Sibl

Major Changes

* Added fact namespacing, from now on facts will be available under 'ansible_facts' namespace (i.e. `ansible_facts.ansible_os_distribution`), they will still also be added into the main namespace directly but now also having a configuration toggle to disable this. Eventually this will be on by default. This is done to avoid collisions and possible security issues as facts come from the remote targets and they might be compromised.
* new 'order' play level keyword that allows the user to change the order in which Ansible processes hosts when dispatching tasks.
* Users can now set group merge priority for groups of the same depth (parent child relationship), using the new `ansible_group_priority` variable, when values are the same or don't exist it will fallback to the previous 'sorting by name'.
* Support for Python-2.4 and Python-2.5 on the managed system's side was
dropped. If you need to manage a system that ships with Python-2.4 or
Python-2.5 you'll need to install Python-2.6 or better there or run
Ansible-2.3 until you can upgrade the system.

Deprecations
* The behaviour when specifying --tags (or --skip-tags) multiple times on the command line
has changed so that the tags are merged together by default. See the
documentation for how to temporarily use the old behaviour if needed:
https://docs.ansible.com/ansible/intro_configuration.htmlmerge-multiple-cli-tags
* The fetch module's validate_md5 parameter has been deprecated and will be
removed in 2.8. If you wish to disable post-validation of the downloaded
file, use validate_checksum instead.
* Those using ansible as a library should note that the ansible.vars.unsafe_proxy
module is deprecated and slated to go away in 2.8. The functionality has been
moved to ansible.utils.unsafe_proxy to avoid a circular import.

Minor Changes
* removed previously deprecated config option 'hostfile' and env var 'ANSIBLE_HOSTS'
* removed unused and deprecated config option 'pattern'
* Updated the copy of six bundled for modules to use from 1.4.1 to 1.10.0
* Fixed a cornercase with ini inventory vars. Previously, if an inventory var
was a quoted string with hash marks ("") in it then the parsed string
included the quotes. Now the string will not be quoted. Previously, if the
quoting ended before the string finished and then the hash mark appeared, the
hash mark was included as part of the string. Now it is treated as
a trailing comment::

Before:
var1="stringcomment" ===> var1: "\"stringcomment\""
var1="string" comment ===> var1: "\"string\" comment"
After:
var1="stringcomment" ===> var1: "stringcomment"
var1="string" comment ===> var1: "string"

The new behaviour mirrors how the variables would appear if there was no hash
mark in the string.
- As of 2.4.0, the fetch module fails if there are errors reading the remote
file. Use ignore_errors or failed_when in playbooks if you wish to ignore
errors.

New Inventory scripts:
- lxd

New: Tests
- any : true if any element is true
- all: true if all elements are true

Module Notes

New Modules

- avi
* avi_cloud
* avi_cloudproperties.
* avi_gslb
* avi_gslbhealthmonitor
* avi_gslbservice
* avi_ipaddrgroup
* avi_network
* avi_serviceenginegroup

Major Changes
* Documented and renamed the previously released 'single var vaulting' feature, allowing user to use vault encryption for single variables in a normal YAML vars file.
* Allow module_utils for custom modules to be placed in site-specific directories and shipped in roles
* On platforms that support it, use more modern system polling API instead of select in the ssh connection plugin.
This removes one limitation on how many parallel forks are feasible on these systems.
* Windows/WinRM supports (experimental) become method "runas" to run modules and scripts as a different user, and to transparently access network resources.
* The WinRM connection plugin now uses pipelining when executing modules, resulting in significantly faster execution for small tasks.
* The WinRM connection plugin can now manage Kerberos tickets automatically when `ansible_winrm_transport=kerberos` and `ansible_user`/`ansible_password` are specified.
* Refactored/standardized most Windows modules, adding check-mode and diff support where possible.
* Extended Windows module API with parameter-type support, helper functions. (i.e. Expand-Environment, Add-Warning, Add-DeprecatationWarning)
* restructured how async works to allow it to apply to action plugins that choose to support it.

