcneill commented 3 years ago

The roles/ipaclient/tasks/main.yml relies on Ansible discovered facts (to figure out which set of variables to load, for packages to install):

https://github.com/freeipa/ansible-freeipa/blob/90e8098bf4ad4272202c7d1a312f699de9b10f5e/roles/ipaclient/tasks/main.yml#L4-L17

without having ensured that those facts have been discovered / are still known.

In particular if included immediately after:

- meta: clear_facts

but possibly also if it's included as the only task, so the include_vars happens as the very first action, then the various discovered Ansible distribution variables are not available, which results in falling through to including the default variables.

The default variables are mostly the same, except for Debian.yml, which is used for Ubuntu, so falling through to the default variables "mostly works", except on Debian / Ubuntu, where using the default / RedHat-derived package naming results in:

TASK [ipaclient : Install - Ensure that IPA client packages are installed] ***************************************************************
fatal: [ipaclient2.example.com]: FAILED! => {"changed": false, "msg": "No package matching 'ipa-client' is available"}

because the actual Ubuntu package is freeipa-client, as per Debian.yml.

The work around for this is to force fact (re)discovery immediately:

- setup:

so that the variables are definitely set. And I'd suggest that be included at the top of at least roles/ipaclient/tasks/main.yml before relying on those variables being set. And/or a check on them not being set and a fatal: being generated instead.

FTR, I found this issue as fallout of the work around for an earlier issue with delegate_to Python interpreter discovery; see https://github.com/freeipa/ansible-freeipa/issues/688#issuecomment-977187355 for more background. (Where - meta: clear_facts is one of the known work arounds to force the delegate_to python interpreter to be re-discovered on older Ansible versions.) For now I've worked around this by adding a - setup: immediately below my - meta: clear_facts, so that at the point the ipaclient role is included just the facts from the current target should be known, not the others from previous step's delegate_to hosts.

Ewen

ewenmcneill commented 5 months ago

Closing issue, since using - meta: clear_facts is an edge case (only necessary in a specific client setup due to conflicting variable names). Given no one else has commented on this, or done anything about it in the last couple of years, it's probably not worth keeping open. (And for the client with the issue, I deployed a work around by forcing - setup: to run explicitly before including the IPA Client roles.)

Ewen
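
The workaround and the suggested guard from this thread, written out as one playbook. This is an added example, not code from the ansible-freeipa repository or from the issue author; the `ipaclients` inventory group and the wording of the failure message are assumptions.

```yaml
---
# Added example: re-gather facts after clear_facts and fail early if the
# distribution facts are still missing, instead of letting the role fall
# through to the default (RedHat-style) package names.
# Assumption: the inventory has a group called "ipaclients".
- name: Enrol IPA clients with distribution facts guaranteed
  hosts: ipaclients
  become: true
  gather_facts: false          # facts are gathered explicitly below

  pre_tasks:
    # The edge case from the issue: facts cached from earlier
    # delegate_to hosts are dropped here.
    - name: Drop previously cached facts
      meta: clear_facts

    # The workaround from the issue: force fact (re)discovery so the
    # distribution variables exist before the role selects its vars file.
    - name: Re-gather facts for the current target
      setup:

    # The suggested check: stop with a clear error rather than a later
    # "No package matching 'ipa-client' is available" on Debian / Ubuntu.
    - name: Verify distribution facts are present
      assert:
        that:
          - ansible_facts['distribution'] is defined
          - ansible_facts['os_family'] is defined
          - ansible_facts['distribution_major_version'] is defined
        fail_msg: >-
          Distribution facts are missing on {{ inventory_hostname }};
          run setup before including the ipaclient role.

  roles:
    - role: ipaclient
      state: present
```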