Bug 1733034
| Summary: | Vulnerability Remediation Playbook gives error when running in Ansible Check Mode | | |
|---|---|---|---|
| Product: | Red Hat Hybrid Cloud Console (console.redhat.com) | Reporter: | Nikhil Gupta <ngupta> |
| Component: | Vulnerability | Assignee: | Jaylin Zhou <zzhou> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Jaylin Zhou <zzhou> |
| Severity: | low | Docs Contact: | Kevin Blake <kblake> |
| Priority: | unspecified | | |
| Version: | unspecified | CC: | dajohnso, jnewton, robwilli, tlestach |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-08-20 15:06:12 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Closing as CURRENTRELEASE as the associated Jira has been resolved.
Description of problem:

When running the Ansible Vulnerability Remediation Playbook in Ansible 'Check Mode', getting the following error:

Example BEFORE (original) Playbook:

~~~
- name: update vulnerable packages
  hosts: "abc.example.com"
  become: true
  tasks:
    - name: check for update
      shell: "{{ ansible_facts['pkg_mgr'] }} check-update -q --cve CVE-2019-11478"
      register: check_out
      failed_when: check_out.rc != 0 and check_out.rc != 100
      args:
        warn: false
~~~

~~~
# ansible-playbook remediate_vul.yml --check
{ "msg": "The conditional check 'check_out.rc == 100' failed. The error was: error while evaluating conditional (check_out.rc == 100): 'dict object' has no attribute 'rc'\n\nThe error appears to be in '/var/lib/awx/projects/testing/remediate_vul.yml': line 28, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n - when: check_out.rc == 100\n ^ here\n", "_ansible_no_log": false }
~~~

This is due to the previous task "check for update" not being executed in Ansible Check Mode. Therefore there is no Return Code generated. Return Code 100 (rc == 100) is needed for the next task "upgrade package" to run with the conditional "when: check_out.rc == 100". This results in the Playbook terminating with the previously mentioned error.

How reproducible:

Always

Steps to Reproduce:

1. Download Vulnerability remediation playbook from Insights portal for a host
2. Run it in check mode as "ansible-playbook remediate_vul.yml --check"

Actual results:

Received following error:

~~~
{ "msg": "The conditional check 'check_out.rc == 100' failed. The error was: error while evaluating conditional (check_out.rc == 100): 'dict object' has no attribute 'rc'\n\nThe error appears to be in '/var/lib/awx/projects/testing/remediate_vul.yml': line 28, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n - when: check_out.rc == 100\n ^ here\n", "_ansible_no_log": false }
~~~

Expected results:

Playbook should run smoothly and not terminate with errors in ansible check mode.

Additional info:

To get the Playbook to execute successfully even in Check Mode, I recommend adding "check_mode: no" to the "check for update" task. This forces the task to execute even when running the Playbook in check mode and give Return Code 100 to allow the next task to execute. This task is not making changes anyway and is safe. This also allows the Playbook to run smoothly and not terminate with errors.

Example AFTER (proposed change) Playbook:

~~~
- name: update vulnerable packages
  hosts: "abc.example.com"
  become: true
  tasks:
    - name: check for update
      shell: "{{ ansible_facts['pkg_mgr'] }} check-update -q --cve CVE-2019-11478"
      check_mode: no
      register: check_out
      failed_when: check_out.rc != 0 and check_out.rc != 100
      args:
        warn: false
~~~
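
The following playbook is an added illustration, not part of the original report and not the playbook generated by Insights. It combines the proposed `check_mode: no` with a guard on the follow-up task, so that the conditional cannot fail on a missing `rc` even if the check task is skipped. The "report pending fix" task and the command in "upgrade package" are assumptions, since the report only quotes that task's `when:` line.

```yaml
# Added illustration; constructed, not the playbook generated by Insights.
- name: update vulnerable packages
  hosts: "abc.example.com"
  become: true
  tasks:
    - name: check for update
      # Read-only query, so it is allowed to run under --check as well.
      command: "{{ ansible_facts['pkg_mgr'] }} check-update -q --cve CVE-2019-11478"
      check_mode: no
      register: check_out
      # check-update exits 100 when updates are available and 0 when none are.
      failed_when: check_out.rc != 0 and check_out.rc != 100
      # A query never changes the host, so never report it as a change.
      changed_when: false

    - name: report pending fix
      # Hypothetical task: shows under --check which hosts still need the fix.
      debug:
        msg: "CVE-2019-11478 fix pending on {{ inventory_hostname }}"
      # default(0) keeps the expression valid when 'rc' was never registered.
      when: check_out.rc | default(0) == 100

    - name: upgrade package
      # Assumed command; the report only quotes this task's 'when:' line.
      command: "{{ ansible_facts['pkg_mgr'] }} update -y --cve CVE-2019-11478"
      # Testing for the attribute first avoids
      # "'dict object' has no attribute 'rc'" if the check task was skipped.
      when:
        - check_out.rc is defined
        - check_out.rc == 100
```

Under `--check` the query still runs and the debug task lists affected hosts, while the upgrade command itself is skipped because the `command` module does not execute in check mode.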