community.general
community.general copied to clipboard
ansible-collections
pkgng reports insufficient privilege as ok/unchanged, inconsistent with builtin.apt, builtin.yum
Summary
With a barebones "update all installed packages" playbook, a server that requires sudo/root privileges to do so, and intentionally not providing said credentials, pkng reports green/ok/unchanged although it fails to do the task. This is inconsistent with builtin.apt and builtin.yum modules that correctly report red/failed with a result msg of "You need to be root" and "Are you root?" respectively.
Issue Type
Bug Report
Component Name
pkgng
Ansible Version
$ ansible --version
ansible [core 2.13.4]
config file = None
configured module search path = ['/Users/alexis/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/Cellar/ansible/6.4.0/libexec/lib/python3.10/site-packages/ansible
ansible collection location = /Users/alexis/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/local/bin/ansible
python version = 3.10.7 (main, Sep 15 2022, 01:51:29) [Clang 14.0.0 (clang-1400.0.29.102)]
jinja version = 3.1.2
libyaml = True
Community.general Version
$ ansible-galaxy collection list community.general
# /usr/local/Cellar/ansible/6.4.0/libexec/lib/python3.10/site-packages/ansible_collections
Collection Version
----------------- -------
community.general 5.6.0
Configuration
$ ansible-config dump --only-changed
(empty)
OS / Environment
Control node: macOS Monterey 12.6 Managed (target) node: FreeBSD 13.1-RELEASE amd64
Steps to Reproduce
My playbook:
---
- name: ensures server is up to date
hosts: freebsd-server
tasks:
- name: upgrade all packages
pkgng:
name: '*'
state: latest
Command to run playbook:
$ ansible-playbook -i inventory.ini freebsd-update.yml -vvv
Expected Results
pkgng should return red/failed when it attempts to do a task it has insufficient privileges for to be consistent with builtin.apt and builtin.yum.
As an example, here's the -vvv update from a different server running apt:
fatal: [debian]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"allow_change_held_packages": false,
"allow_downgrade": false,
"allow_unauthenticated": false,
"autoclean": false,
"autoremove": false,
"cache_valid_time": 0,
"clean": false,
"deb": null,
"default_release": null,
"dpkg_options": "force-confdef,force-confold",
"fail_on_autoremove": false,
"force": false,
"force_apt_get": false,
"install_recommends": null,
"lock_timeout": 60,
"name": "*",
"only_upgrade": false,
"package": [
"*"
],
"policy_rc_d": null,
"purge": false,
"state": "latest",
"update_cache": null,
"update_cache_retries": 5,
"update_cache_retry_max_delay": 12,
"upgrade": null
}
},
"msg": "'/usr/bin/apt-get upgrade --with-new-pkgs ' failed: E: Could not open lock file /var/lib/dpkg/lock-frontend - open (13: Permission denied)\nE: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), are you root?\n",
"rc": 100,
"stdout": "",
"stdout_lines": []
}
Actual Results
The verbose result as printed in the terminal:
ok: [freebsd-server] => {
"changed": false,
"invocation": {
"module_args": {
"annotation": null,
"autoremove": false,
"cached": false,
"chroot": null,
"ignore_osver": false,
"jail": null,
"name": [
"*"
],
"pkgsite": null,
"rootdir": null,
"state": "latest"
}
},
"msg": "no packages need upgrades",
"stderr": "pkg: Insufficient privilege to upgrade packages\n",
"stderr_lines": [
"pkg: Insufficient privilege to upgrade packages"
],
"stdout": "",
"stdout_lines": []
}
Result of pkg update if I run it without privileges directly on the target server:
user@freebsd-server:~ $ pkg update
pkg: Insufficient privileges to update the repository catalogue.
Code of Conduct
- [X] I agree to follow the Ansible Code of Conduct
Files identified in the description:
If these files are incorrect, please update the component name section of the description or use the !component bot command.
cc @JoergFiedler @MacLemon @bcoca @dch @jasperla @mekanix @opoplawski @overhacked @tuxillo click here for bot help
It looks to me that the module isn't checking return codes most of the time, when it really should.
