Hi Folks,
We've been shipping Ansible 1.9.x on the slaves for a while now. Do any of you have use-cases to stay pinned to such an old version?
We'd like to update at least to the 2.1 branch (2.2 has some templating/variable-quoting gotchas) in the near future.
Questions, comments?
--Brian
Worth mentioning that 1.9.x and 2.0.x are officially unsupported and unmaintained [1].
[1]: https://groups.google.com/forum/#!topic/ansible-devel/6-6FdxZ94kc
David Moreau Simard Senior Software Engineer | Openstack RDO
dmsimard = [irc, github, twitter]
On Wed, Jan 25, 2017 at 12:07 PM, Brian Stinson brian@bstinson.com wrote:
Hi Folks,
We've been shipping Ansible 1.9.x on the slaves for a while now. Do any of you have use-cases to stay pinned to such an old version?
We'd like to update at least to the 2.1 branch (2.2 has some templating/variable-quoting gotchas) in the near future.
Questions, comments?
--Brian
Ci-users mailing list Ci-users@centos.org https://lists.centos.org/mailman/listinfo/ci-users
I'm not using Ansible inside CI yet, but I remember having had to adapt some 1.9 playbooks for 2.x. [1]
Perhaps also worth mentioning, Ansible 2.2.1.0 fixed CVE-2016-9587, CVE-2016-8647, CVE-2016-9587 and CVE-2016-8647 (the first is about a compromised remote system being able to run commands on the Ansible controller - I think 1.9 is also vulnerable [2]). Unless we can afford to quickly backport such security fixes, wouldn't it be better to use the EPEL version everywhere inside CentOS?
Regards, Laurențiu
[1] https://docs.ansible.com/ansible/porting_guide_2.0.html [2] https://lwn.net/Articles/711357/
On Wed, Jan 25, 2017 at 7:49 PM, David Moreau Simard dms@redhat.com wrote:
Worth mentioning that 1.9.x and 2.0.x are officially unsupported and unmaintained [1].
David Moreau Simard Senior Software Engineer | Openstack RDO
dmsimard = [irc, github, twitter]
On Wed, Jan 25, 2017 at 12:07 PM, Brian Stinson brian@bstinson.com wrote:
Hi Folks,
We've been shipping Ansible 1.9.x on the slaves for a while now. Do any of you have use-cases to stay pinned to such an old version?
We'd like to update at least to the 2.1 branch (2.2 has some templating/variable-quoting gotchas) in the near future.
Questions, comments?
--Brian
Ci-users mailing list Ci-users@centos.org https://lists.centos.org/mailman/listinfo/ci-users
Ci-users mailing list Ci-users@centos.org https://lists.centos.org/mailman/listinfo/ci-users
I'm on the latest version via virtualenv. I'd welcome having the latest version on the nodes by default.
On Thu, Jan 26, 2017 at 12:46 AM, Laurențiu Păncescu lpancescu@gmail.com wrote:
I'm not using Ansible inside CI yet, but I remember having had to adapt some 1.9 playbooks for 2.x. [1]
Perhaps also worth mentioning, Ansible 2.2.1.0 fixed CVE-2016-9587, CVE-2016-8647, CVE-2016-9587 and CVE-2016-8647 (the first is about a compromised remote system being able to run commands on the Ansible controller - I think 1.9 is also vulnerable [2]). Unless we can afford to quickly backport such security fixes, wouldn't it be better to use the EPEL version everywhere inside CentOS?
Regards, Laurențiu
[1] https://docs.ansible.com/ansible/porting_guide_2.0.html [2] https://lwn.net/Articles/711357/
On Wed, Jan 25, 2017 at 7:49 PM, David Moreau Simard dms@redhat.com wrote:
Worth mentioning that 1.9.x and 2.0.x are officially unsupported and unmaintained [1].
David Moreau Simard Senior Software Engineer | Openstack RDO
dmsimard = [irc, github, twitter]
On Wed, Jan 25, 2017 at 12:07 PM, Brian Stinson brian@bstinson.com wrote:
Hi Folks,
We've been shipping Ansible 1.9.x on the slaves for a while now. Do any of you have use-cases to stay pinned to such an old version?
We'd like to update at least to the 2.1 branch (2.2 has some templating/variable-quoting gotchas) in the near future.
Questions, comments?
--Brian
Ci-users mailing list Ci-users@centos.org https://lists.centos.org/mailman/listinfo/ci-users
Ci-users mailing list Ci-users@centos.org https://lists.centos.org/mailman/listinfo/ci-users
Ci-users mailing list Ci-users@centos.org https://lists.centos.org/mailman/listinfo/ci-users
On Jan 25 20:16, Laurențiu Păncescu wrote:
I'm not using Ansible inside CI yet, but I remember having had to adapt some 1.9 playbooks for 2.x. [1]
Perhaps also worth mentioning, Ansible 2.2.1.0 fixed CVE-2016-9587, CVE-2016-8647, CVE-2016-9587 and CVE-2016-8647 (the first is about a compromised remote system being able to run commands on the Ansible controller - I think 1.9 is also vulnerable [2]). Unless we can afford to quickly backport such security fixes, wouldn't it be better to use the EPEL version everywhere inside CentOS?
We'd be pretty happy to track the latest version. 1.9.6 was temporary to enable a project or two that were in the middle of upgrading. If we can get to 2.2.x I'm all for that.
Regards, Laurențiu
[1] https://docs.ansible.com/ansible/porting_guide_2.0.html [2] https://lwn.net/Articles/711357/
On Wed, Jan 25, 2017 at 7:49 PM, David Moreau Simard dms@redhat.com wrote:
Worth mentioning that 1.9.x and 2.0.x are officially unsupported and unmaintained [1].
