Bug 1733034 - Vulnerability Remediation Playbook gives error when running in Ansible Check Mode
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Hybrid Cloud Console (console.redhat.com)
Classification: Red Hat
Component: Vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
unspecified
low
Target Milestone: ---
: ---
Assignee: Jaylin Zhou
QA Contact: Jaylin Zhou
Kevin Blake
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-07-25 04:58 UTC by Nikhil Gupta
Modified: 2019-11-01 03:50 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-20 15:06:12 UTC
Target Upstream Version:
Embargoed:



Description Nikhil Gupta 2019-07-25 04:58:22 UTC
Description of problem:

When running the Ansible Vulnerability Remediation Playbook in Ansible 'Check Mode', the following error occurs:

Example BEFORE (original) Playbook:
~~~
- name: update vulnerable packages
  hosts: "abc.example.com"
  become: true
  tasks:
    - name: check for update
      shell: "{{ ansible_facts['pkg_mgr'] }} check-update -q --cve CVE-2019-11478"
      register: check_out
      failed_when: check_out.rc != 0 and check_out.rc != 100
      args:
        warn: false
~~~

~~~
# ansible-playbook remediate_vul.yml --check

{
    "msg": "The conditional check 'check_out.rc == 100' failed. The error was: error while evaluating conditional (check_out.rc == 100): 'dict object' has no attribute 'rc'\n\nThe error appears to be in '/var/lib/awx/projects/testing/remediate_vul.yml': line 28, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n    - when: check_out.rc == 100\n      ^ here\n",
    "_ansible_no_log": false
}
~~~


This is due to the previous task "check for update" not being executed in Ansible Check Mode. Therefore there is no Return Code generated. Return Code 100 (rc == 100) is needed for the next task "upgrade package" to run with the conditional "when: check_out.rc == 100". This results in the Playbook terminating with the previously mentioned error.


How reproducible:
Always

Steps to Reproduce:
1. Download Vulnerability remediation playbook from Insights portal for a host
2. Run it in check mode as "ansible-playbook remediate_vul.yml --check"


Actual results:
Received the following error:
~~~
{
    "msg": "The conditional check 'check_out.rc == 100' failed. The error was: error while evaluating conditional (check_out.rc == 100): 'dict object' has no attribute 'rc'\n\nThe error appears to be in '/var/lib/awx/projects/testing/remediate_vul.yml': line 28, column 7, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n    - when: check_out.rc == 100\n      ^ here\n",
    "_ansible_no_log": false
}
~~~

Expected results:
Playbook should run smoothly and not terminate with errors in ansible check mode.

Additional info:

To get the Playbook to execute successfully even in Check Mode, I recommend adding "check_mode: no" to the "check for update" task.

This forces the task to execute even when running the Playbook in check mode and gives Return Code 100 to allow the next task to execute. This task is not making changes anyway and is safe. This also allows the Playbook to run smoothly and not terminate with errors.


Example AFTER (proposed change) Playbook:
~~~
- name: update vulnerable packages
  hosts: "abc.example.com"
  become: true
  tasks:
    - name: check for update
      shell: "{{ ansible_facts['pkg_mgr'] }} check-update -q --cve CVE-2019-11478"
      check_mode: no
      register: check_out
      failed_when: check_out.rc != 0 and check_out.rc != 100
      args:
        warn: false
~~~
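A complete play built around the proposed change, added here as an illustration; it is neither the reporter's playbook nor the one generated by Insights. It assumes the "upgrade package" task the report mentions is a shell call to the same package manager with `update --cve`, and it adds `changed_when: false` (not in the report) so the read-only probe is not reported as a change. `check_mode: false` is the same YAML boolean as the report's `check_mode: no`.

```yaml
# Added example (not the reporter's playbook and not the Insights-generated one).
# Assumptions: the host pattern and CVE id are placeholders; the package manager
# is yum or dnf, where "check-update" exits 100 when updates are available,
# 0 when there are none, and anything else on error.
- name: update vulnerable packages
  hosts: "abc.example.com"
  become: true
  tasks:
    - name: check for update
      shell: "{{ ansible_facts['pkg_mgr'] }} check-update -q --cve CVE-2019-11478"
      register: check_out
      # Run even under --check: this task only reads package metadata, and the
      # later tasks need check_out.rc to exist.
      check_mode: false
      # A read-only probe should never be reported as a change.
      changed_when: false
      failed_when: check_out.rc not in [0, 100]

    - name: report pending update
      # debug runs in check mode, so a --check run still shows what would change.
      debug:
        msg: "Update for CVE-2019-11478 is available:\n{{ check_out.stdout }}"
      when: check_out.rc == 100

    - name: upgrade package
      # Assumed upgrade command (not shown in the report). shell does not
      # support check mode, so under --check this task is skipped and the
      # pending update is reported without being applied.
      shell: "{{ ansible_facts['pkg_mgr'] }} update -y --cve CVE-2019-11478"
      when: check_out.rc == 100
```

Running this with `ansible-playbook remediate_vul.yml --check` executes the probe, prints the pending update if rc is 100, and skips the upgrade; running it without `--check` applies the update on the same condition.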

Comment 2 Tomas Lestach 2019-08-20 15:06:12 UTC
Closing as CURRENTRELEASE as the associated Jira has been resolved.