Minor Changes
* The version and release facts for OpenBSD hosts were reversed.
This has been changed so that version has the numeric portion and release has the name of the release.
* removed 'package' from default squash actions as not all package managers support it and it creates errors when using loops,
any user can add back via config options if they don't use those package managers or otherwise avoid the errors.
* Blocks can now have a `name` field, to aid in playbook readability.
* default strategy is now configurable via ansible.cfg or environment variable.
* Added 'ansible_playbook_python' which contains 'current python executable', it can be blank in some cases in which Ansible is not invoked via the standard CLI (sys.executable limitation).
* Added 'metadata' to modules to enable classification
* ansible-doc now displays path to module and existing 'metadata'
* added optional 'piped' transfer method to ssh plugin for when scp and sftp are missing, ssh plugin is also now 'smarter' when using these options
* default controlpersist path is now a custom hash of host-port-user to avoid the socket path length errors for long hostnames
* Various fixes for Python3 compatibility
* Fixed issues with inventory formats not handling 'all' and 'ungrouped' in an uniform way.
* 'service' tasks can now use async again, we had lost this capability when changed into an action plugin.
* made any_errors_fatal inheritable from play to task and all other objects in between.
* many small performance improvements in inventory and variable handling and in task execution.

Deprecations
* Specifying --tags (or --skip-tags) multiple times on the command line
currently leads to the last one overriding all the previous ones. This behaviour is deprecated.
In the future, if you specify --tags multiple times the tags will be merged together.
From now on, using --tags multiple times on one command line will emit a deprecation warning.
Setting the merge_multiple_cli_tags option to True in the ansible.cfg file will enable the new behaviour.
In 2.4, the default will be to merge and you can enable the old overwriting behaviour via the config option.
In 2.5, multiple --tags options will be merged with no way to go back to the old behaviour.

* Modules (scheduled for removal in 2.5)
* ec2_vpc
* cl_bond
* cl_bridge
* cl_img_install
* cl_interface
* cl_interface_policy
* cl_license
* cl_ports
* nxos_mtu, use nxos_system instead

New: Callbacks

- dense: minimal stdout output with fallback to default when verbose

New: lookups

- keyring: allows getting password from the 'controller' system's keyrings

New: cache

- pickle (uses python's own serializer)
- yaml

New: inventory scripts
- oVirt/RHV

New: filters
- combinations
- permutations
- zip
- zip_longest


Module Notes
- AWS lambda: previously ignored changes that only affected one parameter. Existing deployments may have outstanding changes that this bugfix will apply.
- oVirt/RHV: Added support for 4.1 features and the following:
* data centers, clusters, hosts, storage domains and networks management.
* hosts and virtual machines affinity groups and labels.
* users, groups and permissions management.
* Improved virtual machines and disks management.
- Mount: Some fixes so bind mounts are not mounted each time the playbook runs.

