#ansible-meeting log

19:00:50 <Shrews> #startmeeting Ansible Core Public IRC Meeting
19:00:50 <zodbot> Meeting started Tue Nov 10 19:00:50 2020 UTC.
19:00:50 <zodbot> This meeting is logged and archived in a public location.
19:00:50 <zodbot> The chair is Shrews. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:50 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
19:00:50 <zodbot> The meeting name has been set to 'ansible_core_public_irc_meeting'
19:00:56 <Shrews> #chair mattclay
19:00:56 <zodbot> Current chairs: Shrews mattclay
19:00:59 * mattclay waves
19:01:05 <Shrews> #info Agenda: https://github.com/ansible/community/issues/570
19:01:14 <sdoran> o/
19:01:15 <Shrews> who wants to discuss ansible type things today?
19:01:29 <nitzmahone> o/
19:01:49 <bcoca> no, nones, niente, niet
19:01:50 <bcoca> done
19:02:04 <Stas55> Hi
19:02:11 * bcoca waves
19:02:15 <Shrews> o/
19:02:24 <Shrews> #topic Add filter dict
19:02:30 <Shrews> #link https://github.com/ansible/ansible/pull/72413
19:02:41 <Shrews> is this yours Stas55 ?
19:02:49 <bcoca> not really against, since i see a use for map/select/reject combos, but overlaps with dict() function already in jinja
19:02:51 <Stas55> Mine. Thanks
19:03:21 <bcoca> but also question why not push to collection
19:04:33 <Shrews> Yes, the name would overlap. Is there an existing collection where this might fit, as an alternative to core?
19:04:44 <Shrews> maybe c.g?
19:05:23 <mattclay> If it goes into a collection, `community.general` does seem appropriate.
19:05:52 <Stas55> As to me this feels more like a code feature. Regarding the name, the reason I made it dict is because I tried to use dict multiple times (intuitively) and every time was surprised that dict is a function and cannot be used as a filter.
19:06:02 <Stas55> s/code/core/
19:06:20 <bcoca> well, its a jinja2 thing, not really core
19:06:28 <bcoca> dict() function is built in
19:07:03 <sdoran> I have long thought Jinja should have a `dict` filter.
19:07:17 <bcoca> i dont disagree, but there is a conflict in the name
19:07:31 <sivel> I recommended on the issue to call it dict_kv
19:07:44 <sivel> since it's got a different signature as well
19:08:09 <Stas55> initially I used `dict` function for this filter exactly
19:08:19 <sivel> actually seems move like dict_vk
19:08:23 <Stas55> then I realized that there is no point as it cannot take more arguments
19:08:37 <bcoca> but then we also have things like zip that overlap with this functionality
19:08:39 <nitzmahone> Plus while we can usually get away with a filter/func name conflict, it's probably not a good idea to create one purposely
19:08:46 <sivel> dict_vk(value, key) => {key: value}
19:09:11 <bcoca> sivel: more like  value|dict_vk(key)
19:09:28 <sivel> bcoca: yeah, I get that, was more expressing order of params
19:09:31 <bcoca> as stand alone its not really usefule, only in map context
19:09:42 <bcoca> as dict(key,value) already works
19:10:06 <felixfontein> darn, it's already past 19:00 UTC
19:10:26 <Shrews> yeah, the standalone version is rather unuseful
19:10:43 <bcoca> now that i think of it existing dict() + zip  already cover this case
19:11:04 <sivel> the `map` case is complicated though
19:11:05 <bcoca> dict(keys|zip(values))
19:11:08 <Stas55> quite not intuitive though
19:11:17 <bcoca> ^ no need for map, zip takes care of iteration
19:11:24 <sivel> bcoca: true
19:11:40 <bcoca> for 'fun' you can stil lhave map/select/reject feed zipo
19:11:55 <bcoca> dict( stuff|map(...)|zip(values))
19:11:59 <sivel> I think overall I'm -1 on this, and bcoca just pushed me over from -0.5
19:12:04 <nitzmahone> ditto
19:12:34 <bcoca> ^ just came to me .. need to check if we have example in data manip doc
19:13:17 <bcoca> also slice .. which we have example of
19:13:20 <Shrews> Stas55: any thoughts on the suggested alternative from bcoca?