David Moreau Simard Senior Software Engineer | Openstack RDO
dmsimard = [irc, github, twitter]
On Wed, Jan 25, 2017 at 12:07 PM, Brian Stinson brian@bstinson.com wrote:
Hi Folks,
We've been shipping Ansible 1.9.x on the slaves for a while now. Do any of you have use-cases to stay pinned to such an old version?
We'd like to update at least to the 2.1 branch (2.2 has some templating/variable-quoting gotchas) in the near future.
Questions, comments?
--Brian
Ci-users mailing list Ci-users@centos.org https://lists.centos.org/mailman/listinfo/ci-users
Ci-users mailing list Ci-users@centos.org https://lists.centos.org/mailman/listinfo/ci-users
Ci-users mailing list Ci-users@centos.org https://lists.centos.org/mailman/listinfo/ci-users
I don't think it is unreasonable to expect users that want to run 1.9 or other versions to use a virtualenv to do so.
-- Jason DeTiberus
On Jan 26, 2017 1:54 AM, "Brian Stinson" brian@bstinson.com wrote:
On Jan 25 20:16, Laurențiu Păncescu wrote:
I'm not using Ansible inside CI yet, but I remember having had to adapt some 1.9 playbooks for 2.x. [1]
Perhaps also worth mentioning, Ansible 2.2.1.0 fixed CVE-2016-9587, CVE-2016-8647, CVE-2016-9587 and CVE-2016-8647 (the first is about a compromised remote system being able to run commands on the Ansible controller - I think 1.9 is also vulnerable [2]). Unless we can afford to quickly backport such security fixes, wouldn't it be better to use the
EPEL
version everywhere inside CentOS?
We'd be pretty happy to track the latest version. 1.9.6 was temporary to enable a project or two that were in the middle of upgrading. If we can get to 2.2.x I'm all for that.
Regards, Laurențiu
[1] https://docs.ansible.com/ansible/porting_guide_2.0.html [2] https://lwn.net/Articles/711357/
On Wed, Jan 25, 2017 at 7:49 PM, David Moreau Simard dms@redhat.com
wrote:
Worth mentioning that 1.9.x and 2.0.x are officially unsupported and unmaintained [1].
David Moreau Simard Senior Software Engineer | Openstack RDO
dmsimard = [irc, github, twitter]
On Wed, Jan 25, 2017 at 12:07 PM, Brian Stinson brian@bstinson.com wrote:
Hi Folks,
We've been shipping Ansible 1.9.x on the slaves for a while now. Do
any
of you have use-cases to stay pinned to such an old version?
We'd like to update at least to the 2.1 branch (2.2 has some templating/variable-quoting gotchas) in the near future.
Questions, comments?
--Brian
Ci-users mailing list Ci-users@centos.org https://lists.centos.org/mailman/listinfo/ci-users
Ci-users mailing list Ci-users@centos.org https://lists.centos.org/mailman/listinfo/ci-users
Ci-users mailing list Ci-users@centos.org https://lists.centos.org/mailman/listinfo/ci-users
_______________________________________________ Ci-users mailing list Ci-users@centos.org https://lists.centos.org/mailman/listinfo/ci-users
On 01/02/17 15:03, Jason DeTiberus wrote:
I don't think it is unreasonable to expect users that want to run 1.9 or other versions to use a virtualenv to do so.
Indeed (although migrating the playbooks to 2.x isn't that difficult). Upstream has an extensive test suite and is pretty fast in addressing the few bugs that occasionally slip through, not to mention the security fixes. I've been using Ansible's stable releases privately for quite a while (via MacPorts), without ever experiencing any serious regressions - even minor annoyances have been rare.
Since Fedora already makes the effort to provide the current Ansible releases in EPEL, it would be a pity not to take advantage of that.
Regards, Laurențiu
On Feb 1, 2017 9:23 AM, "Laurentiu Pancescu" lpancescu@gmail.com wrote:
On 01/02/17 15:03, Jason DeTiberus wrote:
I don't think it is unreasonable to expect users that want to run 1.9 or other versions to use a virtualenv to do so.
Indeed (although migrating the playbooks to 2.x isn't that difficult). Upstream has an extensive test suite and is pretty fast in addressing the few bugs that occasionally slip through, not to mention the security fixes. I've been using Ansible's stable releases privately for quite a while (via MacPorts), without ever experiencing any serious regressions - even minor annoyances have been rare.
I would argue that is not the case for a sufficiently large project (such as openshift-ansible). We hit quite a few problems when migrating from 1.9 to 2.0 and to a lesser extent 2.0 to 2.1. The 2.1 to 2.2 migration went smoothly (we had previously fixed the templating deprecation warnings, otherwise we would have been bit), but we've hit regressions with 2.2.1.
I agree that the Ansible team is very responsive to fixing issues, but the architecture changes from 1.9 to 2.x introduced breaking changes that affected playbook parsing and breaking plugins.
Since Fedora already makes the effort to provide the current Ansible releases in EPEL, it would be a pity not to take advantage of that.
I agree, however there would need to be a transition period for projects that can't respond immediately for breakage related to an Ansible update (moving to using a locked version in a virtualenv) or have other extenuating circumstances (openshift-ansible for example has a callback plugin that provides a friendly error for Ansible < 2.2 or Ansible != 2.2.1.0, though it looks like we'll need to add a test for 2.2.1.1 now as well). That said, the OpenShift jobs already use a virtualenv.
-- Jason DeTiberus
Regards, Laurențiu
_______________________________________________ Ci-users mailing list Ci-users@centos.org https://lists.centos.org/mailman/listinfo/ci-users
-
Brian Stinson -
David Moreau Simard -
Jason DeTiberus -
Laurențiu Păncescu -
Nigel Babu