ansible / ansible-lint Goto Github PK

ansible-lint checks playbooks for practices and behavior that could potentially be improved and can fix some of the most common ones for you

Home Page: https://ansible.readthedocs.io/projects/lint/

License: GNU General Public License v3.0

Python 98.84% Shell 0.38% TypeScript 0.77%

ansible ansible-lint pre-commit-hook hacktoberfest dot-config pep-621 ansible-dev-tools

ansible-lint's Introduction

Ansible-lint

ansible-lint checks playbooks for practices and behavior that could potentially be improved. As a community-backed project ansible-lint supports only the last two major versions of Ansible.

Visit the Ansible Lint docs site

Using ansible-lint as a GitHub Action

This action allows you to run ansible-lint on your codebase without having to install it yourself.

# .github/workflows/ansible-lint.yml
name: ansible-lint
on:
  pull_request:
    branches: ["main", "stable", "release/v*"]
jobs:
  build:
    name: Ansible Lint # Naming the build is important to use it as a status check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run ansible-lint
        uses: ansible/ansible-lint@main # or version tag instead of 'main'

For more details, see ansible-lint-action.

Contributing

Please read Contribution guidelines if you wish to contribute.

Licensing

The ansible-lint project is distributed as GPLv3 due to use of GPLv3 runtime dependencies, like ansible and yamllint.

For historical reasons, its own code-base remains licensed under a more liberal MIT license and any contributions made are accepted as being made under original MIT license.

Authors

ansible-lint was created by Will Thames and is now maintained as part of the Ansible by Red Hat project.

ansible-lint's People

Contributors

Stargazers

Watchers

Forkers

milk opsgit msabramo kwilken mvillis klynch abulimov wybczu somaddict masteinhauser nickpack hughsaunders mscherer kaz-tk myrjola widyono jeanfred danrue underyx rusllonrails eemz shawnferry shirou kovacsbalu rgordeev thisendout davidtacheny schlueter charleswhchan sagiru timani no2a sigmavirus24 elzibubble harryrybacki-zz pabelanger s-yanagida bhcopeland jpcope dmsimard yannig caphrim007 raviagarwal101 tomdev smarkets cloudnull panickervinod erouan50 linearregression suzywu2014 lowess zentavr jean chouseknecht pnemade larsks ramnes pombredanne faulkner jzafran tom-jennings-axomic ludovicc igloonet beejhuff stpierre rvben adrianmoisey martinnowak straight-shoota yeshwantrh robinro anthcourtney jozog vshender rbramwell jborean93 jparrill cnicolov petegallagher jbscare mdelagrange greg-hellings charims 40a mozz100 ildarmf bdflemin lastsky jandradap stephenpc nathonfowlie jellyfrog paulcalabro optionalg prabhashkm bkozora omgjlk matrixcrawler njenan rhpvorderman

ansible-lint's Issues

Ansible 2: Inconsistent parsing of blocks ?

Reference: http://docs.ansible.com/ansible/playbooks_blocks.html

It looks like ansible-lint is not able to parse blocks properly, here's how to reproduce with the sample block taken from the documentation.

Setup:

  $ virtualenv lint
  New python executable in lint/bin/python
  Installing setuptools, pip, wheel...done.

  $ . ./lint/bin/activate.fish

  (lint) $ pip install 'ansible>=2.0' 'ansible-lint>=2.3'
  Collecting ansible>=2.0
  Collecting ansible-lint>=2.3
    Downloading ansible-lint-2.3.0.tar.gz
  Collecting paramiko (from ansible>=2.0)
    Using cached paramiko-1.16.0-py2.py3-none-any.whl
  Requirement already satisfied (use --upgrade to upgrade): setuptools in ./lint/lib/python2.7/site-packages (from ansible>=2.0)
  Collecting PyYAML (from ansible>=2.0)
  Collecting pycrypto>=2.6 (from ansible>=2.0)
  Collecting jinja2 (from ansible>=2.0)
    Using cached Jinja2-2.8-py2.py3-none-any.whl
  Collecting ecdsa>=0.11 (from paramiko->ansible>=2.0)
    Using cached ecdsa-0.13-py2.py3-none-any.whl
  Collecting MarkupSafe (from jinja2->ansible>=2.0)
  Building wheels for collected packages: ansible-lint
    Running setup.py bdist_wheel for ansible-lint
    Stored in directory: /home/dmsimard/.cache/pip/wheels/67/91/11/eddbc9181f0c591aef25dd203bba33e94ad43c78c715d04852
  Successfully built ansible-lint
  Installing collected packages: ecdsa, pycrypto, paramiko, PyYAML, MarkupSafe, jinja2, ansible, ansible-lint
  Successfully installed MarkupSafe-0.23 PyYAML-3.11 ansible-2.0.0.1 ansible-lint-2.3.0 ecdsa-0.13 jinja2-2.8 paramiko-1.16.0 pycrypto-2.6.1

  (lint) $ mkdir -p playbooks/roles/test/tasks

playbooks/playbook.yml


---
- name: Include test role
  hosts: all
  gather_facts: no
  roles:
    - role: test

playbooks/roles/tasks/main.yml


---
- block:
    - debug: msg='i execute normally'
    - command: /bin/false
    - debug: msg='i never execute, cause ERROR!'
  rescue:
    - debug: msg='I caught an error'
    - command: /bin/false
    - debug: msg='I also never execute :-('
  always:
    - debug: msg="this always executes"

ansible-lint output

  (lint) $ ansible-lint playbooks/playbook.yml; echo $status
  Was not expecting value [{'debug': 'msg="this always executes"', '__line__': 11}] of type <type 'list'> for key always
  Task: {'always': [{'debug': 'msg="this always executes"', '__line__': 11}], 'block': [{'debug': "msg='i execute normally'", '__line__': 3}, {'command': '/bin/false', '__line__': 4}, {'debug': "msg='i never execute, cause ERROR!'", '__line__': 5}], 'rescue': [{'debug': "msg='I caught an error'", '__line__': 7}, {'command': '/bin/false', '__line__': 8}, {'debug': "msg='I also never execute :-('", '__line__': 9}], '__line__': 2}
  1
  (lint) $ ansible-lint playbooks/roles/test/tasks/main.yml; echo $status
  0