19:13:24 <Stas55> > dict(keys|zip(values)) - also, how would we use it in the middle of a filter pipeline?
19:13:42 <bcoca> https://docs.ansible.com/ansible/latest/user_guide/complex_data_manipulation.html#create-dictionary-from-list
19:13:49 <bcoca> Stas55: above i show putting map in middle
19:14:08 <bcoca> though you can use it in any part
19:14:09 <felixfontein> regarding the name, I wouldn't use dict for this, but something more expressive. mainly to avoid burning the name dict for a filter
19:14:10 <Shrews> though there is a bug in that documenation
19:14:29 <bcoca> Shrews: list is redundant, but not really a bnug
19:14:35 <bcoca> also PR exists
19:14:51 <Shrews> bcoca: it should be `dict(single_list | slice(2))
19:14:53 <Shrews> `
19:15:19 <Shrews> it was the first issue from triage today (a doc PR)
19:16:13 <Stas55> How would you do something like "myservers | map('dict', 'server')" ?
19:17:45 <bcoca> zip_longest and use 'server' as filler
19:17:52 <Stas55> Here is an actual place where we are using it:
19:17:54 <Stas55> postgresql_pg_hba_default: "{{ postgresql_pg_hba_static + (pg_cluster_masters + pg_cluster_slaves) | map('extract', hostvars, 'ansible_host') | product(['/32']) | map('join') | map('sbi_dict', 'address') | map('combine', hba_replication_template) | list }}"
19:18:01 <Stas55> see "sbi_dict"
19:18:30 <sivel> there's also nothing from preventing this from being shipped in a collection, or kept as a custom private filter
19:18:50 <bcoca> well, but that is not for discussion here
19:18:57 <bcoca> here we only discuss if accepting into core
19:19:01 <Shrews> yeah, i'm leaning toward suggesting a collection now
19:19:16 <bcoca> and i think we are pretty much all leaning to same answer
19:19:42 <nitzmahone> There are innumerable special-case utility things for Jinja that come up, and we've historically been inconsistent about which random ones we accept into core and which ones we don't, but with collections, it's probably better to let things like this soak somewhere
19:19:45 <Stas55> pushing to collections + renaming?
19:20:21 <Shrews> ok, i think we have a majority on this one. Stas55, yes, i would suggest proposing to `community.general` or a private collection
19:20:23 <nitzmahone> You've got the primary `community.general` maintainer in the room right now, maybe see what he thinks? ;)
19:21:01 <bcoca> i would move on to next topic, since that detail can be discussed elsewhere and/or durign community meetings
19:21:08 <nitzmahone> +1
19:21:11 <Shrews> #agreed rejecting 72413 for inclusion in core, propose pushing to a collection
19:21:22 <Shrews> #topic hosts: reference parent groups from children (makes copy/pastes easy)
19:21:30 <bcoca> #info zip filters can mostly do same
19:21:49 <Shrews> #chair bcoca
19:21:49 <zodbot> Current chairs: Shrews bcoca mattclay
19:21:50 <nitzmahone> I wasn't clear on what the ask was here
19:22:01 <bcoca> yeah, what does 'reference' mean in this context
19:22:12 <bcoca> and what are you copy/pasting?
19:22:30 <Shrews> Stas55: care to elaborate a bit?
19:22:39 <Stas55> right now we can specify children in definitions of host groups
19:23:10 <Stas55> the problem is that every time I create a new group I have to go back to the parent one and add another children
19:23:26 <Stas55> it would be useful to be able to say "here is your parent"
19:23:31 <Stas55> or parents
19:23:46 <bcoca> that depends on which inventory plugin you are using, easy to accomplish with custom one
19:24:04 <bcoca> each one uses slightly diff way of referencing the relationship
19:24:29 <bcoca> ini, yaml and toml do 'mostly' work as you say but with diff sections depending on where you define
19:25:06 <Stas55> > ini, yaml and toml do 'mostly' work as you say but with diff sections depending on where you define
19:25:14 <Stas55> With the default inventory plugin?
