syntax-check isn't skippable #1350

Closed
klausenbusk opened this issue Feb 14, 2021 · 5 comments
@klausenbusk

Summary

The syntax-check rule isn't skippable.

Issue Type
  • Bug Report
Ansible and Ansible Lint details
$ ansible --version
ansible 2.10.5
  config file = /tmp/infrastructure/ansible.cfg
  configured module search path = ['/tmp/infrastructure/library']
  ansible python module location = /usr/lib/python3.9/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.9.1 (default, Feb  6 2021, 06:49:13) [GCC 10.2.0]
$ ansible-lint --version
ansible-lint 5.0.0
  • ansible installation method: OS package
  • ansible-lint installation method: OS package
OS / ENVIRONMENT

OS: Arch Linux

STEPS TO REPRODUCE
$ git clone https://gitlab.archlinux.org/archlinux/infrastructure.git
$ cd infrastructure
$ ansible-lint -x syntax-check
Desired Behaviour

ansible-lint should skip the syntax-check rule

Actual Behaviour

The syntax-check rule isn't skipped:

$ ansible-lint -x syntax-check
Added ANSIBLE_ROLES_PATH=roles
WARNING  Listing 31 violation(s) that are fatal
internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/accounts.archlinux.org.yml
playbooks/accounts.archlinux.org.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/all-hosts-basic.yml
playbooks/all-hosts-basic.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/archive-mirrors.yml
playbooks/archive-mirrors.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/archlinux.org.yml
playbooks/archlinux.org.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/aur-dev.archlinux.org.yml
playbooks/aur-dev.archlinux.org.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/aur.archlinux.org.yml
playbooks/aur.archlinux.org.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/bbs.archlinux.org.yml
playbooks/bbs.archlinux.org.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/bugs.archlinux.org.yml
playbooks/bugs.archlinux.org.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/build.archlinux.org.yml
playbooks/build.archlinux.org.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/gemini.archlinux.org.yml
playbooks/gemini.archlinux.org.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/gitlab-runners.yml
playbooks/gitlab-runners.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/gitlab.archlinux.org.yml
playbooks/gitlab.archlinux.org.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/hetzner_storagebox.yml
playbooks/hetzner_storagebox.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/homedir.archlinux.org.yml
playbooks/homedir.archlinux.org.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/luna.yml
playbooks/luna.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/mail.archlinux.org.yml
playbooks/mail.archlinux.org.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/man.archlinux.org.yml
playbooks/man.archlinux.org.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/matrix.archlinux.org.yml
playbooks/matrix.archlinux.org.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/md.archlinux.org.yml
playbooks/md.archlinux.org.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/mirrors.yml
playbooks/mirrors.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/monitoring.archlinux.org.yml
playbooks/monitoring.archlinux.org.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/patchwork.archlinux.org.yml
playbooks/patchwork.archlinux.org.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/phrik.yml
playbooks/phrik.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/quassel.archlinux.org.yml
playbooks/quassel.archlinux.org.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/rebuilderd-workers.yml
playbooks/rebuilderd-workers.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/redirect.archlinux.org.yml
playbooks/redirect.archlinux.org.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/reproducible.archlinux.org.yml
playbooks/reproducible.archlinux.org.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/rsync.net.yml
playbooks/rsync.net.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/security.archlinux.org.yml
playbooks/security.archlinux.org.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/state.archlinux.org.yml
playbooks/state.archlinux.org.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


internal-error: Unexpected error code 1 from execution of: ansible-playbook --syntax-check playbooks/wiki.archlinux.org.yml
playbooks/wiki.archlinux.org.yml:0 gpg: decryption failed: No secret key
[WARNING]: Error in vault password file loading (default): Vault password
script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None
ERROR! Vault password script /tmp/infrastructure/misc/get-vault-pass.sh returned non-zero (2): None


WARNING  Replaced deprecated tag '503' with 'no-handler' but it will become an error in the future.
WARNING  Replaced deprecated tag '701' with 'meta-no-info' but it will become an error in the future.
WARNING  Replaced deprecated tag '403' with 'package-latest' but it will become an error in the future.
You can skip specific rules or tags by adding them to your configuration file:
# .ansible-lint
warn_list:  # or 'skip_list' to silence them completely
  - internal-error  # Unexpected internal error
@ssbarnea
Member

Yes, syntax-check is not skippable and will remain like this. That is because we rely on having parseable ansible code before we run our own rules.

That was a decision not easy to take as we knew it may upset some users, but it was the only way to make the linter maintenance possible. If we would allow processing of junk input, we would end up having to implement parsers that are more complex than Ansible's own ones, and that is effectively impossible considering that the linter does not have a full-time development team, as opposed to ansible core.

If ansible fails to pass syntax check on a file you have two directions:

  • decide that the file is not really an Ansible file and add it to the ignore list.
  • make the required changes to make Ansible pass the syntax check on that file; that may involve a few recent features we added, like installing requirements, mocking collections, roles and modules, and soon extra_vars via support extra_vars in syntax check rule #1342

When you correctly set up Ansible, it will also be able to access decrypt files. If you do not want to allow the linter to be able to decrypt your vaults or have other requirements, you should look at having two sets of variables: one set encrypted inside a vault, and one set of unencrypted ones that you would use for linting or even testing.

PS. If we would allow syntax-check to be ignored, we would end up with exceptions inside the linter's own code. In fact, for some time I went towards this approach while doing development, but I realised that the dangers were far too great. If that was left enabled, you may end up executing the linter on some code base where you added internal-error or syntax-check to the exclude list, but almost nothing else ran on those files because we never ended up running the rules on the same files.

@klausenbusk
Author

Hi @ssbarnea

That makes perfect sense. Our CI doesn't have access to the vault or dynamic inventory, so I'm just gonna "patch" the ansible.cfg file now.

$ sed "s/,hcloud_inventory.py//" -i ansible.cfg
$ sed "/^vault_password_file/d" -i ansible.cfg

@ssbarnea
Member

Usually I am against making changes that get git dirty state (altered tracked files), but your mileage may vary. If someone else finds a better alternative, let's hope they will comment here; maybe we can also end up updating the docs.
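
An added example, not part of the thread or of the ansible-lint project: the same two `sed` edits from the workaround above, written to an untracked copy of the config that CI selects through Ansible's `ANSIBLE_CONFIG` environment variable, so the tracked `ansible.cfg` stays unmodified and the CI job never needs the vault key. The function names, the `ansible-lint.cfg` file name and the sample config contents are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: derive a lint-only Ansible config without touching the tracked file.
set -eu

# make_lint_cfg SRC DST (hypothetical helper)
# Writes DST as a copy of SRC minus the two settings the CI job cannot satisfy:
#   - vault_password_file: CI holds no key for the vault password script
#   - ,hcloud_inventory.py: the dynamic inventory needs credentials CI lacks
make_lint_cfg() {
    src=$1
    dst=$2
    sed -e '/^vault_password_file/d' \
        -e 's/,hcloud_inventory\.py//' \
        "$src" > "$dst"
}

# lint_cfg_is_clean CFG (hypothetical helper)
# Succeeds only if neither secret-dependent setting survived in CFG.
lint_cfg_is_clean() {
    ! grep -Eq '^vault_password_file|hcloud_inventory\.py' "$1"
}

demo() {
    workdir=$(mktemp -d)
    # Constructed sample config; the real file's contents are not shown in the thread.
    cat > "$workdir/ansible.cfg" <<'EOF'
[defaults]
inventory = hosts,hcloud_inventory.py
library = library
vault_password_file = misc/get-vault-pass.sh
EOF
    # Write the copy next to the original: relative paths in an Ansible
    # config file are resolved against the directory that holds the file.
    make_lint_cfg "$workdir/ansible.cfg" "$workdir/ansible-lint.cfg"
    lint_cfg_is_clean "$workdir/ansible-lint.cfg"
    cat "$workdir/ansible-lint.cfg"
    # In the CI job the linter would then be started as:
    #   ANSIBLE_CONFIG="$PWD/ansible-lint.cfg" ansible-lint
    rm -rf "$workdir"
}

demo
```

Running `lint_cfg_is_clean` before the linter makes the job fail early if a later edit to `ansible.cfg` reintroduces a setting that would make Ansible reach for the vault password.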

@klausenbusk
Author

load-failure also seems to be not-skippable, so now ansible-vault fails on all the vault files and exclude_paths doesn't support glob like: host_vars/*/vault_*.yml. Can I solve this without excluding the whole host_vars directory?

@ssbarnea
Member

We already use an advanced wcmatch glob library in another place, so it should be easy to swap the limited glob used by ignore to that.
