community.sap_install

sap_hostagent: unexpected become removal

Open crysaki opened this issue 8 months ago • 2 comments

Ansible Role

sap_hostagent

OS Family

RHEL

Ansible Controller - Python version

3.9.18

Ansible-core version

2.14.14

Bug Description

Since the last release of this collection, the ansible_become: true is removed from the role. The installation of the SAP Host Agent has to be done with user root, so at least the task Install SAPHOSTAGENT always has to be executed with privilege.

We have the role included in big playbooks with the sar_remote option. Unfortunately the role is not idempotent so it does not determine if an agent is already installed and always extracts the SAR. So we check if we already have an Agent on the host and do a dynamic include of the role to reduce the runtime. But since the default become was removed from the role this is not possible anymore (Took us some time to find the change in the role).

So would it be possible to add become to specific tasks within the role, or won't you do that, so everybody has to do a privileged static import of the role?

Bug reproduction

Include the role in a playbook.

Community participation

Happy to implement this bug fix

crysaki, Jul 01 '25 05:07

@crysaki I've just created a role to install (unpack and execute install action) saphostagent SAR archives. One can find the role in sap.sap_operations collection version 2.15 (and above): https://galaxy.ansible.com/ui/repo/published/sap/sap_operations/content/role/saphostagent_sar/

There is a sample playbook that demonstrates how this role can be used end to end (download SAR archive, install sapcar, install saphostagent): https://github.com/redhat-sap/rh_operations/blob/galaxy-2.15.0/playbooks/sample_saphostagent_sar_e2e.yml

Documentation for the role saphostagent_sar can be found here: https://docs.galaxy.saponrhel.org/collections/sap/sap_operations/saphostagent_sar_role.html#ansible-collections-sap-sap-operations-saphostagent-sar-role

kksat, Jul 04 '25 09:07

@crysaki Thanks for spending time on bringing this behavior to our attention. I am happy to assist and help solve your issue inside of this collection - instead of allowing unwanted behavior to remain in our code for no good reason (of course, subject to prioritization).

We would like to avoid setting ansible_become: true in defaults/main.yml but would rather use become: true on the task level. Until then, can you maybe use import_role instead of include_role? The ansible.builtin.import_role module supports setting become: true on the task level, and the behavior of that one is similar to calling the role directly with become: true as a playbook variable. I tested with ansible-core version 2.18.6, using the following playbook snippet:

  tasks:
    - name: Find out if the SAP Host Agent is installed
      ansible.builtin.shell: set -o pipefail && /usr/sap/hostctrl/exe/saphostexec -version | awk 'BEGIN{a=0}/SAPHOSTAGENT information/{a++}END{print a}'
      register: shell_result
      ignore_errors: true

    - name: Display the shell command result
      ansible.builtin.debug:
        msg: |
          "shell_result.stdout: >{{ shell_result.stdout }}<"
          "shell_result.rc: >{{ shell_result.rc }}<"
      ignore_errors: true

    - name: Call the role 'sap_hostagent'
#      ansible.builtin.include_role: # won't work with 'become:'
      ansible.builtin.import_role:
        name: sap_hostagent
      become: true
      when:
        - shell_result.rc != 0
        - shell_result.stdout | int != 1

If this doesn't help or is not desired (e.g. because you do not want to, or cannot, use static imports), can you please provide a code snippet which shows how you called the role sap_hostagent during the time when ansible_become: true was still in defaults/main.yml?

From what I understand, your problem could also be avoided altogether if the role sap_hostagent was fully (or nearly, depending on the complexity of the detection of the desired status) idempotent. Then we should probably focus our efforts on that topic.

berndfinger, Jul 04 '25 16:07
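
For callers who need to keep a dynamic include, as in the issue above, privilege escalation can be limited to the role's own tasks through the `apply` option of `ansible.builtin.include_role`. The playbook below is an added example, not code from the thread or from the collection; the host group `sap_hosts`, the variable name `saphostexec_stat` and the `stat`-based presence check are assumptions, and the role's own variables are assumed to be set elsewhere.

```yaml
---
# Added example: the play runs unprivileged, only the included role's tasks
# are escalated. Not part of community.sap_install.
- name: Install the SAP Host Agent only where it is missing
  hosts: sap_hosts              # assumption: constructed inventory group name
  become: false                 # play-level default stays unprivileged

  tasks:
    # Assumption: the binary's directory is readable without root. If it is
    # not, add 'become: true' to this single task rather than to the play.
    - name: Check for an existing SAP Host Agent binary
      ansible.builtin.stat:
        path: /usr/sap/hostctrl/exe/saphostexec   # path taken from the thread
      register: saphostexec_stat                  # hypothetical variable name

    # 'when' decides at run time whether the role is included at all;
    # 'apply' attaches 'become: true' to every task inside the role.
    # Role variables (installation type, SAR location, ...) are assumed to be
    # defined in group_vars or passed with 'vars:' and are omitted here.
    - name: Include sap_hostagent dynamically with become scoped to the role
      ansible.builtin.include_role:
        name: community.sap_install.sap_hostagent
        apply:
          become: true
      when: not saphostexec_stat.stat.exists
```

Running the play with `--check -vv` first shows which hosts would include the role and confirms that the tasks outside the role still run without escalation.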