Major Changes:
* Releases are now named after Led Zeppelin songs, 1.9 will be the last Van Halen named release.
* The new block/rescue/always directives allow for making task blocks and exception-like semantics
* New strategy plugins (e.g. `free`) allow control over the flow of task execution per play. The default (`linear`) will be the same as before.
* Improved error handling, with more detailed parser messages. General exception handling and display has been revamped.
* Task includes are now evaluated during execution, allowing more dynamic includes and options. Play includes are unchanged both still use the `include` directive.
* "with\_<lookup>" loops can now be used with task includes since they are dynamic.
* Callback, connection, cache and lookup plugin APIs have changed. Existing plugins might require modification to work with the new versions.
* Callbacks are now shipped in the active directory and don't need to be copied, just whitelisted in ansible.cfg.
* Many API changes. Those integrating directly with Ansible's API will encounter breaking changes, but the new API is much easier to use and test.
* Settings are now more inheritable; what you set at play, block or role will be automatically inherited by the contained tasks.
This allows for new features to automatically be settable at all levels, previously we had to manually code this.
* Vars are now settable at play, block, role and task level with the `vars` directive and scoped to the tasks contained.
* Template code now retains types for bools and numbers instead of turning them into strings.
If you need the old behaviour, quote the value and it will get passed around as a string
* Empty variables and variables set to null in yaml will no longer be converted to empty strings. They will retain the value of `None`.
To go back to the old behaviour, you can override the `null_representation` setting to an empty string in your config file or
by setting the `ANSIBLE_NULL_REPRESENTATION` environment variable.
* Added `meta: refresh_inventory` to force rereading the inventory in a play.
This re-executes inventory scripts, but does not force them to ignore any cache they might use.
* New delegate_facts directive, a boolean that allows you to apply facts to the delegated host (true/yes) instead of the inventory_hostname (no/false) which is the default and previous behaviour.
* local connections now work with 'su' as a privilege escalation method
* Ansible 2.0 has deprecated the “ssh” from ansible_ssh_user, ansible_ssh_host, and ansible_ssh_port to become ansible_user, ansible_host, and ansible_port.
* New ssh configuration variables (`ansible_ssh_common_args`, `ansible_ssh_extra_args`) can be used to configure a
per-group or per-host ssh ProxyCommand or set any other ssh options.
`ansible_ssh_extra_args` is used to set options that are accepted only by ssh (not sftp or scp, which have their own analogous settings).
* ansible-pull can now verify the code it runs when using git as a source repository, using git's code signing and verification features.
* Backslashes used when specifying parameters in jinja2 expressions in YAML dicts sometimes needed to be escaped twice.
This has been fixed so that escaping once works. Here's an example of how playbooks need to be modified:
Syntax in 1.9.x
- debug:
msg: "{{ 'test1_junk 1\\\\3' | regex_replace('(.*)_junk (.*)', '\\\\1 \\\\2') }}"
Syntax in 2.0.x
- debug:
msg: "{{ 'test1_junk 1\\3' | regex_replace('(.*)_junk (.*)', '\\1 \\2') }}"
Output:
"msg": "test1 1\\3"
* When a string with a trailing newline was specified in the playbook via yaml
dict format, the trailing newline was stripped. When specified in key=value
format the trailing newlines were kept. In v2, both methods of specifying the
string will keep the trailing newlines. If you relied on the trailing
newline being stripped you can change your playbook like this:
Syntax in 1.9.2
vars:
message: >
Testing
some things
tasks:
- debug:
msg: "{{ message }}"
Syntax in 2.0.x
vars:
old_message: >
Testing
some things
message: "{{ old_messsage[:-1] }}"
- debug:
msg: "{{ message }}"
Output
"msg": "Testing some things"
* When specifying complex args as a variable, the variable must use the full jinja2
variable syntax ('{{var_name}}') - bare variable names there are no longer accepted.