New Modules
- a10_server_axapi3
- amazon:
* aws_kms
* cloudfront_facts
* ec2_group_facts
* ec2_lc_facts
* ec2_vpc_igw_facts
* ec2_vpc_nat_gateway_facts
* ec2_vpc_vgw_facts
* ecs_ecr
* elasticache_parameter_group
* elasticache_snapshot
* iam_role
* s3_sync
- archive
- beadm
- bigswitch:
* bigmon_chain
* bigmon_policy
- cisco
* cisco_spark
- cloudengine:
* ce_command
- cloudscale_server
- cloudstack:
* cs_host
* cs_nic
* cs_region
* cs_role
* cs_vpc
- dimensiondata_network
- eos:
* eos_banner
* eos_system
* eos_user
- f5:
* bigip_gtm_facts
* bigip_hostname
* bigip_snat_pool
* bigip_sys_global
- foreman:
* foreman
* katello
- fortios
* fortios_config
- gconftool2
- google:
* gce_eip
* gce_snapshot
* gcpubsub
* gcpubsub_facts
- hpilo:
* hpilo_boot
* hpilo_facts
* hponcfg
- icinga2_feature
- illumos:
* dladm_iptun
* dladm_linkprop
* dladm_vlan
* ipadm_addr
* ipadm_addrprop
* ipadm_ifprop
- infinidat:
* infini_export
* infini_export_client
* infini_fs
* infini_host
* infini_pool
* infini_vol
- ipa:
* ipa_group
* ipa_hbacrule
* ipa_host
* ipa_hostgroup
* ipa_role
* ipa_sudocmd
* ipa_sudocmdgroup
* ipa_sudorule
* ipa_user
- ipinfoio_facts
- ios:
* ios_banner
* ios_system
* ios_vrf
- iosxr_system
- iso_extract
- java_cert
- jenkins_script
- ldap:
* ldap_attr
* ldap_entry
- logstash_plugin
- mattermost
- net_command
- netapp:
* sf_account_manager
* sf_snapshot_schedule_manager
* sf_volume_manager
* sf_volume_access_group_manager
- nginx_status_facts
- nsupdate
- omapi_host
- openssl:
* openssl_privatekey
* openssl_publickey
- openstack:
* os_nova_host_aggregate
* os_quota
- openwrt_init
- ordnance:
* ordnance_config
* ordnance_facts
- ovirt:
* ovirt_affinity_groups
* ovirt_affinity_labels
* ovirt_affinity_labels_facts
* ovirt_clusters
* ovirt_clusters_facts
* ovirt_datacenters
* ovirt_datacenters_facts
* ovirt_external_providers
* ovirt_external_providers_facts
* ovirt_groups
* ovirt_groups_facts
* ovirt_host_networks
* ovirt_host_pm
* ovirt_hosts
* ovirt_hosts_facts
* ovirt_mac_pools
* ovirt_networks
* ovirt_networks_facts
* ovirt_nics
* ovirt_nics_facts
* ovirt_permissions
* ovirt_permissions_facts
* ovirt_quotas
* ovirt_quotas_facts
* ovirt_snapshots
* ovirt_snapshots_facts
* ovirt_storage_domains
* ovirt_storage_domains_facts
* ovirt_tags
* ovirt_tags_facts
* ovirt_templates
* ovirt_templates_facts
* ovirt_users
* ovirt_users_facts
* ovirt_vmpools
* ovirt_vmpools_facts
* ovirt_vms_facts
- pacemaker_cluster
- packet:
* packet_device
* packet_sshkey
- pamd
- panos:
* panos_address
* panos_admin
* panos_admpwd
* panos_cert_gen_ssh
* panos_check
* panos_commit
* panos_dag
* panos_import
* panos_interface
* panos_lic
* panos_loadcfg
* panos_mgtconfig
* panos_nat_policy
* panos_pg
* panos_restart
* panos_security_policy
* panos_service
- postgresql_schema
- proxmox_kvm
- pubnub_blocks
- pulp_repo
- runit
- serverless
- set_stats
- panos:
* panos_security_policy
- smartos:
* imgadm
* vmadm
- sorcery
- stacki_host
- swupd
- tempfile
- tower:
* tower_credential
* tower_group
* tower_host
* tower_inventory
* tower_job_template
* tower_label
* tower_organization
* tower_project
* tower_role
* tower_team
* tower_user
- vmware:
* vmware_guest_facts
* vmware_guest_snapshot
- web_infrastructure:
* jenkins_script
- system
* parted
- windows:
* win_disk_image
* win_dns_client
* win_domain
* win_domain_controller
* win_domain_membership
* win_find
* win_msg
* win_path
* win_psexec
* win_reg_stat
* win_region
* win_say
* win_shortcut
* win_tempfile
- xbps
- zfs:
* zfs_facts
* zpool_facts

Major Changes

* Security fix for CVE-2016-9587 - An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server as the user and group Ansible is running as.

