|
| 1 | + |
| 2 | +.. _porting_2.18_guide_core: |
| 3 | + |
| 4 | +******************************* |
| 5 | +Ansible-core 2.18 Porting Guide |
| 6 | +******************************* |
| 7 | + |
| 8 | +This section discusses the behavioral changes between ``ansible-core`` 2.17 and ``ansible-core`` 2.18. |
| 9 | + |
| 10 | +It is intended to assist in updating your playbooks, plugins and other parts of your Ansible infrastructure so they will work with this version of Ansible. |
| 11 | + |
| 12 | +We suggest you read this page along with `ansible-core Changelog for 2.18 <https://github.com/ansible/ansible/blob/stable-2.18/changelogs/CHANGELOG-v2.18.rst>`_ to understand what updates you may need to make. |
| 13 | + |
| 14 | +This document is part of a collection on porting. The complete list of porting guides can be found at :ref:`porting guides <porting_guides>`. |
| 15 | + |
| 16 | +.. contents:: Topics |
| 17 | + |
| 18 | + |
| 19 | +Playbook |
| 20 | +======== |
| 21 | + |
| 22 | +* Conditionals - due to mitigation of security issue CVE-2023-5764 in ansible-core 2.16.1, |
| 23 | + conditional expressions with embedded template blocks can fail with the message |
| 24 | + "``Conditional is marked as unsafe, and cannot be evaluated.``" when an embedded template |
| 25 | + consults data from untrusted sources like module results or vars marked ``!unsafe``. |
| 26 | + Conditionals with embedded templates can be a source of malicious template injection when |
| 27 | + referencing untrusted data, and can nearly always be rewritten without embedded |
| 28 | + templates. Playbook task conditional keywords such as ``when`` and ``until`` have long |
| 29 | + displayed warnings discouraging use of embedded templates in conditionals; this warning |
| 30 | + has been expanded to non-task conditionals as well, such as the ``assert`` action. |
| 31 | + |
| 32 | + .. code-block:: yaml |
| 33 | +
|
| 34 | + - name: task with a module result (always untrusted by Ansible) |
| 35 | + shell: echo "hi mom" |
| 36 | + register: untrusted_result |
| 37 | +
|
| 38 | + # don't do it this way... |
| 39 | + # - name: insecure conditional with embedded template consulting untrusted data |
| 40 | + # assert: |
| 41 | + # that: '"hi mom" is in {{ untrusted_result.stdout }}' |
| 42 | +
|
| 43 | + - name: securely access untrusted values directly as Jinja variables instead |
| 44 | + assert: |
| 45 | + that: '"hi mom" is in untrusted_result.stdout' |
| 46 | +
|
| 47 | +
|
| 48 | +
|
| 49 | +Command Line |
| 50 | +============ |
| 51 | + |
| 52 | +* Python 3.10 is a no longer supported control node version. Python 3.11+ is now required for running Ansible. |
| 53 | +* Python 3.7 is a no longer supported remote version. Python 3.8+ is now required for target execution. |
| 54 | + |
| 55 | + |
| 56 | +Deprecated |
| 57 | +========== |
| 58 | + |
| 59 | +No notable changes |
| 60 | + |
| 61 | + |
| 62 | +Modules |
| 63 | +======= |
| 64 | + |
| 65 | +No notable changes |
| 66 | + |
| 67 | + |
| 68 | +Modules removed |
| 69 | +--------------- |
| 70 | + |
| 71 | +The following modules no longer exist: |
| 72 | + |
| 73 | +* No notable changes |
| 74 | + |
| 75 | + |
| 76 | +Deprecation notices |
| 77 | +------------------- |
| 78 | + |
| 79 | +No notable changes |
| 80 | + |
| 81 | + |
| 82 | +Noteworthy module changes |
| 83 | +------------------------- |
| 84 | + |
| 85 | +No notable changes |
| 86 | + |
| 87 | + |
| 88 | +Plugins |
| 89 | +======= |
| 90 | + |
| 91 | +* The ``ssh`` connection plugin now officially supports targeting Windows hosts. A |
| 92 | + breaking change has been made as part of this official support is the low level command |
| 93 | + execution done by plugins like ``ansible.builtin.raw`` and action plugins calling |
| 94 | + ``_low_level_execute_command`` is no longer wrapped with a ``powershell.exe`` wrapped |
| 95 | + invocation. These commands will now be executed directly on the target host using |
| 96 | + the default shell configuration set on the Windows host. This change is done to |
| 97 | + simplify the configuration required on the Ansible side, make module execution more |
| 98 | + efficient, and to remove the need to decode stderr CLIXML output. A consequence of this |
| 99 | + change is that ``ansible.builtin.raw`` commands are no longer be guaranteed to be |
| 100 | + run through a PowerShell shell and with the output encoding of UTF-8. To run a command |
| 101 | + through PowerShell and with UTF-8 output support, use the ``ansible.windows.win_shell`` |
| 102 | + or ``ansible.windows.win_powershell`` module instead. |
| 103 | + |
| 104 | + .. code-block:: yaml |
| 105 | +
|
| 106 | + - name: Run with win_shell |
| 107 | + ansible.windows.win_shell: Write-Host "Hello, Café" |
| 108 | +
|
| 109 | + - name: Run with win_powershell |
| 110 | + ansible.windows.win_powershell: |
| 111 | + script: Write-Host "Hello, Café" |
| 112 | +
|
| 113 | +
|
| 114 | +Porting custom scripts |
| 115 | +====================== |
| 116 | + |
| 117 | +No notable changes |
| 118 | + |
| 119 | + |
| 120 | +Networking |
| 121 | +========== |
| 122 | + |
| 123 | +No notable changes |
0 commit comments