19:25:19 <Stas55> I'm not sure what you mean
19:25:22 <bcoca> all of the above + auto
19:25:32 <bcoca> there is no ONE plugin
19:25:37 <bcoca> + script .. almost forgot
19:25:53 <Stas55> I see. I guess I need to explore this more.
19:26:07 <bcoca> default: ['host_list', 'script', 'auto', 'yaml', 'ini', 'toml']
19:26:14 <bcoca> ^ also for got host_list
19:27:21 <Shrews> ok, so Stas55 can explore a custom inventory plugin a bit to see if it will work
19:27:53 <Shrews> #agreed suggest looking into a custom inventory plugin and research existing plugins
19:28:01 <Shrews> #topic Empty value of --limit should raise an error (or at least be no-op)
19:28:11 <bcoca> hmm, its already a noop
19:28:18 <bcoca> ansible -m debug -i localhost, --limit '' all
19:28:23 <bcoca> 'works'tm
19:29:03 <Stas55> Were were hit badly by this one when running ansible-playbook someplay.yml --limit "$host"
19:29:17 <Stas55> if host is empty it runs for all hosts
19:29:21 <Stas55> at least in ansible 2.9
19:29:22 <bcoca> yes
19:29:29 <bcoca> that is what 'noop' means, limit is ignored
19:29:32 <bcoca> if empty
19:29:57 <Shrews> yeah, i don't see us changing that
19:29:59 <nitzmahone> Sounds like the ask is to distinguish "not specified" from "empty string"
19:30:13 <nitzmahone> but yeah, that'd almost certainly require deprecation period
19:30:15 <Stas55> right
19:30:27 <bcoca> empty string is 'valid limit' for many cases , i can point to many others that depend on that behaviour
19:30:29 <nitzmahone> (and not sure if it's even what we want, I'm sure *someone* is using that as a feature)
19:30:38 <Shrews> ^ this
19:30:41 <bcoca> use -e to avoid 'empty vars' in your scripts if that is a requirement
19:30:49 <bcoca> nitzmahone: many other projects that depend on us
19:31:38 <nitzmahone> and thennnn?
19:31:41 <bcoca> Stas55: if you cannot control at script level, you could always add an 'assert task' at top of play to ensure limit was not empty
19:32:16 <Stas55> no as I know I do this exactly, it's easy do make this mistake though
19:32:20 <bcoca> assert: that: ansible_limit is defined and true
19:32:29 <Stas55> I understand why you would want to keep it this way now
19:32:41 <Stas55> as somebody may depend on it
19:32:46 <bcoca> s/may/does/
19:32:51 <Stas55> I see
19:32:58 <Shrews> #agreed empty `limit` is valid and likely relied on by others. Suggest external validation for empty vars supplied to it.
19:33:12 <Shrews> #topic Playbooks: Inventory variables should override playbook lever variables by default
19:33:20 <Shrews> #link https://github.com/ansible/ansible/issues/63668
19:33:21 <bcoca> #info ansible_limit var is avaiable to play
19:33:59 <bcoca> no, this goes against the established precedence every ansible user already relies on
19:34:27 <Stas55> > every ansible user already relies on
19:34:32 <bcoca> this is why there is a  connection varaibles > play keywords precedence, but need to allow for play still to override, why play vars > inventory vars
19:35:11 <bcoca> example, overriding a task to force using root to login for setting up common user vars: asnbile_user: root, while ansible_user is specified in group_vars/all.yml as the 'general user'
19:35:45 <Stas55> do people actually rely on this? When searching found quite a few messages of being surprised by the default behaviour
19:35:50 <bcoca> ansible_user > remote_user as 'hosts might have specific needs', but having play being able to override ansible_user for specific cases is also needed
19:36:06 <Stas55> every newcomer to ansible does the same mistake also (from my experience)
19:36:13 <sivel> This precendence has been in place for years, and we cannot just change it because a few people have had some misunderstandings
19:36:15 <nitzmahone> guaranteed there are people relying on it
19:36:25 <bcoca> Stas55:  its because not everyone has homogeneous contexts, otherwise it would not be needed
19:37:18 <bcoca> but since people have heterogeneous servers and services .. we need a variety of precedences to approach hosts, if we did as you ask, there would be no way to 'bootsrap the common user' .. if it is set in inventory .. cause you would need all machines to already have it
19:38:22 <Stas55> understood
19:39:03 <Shrews> anything else on this topic then?