Minor Changes

* Fixes a bug where undefined variables in with_* loops would cause a task failure even if the when condition would cause the task to be skipped.
* Fixed a bug related to roles where in certain situations a role may be run more than once despite not allowing duplicates.
* Fixed some additional bugs related to atomic_move for modules.
* Fixes multiple bugs related to field/attribute inheritance in nested blocks and includes, as well as task iteration logic during failures.
* Fixed pip installing packages into virtualenvs using the system pip instead of the virtualenv pip.
* Fixed dnf on systems with dnf-2.0.x (some changes in the API).
* Fixed traceback with dnf install of groups.
* Fixes a bug in which include_vars was not working with failed_when.
* Fix for include_vars only loading files with .yml, .yaml, and .json extensions. This was only supposed to apply to loading a directory of vars files.
* Fixes several bugs related to properly incrementing the failed count in the host statistics.
* Fixes a bug with listening handlers which did not specify a `name` field.
* Fixes a bug with the `play_hosts` internal variable, so that it properly reflects the current list of hosts.
* Fixes a bug related to the v2_playbook_on_start callback method and legacy (v1) plugins.
* Fixes an openssh related process exit race condition, related to the fact that connections using ControlPersist do not close stderr.
* Improvements and fixes to OpenBSD fact gathering.
* Updated `make deb` to use pbuilder. Use `make local_deb` for the previous non-pbuilder build.
* Fixed Windows async to avoid blocking due to handle inheritance.
* Fixed bugs in the mount module on older Linux kernels and *BSDs
* Various minor fixes for Python 3
* Inserted some checks for jinja2-2.9, which can cause some issues with Ansible currently.

Major Changes:

* Added the `listen` feature for modules. This feature allows tasks to more easily notify multiple handlers, as well as making it easier for handlers from decoupled roles to be notified.
* Major performance improvements.
* Added support for binary modules
* Added the ability to specify serial batches as a list (`serial: [1, 5, 10]`), which allows for so-called "canary" actions in one play.
* Fixed 'local type' plugins and actions to have a more predictable relative path. Fixes a regression of 1.9 (PR 16805). Existing users of 2.x will need to adjust related tasks.
* `meta` tasks can now use conditionals.
* `raw` now returns `changed: true` to be consistent with shell/command/script modules. Add `changed_when: false` to `raw` tasks to restore the pre-2.2 behavior if necessary.
* New privilege escalation become method `ksu`
* Windows `async:` support for long-running or background tasks.
* Windows `environment:` support for setting module environment vars in play/task.
* Added a new `meta` option: `end_play`, which can be used to skip to the end of a play.
* roles can now be included in the middle of a task list via the new `include_role` module, this also allows for making the role import 'loopable' and/or conditional.
* The service module has been changed to use system specific modules if they exist and fall back to the old service module if they cannot be found or detected.
* Add ability to specify what ssh client binary to use on the controller. This
can be configured via ssh_executable in the ansible config file or by setting
ansible_ssh_executable as an inventory variable if different ones are needed
for different hosts.
* Windows:
* several facts were modified or renamed for consistency with their Unix counterparts, and many new facts were added. If your playbooks rely on any of the following keys, please ensure they are using the correct key names and/or values:
- ansible_date_time.date (changed to use yyyy-mm-dd format instead of default system-locale format)
- ansible_date_time.iso8601 (changed to UTC instead of local time)
- ansible_distribution (now uses OS caption string, e.g.: "Microsoft Windows Server 2012 R2 Standard", version is still available on ansible_distribution_version)
- ansible_totalmem (renamed to ansible_memtotal_mb, units changed to MB instead of bytes)
* `async:` support for long-running or background tasks.
* `environment:` support for setting module environment vars in play/task.
* Tech Preview: Work has been done to get Ansible running under Python3. This work is not complete enough to depend upon in production environments but it is enough to begin testing it.
* Most of the controller side should now work. Users should be able to run python3 /usr/bin/ansible and python3 /usr/bin/ansible-playbook and have core features of ansible work.
* A few of the most essential modules have been audited and are known to work. Others work out of the box.
* We are using unit and integration tests to help us port code and not regress later. Even if you are not familiar with python you can still help by contributing integration tests (just ansible roles) that exercise more of the code to make sure it continues to run on both Python2 and Python3.
* scp_if_ssh now supports True, False and "smart". "smart" is the default and will retry failed sftp transfers with scp.
* Network:
* Refactored all network modules to remove duplicate code and take advantage of Ansiballz implementation
* All functionality from *_template network modules have been combined into *_config module
* Network *_command modules not longer allow configuration mode statements

