community.general
ipa_dnsrecord `no modifications to be performed` when A record already exists
SUMMARY
When using ipa_dnsrecord to create and check a DNS A record, it reports an error if the record exists and is not changed: the IPA server responds with msg: 'response dnsrecord_add: no modifications to be performed' and Ansible reports this as an error and halts.
Seems related to: https://github.com/ansible/ansible/issues/56872
ISSUE TYPE
- Bug Report
COMPONENT NAME
plugins/modules/identity/ipa/ipa_dnsrecord.py
ANSIBLE VERSION
ansible 2.10.5
config file = /home/username/ansible_DNS/ansible.cfg
configured module search path = ['/home/username/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/username/ansible_DNS/venv/lib64/python3.6/site-packages/ansible
executable location = /home/username/ansible_DNS/venv/bin/ansible
python version = 3.6.8 (default, Aug 24 2020, 17:57:11) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
CONFIGURATION
CACHE_PLUGIN(/home/username/ansible_DNS/ansible.cfg) = jsonfile
CACHE_PLUGIN_CONNECTION(/home/username/ansible_DNS/ansible.cfg) = ignore/facts_cache
COLLECTIONS_PATHS(/home/username/ansible_DNS/ansible.cfg) = ['/home/username/ansible_DNS/ignore/collections']
DEFAULT_CALLBACK_WHITELIST(/home/username/ansible_DNS/ansible.cfg) = ['profile_tasks']
DEFAULT_GATHERING(/home/username/ansible_DNS/ansible.cfg) = smart
DEFAULT_LOAD_CALLBACK_PLUGINS(/home/username/ansible_DNS/ansible.cfg) = True
DEFAULT_ROLES_PATH(/home/username/ansible_DNS/ansible.cfg) = ['/home/username/ansible_DNS/ignore/roles']
DEFAULT_STDOUT_CALLBACK(/home/username/ansible_DNS/ansible.cfg) = yaml
DEFAULT_STRATEGY_PLUGIN_PATH(/home/username/ansible_DNS/ansible.cfg) = ['/home/username/ansible_DNS/venv/lib/python3.6/site-packages/ansible_mitogen/plugins/strategy']
DEFAULT_TIMEOUT(/home/username/ansible_DNS/ansible.cfg) = 60
DEFAULT_VAULT_IDENTITY_LIST(/home/username/ansible_DNS/ansible.cfg) = ['.vault_password']
DISPLAY_SKIPPED_HOSTS(/home/username/ansible_DNS/ansible.cfg) = False
HOST_KEY_CHECKING(/home/username/ansible_DNS/ansible.cfg) = False
INVENTORY_CACHE_ENABLED(/home/username/ansible_DNS/ansible.cfg) = True
INVENTORY_CACHE_PLUGIN_CONNECTION(/home/username/ansible_DNS/ansible.cfg) = ignore/inventory_cache
TRANSFORM_INVALID_GROUP_CHARS(/home/username/ansible_DNS/ansible.cfg) = ignore
OS / ENVIRONMENT
CentOS8, FreeIPA, version: 4.6.6
STEPS TO REPRODUCE
```yaml
- name: Check DNS entry
  ipa_dnsrecord:
    name: "hostname.example.com."
    record_value: "192.168.1.1"
    record_type: A
    zone_name: "example.com"
    ipa_host: "ipaserver.example.com"
    ipa_user: "admin"
    ipa_pass: "XXXXXX"
```
EXPECTED RESULTS
That the task would be unchanged after first run to create the DNS A record.
Also, the response msg: 'response dnsrecord_add: no modifications to be performed' should not be considered as an error.
ACTUAL RESULTS
```
TASK [Check InfinBand DNS entry] *****************************************************************
task path: /home/hicksaw/dev/bcm91-baremetal-bootstrapper/bootstrapper.yaml:106
fatal: [192.168.235.17]: FAILED! => changed=false
  invocation:
    module_args:
      ipa_host: hpcaipa02.kupe.niwa.co.nz
      ipa_pass: VALUE_SPECIFIED_IN_NO_LOG_PARAMETER
      ipa_port: 443
      ipa_prot: https
      ipa_timeout: 10
      ipa_user: enrollhost
      name: hpcakaos01.ib.kupe.niwa.co.nz.
      record_name: hpcakaos01.ib.kupe.niwa.co.nz.
      record_ttl: null
      record_type: A
      record_value: 192.168.236.17
      state: present
      validate_certs: true
      zone_name: kupe.niwa.co.nz
  msg: 'response dnsrecord_add: no modifications to be performed'
```
current workaround is:

```yaml
ignore_errors: yes
```
I'm looking at the code in https://github.com/ansible-collections/community.general/blob/9c648c8e3acedf0881c9fbeb08b353230457c945/plugins/modules/identity/ipa/ipa_dnsrecord.py

It looks to me like the test for whether the IPA record exists at line [258](https://github.com/ansible-collections/community.general/blob/9c648c8e3acedf0881c9fbeb08b353230457c945/plugins/modules/identity/ipa/ipa_dnsrecord.py#L258) is failing, causing the module to try `dnsrecord_add` when it should be moving on to comparing the existing record and trying `dnsrecord_mod`.
Hmmm.... my script includes the trailing periods that are 'correct' for the name when creating a DNS record.

Actually, with a few CLI tests I've figured it out. When you use `ipa dnsrecord_find domain FQDN` it fails; you only want to search for the `hostname` or `hostname.subdomain` given to ipa_dnsrecord.

This is not clear in the documentation, and maybe updating the module to detect a FQDN and break off the `hostname.subdomain` part for doing the `dnsrecord_find` and comparing dnsrecords would make the module safer and more resilient.
The workaround (or correct usage depending on PoV) is to only use the short `hostname` or `hostname.subdomain` to specify the DNS record, rather than the FQDN, so my task becomes:

```yaml
- name: Check DNS entry
  ipa_dnsrecord:
    name: hostname
    record_value: "192.168.1.1"
    record_type: A
    zone_name: "example.com"
    ipa_host: "ipaserver.example.com"
    ipa_user: "admin"
    ipa_pass: "XXXXXX"
```
after which it passes
It still fails if using record_ttl. But fortunately record_ttl is not required anymore (previously the task failed without record_ttl).
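The find/add/mod flow the comments above describe, as an added example that is not the ipa_dnsrecord module's own code: `normalize_record_name` strips the zone suffix and trailing dot so `dnsrecord_find` receives the zone-relative name, and `ensure_record` treats a "no modifications to be performed" response as an unchanged result instead of a failure. `FakeIPAClient` is a constructed stand-in for the IPA JSON-RPC client, and the `BrokenFind` case in the usage mimics the FQDN lookup failing.

```python
# Added example, not the ipa_dnsrecord module's own code; FakeIPAClient is constructed.
NO_MODS = "no modifications to be performed"


def normalize_record_name(name, zone_name):
    """Zone-relative name as FreeIPA's dnsrecord_find expects it:
    'hostname.example.com.' or 'hostname' in zone 'example.com' -> 'hostname',
    'host.ib.example.com' -> 'host.ib'. A bare zone name is left as-is."""
    name = name.rstrip(".").lower()
    suffix = "." + zone_name.rstrip(".").lower()
    return name[:-len(suffix)] if name.endswith(suffix) else name


class FakeIPAClient:
    """Records keyed by (zone, relative name); dnsrecord_add raises the
    exact error text from the issue when the record already matches."""

    def __init__(self):
        self.records = {}

    def dnsrecord_find(self, zone_name, record_name):
        return self.records.get((zone_name, record_name))

    def dnsrecord_add(self, zone_name, record_name, item):
        if self.records.get((zone_name, record_name)) == item:
            raise RuntimeError("response dnsrecord_add: " + NO_MODS)
        self.records[(zone_name, record_name)] = dict(item)

    def dnsrecord_mod(self, zone_name, record_name, item):
        self.records[(zone_name, record_name)] = dict(item)


def ensure_record(client, zone_name, name, record_type, value):
    """Idempotent ensure; True only when server state changed."""
    rel = normalize_record_name(name, zone_name)
    item = {record_type.lower() + "record": value}
    existing = client.dnsrecord_find(zone_name, rel)
    if existing == item:
        return False
    if existing is not None:
        client.dnsrecord_mod(zone_name, rel, item)
        return True
    try:
        client.dnsrecord_add(zone_name, rel, item)
    except RuntimeError as exc:
        if NO_MODS in str(exc):  # already as requested: unchanged, not fatal
            return False
        raise
    return True
```

Running `ensure_record` twice with the FQDN form `hostname.example.com.` returns True then False, which is the idempotent behaviour the issue expects; if the lookup is made to return nothing (as with an unnormalised FQDN), the second call still returns False instead of failing.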
The same issue happens with `record_type: CNAME` when `record_ttl` is set.