[ansible-project] debconf with variable is not really idempotent?

Discussion:

Phyks

2015-07-16 18:08:57 UTC

Hi,

I am using the following line in an Ansible playbook:

```
debconf: name={{ item.name }} question={{ item.question }} vtype={{
item.vtype }} value={{ item.value }}
with_items:
- { name: "mariadb-server-10.0", question:
"mysql-server/root_password", vtype: "password", value:
"{{mysql_root_password}}"}
- { name: "mariadb-server-10.0", question:
"mysql-server/root_password_again", vtype: "password", value:
"{{mysql_root_password}}"}
```

But the task is marked as "changed" at every execution. I would expect
it to be changed only if the values are different than the previous ones
and skipped otherwise.

Moreover, when the value is explicitly given (instead of referencing a
variable), the behaviour is as expected and the task is skipped if it
was already set.

Is it a bug or an expected feature?

Thanks!

--
Phyks
--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+***@googlegroups.com.
To post to this group, send email to ansible-***@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/55A7F339.2090400%40phyks.me.
For more options, visit https://groups.google.com/d/optout.

Brian Coca

2015-07-16 18:20:02 UTC

Permalink

passwords cannot be read, so they always appear as changed, this is a
limitation of debconf itself.

all other field types should work as you expect

--
Brian Coca
--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+***@googlegroups.com.
To post to this group, send email to ansible-***@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAJ5XC8%3Dj2AQN%2B1Uj%2B7y3ZwrgP6r1YUHhVmNx7Ctg0aFH0LB3mQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Phyks

2015-07-16 20:42:11 UTC

Permalink

Ok, I did not know about it. I confirm I only have this behavior with
password fields.

Thanks

Post by Brian Coca
passwords cannot be read, so they always appear as changed, this is a
limitation of debconf itself.
all other field types should work as you expect
--
Brian Coca
--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAJ5XC8%3Dj2AQN%2B1Uj%2B7y3ZwrgP6r1YUHhVmNx7Ctg0aFH0LB3mQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+***@googlegroups.com.
To post to this group, send email to ansible-***@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/55A81723.2060703%40phyks.me.
For more options, visit https://groups.google.com/d/optout.

Mischa ter Smitten

2015-07-16 20:46:46 UTC

Permalink

Is there any way to work around that?

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+***@googlegroups.com.
To post to this group, send email to ansible-***@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/5d0ad0ce-5504-4b1a-a68a-ce3f077228ff%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Brian Coca

2015-07-16 23:22:33 UTC

Permalink

Not that i know of, debian's debconf deals with passwords this way,
probably to prevent possible security issues.

If someone figures out a way to compare all the passwords, I'm all
open. In the mysql case we can read the /etc/my.cnf, but ... really we
should not be doing that.

--
Brian Coca
--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+***@googlegroups.com.
To post to this group, send email to ansible-***@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAJ5XC8mHpjTuozGPL8-d_aWC5dJc0Sv806tPFHDHH_zERxFkgw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Phyks

2015-07-16 23:25:29 UTC

Permalink

Sounds like all password fields are not treated this way.

Indeed, `debconf-get-selections` returns:
mariadb-server-10.0 mysql-server/root_password_again password THE_PASSWORD
--
Phyks

Post by Brian Coca
Not that i know of, debian's debconf deals with passwords this way,
probably to prevent possible security issues.
If someone figures out a way to compare all the passwords, I'm all
open. In the mysql case we can read the /etc/my.cnf, but ... really we
should not be doing that.
--
Brian Coca
--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAJ5XC8mHpjTuozGPL8-d_aWC5dJc0Sv806tPFHDHH_zERxFkgw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+***@googlegroups.com.
To post to this group, send email to ansible-***@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/55A83D69.6040301%40phyks.me.
For more options, visit https://groups.google.com/d/optout.