Ansible-core 2.16 Porting Guide
This section discusses the behavioral changes between ansible-core
2.15 and ansible-core
2.16.
It is intended to assist in updating your playbooks, plugins and other parts of your Ansible infrastructure so they will work with this version of Ansible.
We suggest you read this page along with ansible-core Changelog for 2.16 to understand what updates you may need to make.
This document is part of a collection on porting. The complete list of porting guides can be found at porting guides.
Playbook
Conditionals - due to mitigation of security issue CVE-2023-5764 in ansible-core 2.16.1, conditional expressions with embedded template blocks can fail with the message “
Conditional is marked as unsafe, and cannot be evaluated.
” when an embedded template consults data from untrusted sources like module results or vars marked!unsafe
. Conditionals with embedded templates can be a source of malicious template injection when referencing untrusted data, and can nearly always be rewritten without embedded templates. Playbook task conditional keywords such aswhen
anduntil
have long displayed warnings discouraging use of embedded templates in conditionals; this warning has been expanded to non-task conditionals as well, such as theassert
action.- name: task with a module result (always untrusted by Ansible) shell: echo "hi mom" register: untrusted_result # don't do it this way... # - name: insecure conditional with embedded template consulting untrusted data # assert: # that: '"hi mom" is in {{ untrusted_result.stdout }}' - name: securely access untrusted values directly as Jinja variables instead assert: that: '"hi mom" is in untrusted_result.stdout'