Ansible 10 Porting Guide

Ansible 10 is based on Ansible-core 2.17.

We suggest you read this page along with the Ansible 10 Changelog to understand what updates you may need to make.

Playbook

  • Conditionals - due to mitigation of security issue CVE-2023-5764 in ansible-core 2.16.1, conditional expressions with embedded template blocks can fail with the message “Conditional is marked as unsafe, and cannot be evaluated.” when an embedded template consults data from untrusted sources like module results or vars marked !unsafe. Conditionals with embedded templates can be a source of malicious template injection when referencing untrusted data, and can nearly always be rewritten without embedded templates. Playbook task conditional keywords such as when and until have long displayed warnings discouraging use of embedded templates in conditionals; this warning has been expanded to non-task conditionals as well, such as the assert action.

    - name: task with a module result (always untrusted by Ansible)
      shell: echo "hi mom"
      register: untrusted_result
    
    # don't do it this way...
    # - name: insecure conditional with embedded template consulting untrusted data
    #   assert:
    #     that: '"hi mom" is in {{ untrusted_result.stdout }}'
    
    - name: securely access untrusted values directly as Jinja variables instead
      assert:
        that: '"hi mom" is in untrusted_result.stdout'
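
A porting aid for the conditional change described above, added here as an example and not part of the Ansible documentation or code base: a standard-library Python scanner that lists conditional keywords whose expression still embeds a template block. The function name, the line-based parsing and the sample playbook are constructed for illustration; `failed_when` and `changed_when` are included on the assumption that they are evaluated like `when`.

```python
import re

# `when`, `until` and the assert action's `that` are named in the guide;
# `failed_when` and `changed_when` are assumed to be evaluated the same way.
CONDITIONAL_KEYS = ("when", "until", "that", "failed_when", "changed_when")
KEY_RE = re.compile(r"^\s*(?:-\s+)?(%s)\s*:\s*(.*)$" % "|".join(CONDITIONAL_KEYS))
TEMPLATE_RE = re.compile(r"\{\{|\{%")
BLOCK_SCALARS = ("", "|", ">", "|-", ">-")

# Constructed sample playbook, modelled on the guide's own example.
SAMPLE_PLAYBOOK = '''\
- hosts: localhost
  tasks:
    - name: task with a module result (always untrusted by Ansible)
      shell: echo "hi mom"
      register: untrusted_result
    - name: embedded template in a conditional (fails on 2.16.1+)
      assert:
        that: '"hi mom" is in {{ untrusted_result.stdout }}'
    - name: list form, one good item and one embedded template
      assert:
        that:
          - '"hi mom" is in untrusted_result.stdout'
          - "{{ untrusted_result.rc }} == 0"
    - name: templating outside a conditional is not affected
      debug:
        msg: "{{ untrusted_result.stdout }}"
      when: untrusted_result.rc == 0
'''


def find_embedded_templates(playbook_text):
    """Return (line_number, keyword, expression) for every conditional
    expression that contains an embedded {{ }} or {% %} block."""
    findings = []
    key, key_col = None, -1  # keyword whose multi-line value we are inside
    for lineno, raw in enumerate(playbook_text.splitlines(), start=1):
        text = raw.strip()
        if not text or text.startswith("#"):
            continue  # blank and commented-out lines are never evaluated
        indent = len(raw) - len(raw.lstrip(" "))
        in_value = key is not None and (
            indent > key_col or (indent == key_col and text.startswith("- "))
        )
        if in_value:
            expr = text[2:].strip() if text.startswith("- ") else text
            if TEMPLATE_RE.search(expr):
                findings.append((lineno, key, expr))
            continue
        key = None
        match = KEY_RE.match(raw)
        if not match:
            continue
        keyword, value = match.group(1), match.group(2).strip()
        if value in BLOCK_SCALARS:
            key, key_col = keyword, match.start(1)  # value continues below
        elif TEMPLATE_RE.search(value):
            findings.append((lineno, keyword, value))
    return findings


if __name__ == "__main__":
    for lineno, keyword, expr in find_embedded_templates(SAMPLE_PLAYBOOK):
        print(f"line {lineno}: {keyword}: {expr}")
```

The scanner reports candidates for rewriting; it does not determine whether the data a template references is actually untrusted.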
    

Command Line

  • Python 2.7 and Python 3.6 are no longer supported remote versions. Python 3.7+ is now required for target execution.

Deprecated

No notable changes

Modules

No notable changes

Modules removed

The following modules no longer exist:

  • No notable changes

Deprecation notices

No notable changes

Noteworthy module changes

No notable changes

Plugins

No notable changes

Porting custom scripts

No notable changes

Networking

No notable changes

Porting Guide for v10.1.0

Added Collections

  • ieisystem.inmanage (version 2.0.0)

Known Issues

community.general

dellemc.openmanage

  • idrac_diagnostics - Issue(285322) - This module doesn’t support export of diagnostics file to HTTP and HTTPS share via SOCKS proxy.

  • idrac_firmware - Issue(279282) - This module does not support firmware update using HTTP, HTTPS, and FTP shares with authentication on iDRAC8.

  • idrac_storage_volume - Issue(290766) - The module will report success instead of showing failure for new virtual creation on the BOSS-N1 controller if a virtual disk is already present on the same controller.

  • ome_diagnostics - Issue(279193) - Export of SupportAssist collection logs to the share location fails on OME version 4.0.0.

  • ome_smart_fabric_uplink - Issue(186024) - The module is supported by OpenManage Enterprise Modular; however, it does not allow the creation of multiple uplinks of the same name. If an uplink is created using the same name as an existing uplink, then the existing uplink is modified.

Major Changes

containers.podman

  • Add mount and unmount for volumes

  • Add multiple subnets for networks

  • Add new options for podman_container

  • Add new options to pod module

  • Add podman search

  • Improve idempotency for networking in podman_container

  • Redesign idempotency for Podman Pod module

dellemc.openmanage

  • Added support to use session ID for authentication of iDRAC, OpenManage Enterprise and OpenManage Enterprise Modular.

  • ome_session - This module allows you to create and delete the sessions on OpenManage Enterprise and OpenManage Enterprise Modular.

Deprecated Features

community.general

Porting Guide for v10.0.0

Added Collections

  • community.library_inventory_filtering_v1 (version 1.0.1)

  • kaytus.ksmanage (version 1.2.1)

Known Issues

community.docker

  • Please note that the fix for requests 2.32.0 included in community.docker 3.10.1 only fixes problems with the vendored Docker SDK for Python code. Modules and plugins that use Docker SDK for Python can still fail due to the SDK currently being incompatible with requests 2.32.0.

    If you still experience problems with requests 2.32.0, such as error messages like Not supported URL scheme http+docker, please restrict requests to <2.32.0.

dellemc.openmanage

  • idrac_diagnostics - Issue(285322) - This module doesn’t support export of diagnostics file to HTTP and HTTPS share via SOCKS proxy.

  • idrac_firmware - Issue(279282) - This module does not support firmware update using HTTP, HTTPS, and FTP shares with authentication on iDRAC8.

  • idrac_network_attributes - Issue(279049) - If unsupported values are provided for the parameter ome_network_attributes, then this module does not provide a correct error message.

  • idrac_storage_volume - Issue(290766) - The module will report success instead of showing failure for new virtual creation on the BOSS-N1 controller if a virtual disk is already present on the same controller.

  • ome_device_network_services - Issue(212681) - The module does not provide a proper error message if unsupported values are provided for the following parameters: port_number, community_name, max_sessions, max_auth_retries, and idle_timeout.

  • ome_device_power_settings - Issue(212679) - The module displays the following message if the value provided for the parameter power_cap is not within the supported range of 0 to 32767, Unable to complete the request because PowerCap does not exist or is not applicable for the resource URI.

  • ome_device_quick_deploy - Issue(275231) - This module does not deploy a new configuration to a slot that has disabled IPv6.

  • ome_diagnostics - Issue(279193) - Export of SupportAssist collection logs to the share location fails on OME version 4.0.0.

  • ome_smart_fabric_uplink - Issue(186024) - The module is supported by OpenManage Enterprise Modular; however, it does not allow the creation of multiple uplinks of the same name. If an uplink is created using the same name as an existing uplink, then the existing uplink is modified.

Breaking Changes

Ansible-core

  • assert - Nested templating may result in an inability for the conditional to be evaluated. See the porting guide for more information.

amazon.aws

cloud.common

  • Bump minimum Python supported version to 3.9.

  • Remove support for ansible-core < 2.14.

community.aws

  • The community.aws collection has dropped support for botocore<1.29.0 and boto3<1.26.0. Most modules will continue to work with older versions of the AWS SDK; however, compatibility with older versions of the SDK is not guaranteed and will not be tested. When using older versions of the SDK, a warning will be emitted by Ansible (https://github.com/ansible-collections/amazon.aws/pull/1763).

  • aws_region_info - The module has been migrated from the community.aws collection. Playbooks using the Fully Qualified Collection Name for this module should be updated to use amazon.aws.aws_region_info.

  • aws_s3_bucket_info - The module has been migrated from the community.aws collection. Playbooks using the Fully Qualified Collection Name for this module should be updated to use amazon.aws.aws_s3_bucket_info.

  • community.aws collection - Support for ansible-core < 2.15 has been dropped (https://github.com/ansible-collections/community.aws/pull/2074).

  • community.aws collection - due to the AWS SDKs announcing the end of support for Python less than 3.7 (https://aws.amazon.com/blogs/developer/python-support-policy-updates-for-aws-sdks-and-tools/), support for Python less than 3.7 by this collection has been deprecated in release 6.0.0 and removed in release 7.0.0 (https://github.com/ansible-collections/amazon.aws/pull/1763).

  • iam_access_key - The module has been migrated from the community.aws collection. Playbooks using the Fully Qualified Collection Name for this module should be updated to use amazon.aws.iam_access_key.

  • iam_access_key_info - The module has been migrated from the community.aws collection. Playbooks using the Fully Qualified Collection Name for this module should be updated to use amazon.aws.iam_access_key_info.

  • iam_group - The module has been migrated from the community.aws collection. Playbooks using the Fully Qualified Collection Name for this module should be updated to use amazon.aws.iam_group (https://github.com/ansible-collections/community.aws/pull/1945).

  • iam_managed_policy - The module has been migrated from the community.aws collection. Playbooks using the Fully Qualified Collection Name for this module should be updated to use amazon.aws.iam_managed_policy (https://github.com/ansible-collections/community.aws/pull/1954).

  • iam_mfa_device_info - The module has been migrated from the community.aws collection. Playbooks using the Fully Qualified Collection Name for this module should be updated to use amazon.aws.iam_mfa_device_info (https://github.com/ansible-collections/community.aws/pull/1953).

  • iam_password_policy - The module has been migrated from the community.aws collection. Playbooks using the Fully Qualified Collection Name for this module should be updated to use amazon.aws.iam_password_policy.

  • iam_role - The module has been migrated from the community.aws collection. Playbooks using the Fully Qualified Collection Name for this module should be updated to use amazon.aws.iam_role (https://github.com/ansible-collections/community.aws/pull/1948).

  • iam_role_info - The module has been migrated from the community.aws collection. Playbooks using the Fully Qualified Collection Name for this module should be updated to use amazon.aws.iam_role_info (https://github.com/ansible-collections/community.aws/pull/1948).

  • s3_bucket_info - The module has been migrated from the community.aws collection. Playbooks using the Fully Qualified Collection Name for this module should be updated to use amazon.aws.s3_bucket_info.

  • sts_assume_role - The module has been migrated from the community.aws collection. Playbooks using the Fully Qualified Collection Name for this module should be updated to use amazon.aws.sts_assume_role.

community.ciscosmb

  • In the facts of an interface, ‘bandwith’ has been changed to ‘bandwidth’.

community.dns

community.general

community.hrobot

community.okd

hetzner.hcloud

  • Drop support for ansible-core 2.13.

  • certificate - The not_valid_before and not_valid_after values are now returned as ISO-8601 formatted strings.

  • certificate_info - The not_valid_before and not_valid_after values are now returned as ISO-8601 formatted strings.

  • inventory - Remove the deprecated api_token_env option, you may use the ansible.builtin.env lookup as alternative.

  • iso_info - The deprecated value is now returned as an ISO-8601 formatted string.

kubernetes.core

  • Remove support for ansible-core < 2.14

  • Update python kubernetes library to 24.2.0, helm/kind-action to 1.8.0, kubernetes >= 1.24.

theforeman.foreman

  • content_view_filter - stop managing rules from this module, content_view_filter_rule should be used for that

  • inventory plugin - do not default to http://localhost:3000 as the Foreman URL, providing a URL is now mandatory

vmware.vmware_rest

  • Remove support for ansible-core < 2.14

Major Changes

Ansible-core

  • urls.py - Removed support for Python 2

ansible.netcommon

  • Bumping requires_ansible to >=2.14.0, since previous ansible-core versions are EoL now.

ansible.utils

  • Bumping netaddr to >=0.10.1 means that, starting from this release, the minimum netaddr version this collection requires is 0.10.1.

  • Bumping requires_ansible to >=2.14.0, since previous ansible-core versions are EoL now.

  • This release mainly addresses the breaking changes in the netaddr library.

  • With the new release of netaddr 1.0.0, the IPAddress.is_private() method has been removed and instead, the IPAddress.is_global() method has been extended to support the same functionality. This change has been reflected in the ipaddr filter plugin.

arista.eos

  • Bumping requires_ansible to >=2.14.0, since previous ansible-core versions are EoL now.

  • This release removes previously deprecated modules and attributes from this collection. Please refer to the Removed Features section for details.

  • Update the netcommon base version 6.1.0 to support cli_restore plugin.

cisco.asa

  • Bumping requires_ansible to >=2.14.0, since previous ansible-core versions are EoL now.

cisco.ios

  • Bumping requires_ansible to >=2.14.0, since previous ansible-core versions are EoL now.

  • Update the netcommon base version 6.1.0 to support cli_restore plugin.

  • ios_ntp - Remove deprecated ntp legacy module

cisco.iosxr

  • Bumping requires_ansible to >=2.14.0, since previous ansible-core versions are EoL now.

  • This release removes previously deprecated module and attributes from this collection. Please refer to the Removed Features section for details.

  • Update the netcommon base version to support cli_restore plugin.

cisco.nxos

  • Bumping requires_ansible to >=2.14.0, since previous ansible-core versions are EoL now.

  • This release removes four previously deprecated modules from this collection. Please refer to the Removed Features section for details.

  • Updated the minimum required ansible.netcommon version to 6.1.0 to support the cli_restore module.

community.dns

  • The community.dns collection now depends on the community.library_inventory_filtering_v1 collection. This utility collection provides host filtering functionality for inventory plugins. If you use the Ansible community package, both collections are included and you do not have to do anything special. If you install the collection with ansible-galaxy collection install, it will be installed automatically. If you install the collection by copying the files of the collection to a place where ansible-core can find it, for example by cloning the git repository, you need to make sure that you also install the dependency if you are using the inventory plugins (https://github.com/ansible-collections/community.dns/pull/196).

community.docker

  • The community.docker collection now depends on the community.library_inventory_filtering_v1 collection. This utility collection provides host filtering functionality for inventory plugins. If you use the Ansible community package, both collections are included and you do not have to do anything special. If you install the collection with ansible-galaxy collection install, it will be installed automatically. If you install the collection by copying the files of the collection to a place where ansible-core can find it, for example by cloning the git repository, you need to make sure that you also install the dependency if you are using the inventory plugins (https://github.com/ansible-collections/community.docker/pull/698).

community.hashi_vault

community.hrobot

  • The community.hrobot collection now depends on the community.library_inventory_filtering_v1 collection. This utility collection provides host filtering functionality for inventory plugins. If you use the Ansible community package, both collections are included and you do not have to do anything special. If you install the collection with ansible-galaxy collection install, it will be installed automatically. If you install the collection by copying the files of the collection to a place where ansible-core can find it, for example by cloning the git repository, you need to make sure that you also install the dependency if you are using the inventory plugin (https://github.com/ansible-collections/community.hrobot/pull/101).

community.mysql

  • Collection version 2.*.* is EOL, no more bugfixes will be backported. Please consider upgrading to the latest version.

containers.podman

  • Add quadlet support for Podman modules

dellemc.openmanage

  • All OME modules are enhanced to support the environment variables OME_USERNAME and OME_PASSWORD as fallback for credentials.

  • All iDRAC and Redfish modules are enhanced to support the environment variables IDRAC_USERNAME and IDRAC_PASSWORD as fallback for credentials.

  • idrac_certificates - The module is enhanced to support the import and export of CUSTOMCERTIFICATE.

  • idrac_diagnostics - The module is introduced to run and export diagnostics on iDRAC.

  • idrac_gather_facts - This role is enhanced to support secure boot.

  • idrac_license - The module is introduced to configure iDRAC licenses.

  • idrac_session - This module allows you to create and delete the sessions on iDRAC.

  • idrac_user - This role is introduced to manage local users of iDRAC.

dellemc.unity

  • Adding support for Unity Puffin v5.4.

fortinet.fortios

  • Add notes for backup modules in the documentation in both monitor and monitor_fact modules.

  • Supported new FOS versions 7.4.2 and 7.4.3, and support data type mac_address in the collection.

  • Update all the boolean values to true/false in the documents and examples.

  • Update the document of log_fact.

  • Update the documentation for the supported versions from latest to a fixed version number.

  • Update the mismatched version message with version ranges.

  • Update the required ansible version to 2.14.

  • Update the required ansible version to 2.15.

  • Update the supported version ranges instead of concrete version numbers to reduce the collection size.

grafana.grafana

ibm.qradar

  • Bumping requires_ansible to >=2.14.0, since previous ansible-core versions are EoL now.

infoblox.nios_modules

  • Upgrade Ansible version support from 2.13 to 2.16.

  • Upgrade Python version support from 3.8 to 3.10.

junipernetworks.junos

  • Bumping requires_ansible to >=2.14.0, since previous ansible-core versions are EoL now.

  • This release removes previously deprecated modules from this collection. Please refer to the Removed Features section for details.

  • Update the netcommon base version 6.1.0 to support cli_restore plugin.

splunk.es

  • Bumping requires_ansible to >=2.14.0, since previous ansible-core versions are EoL now.

Removed Collections

  • community.azure (previously included version: 2.0.0)

  • community.sap (previously included version: 2.0.0)

  • gluster.gluster (previously included version: 1.0.2)

  • hpe.nimble (previously included version: 1.1.4)

  • netapp.aws (previously included version: 21.7.1)

  • netapp.azure (previously included version: 21.10.1)

  • netapp.elementsw (previously included version: 21.7.0)

  • netapp.um_info (previously included version: 21.8.1)

  • purestorage.fusion (previously included version: 1.6.0)

Removed Features

Ansible-core

amazon.aws

arista.eos

  • Remove deprecated eos_bgp module which is replaced with eos_bgp_global and eos_bgp_address_family.

  • Remove deprecated eos_logging module which is replaced with eos_logging_global resource module.

  • Remove deprecated timers.throttle attribute.

cisco.ios

  • Deprecated ios_ntp module in favor of ios_ntp_global.

  • Removed previously deprecated ios_bgp module in favor of ios_bgp_global and ios_bgp_address_family.

cisco.iosxr

  • Remove deprecated iosxr_logging module which is replaced with iosxr_logging_global resource module.

cisco.nxos

  • The nxos_logging module has been removed with this release.

  • The nxos_ntp module has been removed with this release.

  • The nxos_ntp_auth module has been removed with this release.

  • The nxos_ntp_options module has been removed with this release.

community.dns

community.general

community.grafana

  • removed deprecated message argument in grafana_dashboard

community.hrobot

  • The collection no longer supports Ansible, ansible-base, and ansible-core releases that are currently End of Life at the time of the 2.0.0 release. This means that Ansible 2.9, ansible-base 2.10, ansible-core 2.11, ansible-core 2.12, and ansible-core 2.13 are no longer supported. The collection might still work with these versions, but it can stop working at any moment without advance notice, and this will not be considered a bug (https://github.com/ansible-collections/community.hrobot/pull/101).

junipernetworks.junos

  • Remove deprecated junos_logging module which is replaced by junos_logging_global resource module.

Deprecated Features

Ansible-core

  • Old style vars plugins which use the entrypoints get_host_vars or get_group_vars are deprecated. The plugin should be updated to inherit from BaseVarsPlugin and define a get_vars method as the entrypoint.

  • The ‘required’ parameter in ‘ansible.module_utils.common.process.get_bin_path’ API is deprecated (https://github.com/ansible/ansible/issues/82464).

  • module_utils - importing the following convenience helpers from ansible.module_utils.basic has been deprecated: get_exception, literal_eval, _literal_eval, datetime, signal, types, chain, repeat, PY2, PY3, b, binary_type, integer_types, iteritems, string_types, test_type, map and shlex_quote.

  • ansible-doc - role entrypoint attributes are deprecated and eventually will no longer be shown in ansible-doc from ansible-core 2.20 on (https://github.com/ansible/ansible/issues/82639, https://github.com/ansible/ansible/pull/82678).

  • paramiko connection plugin - configuration items in the global scope are being deprecated and will be removed in favor of the existing same options in the plugin itself. Users should not need to change anything (how to configure them is the same), but plugin authors using the global constants should move to using the plugin’s get_option().

amazon.aws

community.aws

community.crypto

community.dns

community.docker

community.general

community.hrobot

community.okd

community.vmware

dellemc.openmanage

  • The dellemc_idrac_storage_volume module is deprecated and replaced with idrac_storage_volume.

kubernetes.core