New Modules
- apache2_mod_proxy
- asa
* asa_acl
* asa_command
* asa_config
- atomic
* atomic_host
* atomic_image
- aws
* cloudformation_facts
* ec2_asg_facts
* ec2_customer_gateway
* ec2_lc_find
* ec2_vpc_dhcp_options_facts
* ec2_vpc_nacl
* ec2_vpc_nacl_facts
* ec2_vpc_nat_gateway
* ec2_vpc_peer
* ec2_vpc_vgw
* efs
* efs_facts
* execute_lambda
* iam_mfa_device_facts
* iam_server_certificate_facts
* kinesis_stream
* lambda
* lambda_alias
* lambda_event
* lambda_facts
* redshift
* redshift_subnet_group
* s3_website
* sts_session_token
- cloudstack
* cs_router
* cs_snapshot_policy
- dellos6
* dellos6_command
* dellos6_config
* dellos6_facts
- dellos9
* dellos9_command
* dellos9_config
* dellos9_facts
- dellos10
* dellos10_command
* dellos10_config
* dellos10_facts
- digital_ocean_block_storage
- docker
* docker_network
- eos
* eos_facts
- exoscale:
* exo_dns_domain
* exo_dns_record
- f5:
* bigip_device_dns
* bigip_device_ntp
* bigip_device_sshd
* bigip_gtm_datacenter
* bigip_gtm_virtual_server
* bigip_irule
* bigip_routedomain
* bigip_selfip
* bigip_ssl_certificate
* bigip_sys_db
* bigip_vlan
- github
* github_key
* github_release
- google
* gcdns_record
* gcdns_zone
* gce_mig
- honeybadger_deployment
- illumos
* dladm_etherstub
* dladm_vnic
* flowadm
* ipadm_if
* ipadm_prop
- ipmi
* ipmi_boot
* ipmi_power
- ios
* ios_facts
- iosxr
* iosxr_facts
- include_role
- jenkins
* jenkins_job
* jenkins_plugin
- kibana_plugin
- letsencrypt
- logicmonitor
- logicmonitor_facts
- lxd
* lxd_profile
* lxd_container
- netapp
* netapp_e_amg
* netapp_e_amg_role
* netapp_e_amg_sync
* netapp_e_auth
* netapp_e_facts
* netapp_e_flashcache
* netapp_e_hostgroup
* netapp_e_host
* netapp_e_lun_mapping
* netapp_e_snapshot_group
* netapp_e_snapshot_images
* netapp_e_snapshot_volume
* netapp_e_storage_system
* netapp_e_storagepool
* netapp_e_volume
* netapp_e_volume_copy
- netconf_config
- netvisor
* pn_cluster
* pn_ospfarea
* pn_ospf
* pn_show
* pn_trunk
* pn_vlag
* pn_vlan
* pn_vrouterbgp
* pn_vrouterif
* pn_vrouterlbif
* pn_vrouter
- nxos
* nxos_aaa_server_host
* nxos_aaa_server
* nxos_acl_interface
* nxos_acl
* nxos_bgp_af
* nxos_bgp_neighbor_af
* nxos_bgp_neighbor
* nxos_bgp
* nxos_evpn_global
* nxos_evpn_vni
* nxos_file_copy
* nxos_gir_profile_management
* nxos_gir
* nxos_hsrp
* nxos_igmp_interface
* nxos_igmp
* nxos_igmp_snooping
* nxos_install_os
* nxos_interface_ospf
* nxos_mtu
* nxos_ntp_auth
* nxos_ntp_options
* nxos_ntp
* nxos_ospf
* nxos_ospf_vrf
* nxos_overlay_global
* nxos_pim_interface
* nxos_pim
* nxos_pim_rp_address
* nxos_portchannel
* nxos_rollback
* nxos_smu
* nxos_snapshot
* nxos_snmp_community
* nxos_snmp_contact
* nxos_snmp_host
* nxos_snmp_location
* nxos_snmp_traps
* nxos_snmp_user
* nxos_static_route
* nxos_udld_interface
* nxos_udld
* nxos_vpc_interface
* nxos_vpc
* nxos_vrf_af
* nxos_vtp_domain
* nxos_vtp_password
* nxos_vtp_version
* nxos_vxlan_vtep
* nxos_vxlan_vtep_vni
- mssql_db
- ovh_ip_loadbalancing_backend
- opendj_backendprop
- openstack
* os_keystone_service
* os_recordset
* os_server_group
* os_stack
* os_zone
- ovirt
* ovirt_auth
* ovirt_disks
* ovirt_vms
- rhevm
- rocketchat
- sefcontext
- sensu_subscription
- smartos
* smartos_image_facts
- sros
* sros_command
* sros_config
* sros_rollback
- statusio_maintenance
- systemd
- telegram
- univention
* udm_dns_record
* udm_dns_zone
* udm_group
* udm_share
* udm_user
- vmware
* vmware_guest
* vmware_local_user_manager
* vmware_vmotion
- vyos
* vyos_command
* vyos_config
* vyos_facts
- wakeonlan
- windows
* win_command
* win_robocopy
* win_shell

