stackhpc · Alex-Welsh · Dec 8, 2025 · Nov 25, 2025 · Dec 3, 2025 · Nov 25, 2025
@@ -9,32 +9,15 @@ exclude_paths:
 strict: false
 use_default_rules: true
 skip_list:
-  # [E301] Commands should not change things if nothing needs doing
-  # TODO(mnasiadka): Fix tasks that fail this check in a later iteration
-  - no-changed-when
-  # [E503] Tasks that run when changed should likely be handlers
-  - no-handler
   # [unnamed-task] All tasks should be named
   # FIXME(mgoddard): Add names to all tasks
   - unnamed-task
   # disable experimental rules
   - experimental
-  # Package installs should not use latest
-  - package-latest
-  # Most files should not contain tabs
-  - no-tabs
   # NOTE(frickler): Agreed at Zed PTG not to use FQCN for builtin actions for now, due to
   # conflicts with open patches and backports.
   - fqcn-builtins
-  # Allow Jinja templating inside task and play names
-  - name[template]
   # FQCNs again, now for module actions
   - fqcn[action]
-  # role name check matching ^*$
-  - role-name
-  # TODO(frickler): Discuss these in detail, skipping for now to unblock things
-  - name[play]
   - var-naming[no-role-prefix]
-  - risky-file-permissions
-  - risky-shell-pipe
   - yaml[line-length]
@@ -1,5 +1,6 @@
 ---
-- import_playbook: gather-facts.yml
+- name: Gather facts
+  import_playbook: gather-facts.yml
   when: >-
     kolla_enable_tls_backend | default(false) | bool or
     rabbitmq_enable_tls | default(false) | bool or

@@ -1,5 +1,6 @@
 ---
-- import_playbook: gather-facts.yml
+- name: Gather facts
+  import_playbook: gather-facts.yml
 
 - name: Apply role baremetal
   hosts: baremetal

@@ -1,5 +1,6 @@
 ---
-- import_playbook: gather-facts.yml
+- name: Gather facts
+  import_playbook: gather-facts.yml
   vars:
     kolla_action: migrate-container-engine
 

@@ -1,5 +1,6 @@
 ---
-- import_playbook: gather-facts.yml
+- name: Gather facts
+  import_playbook: gather-facts.yml
 
 - name: Remove nova_libvirt container
   gather_facts: false

@@ -1,5 +1,6 @@
 ---
-- import_playbook: gather-facts.yml
+- name: Gather facts
+  import_playbook: gather-facts.yml
 
 - name: Apply role prune-images
   hosts: baremetal

@@ -1,5 +1,6 @@
 ---
-- import_playbook: gather-facts.yml
+- name: Gather facts
+  import_playbook: gather-facts.yml
 
 - name: Group hosts based on configuration (RabbitMQ Only)
   hosts: all
@@ -15,7 +16,8 @@
       changed_when: false
   tags: always
 
-- import_playbook: rabbitmq.yml
+- name: Run RabbitMQ upgrade
+  import_playbook: rabbitmq.yml
   vars:
     kolla_action: upgrade
     rabbitmq_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/rabbitmq-{{ rabbitmq_version_suffix | regex_replace('\\.', '-') }}"
@@ -4,6 +4,7 @@
     nginx_user: "{{ 'www-data' if is_debian else 'nginx' }}"
     is_debian: "{{ kolla_base_distro in ['debian', 'ubuntu'] }}"
   become: true
+  changed_when: true
   command: >
      {{ kolla_container_engine }} exec bifrost_deploy
      bash -c 'mkdir -p /var/log/kolla/ironic &&
@@ -13,6 +14,7 @@
 
 - name: Bootstrap bifrost (this may take several minutes)
   become: true
+  changed_when: true
   command: >
      {{ kolla_container_engine }} exec bifrost_deploy
      bash -c
@@ -23,6 +25,7 @@
 
 - name: Installing ssh keys
   become: true
+  changed_when: true
   command: >
      {{ kolla_container_engine }} exec bifrost_deploy
      bash -c 'mkdir -p /root/.ssh ; mkdir -p /home/ironic/.ssh;

@@ -1,6 +1,7 @@
 ---
 - name: Enrolling physical servers with ironic
   become: true
+  changed_when: true
   command: >
      {{ kolla_container_engine }} exec bifrost_deploy
      bash -c 'export OS_CLOUD=bifrost &&
@@ -11,6 +12,7 @@
 
 - name: Deploy physical servers with ironic
   become: true
+  changed_when: true
   command: >
      {{ kolla_container_engine }} exec bifrost_deploy
      bash -c 'export OS_CLOUD=bifrost &&

@@ -57,7 +57,7 @@
     - "{{ check_results.results }}"
 
 - include_tasks: start.yml
-  when: remove_containers.changed
+  when: remove_containers.changed  # noqa no-handler
 