In fact, even specifying args with variables has been deprecated, and will not be
allowed in future versions:
---
- hosts: localhost
connection: local
gather_facts: false
vars:
my_dirs:
- { path: /tmp/3a, state: directory, mode: 0755 }
- { path: /tmp/3b, state: directory, mode: 0700 }
tasks:
- file:
args: "{{item}}"
with_items: my_dirs
Plugins
* Rewritten dnf module that should be faster and less prone to encountering bugs in cornercases
* WinRM connection plugin passes all vars named `ansible_winrm_*` to the underlying pywinrm client. This allows, for instance, `ansible_winrm_server_cert_validation=ignore` to be used with newer versions of pywinrm to disable certificate validation on Python 2.7.9+.
* WinRM connection plugin put_file is significantly faster and no longer has file size limitations.
Deprecated Modules (new ones in parens):
* ec2_ami_search (ec2_ami_find)
* quantum_network (os_network)
* glance_image
* nova_compute (os_server)
* quantum_floating_ip (os_floating_ip)
* quantum_router (os_router)
* quantum_router_gateway (os_router)
* quantum_router_interface (os_router)
New Modules:
- amazon
* ec2_ami_copy
* ec2_ami_find
* ec2_elb_facts
* ec2_eni
* ec2_eni_facts
* ec2_remote_facts
* ec2_vpc_igw
* ec2_vpc_net
* ec2_vpc_net_facts
* ec2_vpc_route_table
* ec2_vpc_route_table_facts
* ec2_vpc_subnet
* ec2_vpc_subnet_facts
* ec2_win_password
* ecs_cluster
* ecs_task
* ecs_taskdefinition
* elasticache_subnet_group_facts
* iam
* iam_cert
* iam_policy
* route53_facts
* route53_health_check
* route53_zone
* s3_bucket
* s3_lifecycle
* s3_logging
* sns_topic
* sqs_queue
* sts_assume_role
- apk
- bigip_gtm_wide_ip
- bundler
- centurylink
* clc_aa_policy
* clc_alert_policy
* clc_blueprint_package
* clc_firewall_policy
* clc_group
* clc_loadbalancer
* clc_modify_server
* clc_publicip
* clc_server
* clc_server_snapshot
- circonus_annotation
- consul
* consul
* consul_acl
* consul_kv
* consul_session
- cloudtrail
- cloudstack
* cs_account
* cs_affinitygroup
* cs_domain
* cs_facts
* cs_firewall
* cs_iso
* cs_instance
* cs_instancegroup
* cs_ip_address
* cs_loadbalancer_rule
* cs_loadbalancer_rule_member
* cs_network
* cs_portforward
* cs_project
* cs_securitygroup
* cs_securitygroup_rule
* cs_sshkeypair
* cs_staticnat
* cs_template
* cs_user
* cs_vmsnapshot
- cronvar
- datadog_monitor
- deploy_helper
- docker
* docker_login
- dpkg_selections
- elasticsearch_plugin
- expect
- find
- google
* gce_tag
- hall
- ipify_facts
- iptables
- libvirt
* virt_net
* virt_pool
- maven_artifact
- openstack
* os_auth
* os_client_config
* os_image
* os_image_facts
* os_floating_ip
* os_ironic
* os_ironic_node
* os_keypair
* os_network
* os_network_facts
* os_nova_flavor
* os_object
* os_port
* os_project
* os_router
* os_security_group
* os_security_group_rule
* os_server
* os_server_actions
* os_server_facts
* os_server_volume
* os_subnet
* os_subnet_facts
* os_user
* os_user_group
* os_volume
- openvswitch_db
- osx_defaults
- pagerduty_alert
- pam_limits
- pear
- profitbricks
* profitbricks
* profitbricks_datacenter
* profitbricks_nic
* profitbricks_snapshot
* profitbricks_volume
* profitbricks_volume_attachments
- proxmox
* proxmox
* proxmox_template
- puppet
- pushover
- pushbullet
- rax
* rax_clb_ssl
* rax_mon_alarm
* rax_mon_check
* rax_mon_entity
* rax_mon_notification
* rax_mon_notification_plan
- rabbitmq
* rabbitmq_binding
* rabbitmq_exchange
* rabbitmq_queue
- selinux_permissive
- sendgrid
- sensu
* sensu_check
* sensu_subscription
- seport
- slackpkg
- solaris_zone
- taiga_issue
- vertica
* vertica_configuration
* vertica_facts
* vertica_role
* vertica_schema
* vertica_user
- vmware
* vca_fw
* vca_nat
* vmware_cluster
* vmware_datacenter
* vmware_dns_config
* vmware_dvs_host
* vmware_dvs_portgroup
* vmware_dvswitch
* vmware_host
* vmware_migrate_vmk
* vmware_portgroup
* vmware_target_canonical_facts
* vmware_vm_facts
* vmware_vm_vss_dvs_migrate
* vmware_vmkernel
* vmware_vmkernel_ip_config
* vmware_vsan_cluster
* vmware_vswitch
* vsphere_copy
- webfaction
* webfaction_app
* webfaction_db
* webfaction_domain