Compatilbility with Ansible 2.x

While on ansible 1.9x working fine. Clean install of Ansible 2.x (devel branch) and having issue of module parse_yaml_from_file not available.

ansible-lint playbooks/test_update.yml
Traceback (most recent call last):
File "/usr/bin/ansible-lint", line 4, in
import('pkg_resources').run_script('ansible-lint==2.1.3', 'ansible-lint')
File "/usr/lib/python2.6/site-packages/pkg_resources/init.py", line 735, in run_script
self.require(requires)[0].run_script(script_name, ns)
File "/usr/lib/python2.6/site-packages/pkg_resources/init.py", line 1652, in run_script
exec(code, namespace, namespace)
File "/usr/lib/python2.6/site-packages/ansible_lint-2.1.3-py2.6.egg/EGG-INFO/scripts/ansible-lint", line 110, in
sys.exit(main(sys.argv[1:]))
File "/usr/lib/python2.6/site-packages/ansible_lint-2.1.3-py2.6.egg/EGG-INFO/scripts/ansible-lint", line 97, in main
matches = runner.run()
File "/usr/lib/python2.6/site-packages/ansible_lint-2.1.3-py2.6.egg/ansiblelint/init.py", line 172, in run
for file in ansiblelint.utils.find_children(arg):
File "/usr/lib/python2.6/site-packages/ansible_lint-2.1.3-py2.6.egg/ansiblelint/utils.py", line 87, in find_children
pb_data = ansible.utils.parse_yaml_from_file(playbook[0])
AttributeError: 'module' object has no attribute 'parse_yaml_from_file'

Can I go over directory instead of playbook?

Usage calls for a specific playbook. How can I go over all playbooks in dir instead?

Should linter consider .yml incorrect in favor of .yaml?

http://www.yaml.org/faq.html says "please use .yaml whenever possible". Would a PR to make ansible-lint warn when files have .yml rather than .yaml extensions be welcome?

Ansible-lint crash when using action with module parameters

Here's a simple example showing this crash:

---
- name: "Crash ansible-lint"
  gather_facts: no
  hosts: "localhost"
  tasks:
    - anything: module=test

Launching ansible-lint test.yml result in following crash:

Traceback (most recent call last):
  File "./bin/ansible-lint", line 116, in <module>
    sys.exit(main(sys.argv[1:]))
  File "./bin/ansible-lint", line 103, in main
    matches = runner.run()
  File "/home/yannig/dev/yannig/ansible-lint/lib/ansiblelint/__init__.py", line 211, in run
    skip_list=set(self.skip_list)))
  File "/home/yannig/dev/yannig/ansible-lint/lib/ansiblelint/__init__.py", line 123, in run
    matches.extend(rule.matchtasks(playbookfile, text))
  File "/home/yannig/dev/yannig/ansible-lint/lib/ansiblelint/__init__.py", line 59, in matchtasks
    for task in ansiblelint.utils.get_action_tasks(yaml, file):
  File "/home/yannig/dev/yannig/ansible-lint/lib/ansiblelint/utils.py", line 292, in get_action_tasks
    if 'include' not in task.keys()]
  File "/home/yannig/dev/yannig/ansible-lint/lib/ansiblelint/utils.py", line 240, in normalize_task
    v = _kv_to_dict(k + ' ' + v)
  File "/home/yannig/dev/yannig/ansible-lint/lib/ansiblelint/utils.py", line 222, in _kv_to_dict
    return (dict(module=command, module_arguments=args, **kwargs))
TypeError: type object got multiple values for keyword argument 'module'

I'll send you a PR which rename module keys into ansible_module and fix this crash.

AssertionError on roles: in playbook

I've updated ansible-lint using pip:

sudo pip install ansible-lint --upgrade

Still getting the same error but different lines in the source code now.

mbell@Michaels-MacBook-Pro-2 [11:35:18] [~/Vagrant/drupaldev-vm] [dev *]
-> % ansible-lint --version
ansible-lint 2.1.0
mbell@Michaels-MacBook-Pro-2 [11:35:25] [~/Vagrant/drupaldev-vm] [dev *]
-> % ansible-lint provisioning/playbook.yml
Traceback (most recent call last):
  File "/usr/local/bin/ansible-lint", line 110, in <module>
    sys.exit(main(sys.argv[1:]))
  File "/usr/local/bin/ansible-lint", line 97, in main
    matches = runner.run()
  File "/Library/Python/2.7/site-packages/ansiblelint/__init__.py", line 178, in run
    skip_tags=set(self.skip_tags)))
  File "/Library/Python/2.7/site-packages/ansiblelint/__init__.py", line 112, in run
    matches.extend(rule.matchtasks(playbookfile, text))
  File "/Library/Python/2.7/site-packages/ansiblelint/__init__.py", line 59, in matchtasks
    for task in ansiblelint.utils.get_action_tasks(yaml, file):
  File "/Library/Python/2.7/site-packages/ansiblelint/utils.py", line 254, in get_action_tasks
    if 'include' not in task.keys()]
  File "/Library/Python/2.7/site-packages/ansiblelint/utils.py", line 227, in normalize_task
    assert False
AssertionError


