What would you like to see in the new Ansible report

lzap · May 25, 2021, 8:13am

Hello,

me and @ofedoren are redesigning reports from scratch, the gist of our work is throwing away most of the code we have and storing and presenting reports in a new way. We aim to support Puppet, Ansible and OpenSCAP from the day one and good options for plugin authors to add new formats.

We won’t be changing much in the Puppet format, the report data and presentation will remain the same. However both Ansible and OpenSCAP were both designed in a way that reports do “fit” into Puppet ConfigReport implementation. This rewrite is a chance to design better reports for both, we are starting with Ansible.

I did create few test Ansible playbooks and configured Ansible with its built-in JSON callback to see how reports look like:

A dummy playbook without fact gathering: Ansible JSON callback example · GitHub
A dummy podman playbook with fact gathering: Ansible ANSI JSON callback example · GitHub

Now, from what I’ve learned, there are not many common information we can show for each Ansible task. Here is what I was able to find, fill me in what you would like to see in an Ansible report for each host:

Hostname
Time of the report
Statistics (number of tasks applied, failed, skipped…)
List of:
- Task action (e.g. “shell”)
- Task name
- Status: changed, failed, skipped

What is a bit surprising is that there is no telemetry (timing) information per individual tasks for each hosts, some tasks do have this (e.g. shell) but most others don’t. Callback is only informed how much time it took to complete across all hosts, if I understand this correctly. This could be presented on a report but with some warning perhaps about what the duration do actually represent.

I am wondering, if this is enough. It looks like Ansible have been designed in a way that tasks do not have necessary common output. This is a bit different from puppet where reports are more of “standard output” captures with some extra information about manifests which created these lines. Maybe to implement some output capturing for specific tasks like shell?

There is also a common key “invocation” which contains a lot of input data for each task, I am wondering how useful that would be. Some tasks, however, have ton of these (mostly set to null), maybe filtering out null values could make it more readable.

Finally, one major difference between Puppet and Ansible report seems to be diff. In Ansible, diff is only shown when explicitly executed with --diff argument. Since Foreman does not support diff for Ansible reports today, we will not implement it, but I would love to hear opinions about that. I think that diff show in reports is a very useful feature for Puppet users.

Marek_Hulan · May 25, 2021, 11:05am

Hello,

just recently I created an example ansible role representing some common tasks. Feel free to use that for creating testing GitHub - ares/foreman_ansible_test report. I also created an example of what I’d like to see in a report for such role run. This is roughly what I’d like to see.

level	task	additional data
info	Display all parameters known for the Foreman host	No additional data
info	Apply role	No additional data
info	Install the openssh package	Nothing to do
info	Start and enable the sshd	Service “sshd” started (enabled: yes)
info	Install the base packages	Installed: perl-IO-Socket-IP-0.39-5.el8.noarch
		Installed: perl-Digest-1.17-395.el8.noarch
		Installed: perl-IO-Socket-SSL-2.066-4.module_el8.3.0+410+ff426aa3.noarch
		+ Show More
notice	Create the message of the day	Rendered template “motd.j2” to “/etc/motd”
notice	Update the message of the day	Rendered template “motd.j2” to “/etc/motd”
info	Create foreman-admins group	User group “foreman-admins” present, gid: 1001
info	Create user ares	User “ares” present, uid: 1000
notice	Create a /work directory if it does not exist	No additional data
notice	Change /work ownership, group and permissions	No additional data
info	Set the group in /work every now and then	Cron job: 0 * * * * chgrp -R foreman-admins /work/* (disabled: no)
info	Symlink work from home directory	No additional data
notice	Copy local /etc/bashrc to remote home dire skeleton	Copy “bashrc” to “/etc/skel/bashrc”
notice	foreman_ansible_test	This system ansible-test.example.com is managed by Satellite
notice	foreman_ansible_test	"boot.log
		dnf.log
		dnf.rpm.log
		hawkey.log
		d41d8cd98f00b204e9800998ecf8427e boot.log
		46749f1c85e7f792b01146e23af336fd dnf.log
		+ Show more
notice	foreman_ansible_test	No additional data

All of this data should be available in the callback. We may want to add more “additional data” parsers for commonly used modules later, but I think this covers the basic ones.

It may also be interesting to see, if something was skipped, if something was ran in check mode.

In general one thing I find confusing about the reports (regardless of the source) is, that we combine log level with the status of the task/puppet resource/openscap rule. We typically use debug log level if the task was skipped (already in the desired state), notice when it was changed (e.g. package installed) error when it failed (e.g. package unavailable). As a new user, I wouldn’t necessarily understand this and would benefit from seeing “changed”, “nothing to do”, “failed” kind of indicators.

lzap · May 26, 2021, 9:36am

Thanks that is useful. One thing to realize tho is that we can drop completely how reports are shown today, no need to “map” things to three columns. Therefore I think we should probably show the following columns:

Task name
Status (Ok, Skipped, Failed…)
Additional data

There is no concept of “logs” in ansible callbacks thus no log levels as well. All we can work with are task names, status and additional data which is very different per individual task.

lzap · May 27, 2021, 9:06am

Ok since there is undergoing effort to improve Ansible (Foreman legacy) report right now, I have decided to take the default JSON callback and turn it into Foreman Host Report callback. I will perform all the transformation on the proxy and for now I will not do any changes to the JSON callback:

github.com

ansible-collections/ansible.posix/blob/main/plugins/callback/json.py

# (c) 2016, Matt Martz <matt@sivel.net>
# (c) 2017 Ansible Project
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)

# Make coding more python3-ish
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type

DOCUMENTATION = '''
    callback: json
    short_description: Ansible screen output as JSON
    description:
        - This callback converts all events into JSON output to stdout
    type: stdout
    requirements:
      - Set as stdout in config
    options:
      show_custom_stats:
        name: Show custom stats
        description: 'This adds the custom stats set via the set_stats plugin to the play recap'

This file has been truncated. show original

So a generated JSON callback for your example repository looks like this:

gist.github.com

https://gist.github.com/lzap/7a0493ffbc852f5ddb23bc0bcceff9d2

example-ansible-callback.json

{
    "custom_stats": {},
    "global_custom_stats": {},
    "plays": [
        {
            "play": {
                "duration": {
                    "end": "2021-05-27T08:39:28.758622Z",
                    "start": "2021-05-27T08:39:04.605320Z"
                },

This file has been truncated. show original

In the future, I will add some filtering - dropping irrelevant keys from the report. But the structure will remain the same as I want the report coming out of Ansible to be as close as what Ansible does.

bnerickson · March 11, 2022, 10:38pm

FWIW I’d be interested in Foreman supporting Ansible diff mode in reporting. The way I see it, configuration management would benefit from a report alerting on whether a host’s configuration files’ contents, permissions, and owners differ from what Ansible expects. Having this info would be invaluable for enforcing consistent configuration state on hosts imo.