New Callbacks
* foreman

Minor Changes
* now -vvv shows exact path from which 'currently executing module' was picked up from.
* loop_control now has a label option to allow fine grained control what gets displayed per item
* loop_control now has a pause option to allow pausing for N seconds between loop iterations of a task.
* New privilege escalation become method `ksu`
* `raw` now returns `changed: true` to be consistent with shell/command/script modules. Add `changed_when: false` to `raw` tasks to restore the pre-2.2 behavior if necessary.
* removed previously deprecated ';' as host list separator.
* Only check if the default ssh client supports ControlPersist once instead of once for each host + task combination.
* Fix a problem with the pip module updating the python pip package itself.
* ansible_play_hosts is a new magic variable to provide a list of hosts in scope for the current play. Unlike play_hosts it is not subject to the 'serial' keyword.
* ansible_play_batch is a new magic variable meant to substitute the current play_hosts.

For custom front ends using the API
* ansible.parsing.vault:
* VaultLib.is_encrypted() has been deprecated. It will be removed in 2.4.
Use ansible.parsing.vault.is_encrypted() instead
* VaultFile has been removed. This unfinished code was never used inside of
Ansible. The feature it was intended to support has now been implemented
without using this.
* VaultAES, the older, insecure encrypted format that debuted in Ansible-1.5
and was replaced by VaultAES256 less than a week later, now has a deprecation
warning. **It will be removed in 2.3**. In the unlikely event that you
wrote a vault file in that 1 week window and have never modified the file
since (ansible-vault automatically re-encrypts the file using VaultAES256
whenever it is written to but not read), run ``ansible-vault rekey
[filename]`` to move to VaultAES256.

Removed Deprecated
* ';' as host list separator.
* with\_ 'bare variable' handling, now loop items must always be templated `{{ }}` or they will be considered as plain strings.
* skipping task on 'missing attribute' in loop variable, now in a loop an undefined attribute will return an error instead of skipping the task.
* skipping on undefined variables in loop, now loops will have to define a variable or use `|default` to avoid errors.

Deprecations
Notice given that the following will be removed in Ansible 2.4:
* Modules
* eos_template
* ios_template
* iosxr_template
* junos_template
* nxos_template
* ops_template