---
- hosts: all
  sudo: yes
  vars_files:
    - "./vars/main.yml"
    - "./vars/sites.yml"
  tasks:
    - name: register rvm
      stat: path=/home/vagrant/.rvm
      register: rvmpath
    - name: install python-pycurl
      apt: pkg=python-pycurl state=latest
    - name: Create ssh config file
      template: src=../files/config dest=/home/vagrant/.ssh/config owner=vagrant group=vagrant mode=0644
    - name: Create Databases
      mysql_db: name={{ item }} state=present login_user="root" login_password={{ mariadb_root_password }}
      with_items: mysql_dbs.keys()
      tags: db
    - name: Create DB Users
      mysql_user: name={{ item.value.user }} password={{ item.value.pass }} priv="{{ item.key }}.*:ALL" login_user="root" login_password={{ mariadb_root_password }}
      tags: db
      with_dict: mysql_dbs
  roles:
    - common
    - { role: ansible-mariadb55 }
    - { role: jdauphant.nginx, tags: nginx }
    - { role: geerlingguy.php }
    - { role: geerlingguy.drush }
    - { role: geerlingguy.java }
    - { role: geerlingguy.solr }
    - { role: geerlingguy.php-xdebug, php_xdebug_max_nesting_level: 256}
    - { role: geerlingguy.mailhog }
  handlers:
    - name: update repositories
      apt: update_cache=yes cache_valid_time=3600

False positive in DeprecatedTemplateBracketsRule

The DeprecatedTemplateBracketsRule module will report ANSIBLE0001 in the following example even though this would be a valid use of ${}

lineinfile: dest=/etc/init.d/mysql regexp="^MYSQLD_STARTUP_TIMEOUT" insertafter="^### END INIT INFO" line="MYSQLD_STARTUP_TIMEOUT=${MYSQLD_STARTUP_TIMEOUT:-180}"

DeprecatedVariableRule.match in README causes traceback

The DeprecatedVariableRule.match method in the readme takes two arguments, (self, line), when it should be (self, file, line).

Bug in ansible-lint current and previous version

Whenever I ran ansible-lint I got a Python error referencing that a type could not be NoneType. Drilling down to it I could 'bypass' it by commenting out the 'if' in init.py at line 60 and 61.
Yesterday I found the root cause to be a 'tags:' part without any items in it.

I believe ansible-lint should be throwing an error with regards to the empty tags part instead of throwing a Python error and exit.

I caught this when I started using Ansible 2.0 which throws the error that 'Tags must be in a list'

Error when the path to a playbook contains a space

If the path to my playbook contains a space, it fails to open it.

The culprit seems to be https://github.com/willthames/ansible-lint/blob/master/lib/ansiblelint/utils.py#L93

$ ./venv/bin/ansible-lint /Users/x/Library/Application Support/x/x/playbook.yml
Traceback (most recent call last):
  File "./venv/bin/ansible-lint", line 110, in <module>
    sys.exit(main(sys.argv[1:]))
  File "./venv/bin/ansible-lint", line 97, in main
    matches = runner.run()
  File "/Users/x/x/x/venv/lib/python2.7/site-packages/ansiblelint/__init__.py", line 178, in run
    skip_tags=set(self.skip_tags)))
  File "/Users/x/x/x/venv/lib/python2.7/site-packages/ansiblelint/__init__.py", line 106, in run
    with open(playbookfile['path'], 'Ur') as f:
IOError: [Errno 2] No such file or directory: 'Support/x/x/playbook.yml'

Ansible's unarchive module is not always analogous to the tar command

If I have a task that creates an archive (instead of expanding) there is no Ansible equivalent module to my knowledge that can accomplish this, yet the linter is reporting ANSIBLE0006.

For example:
shell: "/bin/tar czf {{support_log_root}}/{{timestamp}}/support.tgz *"

Feature: Local message control

Requesting a new feature for ansible-lint to support message controls embedded in the ansible yaml as comments. This allows users to enable/disable rules for small blocks of code. The most common use for this is disabling a rule for individual issues.

Sample message controls:

ansible-lint: disable=ANSIBLE0005

ansible-lint: enable=ANSIBLE0005, ANSIBLE0006

Lint vault files

I'd like to lint whole Ansible playbooks including vault files. An idea would be to provide ansible-lint the vault-pass parameter. Currently linting a vault file leads to a (correct) error:

ansible.errors.AnsibleError: ERROR! Decryption failed

is this listed in available atom packages?

CommandsInsteadOfArgumentsRule

With the following handler:

- name: "Run ldconfig"
  shell: |
    executable=/bin/bash
    ldconfig
  tags:
    - mesos

I got the following error:

Traceback (most recent call last):
  File "../ansible-lint/bin/ansible-lint", line 105, in <module>
    sys.exit(main(sys.argv[1:]))
  File "../ansible-lint/bin/ansible-lint", line 92, in main
    matches = runner.run()
  File "../ansible-lint/lib/ansiblelint/__init__.py", line 179, in run
    skip_tags=set(self.skip_tags)))
  File "../ansible-lint/lib/ansiblelint/__init__.py", line 113, in run
    matches.extend(rule.matchtasks(playbookfile, text))
  File "../ansible-lint/lib/ansiblelint/__init__.py", line 64, in matchtasks
    result = self.matchtask(file, task)
  File "../ansible-lint/lib/ansiblelint/rules/CommandsInsteadOfArgumentsRule.py", line 41, in matchtask
    executable = os.path.basename(task["action"]["args"][0])
IndexError: list index out of range

The task returned in the matchtask function is:

{'action': {'executable': '/bin/bash\nldconfig\n', 'args': [], 'module': 'shell'}, 'name': 'Run ldconfig', 'tags': ['mesos']}

I'm using ansible 1.4.5.

Installing `git` fires [ANSIBLE0004]

Example code:

- name: "Install Jenkins prerequisites"
  apt:
    pkg={{ item }}
    state=present
  sudo: yes
  with_items:
    - git
    - ruby
    - bundler
    - maven
    - openjdk-7-jdk
    - ttf-dejavu
    - ttf-bitstream-vera

Output:

[ANSIBLE0004] Checkouts must contain explicit version
roles/jenkins/tasks/main.yml:9
    - git

I think a matchblock instead of match is in order.