* webfaction_mailbox
* webfaction_site
- windows
* win_acl
* win_dotnet_ngen
* win_environment
* win_firewall_rule
* win_iis_virtualdirectory
* win_iis_webapplication
* win_iis_webapppool
* win_iis_webbinding
* win_iis_website
* win_lineinfile
* win_nssm
* win_package
* win_regedit
* win_scheduled_task
* win_unzip
* win_updates
* win_webpicmd
- xenserver_facts
- zabbbix
* zabbix_host
* zabbix_hostmacro
* zabbix_screen
- znode
New Inventory scripts:
* cloudstack
* fleetctl
* openvz
* nagios_ndo
* nsot
* proxmox
* rudder
* serf
New Lookups:
* credstash
* hashi_vault
* ini
* shelvefile
New Filters:
* combine
New Connection:
* docker: for talking to docker containers on the ansible controller machine without using ssh.
New Callbacks:
* logentries: plugin to send play data to logentries service
* skippy: same as default but does not display skip messages
Minor changes:
* Many more tests. The new API makes things more testable and we took advantage of it.
* big_ip modules now support turning off ssl certificate validation (use only for self-signed certificates).
* Consolidated code from modules using urllib2 to normalize features, TLS and SNI support.
* synchronize module's dest_port parameter now takes precedence over the ansible_ssh_port inventory setting.
* Play output is now dynamically sized to terminal with a minimum of 80 coluumns (old default).
* vars_prompt and pause are now skipped with a warning if the play is called noninteractively (i.e. pull from cron).
* Support for OpenBSD's 'doas' privilege escalation method.
* Most vault operations can now be done over multilple files.
* ansible-vault encrypt/decrypt read from stdin if no other input file is given, and can write to a given ``--output file`` (including stdout, '-').
This lets you avoid ever writing sensitive plaintext to disk.
* ansible-vault rekey accepts the --new-vault-password-file option.
* ansible-vault now preserves file permissions on edit and rekey and defaults to restrictive permissions for other options.
* Configuration items defined as paths (local only) now all support shell style interpolations.
* Many fixes and new options added to modules, too many to list here.
* Now you can see task file and line number when using verbosity of 3 or above.
* The ``[x-y]`` host range syntax is no longer supported. Note that ``[0:1]`` matches two hosts, i.e. the range is inclusive of its endpoints.
* We now recommend the use of `pattern1,pattern2` to combine host matching patterns.
* The use of ':' as a separator conflicts with IPv6 addresses and host ranges. It will be deprecated in the future.
* The undocumented use of ';' as a separator is now deprecated.
* modules and callbacks have been extended to support no_log to avoid data disclosure.
* new managed_syslog option has been added to control output to syslog on managed machines, no_log supersedes this settings.
* Lookup, vars and action plugin pathing has been normalized, all now follow the same sequence to find relative files.
* We do not ignore the explicitly set login user for ssh when it matches the 'current user' anymore, this allows overriding .ssh/config when it is set
explicitly. Leaving it unset will still use the same user and respect .ssh/config. This also means ansible_ssh_user can now return a None value.
* environment variables passed to remote shells now default to 'controller' settings, with fallback to en_US.UTF8 which was the previous default.
* add_hosts is much stricter about host name and will prevent invalid names from being added.
* ansible-pull now defaults to doing shallow checkouts with git, use `--full` to return to previous behaviour.
* random cows are more random
* when: now gets the registered var after the first iteration, making it possible to break out of item loops
* Handling of undefined variables has changed. In most places they will now raise an error instead of silently injecting an empty string. Use the default filter if you want to approximate the old behaviour:
- debug: msg="The error message was: {{error_code |default('') }}"