19:39:43 <sivel> Don't think so
19:39:48 <Stas55> fine for now
19:40:07 <nitzmahone> Next one is "custom callback plugin"
19:40:09 <Shrews> #info one reason for this long established var precedence is to bootstrap the common user
19:40:17 <Shrews> #topic Allow custom success/failure message (should work with no_log: true)
19:40:26 <bcoca> fail/assert modules allow this also
19:40:40 <bcoca> depending on what you mean by custom success/failure msg
19:40:50 <Stas55> How do this in a loop?
19:40:52 <bcoca> most actions return their own message
19:41:28 <bcoca> we just pass them through and add 'status' and 'host' most of time
19:41:48 <bcoca> Stas55: an example of what you want to do might be needed
19:41:51 <nitzmahone> customizing the output generally is done through a custom default callback plugin- you can just subclass the builtin one and hack up whatever you want
19:42:05 <Stas55> for example when I run a shell command in a loop it would result in the whole command being printed on error (which may include creds sometimes)
19:42:28 <Stas55> I'd want to hide the output but print some part of the item I'm iterating on
19:42:35 <Stas55> like lable=...
19:42:49 <Stas55> but label doesn't work with no_log: true
19:43:05 <bcoca> ignore_errors and use no_log, then use register var in assert/fail task behind it that iterates over results and gives out specific info
19:43:06 <nitzmahone> (another case for looped blocks w/ task+no_log and a following debug task, but I digress ;) )
19:43:28 <nitzmahone> you could do it today with a looped include, but it's a little messy
19:43:29 <bcoca> no need for loop blocks
19:43:41 <bcoca> just 2 tasks
19:43:58 <nitzmahone> yeah, I guess if you want to loop over the output again that could work too
19:44:16 <bcoca> simpler than looped include
19:44:26 <Stas55> it is getting messy when having lots of loops
19:44:56 <Stas55> though this similar to what we do now
19:44:58 <bcoca> can be, but not really designed around uncontrolled output from tasks, mostly rely on actions/modules to take care of the filtering
19:45:03 <nitzmahone> this might be one where register projections could help a bit too
19:45:09 <bcoca> using 'shell' in that way is not somethign we expect
19:45:30 <bcoca> nitzmahone: not really, would still need 2 tasks
19:45:37 <bcoca> and no_log/ignore errors on first
19:45:40 <Stas55> another example is looping over huge dicts
19:46:02 <Stas55> I would want to hide the whole dict but print only a small label
19:46:12 <bcoca> loop_control: label
19:46:14 <bcoca> already exists
19:46:40 <Stas55> the dict appears with a single -v iirc
19:46:40 <sivel> It doesn't sound like we're going to add any generic success_msg/failure_msg for tasks though. So I'm not sure we really need to continue the discussion here for what existing options can be used
19:46:54 <bcoca> -v means you WANT verbose ... we dont hide it in that case
19:46:56 <Stas55> if I add no_log - label doesn't work anymore
19:47:11 <bcoca> we dont have '-v_except_this_case'
19:47:31 <bcoca> no, since no_log is for security, not for minimizing output
19:47:39 <Stas55> is there a good reason to hide labels on no_log?