Maybe python 2.6 syntax error

Hi,

Just cloned you module, ran it on a CentOS 6 machine, and got the following
error

<rizo:ansible-lint> bin/ansible-lint -T
Traceback (most recent call last):
  File "bin/ansible-lint", line 68, in <module>
    sys.exit(main(sys.argv[1:]))
  File "bin/ansible-lint", line 43, in main
    rules = RulesCollection.create_from_directory(options.rulesdir)
  File "/home/kal/Projects/ansible-lint/lib/ansiblelint/__init__.py", line 70, in create_from_directory
    result.rules = utils.load_plugins(rulesdir)
  File "/home/kal/Projects/ansible-lint/lib/ansiblelint/utils.py", line 16, in load_plugins
    mod = imp.load_module(pluginname, fh, filename, desc)
  File "bin/../rules/DeprecatedTemplateBracketsRule.py", line 9
    tags = {'deprecation'}
                         ^
SyntaxError: invalid syntax

I've set

PYTHONPATH=/srv/ansible-source/lib:/home/kal/Projects/ansible-lint/lib

Maybe this a python 2.6 syntax error?

Parseable format

The quiet output is [<ERROR_ID>] <FILE>:<LINE>

I may be mistaken, but I was under the impression that the format <FILE>:<LINE>: <ERROR_ID> was more commonly used − eg pep8, pylint or cpplint.

Could the output be changed, or a parseable output implemented?

My use case being: I would like to track ansible-lint violations in a Jenkins job, and I would love to not have to add a Parser to some plugin. :-)

Add minimum requirement info

Hi, usage of "contains_vars" (in utils.py line 89) means one must have at least ansible 1.8.x.

Could you please insert a note in README.md (for example) stating such minimum requirement? Or, optionally, allow use with ansible 1.7.x by replacing line 89 in lib/ansiblelint/utils.py with:

if "$" in child['path'] or "{{" in child['path']:

Rule for full octal permissions

Ansible can interpret numeric permissions strangely if they only contain three of the proper four digits (i.e. 644 != 0644). Would you accept a PR creating a rule to check for this?

Some errors have the wrong line number

The examples/example.yml gets the wrong line number 0 for errors like:

[ANSIBLE0006] git used in place of git module
[ANSIBLE0004] Git checkouts must contain explicit version

➜  ansible-lint git:(master) python --version
Python 2.7.6
➜  ansible-lint git:(master) pip list
ansible (1.8.2)
ansible-lint (2.0.4)
ecdsa (0.11)
Jinja2 (2.7.3)
MarkupSafe (0.23)
paramiko (1.15.2)
pip (6.0.6)
pycrypto (2.6.1)
PyYAML (3.11)
RBTools (0.6.3)
setuptools (11.3.1)
vboxapi (1.0)
➜  ansible-lint git:(master) ansible-lint examples/example.yml
[ANSIBLE0006] git used in place of git module
examples/example.yml:0
Task/Handler: executing git through command

[ANSIBLE0006] git used in place of git module
examples/example.yml:0
Task/Handler: executing git through command

[ANSIBLE0001] Old style (${var}) brackets
examples/example.yml:10
    action: command echo ${oldskool}

[ANSIBLE0004] Git checkouts must contain explicit version
examples/example.yml:0
Task/Handler: git check

[ANSIBLE0004] Git checkouts must contain explicit version
examples/example.yml:0
Task/Handler: git check 2

[ANSIBLE0004] Git checkouts must contain explicit version
examples/example.yml:0
Task/Handler: using git module

[ANSIBLE0003] Mismatched { and }
examples/example.yml:13
    action: debug oops a missing {{bracket}

[ANSIBLE0002] Trailing whitespace
examples/example.yml:19
    action: do nothing

[ANSIBLE0002] Trailing whitespace
examples/example.yml:41
    with_items:

Feature Request - Add exclude-paths option

I work on a project that is slowly integrating ansible-lint into the standards. We're working on doing this on a per-role basis and what we'd like to do is have a list of paths that we don't check and slowly remove them from that list until we have no more left.

Would the project be open to a command-line option that would allow us to do something like

$ ansible-lint --exclude-paths=roles/roleA,roles/roleB,roles/roleC *.yml

Perhaps instead something like

$ ansible-lint --exclude-roles=roleA,roleB,roleC *.yml

I'd be happy to work on implementing this.

False positive: curl used in place of get_url module

$ ansible-lint --version
ansible-lint 2.1.0

We need to do a POST (not a GET) with cURL, but ansible-lint throws an [ANSIBLE0006] curl used in place of get_url module

Example (not using the Slack module, since it doesn't support attachments ATM):

command: >
  curl -XPOST  -d '{{ slack_body | to_json }}' https://hooks.slack.com/services/{{slack.token}}

I would assume the check needs to make sure it's actually a cURL GET to have a match.

Stacktrace on when running

I get the following when trying to run a playbook

ansible-lint baseconf.yml
Traceback (most recent call last):
File "/Users/loke/.virtualenvs/network-ansible/bin/ansible-lint", line 104, in
sys.exit(main(sys.argv[1:]))
File "/Users/loke/.virtualenvs/network-ansible/bin/ansible-lint", line 91, in main
matches = runner.run()
File "/Users/loke/.virtualenvs/network-ansible/lib/python2.7/site-packages/ansiblelint/init.py", line 177, in run
skip_tags=set(self.skip_tags)))
File "/Users/loke/.virtualenvs/network-ansible/lib/python2.7/site-packages/ansiblelint/init.py", line 111, in run
matches.extend(rule.matchtasks(playbookfile, text))
File "/Users/loke/.virtualenvs/network-ansible/lib/python2.7/site-packages/ansiblelint/init.py", line 60, in matchtasks
for task in utils.get_action_tasks(yaml, file):
File "/Users/loke/.virtualenvs/network-ansible/lib/python2.7/site-packages/ansiblelint/utils.py", line 216, in get_action_tasks
if 'include' not in task.keys()]
File "/Users/loke/.virtualenvs/network-ansible/lib/python2.7/site-packages/ansiblelint/utils.py", line 190, in normalize_task
assert False
AssertionError

Inconsistencies in README

From source:
git clone https://github.com/willthames/ansible-lint
export PYTHONPATH=$PYTHONPATH:pwd/ansible-lint/lib

And what's the expected outcome? I guess, this also should include adding bin/ subdir to PATH?

