Merge pull request #3679 from holta/ansible-core-2.16.1

Recommend ansible-core 2.16.1

iiab-install

@@ -11,7 +11,7 @@ CWD=`pwd`
 OS=`grep ^ID= /etc/os-release | cut -d= -f2`
 OS=${OS//\"/}    # Remove all '"'
 MIN_RPI_KERN=5.4.0         # Do not use 'rpi-update' unless absolutely necessary: https://github.com/iiab/iiab/issues/1993
-MIN_ANSIBLE_VER=2.14.11    # 2023-05-22: ansible-core 2.12 EOL per https://docs.ansible.com/ansible/latest/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix  2022-11-09: Raspberry Pi 3 (and 3 B+ etc?) apparently install (and require?) ansible-core 2.11 for now -- @deldesir can explain more on PR #3419.  Historical: Ansible 2.8.3 and 2.8.6 had serious bugs, preventing their use with IIAB.
+MIN_ANSIBLE_VER=2.14.12    # 2023-05-22: ansible-core 2.12 EOL per https://docs.ansible.com/ansible/latest/reference_appendices/release_and_maintenance.html#ansible-core-support-matrix  2022-11-09: Raspberry Pi 3 (and 3 B+ etc?) apparently install (and require?) ansible-core 2.11 for now -- @deldesir can explain more on PR #3419.  Historical: Ansible 2.8.3 and 2.8.6 had serious bugs, preventing their use with IIAB.
 
 REINSTALL=false
 DEBUG=false

roles/0-init/tasks/validate_vars.yml

@@ -158,12 +158,10 @@
   when: item != 'mysql' and item != 'postgresql' and item != 'mongodb' and item != 'nodejs' and item != 'yarn'    # Exclude auto-installed dependencies
   loop: "{{ vars_checklist }}"
 
-- name: 'DISALLOW "XYZ_install: True" if deprecated'
-  assert:
-    that: "{{ item }}_install is undefined or not {{ item }}_install"
-    fail_msg: "DISALLOWED: '{{ item }}_install: True' (e.g. in /etc/iiab/local_vars.yml)"
-    quiet: yes
-  with_items:
+
+- name: Set vars_deprecated_list for 4+ vars ("XYZ_install") to be checked
+  set_fact:
+    vars_deprecated_list:
       - dhcpd               # Deprecated
       - named               # Deprecated
       - wondershaper        # Deprecated
@@ -175,3 +173,23 @@
       #- dokuwiki           # Unmaintained
       #- ejabberd           # Unmaintained
       #- elgg               # Unmaintained
+
+- name: 'DISALLOW "XYZ_install: True" if deprecated'
+  assert:
+    that: "{{ item }}_install is undefined or not {{ item }}_install"
+    fail_msg: "DISALLOWED: '{{ item }}_install: True' (e.g. in /etc/iiab/local_vars.yml)"
+    quiet: yes
+  loop: "{{ vars_deprecated_list }}"
+  # 2023-12-04: ansible-core 2.16.1 suddenly no longer allows 'assert' with
+  # 'with_items' below (whereas 'loop' construct above works!)  BACKGROUND:
+  #
+  #  'due to mitigation of security issue CVE-2023-5764 in ansible-core 2.16.1,
+  #  conditional expressions with embedded template blocks can fail with the
+  #  message “Conditional is marked as unsafe, and cannot be evaluated.”'
+  #  https://docs.ansible.com/ansible-core/2.16/porting_guides/porting_guide_core_2.16.html#playbook
+  #
+  # with_items:
+  #   - dhcpd               # Deprecated
+  #   - named               # Deprecated
+  #   - wondershaper        # Deprecated
+  #   - dansguardian        # Deprecated

scripts/ansible

@@ -7,8 +7,8 @@
 # https://github.com/iiab/iiab/wiki/Technical-Contributors-Guide#female_detective-understanding-ansible
 
 APT_PATH=/usr/bin     # Avoids problematic /usr/local/bin/apt on Linux Mint
-CURR_VER=undefined    # Ansible version you have installed, e.g. [core 2.16.0]
-GOOD_VER=2.16.0       # Orig for 'yum install [rpm]' & XO laptops (pip install)
+CURR_VER=undefined    # Ansible version you have installed, e.g. [core 2.16.1]
+GOOD_VER=2.16.1       # Orig for 'yum install [rpm]' & XO laptops (pip install)
 
 # 2021-06-22: The apt approach (with PPA source in /etc/apt/sources.list.d/ and
 # .gpg key etc) are commented out with ### below.  Associated guidance/comments