Fedora - Use new auto ansible_python_interpreter for dnf

[jaredledvina]

Docs: https://docs.ansible.com/ansible/latest/reference_appendices/interpreter_discovery.html

Noticed this in https://travis-ci.org/dev-sec/ansible-os-hardening/jobs/597153020, looks like Ansible can't find python2-dnf and thus Fedora is angry. Some digging found ansible/ansible#49362 (comment) which makes sense to me.

This is a quick attempt to configure ansible_python_interpreter to use the newer auto setting, which should be the new default in 2.12 just for Fedora.

Opening this to verify the TravisCI build passes. If so, good to merge!

[jaredledvina]

Hrm, nope...would need to pass that env through to the container. Going to try another approach.

[jaredledvina]

Hrm, so, the Docker images are using a few different Ansible versions it seems.

• CentOS 6: 2.7.9
• OracleLinux 6: 2.6.17
• Everyone else: 2.8.5

This is a feature added in 2.8 - https://github.com/ansible/ansible/blob/stable-2.8/changelogs/CHANGELOG-v2.8.rst#major-changes, so we'd either need to upgrade the Docker images to use at least 2.8 (which is probably worth it regardless) or be more clever.

EDIT:

Digging in further I see that the CentOS 6 image is configured to install Ansible from https://releases.ansible.com/ansible/rpm/release/epel-6-x86_64/ which is in-fact missing a 2.8 RPM. OracleLinux 6 uses https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm to configure EPEL and I think, because it only has Python 2.6, ends up w/ the latest Ansible 2.6 release.

Darn.....

[rndmh3ro]

Good idea!

[rndmh3ro]

Hey @jaredledvina,

thanks for your PR!

Digging in further I see that the CentOS 6 image is configured to install Ansible from https://releases.ansible.com/ansible/rpm/release/epel-6-x86_64/ which is in-fact missing a 2.8 RPM. OracleLinux 6 uses https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm to configure EPEL and I think, because it only has Python 2.6, ends up w/ the latest Ansible 2.6 release.

This is exactly the problem.. I'm hesitant to require Ansible 2.8 on these systems because of this. I personally realy on using the packaged versions on these systems and don't want to mingle with pip there.

What we could try here is to set the fact with a pre_task if ansible is in version 2.8 or greater:

    - name: set ansible_python_interpreter to auto on systems with ansible 2.8
      set_fact:                                                                                
        ansible_python_interpreter: "auto"
      when: ansible_version.full is version('2.8', '>')