At least one of the following methods:
match
matchblock
...
An example rule using matchtask is:

So, it says be either match() or matchblock(), and then suddenly talks about matchtask().

ansible-lint seems to ignore the `args:` method to define arguments

ansible-lint seems to ignore the args: method to define arguments

For example I get this error:

[ANSIBLE0004] Git checkouts must contain explicit version

With this code:

- name: checkout repo
  git:
  args:
    repo: "{{ repo_path }}"
    dest: "{{ checkout_folder }}"
    version: "{{ repo_version }}"

But not with this code:

- name: checkout repo
  git: version="{{ repo_version }}"
  args:
    repo: "{{ repo_path }}"
    dest: "{{ checkout_folder }}"

ansible best practice to copy directories?

http://stackoverflow.com/questions/25576871/ansible-best-practice-to-copy-directories

In my playbook I have

- name: Grab h5bp/server-configs-nginx
  git:  repo=https://github.com/h5bp/server-configs-nginx.git
        dest=/tmp/server-configs-nginx
        version="3db5d61f81d7229d12b89e0355629249a49ee4ac"
        force=yes

- name: Copy over h5bp configuration
  command: cp -r /tmp/server-configs-nginx/{{ item }} /etc/nginx/{{ item }}
  with_items:
    - "mime.types"
    - "h5bp/"

Which raises the warning in ansible-lint:

[ANSIBLE0006] cp used in place of copy module
/Users/austinpray/Dropbox/DEV/opensauce/bedrock-ansible/roles/nginx/tasks/main.yml:0
Task/Handler: Copy over h5bp configuration

So this raises the question: is there a better way to do this with ansible modules rather than a command?

[ANSIBLE0006] tar used in place of unarchive module

tasks:
- name: Pack config dirs
shell: tar -zcf /mnt/output.tar.gz /etc/nginx /etc/php5/

this is false positive, because I want to pack files on remote location, not to unpack it.

ansiblelint module object has no attribute version

I like the idea of ansible-lint. However after installing it I was unable to get it to run:

$ pip install --user ansible-lint
Downloading/unpacking ansible-lint
  Downloading ansible-lint-1.0.1.tar.gz
  Running setup.py (path:/tmp/pip_build_schwarz/ansible-lint/setup.py) egg_info for package ansible-lint

Requirement already satisfied (use --upgrade to upgrade): ansible in /usr/lib/python2.7/dist-packages (from ansible-lint)
Requirement already satisfied (use --upgrade to upgrade): paramiko in /usr/lib/python2.7/dist-packages (from ansible->ansible-lint)
Requirement already satisfied (use --upgrade to upgrade): jinja2 in /usr/lib/python2.7/dist-packages (from ansible->ansible-lint)
Requirement already satisfied (use --upgrade to upgrade): PyYAML in /usr/lib/python2.7/dist-packages (from ansible->ansible-lint)
Requirement already satisfied (use --upgrade to upgrade): pycrypto>=2.6 in /usr/lib/python2.7/dist-packages (from ansible->ansible-lint)
Requirement already satisfied (use --upgrade to upgrade): ecdsa in /usr/lib/python2.7/dist-packages (from paramiko->ansible->ansible-lint)
Requirement already satisfied (use --upgrade to upgrade): markupsafe in /usr/lib/python2.7/dist-packages (from jinja2->ansible->ansible-lint)
Installing collected packages: ansible-lint
  Running setup.py install for ansible-lint
    changing mode of build/scripts-2.7/ansible-lint from 664 to 775

    changing mode of /home/schwarz/.local/bin/ansible-lint to 775
Successfully installed ansible-lint
Cleaning up...
$ ansible-lint
Traceback (most recent call last):
  File "/home/schwarz/.local/bin/ansible-lint", line 32, in <module>
    VERSION = ansiblelint.__version__
AttributeError: 'module' object has no attribute '__version__'
$ ansible --version
ansible 1.7.1
$ python --version
Python 2.7.8
$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux jessie/sid"
NAME="Debian GNU/Linux"
ID=debian
ANSI_COLOR="1;31"
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support/"
BUG_REPORT_URL="https://bugs.debian.org/"
$ uname -a
Linux schwarz 3.14-2-amd64 #1 SMP Debian 3.14.15-2 (2014-08-09) x86_64 GNU/Linux

bare variables

[DEPRECATION WARNING]: Using bare variables is deprecated. Update your playbooks so that the environment value uses the full variable syntax ('{{apache_modules}}'). This feature will be removed in a future release. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.

Would be great to get these deprecation warnings into lint!

Tests are currently failing

Fresh copy of master with ansible installed:

$ nosetests
EE.EEE......
======================================================================
ERROR: test_rule_matching (TestLintRule.TestRule)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/Users/cgroom/tmp/ansible-lint/test/TestLintRule.py", line 16, in test_rule_matching
    matches = ematcher.matchlines(filename, text)
  File "/Users/cgroom/tmp/ansible-lint/lib/ansiblelint/__init__.py", line 22, in matchlines
    result = self.match(file, line)
TypeError: match() takes exactly 2 arguments (3 given)

======================================================================
ERROR: test_rule_postmatching (TestLintRule.TestRule)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/Users/cgroom/tmp/ansible-lint/test/TestLintRule.py", line 25, in test_rule_postmatching
    matches = rule.matchlines(filename, text)
  File "/Users/cgroom/tmp/ansible-lint/lib/ansiblelint/__init__.py", line 22, in matchlines
    result = self.match(file, line)
TypeError: match() takes exactly 2 arguments (3 given)