 - name: Restart containers
   become: true

@@ -18,6 +18,7 @@
         # order.
         - name: Stop services gracefully
           become: true
+          changed_when: true
           command: "{{ kolla_container_engine }} exec bifrost_deploy systemctl stop {{ item }}.service"
           with_items:
             - ironic

@@ -54,7 +54,7 @@
     - should_copy_custom_meter_definitions
   with_dict: "{{ ceilometer_services | select_services_enabled_and_mapped_to_host }}"
 
-- name: Check if the folder ["{{ node_custom_config }}/ceilometer/{{ ceilometer_dynamic_pollsters_local_folder }}"] for dynamic pollsters definitions exist
+- name: Check if the folder for dynamic pollsters definitions exist
   stat:
     path: "{{ node_custom_config }}/ceilometer/{{ ceilometer_dynamic_pollsters_local_folder }}"
   delegate_to: localhost

@@ -69,8 +69,9 @@
   copy:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
+    mode: "0600"
     remote_src: true
-  with_items:
+  loop:
     - src: "{{ kolla_tls_backend_cert }}"
       dest: "{{ kolla_certificates_dir }}/rabbitmq-cert.pem"
     - src: "{{ kolla_tls_backend_key }}"
@@ -82,11 +83,12 @@
   copy:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
-    mode: "0660"
+    mode: "{{ item.mode | default('0600') }}"
     remote_src: true
   with_items:
     - src: "{{ kolla_tls_backend_cert }}"
       dest: "{{ kolla_certificates_dir }}/mariadb-cert.pem"
+      mode: "0644"
     - src: "{{ kolla_tls_backend_key }}"
       dest: "{{ kolla_certificates_dir }}/mariadb-key.pem"
   when:

@@ -28,13 +28,13 @@
   when:
     - cloudkitty_policy.results | length > 0
 
-- name: Check if custom {{ cloudkitty_custom_metrics_yaml_file }} exists
+- name: Check if custom metrics file exists
   stat:
     path: "{{ node_custom_config }}/cloudkitty/{{ cloudkitty_custom_metrics_yaml_file }}"
   delegate_to: localhost
   register: cloudkitty_custom_metrics_file
 
-- name: Copying {{ cloudkitty_custom_metrics_yaml_file }} if it exists
+- name: Copying custom metrics file
   copy:
     src: "{{ node_custom_config }}/cloudkitty/{{ cloudkitty_custom_metrics_yaml_file }}"
     dest: "{{ node_config_directory }}/{{ item.key }}/{{ cloudkitty_custom_metrics_yaml_file }}"

@@ -51,6 +51,7 @@
         target_path: "{{ engine_data[target_engine].volumes_dir }}/{{ item.path | basename }}"
         source_path: "{{ item.path }}/_data"
       become: true
+      changed_when: true
       command: "mv -f {{ source_path }} {{ target_path }}"
       with_items: "{{ container_volumes.files }}"
 

@@ -1,6 +1,7 @@
 ---
 - name: Remove OVS bridges from neutron
   become: true
+  changed_when: true
   command: >
     {{ current_engine }} exec -u root neutron_openvswitch_agent neutron-ovs-cleanup
     --config-file /etc/neutron/neutron.conf
@@ -9,6 +10,7 @@
 
 - name: Remove OVS bridges
   become: true
+  changed_when: true
   command: >
     {{ current_engine }} exec openvswitch_vswitchd
     bash -c 'for br in `ovs-vsctl list-br`;do ovs-vsctl --if-exists del-br $br;done'
@@ -1,6 +1,7 @@
 ---
 - name: Non-destructive DNS pools update
   become: true
+  changed_when: true
   command: "{{ kolla_container_engine }} exec -t designate_worker designate-manage pool update"
   run_once: true
   delegate_to: "{{ groups['designate-worker'][0] }}"
@@ -4,6 +4,7 @@
     service_name: "etcd"
     service: "{{ etcd_services[service_name] }}"
   become: true
+  changed_when: true
   command: >-
     {{ kolla_container_engine }} exec {{ service.container_name }}
     etcdctl member add {{ ansible_facts.hostname }}

@@ -29,6 +29,7 @@
       {{ etcd_member_list_result.stdout | from_json
       | json_query('members[].{key: name, value: ID}') | items2dict }}
   become: true
+  changed_when: true
   command: >-
     {{ kolla_container_engine }} exec {{ service.container_name }}
     etcdctl member remove {{ '%x' % etcd_member_id[etcd_deleted_member] }}

@@ -2,6 +2,7 @@
 - name: Ensure config directories exist
   file:
     path: "{{ node_custom_config }}/{{ item }}"
+    mode: "0755"
     state: directory
   delegate_to: localhost
   changed_when: false

