public inbox for kdevops@lists.linux.dev
* [RFC PATCH 1/2] ansible.cfg: Enable the Ansible debugger when a task fails
From: Chuck Lever @ 2025-07-16  0:11 UTC
  To: kdevops; +Cc: Daniel Gomez, Chuck Lever

From: Chuck Lever <chuck.lever@oracle.com>

This is useful to avoid generating a whole bunch of unwanted output
that can change thread timing.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
 kconfigs/Kconfig.ansible_cfg                        | 13 +++++++++++++
 .../roles/ansible_cfg/templates/ansible.cfg.j2      |  1 +
 2 files changed, 14 insertions(+)

diff --git a/kconfigs/Kconfig.ansible_cfg b/kconfigs/Kconfig.ansible_cfg
index b587596bc8d5..48f84d8fe04e 100644
--- a/kconfigs/Kconfig.ansible_cfg
+++ b/kconfigs/Kconfig.ansible_cfg
@@ -10,6 +10,10 @@ config ANSIBLE_CFG_FORKS_SET_BY_CLI
 	bool
 	default $(shell, scripts/check-cli-set-var.sh ANSIBLE_CFG_FORKS)
 
+config ANSIBLE_CFG_TASK_DEBUGGER_SET_BY_CLI
+	bool
+	default $(shell, scripts/check-cli-set-var.sh ANSIBLE_CFG_TASK_DEBUGGER)
+
 menu "Ansible Callback Plugin Configuration"
 choice
 	prompt "Ansible Callback Plugin"
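
Review bot: ANSIBLE_CFG_TASK_DEBUGGER_SET_BY_CLI is defined here but nothing
visible in this patch consumes it. The ANSIBLE_CFG_TASK_DEBUGGER entry added
in the next hunk has only `default n`, so a value passed on the make command
line has no way to reach it. Either add a default on that entry that is
conditioned on `ANSIBLE_CFG_TASK_DEBUGGER_SET_BY_CLI`, or drop this symbol if
a command-line override is not intended.
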
@@ -207,6 +211,15 @@ config ANSIBLE_CFG_FORKS
 
 endif # !ANSIBLE_CFG_FORKS_CUSTOM
 
+config ANSIBLE_CFG_TASK_DEBUGGER
+	bool "Enable the Ansible task debugger on failed tasks"
+	output yaml
+	default n
+	help
+	  When this setting is enabled, a task failure invokes the
+	  Ansible debugger. Generally this is useful only when
+	  running kdevops from the command line.
+
 if DISTRO_OPENSUSE
 
 config ANSIBLE_CFG_RECONNECTION_RETRIES
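
Review bot: The help text for ANSIBLE_CFG_TASK_DEBUGGER says the option is
"useful only when running kdevops from the command line" without saying why.
State that the play stops at an interactive debugger prompt when a task
fails, which is the reason it should stay at `default n` for unattended or
CI runs, and add the Ansible debugger documentation link that was requested
in review.
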
diff --git a/playbooks/roles/ansible_cfg/templates/ansible.cfg.j2 b/playbooks/roles/ansible_cfg/templates/ansible.cfg.j2
index 2bc916321f42..f71033b2c88f 100644
--- a/playbooks/roles/ansible_cfg/templates/ansible.cfg.j2
+++ b/playbooks/roles/ansible_cfg/templates/ansible.cfg.j2
@@ -10,6 +10,7 @@ show_per_host_start = {{ ansible_cfg_callback_plugin_show_per_host_start }}
 show_task_path_on_failure = {{ ansible_cfg_callback_plugin_show_task_path_on_failure }}
 interpreter_python = {{ ansible_cfg_interpreter_python_string }}
 forks = {{ ansible_cfg_forks }}
+enable_task_debugger = {{ ansible_cfg_task_debugger }}
 {% if ansible_facts['distribution'] == 'openSUSE' %}
 [connection]
 retries = {{ ansible_cfg_reconnection_retries }}
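
Review bot: `enable_task_debugger = {{ ansible_cfg_task_debugger }}` is
rendered with no fallback, so the template depends on the variable always
being present in the generated vars. If a vars file produced before
ANSIBLE_CFG_TASK_DEBUGGER existed can reach this role, rendering fails on the
undefined variable; `{{ ansible_cfg_task_debugger | default(false) }}` keeps
the debugger off in that case. Also confirm the new line lands in the
[defaults] section, since the section header is outside the hunk context.
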
-- 
2.50.0


* [RFC PATCH 2/2] ansible.cfg: Explicitly set the ssh user
From: Chuck Lever @ 2025-07-16  0:11 UTC
  To: kdevops; +Cc: Daniel Gomez, Chuck Lever

From: Chuck Lever <chuck.lever@oracle.com>

I've been seeing tasks that are marked "become: true" fail with
this message:

  Timeout (12s): waiting for privilege escalation prompt:

This appears to be a common failure mode, but it is due to a broad
variety of causes. I think I've nailed this one with this addition
to ansible.cfg. It changes "ESTABLISHING SSH SESSION FOR: NONE"
to "... FOR: <user>" where <user> is always a user that is allowed
to use sudo.

The current Terraform Kconfig menu sets this user, but guestfs does
not -- the Ansible ssh user for guestfs is always "kdevops". The
ansible.cfg.j2 file reflects this.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
 playbooks/roles/ansible_cfg/templates/ansible.cfg.j2 | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/playbooks/roles/ansible_cfg/templates/ansible.cfg.j2 b/playbooks/roles/ansible_cfg/templates/ansible.cfg.j2
index f71033b2c88f..60525506335c 100644
--- a/playbooks/roles/ansible_cfg/templates/ansible.cfg.j2
+++ b/playbooks/roles/ansible_cfg/templates/ansible.cfg.j2
@@ -11,6 +11,11 @@ show_task_path_on_failure = {{ ansible_cfg_callback_plugin_show_task_path_on_fai
 interpreter_python = {{ ansible_cfg_interpreter_python_string }}
 forks = {{ ansible_cfg_forks }}
 enable_task_debugger = {{ ansible_cfg_task_debugger }}
+{% if ssh_config_user is defined %}
+remote_user = {{ ssh_config_user }}
+{% else %}
+remote_user = kdevops
+{% endif %}
 {% if ansible_facts['distribution'] == 'openSUSE' %}
 [connection]
 retries = {{ ansible_cfg_reconnection_retries }}
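
Review bot: The `{% if ssh_config_user is defined %}` test in the added block
also passes when `ssh_config_user` is an empty string, which renders
`remote_user =` with no value. The five added lines can be one that covers
both the undefined and the empty case:
`remote_user = {{ ssh_config_user | default('kdevops', true) }}`. Since this
sets the user for every host, a template comment noting that the `kdevops`
fallback is the guestfs user would document where the literal comes from.
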
-- 
2.50.0


* Re: [RFC PATCH 1/2] ansible.cfg: Enable the Ansible debugger when a task fails
From: Daniel Gomez @ 2025-07-16 17:44 UTC
  To: Chuck Lever, kdevops; +Cc: Chuck Lever

On 16/07/2025 02.11, Chuck Lever wrote:
> From: Chuck Lever <chuck.lever@oracle.com>
> 
> This is useful to avoid generating a whole bunch of unwanted output
> that can change thread timing.

What do you mean? Debugging tasks (with debug module) may add delays that can
affect the playbook time execution?

> 
> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

Looks useful. From the docs example looks like import pdb; pdb.set_trace().
https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_debugger.html#resolving-errors-in-the-debugger

Can you add the Ansible debugger docs link to the Kconfig?

Reviewed-by: Daniel Gomez <da.gomez@samsung.com>

* Re: [RFC PATCH 2/2] ansible.cfg: Explicitly set the ssh user
From: Daniel Gomez @ 2025-07-16 18:05 UTC
  To: Chuck Lever, kdevops; +Cc: Chuck Lever

On 16/07/2025 02.11, Chuck Lever wrote:
> From: Chuck Lever <chuck.lever@oracle.com>
> 
> I've been seeing tasks that are marked "become: true" fail with
> this message:
> 
>   Timeout (12s): waiting for privilege escalation prompt:
> 
> This appears to be a common failure mode, but it is due to a broad
> variety of causes. I think I've nailed this one with this addition
> to ansible.cfg. It changes "ESTABLISHING SSH SESSION FOR: NONE"
> to "... FOR: <user>" where <user> is always a user that is allowed
> to use sudo.

In which cases do we get NONE instead of the user? Looks like we may be
missing something... Perhaps tasks that are marked as become: true but not with
become_method: ansible.builtin.sudo?

> 
> The current Terraform Kconfig menu sets this user, but guestfs does
> not -- the Ansible ssh user for guestfs is always "kdevops". The
> ansible.cfg.j2 file reflects this.

Does this also affect the controller host user?

> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
> ---
>  playbooks/roles/ansible_cfg/templates/ansible.cfg.j2 | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/playbooks/roles/ansible_cfg/templates/ansible.cfg.j2 b/playbooks/roles/ansible_cfg/templates/ansible.cfg.j2
> index f71033b2c88f..60525506335c 100644
> --- a/playbooks/roles/ansible_cfg/templates/ansible.cfg.j2
> +++ b/playbooks/roles/ansible_cfg/templates/ansible.cfg.j2
> @@ -11,6 +11,11 @@ show_task_path_on_failure = {{ ansible_cfg_callback_plugin_show_task_path_on_fai
>  interpreter_python = {{ ansible_cfg_interpreter_python_string }}
>  forks = {{ ansible_cfg_forks }}
>  enable_task_debugger = {{ ansible_cfg_task_debugger }}
> +{% if ssh_config_user is defined %}
> +remote_user = {{ ssh_config_user }}
> +{% else %}
> +remote_user = kdevops
> +{% endif %}

I think it makes sense. But I wonder if we want this to be set in the inventory
file instead of globally here? I'm looking at these 2 links:

https://docs.ansible.com/ansible/latest/inventory_guide/connection_details.html#setting-a-remote-user
https://docs.ansible.com/ansible/2.9/plugins/connection/ssh.html#ssh-connection

>  {% if ansible_facts['distribution'] == 'openSUSE' %}
>  [connection]
>  retries = {{ ansible_cfg_reconnection_retries }}

* Re: [RFC PATCH 1/2] ansible.cfg: Enable the Ansible debugger when a task fails
From: Chuck Lever @ 2025-07-16 18:38 UTC
  To: Daniel Gomez, kdevops; +Cc: Chuck Lever

On 7/16/25 1:44 PM, Daniel Gomez wrote:
> On 16/07/2025 02.11, Chuck Lever wrote:
>> From: Chuck Lever <chuck.lever@oracle.com>
>>
>> This is useful to avoid generating a whole bunch of unwanted output
>> that can change thread timing.
> 
> What do you mean? Debugging tasks (with debug module) may add delays that can
> affect the playbook time execution?

Yes, or that using "make AV=3" can generate thousands of lines of output
versus just a hundred.


>> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
> 
> Looks useful. From the docs example looks like import pdb; pdb.set_trace().
> https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_debugger.html#resolving-errors-in-the-debugger
> 
> Can you add the Ansible debugger docs link to the Kconfig?

Yes.


> Reviewed-by: Daniel Gomez <da.gomez@samsung.com>


-- 
Chuck Lever

* Re: [RFC PATCH 2/2] ansible.cfg: Explicitly set the ssh user
From: Chuck Lever @ 2025-07-16 18:47 UTC
  To: Daniel Gomez, kdevops; +Cc: Chuck Lever

On 7/16/25 2:05 PM, Daniel Gomez wrote:
> On 16/07/2025 02.11, Chuck Lever wrote:
>> From: Chuck Lever <chuck.lever@oracle.com>
>>
>> I've been seeing tasks that are marked "become: true" fail with
>> this message:
>>
>>   Timeout (12s): waiting for privilege escalation prompt:
>>
>> This appears to be a common failure mode, but it is due to a broad
>> variety of causes. I think I've nailed this one with this addition
>> to ansible.cfg. It changes "ESTABLISHING SSH SESSION FOR: NONE"
>> to "... FOR: <user>" where <user> is always a user that is allowed
>> to use sudo.
> 
> In which cases do we get NONE instead of the user?

I see that for all connections to remote (non-controller) hosts.

Now, I've also followed a recent recommendation to supersede paramiko
with python3-ansible-pylibssh. Could that be the problem?


> Looks like we may be
> missing something... Perhaps tasks that are marked as become: true but not with
> become_method: ansible.builtin.sudo?

I saw the privilege escalation failure with tasks that had a
become_method: attribute.


>> The current Terraform Kconfig menu sets this user, but guestfs does
>> not -- the Ansible ssh user for guestfs is always "kdevops". The
>> ansible.cfg.j2 file reflects this.
> 
> Does this also affect the controller host user?

It does not appear to. Local connections continue to utilize my user
(cel).


>> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
>> ---
>>  playbooks/roles/ansible_cfg/templates/ansible.cfg.j2 | 5 +++++
>>  1 file changed, 5 insertions(+)
>>
>> diff --git a/playbooks/roles/ansible_cfg/templates/ansible.cfg.j2 b/playbooks/roles/ansible_cfg/templates/ansible.cfg.j2
>> index f71033b2c88f..60525506335c 100644
>> --- a/playbooks/roles/ansible_cfg/templates/ansible.cfg.j2
>> +++ b/playbooks/roles/ansible_cfg/templates/ansible.cfg.j2
>> @@ -11,6 +11,11 @@ show_task_path_on_failure = {{ ansible_cfg_callback_plugin_show_task_path_on_fai
>>  interpreter_python = {{ ansible_cfg_interpreter_python_string }}
>>  forks = {{ ansible_cfg_forks }}
>>  enable_task_debugger = {{ ansible_cfg_task_debugger }}
>> +{% if ssh_config_user is defined %}
>> +remote_user = {{ ssh_config_user }}
>> +{% else %}
>> +remote_user = kdevops
>> +{% endif %}
> 
> I think it makes sense. But I wonder if we want this to be set in the inventory
> file instead of globally here? I'm looking at these 2 links:
> 
> https://docs.ansible.com/ansible/latest/inventory_guide/connection_details.html#setting-a-remote-user
> https://docs.ansible.com/ansible/2.9/plugins/connection/ssh.html#ssh-connection

I didn't see anything there that suggested setting these in the
inventory was any better. I don't have much of a preference,
though.


>>  {% if ansible_facts['distribution'] == 'openSUSE' %}
>>  [connection]
>>  retries = {{ ansible_cfg_reconnection_retries }}


-- 
Chuck Lever