======================================================================
ERROR: test_run_collection (TestRulesCollection.TestRulesCollection)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/Users/cgroom/tmp/ansible-lint/test/TestRulesCollection.py", line 17, in test_run_collection
    matches = self.rules.run('test/ematchtest.txt')
  File "/Users/cgroom/tmp/ansible-lint/lib/ansiblelint/__init__.py", line 61, in run
    with open(playbookfile['path'], 'r') as f:
TypeError: string indices must be integers, not str

======================================================================
ERROR: test_skip_tags (TestRulesCollection.TestRulesCollection)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/Users/cgroom/tmp/ansible-lint/test/TestRulesCollection.py", line 33, in test_skip_tags
    matches = self.rules.run('test/ematchtest.txt', skip_tags=['test1'])
  File "/Users/cgroom/tmp/ansible-lint/lib/ansiblelint/__init__.py", line 61, in run
    with open(playbookfile['path'], 'r') as f:
TypeError: string indices must be integers, not str

======================================================================
ERROR: test_tags (TestRulesCollection.TestRulesCollection)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/Users/cgroom/tmp/ansible-lint/test/TestRulesCollection.py", line 21, in test_tags
    matches = self.rules.run('test/ematchtest.txt', tags=['test1'])
  File "/Users/cgroom/tmp/ansible-lint/lib/ansiblelint/__init__.py", line 61, in run
    with open(playbookfile['path'], 'r') as f:
TypeError: string indices must be integers, not str

----------------------------------------------------------------------
Ran 12 tests in 0.087s

FAILED (errors=5)

Register ansible-lint on PyPi

ansible-lint should also live on PyPi.

Trackback error - not sure if ansible-lint or atom-lint

Error: Traceback (most recent call last):
File "/usr/local/bin/ansible-lint", line 113, in
sys.exit(main(sys.argv[1:]))
File "/usr/local/bin/ansible-lint", line 100, in main
matches = runner.run()
File "/usr/local/lib/python2.7/site-packages/ansiblelint/init.py", line 208, in run
skip_list=set(self.skip_list)))
File "/usr/local/lib/python2.7/site-packages/ansiblelint/init.py", line 120, in run
matches.extend(rule.matchtasks(playbookfile, text))
File "/usr/local/lib/python2.7/site-packages/ansiblelint/init.py", line 59, in matchtasks
for task in ansiblelint.utils.get_action_tasks(yaml, file):
File "/usr/local/lib/python2.7/site-packages/ansiblelint/utils.py", line 283, in get_action_tasks
tasks.extend(extract_from_list(yaml, ['tasks', 'handlers', 'pre_tasks', 'post_tasks']))
File "/usr/local/lib/python2.7/site-packages/ansiblelint/utils.py", line 275, in extract_from_list
results.extend(block[candidate])
TypeError: 'NoneType' object is not iterable
at parameters.exit (/Users/adam/.atom/packages/linter-ansible-linting/node_modules/atom-linter/lib/helpers.js:58:20)
at triggerExitCallback (/Applications/Atom Beta.app/Contents/Resources/app.asar/src/buffered-process.js:213:47)
at /Applications/Atom Beta.app/Contents/Resources/app.asar/src/buffered-process.js:220:18
at Socket. (/Applications/Atom Beta.app/Contents/Resources/app.asar/src/buffered-process.js:98:18)
at emitOne (events.js:82:20)
at Socket.emit (events.js:169:7)
at Pipe._onclose (net.js:469:12)

Exit Codes

I've run your example/play.yml, and I noticed that your script is returning a 0 exit code when issues are found. This should exist something other than 0 so Jenkins and the like will report a build failure.

No license file provided in pypi tarball

I downloaded tarball from https://pypi.python.org/pypi/ansible-lint/1.0.2 but it does not contain any license information in setup.py or PKG-INFO and also LICENSE file is not present. Can you please fix this issue and release a new tarball that will add LICENSE file?

Thanks.

Multi-line open and close curly braces cause [ANSIBLE0003] Mismatched { and }

When breaking open and close curly braces over multiple lines like the following:

- name: "Set Origin specific facts on localhost (for later use)"
  hosts: localhost
  gather_facts: no
  tasks:
    - name: Setting oo_minion_ips fact on localhost
      set_fact:
        oo_minion_ips: "{{ hostvars
            | oo_select_keys(groups['tag_env-host-type-' + oo_env + '-openshift-minion'])
            | oo_collect(attribute='ansible_eth0.ipv4.address') }}"
      when: groups['tag_env-host-type-' + oo_env + '-openshift-minion'] is defined

and

 roles:
    - ../../../roles/base_os
    - ../../../roles/repos
    - {
        role: ../../../roles/openshift_master,
        oo_minion_ips: "{{ hostvars['localhost'].oo_minion_ips | default(['']) }}",
        oo_bind_ip: "{{ hostvars[inventory_hostname].ansible_eth0.ipv4.address | default(['']) }}"
      }
    - ../../../roles/pods

(From https://github.com/openshift/openshift-online-ansible/blob/master/playbooks/gce/openshift-master/config.yml)

ansible-lint complains that the { and } are mis-matched, it appears to just be a multi-line parse issue.

$ ansible-lint playbooks/gce/openshift-master/launch.yml 
[ANSIBLE0003] Mismatched { and }
/home/admiller/src/dev/openshift-online-ansible/playbooks/gce/openshift-master/config.yml:21
        oo_minion_ips: "{{ hostvars

[ANSIBLE0003] Mismatched { and }
/home/admiller/src/dev/openshift-online-ansible/playbooks/gce/openshift-master/config.yml:23
            | oo_collect(attribute='ansible_eth0.ipv4.address') }}"

[ANSIBLE0003] Mismatched { and }
/home/admiller/src/dev/openshift-online-ansible/playbooks/gce/openshift-master/config.yml:35
    - {

[ANSIBLE0003] Mismatched { and }
/home/admiller/src/dev/openshift-online-ansible/playbooks/gce/openshift-master/config.yml:39
      }

'become: yes' yields 'Was not expecting value True'

Hi,

thank you for all your work on ansible-lint, it certainly makes our lives a bit easier :)

We recently upgraded our Ansible to 2.0 and started fixing stuff in playbooks / roles due to deprecation warnings.