@@ -2,6 +2,7 @@
 - name: Ensure stonith is disabled
   vars:
     service: "{{ hacluster_services['hacluster-pacemaker'] }}"
+  changed_when: true
   command: "{{ kolla_container_engine }} exec {{ service.container_name }} crm_attribute --type crm_config --name stonith-enabled --update false"
   run_once: true
   become: true
@@ -11,6 +12,7 @@
   vars:
     pacemaker_service: "{{ hacluster_services['hacluster-pacemaker'] }}"
     service: "{{ hacluster_services['hacluster-pacemaker-remote'] }}"
+  changed_when: true
   shell: >
     {{ kolla_container_engine }} exec {{ pacemaker_service.container_name }}
     cibadmin --modify --scope resources -X '

@@ -22,10 +22,12 @@
 
     - name: Create ironic_dhcp_hosts volume
       become: true
+      changed_when: true
       command: "{{ kolla_container_engine }} volume create ironic_dhcp_hosts"
 
     - name: Migrate data from ironic_inspector_dhcp_hosts volume
       become: true
+      changed_when: true
       vars:
         volumes_dir: >-
           {{ '/var/lib/docker/volumes' if kolla_container_engine == 'docker'
@@ -87,5 +89,6 @@
 # TODO(mnasiadka): Remove this task in Gazpacho/2026.1 release
 - name: Remove ironic_inspector_dhcp_hosts volume
   become: true
+  changed_when: true
   command: "{{ kolla_container_engine }} volume rm ironic_inspector_dhcp_hosts"
   when: enable_ironic_dnsmasq | bool
@@ -11,6 +11,7 @@
 
 - name: Run key distribution
   become: true
+  changed_when: true
   command: "{{ kolla_container_engine }} exec -t {{ keystone_services['keystone-fernet']['container_name'] }} /usr/bin/fernet-push.sh"
   run_once: true
   delegate_to: >-

@@ -22,6 +22,7 @@
     existing_mappings: "{{ existing_mappings_register.stdout_lines | map('trim') | list }}"
 
 - name: Remove unmanaged attribute mappings
+  changed_when: true
   command: >
     {{ kolla_container_engine }} exec -t keystone openstack
     --os-auth-url={{ openstack_auth.auth_url }}
@@ -43,6 +44,7 @@
 
 - name: Create unexisting domains
   become: true
+  changed_when: true
   kolla_toolbox:
     container_engine: "{{ kolla_container_engine }}"
     module_name: "os_keystone_domain"
@@ -57,6 +59,7 @@
 
 - name: Register attribute mappings in OpenStack
   become: true
+  changed_when: true
   command: >
     {{ kolla_container_engine }} exec -t keystone openstack
     --os-auth-url={{ openstack_auth.auth_url }}
@@ -78,6 +81,7 @@
 
 - name: Update existing attribute mappings in OpenStack
   become: true
+  changed_when: true
   command: >
     {{ kolla_container_engine }} exec -t keystone openstack
     --os-auth-url={{ openstack_auth.auth_url }}
@@ -121,6 +125,7 @@
 
 - name: Remove unmanaged identity providers
   become: true
+  changed_when: true
   command: >
     {{ kolla_container_engine }} exec -t keystone openstack
     --os-auth-url={{ openstack_auth.auth_url }}
@@ -141,6 +146,7 @@
 
 - name: Register Identity Providers in OpenStack
   become: true
+  changed_when: true
   command: >
     {{ kolla_container_engine }} exec -t keystone openstack
     --os-auth-url={{ openstack_auth.auth_url }}
@@ -164,6 +170,7 @@
 
 - name: Update Identity Providers in OpenStack according to Kolla-Ansible configurations
   become: true
+  changed_when: true
   command: >
     {{ kolla_container_engine }} exec -t keystone openstack
     --os-auth-url={{ openstack_auth.auth_url }}
@@ -186,6 +193,7 @@
 
 - name: Configure attribute mappings for each Identity Provider. (We expect the mappings to be configured by the operator)
   become: true
+  changed_when: true
   command: >
     {{ kolla_container_engine }} exec -t keystone openstack
     --os-auth-url={{ openstack_auth.auth_url }}
@@ -208,6 +216,7 @@
 
 - name: Update attribute mappings for each Identity Provider. (We expect the mappings to be configured by the operator).
   become: true
+  changed_when: true
   command: >
     {{ kolla_container_engine }} exec -t keystone openstack
     --os-auth-url={{ openstack_auth.auth_url }}

@@ -22,11 +22,13 @@
     - not use_preconfigured_databases | bool
 
 - name: Init keystone database upgrade
+  changed_when: true
   command: /bin/true
   notify: Init keystone database upgrade
   when: inventory_hostname == groups['keystone'][0]
 
 - name: Finish keystone database upgrade
+  changed_when: true
   command: /bin/true
   notify: Finish keystone database upgrade
   when: inventory_hostname == groups['keystone'][-1]

@@ -2,6 +2,7 @@
 - name: Validating haproxy config files
   vars:
     service: "{{ loadbalancer_services['haproxy'] }}"
+  changed_when: false
   command: >-
     {{ kolla_container_engine }} exec -i haproxy haproxy
     -c -f /etc/haproxy/haproxy.cfg -f /etc/haproxy/services.d/