Ansible – How to Show Diff of Newly Created File in Check Mode

ansibleansible-playbook

Let's say I manage file myfile.conf with Ansible, e.g.:

- template:
    src: "myfile.conf.j2"
    dest: "/etc/myfile.conf"

I can then see the diff in a dry-run, like this:

$ ansible-playbook --check --diff myplaybook.yaml

Cool. But it seems to only display the diff when the file exists on the remote host. If the file is absent, I don't see the output other than task OK.

How do I tell Ansible to show the diff if the file is absent currently?

Perhaps similar to how Git would show a diff in a commit of a newly created file in style like with /dev/null as base in the diff:

--- /dev/null
+++ b/myfile.conf.j2

Best Answer

Works for me (ansible 2.7.9):

  - name: Create haproxy.cfg
    template:
      src: templates/haproxy.cfg.j2
      dest: /var/tmp/haproxy-keepalived/haproxy.cfg

ansible-playbook --check --diff haproxy-keepalived.yaml
...
changed: [kmaster2]
--- before
+++ after: /root/.ansible/tmp/ansible-local-31057pak66sgj/tmp_de6cqgb/haproxy.cfg.j2
@@ -0,0 +1,33 @@
+global
+  daemon
+  log 127.0.0.1 local0 debug
...

Perhaps it is version-dependent or you are hitting max_diff_size (default 104448 bytes).

Related Solutions

File created by ansible seems to have mangled permissions

The first ls you quoted is what happens when you try to ls -l a directory on which you have r permission but no x permission. The r bit on a directory gives you the ability to call readdir on it, so you can get the filenames inside it, but without x you can't stat them to find out all the other information that ls -l normally prints.

ls told you about the inability to get the information with its Permission denied error messages and fields full of question marks.

The second ls confirms the diagnosis with this line:

drw-r--r-- 2 myusername myusername 4096 Sep 17 19:54 .

The user myusername has read permission but no execute permission. You probably want to u+x or a+x that directory.

One interesting thing I learned from your post is that r-without-x now gives slightly more information than it did in olden times... you can see in the original listing that authorized_keys is a regular file and . and .. are directories (first column d vs. -). On an older Unix/Linux system that first column would be a question mark too! Nowadays readdir returns file type information as a bonus so you can get it without stating.

...I kind of skimmed past the second half of your question because I've never seen that stuff before, but this looks like the culprit

file: dest="/home/{{userid}}/.ssh"
      mode=0644

I'd expect a .ssh directory to be 0700 normally. And the files inside to be 0600. It's an area where you really don't want other users wandering in. Anyway it needs to be at least 0500 for ls -l to function normally for the owner.

Reasonable performance for a simple Ansible playbook against ~100 hosts

in your ansible.cfg set the following:

[defaults]

# profile each task
callback_whitelist = profile_tasks

# [don't validate host keys](http://docs.ansible.com/ansible/intro_configuration.html#host-key-checking)
host_key_checking = False

[ssh_connection]
pipelining = True

Also, in your playbook, set the strategy as 'free'

- hosts: all
  strategy: free
  tasks: [...]

Finally, disable fact gathering on your play: gather_facts: false

If, after profiling, you are seeing a lot of this:

TASK [pip foo]
ok: [10.192.197.252] => (item=ansible)
ok: [10.192.197.252] => (item=boto)
ok: [10.192.197.252] => (item=boto3)
ok: [10.192.197.252] => (item=passlib)
ok: [10.192.197.252] => (item=cryptography)

squash those actions in ansible.cfg under [defaults]:

e.g. squash_actions = yum,pip,bar

Best Answer

Related Solutions

File created by ansible seems to have mangled permissions

Reasonable performance for a simple Ansible playbook against ~100 hosts

Related Topic