We are using ansible-lint 2.3.1 now.

Apparently the following task:

- name: clone content repository
  git:
    repo: '{{ archive_services_repo_url }}'
    dest: '/home/www'
    accept_hostkey: yes
    version: master
    update: no
  become: yes
  become_user: nobody
  notify:
  - restart apache2

yields errors like this one:

Was not expecting value True of type <type 'bool'> for key become
Task: {'git': {'repo': '{{ archive_services_repo_url }}', 'version': 'master', 'module': 'git', 'dest': '/home/www', 'accept_hostkey': True, 'update': False, '__line__': 62, 'module_arguments': []}, 'name': 'clone content repository', 'become_user': 'nobody', 'become': True, '__line__': 61, 'notify': ['restart apache2']}

The task in question seems to be syntactically valid and works well.

We are using Ubuntu Trusty x86_64 and Python 2.7.6 (standard Ubuntu repo version).

pip show ansible-lint says:


---
Name: ansible-lint
Version: 2.3.1
Location: /usr/local/lib/python2.7/dist-packages
Requires: ansible, pyyaml

Is there any more information needed to help resolving this issue?

file module, mode check request

As per http://docs.ansible.com/ansible/file_module.html:

"For those used to /usr/bin/chmod remember that modes are actually octal numbers (like 0644). Leaving off the leading zero will likely have unexpected results. "

Can we get a lint check for this?

TypeError during linting if playbook has no tasks

If you run the ansible-lint on a playbook that doesn't have any tasks in it, it throws a TypeError.
The file in question: https://github.com/CiscoCloud/microservices-infrastructure/blob/master/terraform.sample.yml
The error:

Traceback (most recent call last):
  File "/usr/local/bin/ansible-lint", line 113, in <module>
    sys.exit(main(sys.argv[1:]))
  File "/usr/local/bin/ansible-lint", line 100, in main
    matches = runner.run()
  File "/Library/Python/2.7/site-packages/ansiblelint/__init__.py", line 202, in run
    skip_list=set(self.skip_list)))
  File "/Library/Python/2.7/site-packages/ansiblelint/__init__.py", line 114, in run
    matches.extend(rule.matchtasks(playbookfile, text))
  File "/Library/Python/2.7/site-packages/ansiblelint/__init__.py", line 60, in matchtasks
    if 'skip_ansible_lint' in task.get('tags', []):
TypeError: argument of type 'NoneType' is not utterable

I can try to make a PR to fix this, but I wanted to know what the expected behavior should be. Thanks

Easily disabling some of the rules?

First: thanks for this project!

Now the question:

Is there any less surgical way to disable a rule other than removing it from /usr/local/lib/python2.7/dist-packages/ansiblelint/rules?

For instance, I really don't care for the trailing whitespace rule, to be honest, so it would be great if people could create a configuration file like you can with jslint or jshint.

Thanks!

defaults rules directory

Since 11d86b2, I'm no longer able to use ansible-lint with my project as it forces me to use the default rules, but for different reasons there are not adapted to my project.

Could you provide a way to not use this rules?

Adding a default tag to the rules is a possible solution.

examples.yml clash with README

I was just finishing up an atom package for ansible-lint when I tested it against the examples.yml and noticed that in ansible-lint 2.1.3 the following is NOT thrown despite what the README states:

[ANSIBLE0001] Old style (${var}) brackets
examples/example.yml:10
action: command echo ${oldskool}

False positive detecting OctalPermissionsRule

When trying to setgid permissions

[ANSIBLE0008] Octal file permissions must contain leading zero
mode: 02775

Looks like the regex requires exactly 3 digits, which is not always correct.

# At least an indent, "mode:", optional whitespace, any digits, EOL
mode_regex = re.compile(r'^\s+mode:\s*[0-9]+\s*$')
# Same as above, but with a leading zero before three digits
valid_mode_regex = re.compile(r'^\s+mode:\s*0[0-7]{3}\s*$')

Misreading of include containing playbook_dir

I just got the following traceback which can be reproduced as follows:

$ git clone https://github.com/CiscoCloud/mantl
$ find . -name "*.yml" -exec ansible-lint {} \; -exec echo "PLAYBOOK: " {} \;                                                                                 
Traceback (most recent call last):
  File "/home/siddharthist/.virtualenvs/mantl/bin/ansible-lint", line 116, in <module>
    sys.exit(main(sys.argv[1:]))
  File "/home/siddharthist/.virtualenvs/mantl/bin/ansible-lint", line 103, in main
    matches = runner.run()
  File "/home/siddharthist/.virtualenvs/mantl/lib/python2.7/site-packages/ansiblelint/__init__.py", line 211, in run
    skip_list=set(self.skip_list)))
  File "/home/siddharthist/.virtualenvs/mantl/lib/python2.7/site-packages/ansiblelint/__init__.py", line 115, in run
    with open(playbookfile['path'], 'Ur') as f:
IOError: [Errno 2] No such file or directory: u'/home/siddharthist/Dropbox/code/asteris/mantl/addons/playbooks/check-requirements.yml'
Traceback (most recent call last):
  File "/home/siddharthist/.virtualenvs/mantl/bin/ansible-lint", line 116, in <module>
    sys.exit(main(sys.argv[1:]))
  File "/home/siddharthist/.virtualenvs/mantl/bin/ansible-lint", line 103, in main
    matches = runner.run()
  File "/home/siddharthist/.virtualenvs/mantl/lib/python2.7/site-packages/ansiblelint/__init__.py", line 211, in run
    skip_list=set(self.skip_list)))
  File "/home/siddharthist/.virtualenvs/mantl/lib/python2.7/site-packages/ansiblelint/__init__.py", line 115, in run
    with open(playbookfile['path'], 'Ur') as f:
IOError: [Errno 2] No such file or directory: u'/home/siddharthist/Dropbox/code/asteris/mantl/addons/playbooks/check-requirements.yml'
PLAYBOOK  ./addons/iptables.yml

Looks like there's a problem with parsing the include line in that playbook.