19:47:41 <bcoca> it will clobber ALL of it since there might be sensitive info
19:47:50 <bcoca> yes, label can expose sensitive data
19:47:58 <nitzmahone> (we've had CVEs on it before)
19:48:06 <bcoca> since its a jinja2 expresion
19:48:10 <nitzmahone> no_log is the bane of our existence
19:48:24 <Shrews> i agree with sivel. we should move on to the next topic. sounds like we can continue discussing in #ansible-devel
19:48:28 <bcoca> well, security is .. no_log is just one of the linchpins of security
19:49:03 <Shrews> #topic Roles: A variable should not be passed to a role unless specified in a “spec” file
19:49:10 <nitzmahone> Last one seems like a misunderstanding of how/why vars work in Ansible
19:49:28 <bcoca> roles inherit vars, they are not 'passed'
19:49:47 <sivel> when roles are parsed, everything from a role gets injected into the play
19:49:48 <bcoca> every object in herits from teh object it is contained in  play > roles > blocks > tasks
19:49:52 <sivel> roles are not self contained
19:49:59 <sivel> so a role basically disappears, and it's contents become direct parts of the play
19:50:08 <sivel> so it's all play scoped really
19:50:39 <nitzmahone> If we made that change, all connections would stop working in vars unless they were also passed explicitly
19:50:48 <nitzmahone> s/vars/roles/
19:50:56 <bcoca> ^ i have pr that did that .. .broke everything
19:50:59 <nitzmahone> (and numerous other things)
19:50:59 <Stas55> the thinking here was to "force" role creators somehow listing all possible variables in one place (e.g. defaults/)
19:51:09 <nitzmahone> That's what role argspec will do
19:51:11 <bcoca> Stas55: we have a role_spec project
19:51:19 <sivel> Stas55: we are working on a new feature called role arg spec, which will be included in 2.11
19:51:20 <bcoca> that does not 'force' but 'encourage'
19:51:25 <nitzmahone> It's not a matter of "force", but document/verify what's spec'd
19:51:28 <nitzmahone> yep
19:52:03 <Shrews> Stas55: you can see some smallish examples of role arg spec here: https://github.com/ansible/ansible/pull/72120
19:52:26 <Stas55> nice!
19:52:43 <Stas55> this would work
19:52:52 <Shrews> great
19:52:56 <nitzmahone> cool, sounds like we can sign you up to betatest 2.11 ;)
19:53:00 <Shrews> feedback welcome on that too
19:53:16 <Shrews> let's move to the last topic then...
19:53:22 <felixfontein> are role args considered for being backported to 2.9/2.10?
19:53:32 <nitzmahone> almost certainly not
19:53:36 <Stas55> We'll definitely have a look at this
19:53:43 <Shrews> #topic update on internal `plugin_utils` discussion
19:53:48 <Shrews> @nitzmahone go!
19:53:58 <nitzmahone> So we discussed this internally last week- to recap the original ask:
19:54:51 <nitzmahone> felixfontein was asking for a place to put shared non-module code in a collection (eg shared between plugins) that wouldn't be subject to the module_utils sanity test requirements (eg, support controller only Python version)
19:55:09 <nitzmahone> He'd proposed `plugins/plugin_utils`, and we discussed internally last week
19:55:22 <nitzmahone> The answer is "not now", since it'd be mainly changes to ansible-test to support it
19:55:41 <nitzmahone> So for now, folks are free to place code wherever they want in the collection
19:55:57 <nitzmahone> If sanity testing is desired, module_utils is the place for now
19:56:14 <nitzmahone> If the need to drift from module Python reqs arises, ignores can be used for now.
19:56:46 <bcoca> specialy since ignores will be compatible with already published versions
19:56:53 <nitzmahone> We may revisit next year, but with the move to AZP in the works, the folks that might make those changes and work through the implications are busy through the end of the year
19:57:25 <nitzmahone> That's it from me
19:57:33 <Shrews> awsome. thx nitzmahone
19:57:46 <Shrews> with the last couple of minutes, let's open up the floor
19:57:48 <Shrews> #topic Open floor
19:58:02 <Shrews> anybody have anything not on the agenda?
19:58:13 * nitzmahone ducks over for WWG
19:58:18 <sivel> just news, ansible-base is being renamed to ansible-core for 2.11
19:58:41 <Shrews> names will be randomly assigned from 2.12 onward
19:58:47 <sivel> a warning has been added to 2.11 if you are running a python older than 3.8, and 2.12 will drop support for 3.7 and older
19:59:48 <felixfontein> Shrews: I was about to suggest renaming it to ansible-basic for 2.12
20:00:00 <felixfontein> and ansible-seed for 2.13
20:00:05 <Shrews> lol
20:00:11 <bcoca> on odd releases we will rename the cli tools randomly
20:00:21 <Shrews> ok, we're at time. thanks for attending everyone!
20:00:26 <Shrews> #endmeeting