False positive: bash arrays notation when using shell module

For instance this YML:

- hosts: local
  pre_tasks:
    - name: "Get demo directory"
      shell: |
        cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd
      register: demo_directory
      changed_when: false

generates the following warning:

[ANSIBLE0001] Old style (${var}) brackets
demo/playbook.yml:28
        cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd

No doc on how to run tests

There's no tox.ini and if I try to run nosetests, I'm missing ansible.utils. My venv has Ansible 1.9.2 in it as that's what we run with.

Disabling False Positives within the source code

Use Case:

As a developer I would like to have a way of removing false positives within the source code rather than a global configuration

For example:

- name
  lineinfile: dest=/tmp/file.properties regexp="^Listen " line="something ${value}"

[ANSIBLE0001] Old style (${var}) brackets
examples/example.yml:2

I would like something like the below snippet:

# ansible-lint:disable
- name
  lineinfile: dest=/tmp/file.properties regexp="^Listen " line="something ${value}"
[...]
# ansible-lint:disable ANSIBLE0001
- name
  lineinfile: dest=/tmp/file.properties regexp="^Listen " line="something ${value}"

This feature is already part of the rubucop (ruby static analyzer): https://github.com/bbatsov/rubocop#disabling-cops-within-source-code

missing include causes traceback

Not existing includes cause a traceback instead of a warning:


---
  pre_tasks:
    - { include: 'doesnotexist.yml'}

traceback

Traceback (most recent call last):
  File "/usr/local/bin/ansible-lint", line 110, in <module>
    sys.exit(main(sys.argv[1:]))
  File "/usr/local/bin/ansible-lint", line 97, in main
    matches = runner.run()
  File "/usr/local/lib/python2.7/dist-packages/ansiblelint/__init__.py", line 180, in run
    skip_list=set(self.skip_list)))
  File "/usr/local/lib/python2.7/dist-packages/ansiblelint/__init__.py", line 106, in run
    with open(playbookfile['path'], 'Ur') as f:
IOError: [Errno 2] No such file or directory: u'doesnotexist.yml'

I'm using test-kitchen and the file does exist in the vm, but not on the host, fixed it with a softlink to self, but I think it should not traceback but report a error.

ANSIBLE0006 check behaving inconsistently

I have ansible-lint 2.1.3 installed on two different operating systems.

On Ubuntu 15.04 the 0006 check throws warnings for some commands (e.g. git, hg), but not others (e.g. unzip, tar, wget, curl).

On CentOS 7.1 the 0006 check only seems to work if I am executing ansible-lint on a task list that includes other tasks lists with the offending command. Example below:

#foo.yml

---
- command: git foo

#site.yml

---
- include: foo.yml

ansible-lint foo.yml yields no stdout
ansible-lint site.yml throws the ANSIBLE0006 warning for git command instead of git module

AssertionError on roles: in playbook

Running ansible-lint 2.0.3

I get AssertionError on the following playbook:


---
- hosts: all
  sudo: yes
  vars_files:
    - "./vars/main.yml"
    - "./vars/sites.yml"
  tasks:
    - name: register rvm
      stat: path=/home/vagrant/.rvm
      register: rvmpath
    - name: install python-pycurl
      apt: pkg=python-pycurl state=latest
    - name: Create ssh config file
      template: src=../files/config dest=/home/vagrant/.ssh/config owner=vagrant group=vagrant mode=0644
    - name: Create Databases
      mysql_db: name={{ item }} state=present login_user="root" login_password={{ mariadb_root_password }}
      with_items: mysql_dbs.keys()
      tags: db
    - name: Create DB Users
      mysql_user: name={{ item.value.user }} password={{ item.value.pass }} priv="{{ item.key }}.*:ALL" login_user="root" login_password={{ mariadb_root_password }}
      tags: db
      with_dict: mysql_dbs
  roles:
    - common
    - { role: ansible-mariadb55 }
    - { role: jdauphant.nginx, tags: nginx }
    - { role: geerlingguy.php }
    - { role: geerlingguy.drush }
    - { role: geerlingguy.java }
    - { role: geerlingguy.solr }
    - { role: geerlingguy.php-xdebug, php_xdebug_max_nesting_level: 256}
    - { role: geerlingguy.mailhog }
  handlers:
    - name: update repositories
      apt: update_cache=yes cache_valid_time=3600

Error:

mbell@Michaels-MacBook-Pro-2 [10:42:08] [~/Vagrant/drupaldev-vm] [dev *]
-> % ansible-lint provisioning/playbook.yml
Traceback (most recent call last):
  File "/usr/local/bin/ansible-lint", line 104, in <module>
    sys.exit(main(sys.argv[1:]))
  File "/usr/local/bin/ansible-lint", line 91, in main
    matches = runner.run()
  File "/Library/Python/2.7/site-packages/ansiblelint/__init__.py", line 179, in run
    skip_tags=set(self.skip_tags)))
  File "/Library/Python/2.7/site-packages/ansiblelint/__init__.py", line 113, in run
    matches.extend(rule.matchtasks(playbookfile, text))
  File "/Library/Python/2.7/site-packages/ansiblelint/__init__.py", line 60, in matchtasks
    for task in utils.get_action_tasks(yaml, file):
  File "/Library/Python/2.7/site-packages/ansiblelint/utils.py", line 219, in get_action_tasks
    if 'include' not in task.keys()]
  File "/Library/Python/2.7/site-packages/ansiblelint/utils.py", line 192, in normalize_task
    assert False
AssertionError

Removing the roles block doesn't cause this issue.