Three changes:
* Add set_default_selinux_context() to module_common that sets
a file's context according to the defaults in the policy
* In atomic_replace(), set the default context for the file if
selinux is enabled and the destination file does not exist.
* In authorized_key, set the default context when creating
$HOME/.ssh and $HOME/.ssh/authorized_keys. If these already
exist, this won't touch them.
- Do not silently ignore malformed pip requirements files.
- Properly reports changed when removing packages.
- "latest" i.e. --upgrade is *not* incompatible with requirements files.
- Less branchy, simpler logic.
- Removed pointless variable "initializations", Python doesn't need that.
Other code simplifications.
- Fun fact; pip install is (kind of) case insensitive, pip freeze is not.
So, 'sqlalchemy' will be reported as installed by install, but missing
by freeze.
The perhaps controversial change and the one that led to finding /
fixing above issues...
Instead of adding command parameters 'index', and 'find', and 'mirrors',
and etc. Added 'extra_args' which are passed onto pip.
The use case for --index-url is having a private pypi repo, like
http://pypi.python.org/pypi/localshop, to which you publish private
packages. I'm sure most every pip option has a use case for someone.
extra_args handles all those. Can reserve ansible command parameters for
the most common.
Tested with pip 1.1.
Add HTML-escaping to code examples in rST tempate of module-formatter
Add support for specifying port, addresses with phrases and attaching files
Add support for custom headers and document version_added for new options
X-Mailer header added :)
protect empty address lists & attachment list, and add bcc
- Added username, password arguments.
- Documented existing revision argument.
- Corrected documentation/docstrings; removed git references, use svn
nomenclature, etc.
- Refactored duplicate code, redundant shell calls, filter abuse,
inconsistent formating, etc.
- Shell quoting so it doesn't break for one guy who has spaces in
pathnames.
- svn called with '--non-interactive' and '--no-auth-cache'.
Move operations that are dependant on a remote branch under a if
is_remote_branch() conditional. While at it, remove assignment to cmd
string in same block that wasn't used when calling _run().
The git module would not pull in updates to a branch when
version=<branch>. This updates that block to checkout the branch
and then do a git reset --hard <remote>/<branch>. This
should now track updates to a branch.
In a virtualenv, pip is called just pip. This fixes the pip module to
search for the virtualenv pip first before trying the pip-python and
python-pip variants. Without this, pip module would not install to the
virtualenv when that parameter is provided.
This updates _is_package_installed() to accept a requirements file
as an argument. This is used later in main() to check if python libs
specified in a requirements file are already installed. I updated
main() to consolidate the handling of install/uninstall in a single
block. This should help if someone wants to remove packages specified
by a requirements file.
This makes the line parsing a lot more robust (and easier to read).
Code supplied by @dhozac, thanks!
Remove re import because this is not used anywhere.
When trying to perform enabled=yes followed by enabled=no
against FreeBSD the module would die with the following error:
TypeError: sub() takes at most 4 arguments (5 given)
The target FreeBSD client (8.2) is running python 2.6.6. It seems the
extra 'flags' argument was added to re.sub() in 2.7.
In fixing this issue I have attempted to create a general atomic method
for modifying a rc.conf file. Hopefully this will make it easier to add
other rc based platorms. The strip/split magic was inspired by the user
module.
* Basically the moving parts from the original service module arranged in
subclasses.
* General structure and helper methods comes from the user module.
* Less forgiving to unsupported platforms: it requires a subclass per platform.
(This makes it easier to work on one platform without having to think about.
what other platform might be affected in unexpected ways).
* Now has basic OpenBSD support.
* Solaris support needs to be added.
Thanks to @dhozac for general advice and Linux testing.
Thanks to @bcoca for clearing up some FreeBSD questions.
I added all known virtualization types from the virt-what project. However, the few virt types that rely on cpuid information have not been implemented lacking native python cpuid access. (hyperv)
Without this fix, generating documentation results in:
```
Traceback (most recent call last):
File "hacking/module_formatter.py", line 376, in <module>
main()
File "hacking/module_formatter.py", line 365, in main
text = template.render(doc)
File "/usr/lib64/python2.6/site-packages/jinja2/environment.py", line 669, in render
return self.environment.handle_exception(exc_info, True)
File "hacking/templates/man.j2", line 20, in top-level template code
{% for desc in v.description %}@{ desc | jpfunc }@{% endfor %}
File "hacking/module_formatter.py", line 94, in man_ify
t = _ITALIC.sub(r'\\fI' + r"\1" + r"\\fR", text)
TypeError: expected string or buffer
```
- Make sure exit_json() always returns a changed= value
- Modify the yum module to not return failed=False
- Modify install() and latest() similar to remove() in yum module
- Changed exit_json(failed=True, **res) into a fail_json(**res)
- Make sure yum rc= value reflects loop (similar to how we fixed remove())
Rewrote switch_version() to read .git/HEAD to find branch associated
with HEAD. If in a detached HEAD state, will read
.git/refs/remotes/<remote>/HEAD.
Rename pull() to fetch(). It does a git fetch and then a
git fetch --tags.
Add _run() method to handle all subprocess.Popen calls. Change
all previous calls to subprocess.Popen to use _run().
There is no need to require thirsty mode when the destination is a directory. We add the basename of the url to the destination directory and proceed with that. If that file exists in non-thirsty mode continue as expected.
I also cleaned up some of the logic that is no longer necessary if we simply rewrite the destination from the very start the way it is expected.
I had made and pushed this change after you already pulled the request.
@dhozac indicated that it would probably be better to use return codes > 255 for anything related to Ansible itself. Which makes sens :)
We use the lineinfile module to modify configuration files of a proprietary application. This application reads configuration options from files, but does not require those files to exist (if the default options are fine). However this application may modify the configuration file at will, so we cannot copy or template those files. And after a silent install the configuration may not exist (depending on the response file).
Whatever the case, during deployment we need to make sure some configuration options are set after the installation.
So the cleanest way to handle this situation is to allow the lineinfile module to create the file if it is missing (and this is the expected behavior). When I proposed this behavior, @sergevanginderachter needed the same functionality and was now working around it as well.
I had made and pushed this change after you already pulled the request.
@dhozac indicated that it would probably be better to use return codes > 255 for anything related to Ansible itself. Which makes sens :)
Split module into a main calling function, and a generic
(Linux useradd/usermod/userdel) User class.
Added a __new__ function that selects most appropriate superclass
Added a FreeBSD User class
Tested against FreeBSD 9.0
If this is not a certainty, playbooks will fail without an 'rc' and checking both if there is an rc, and whether the 'rc' is (not) 0 is very complicated. (especially because ${something.rc} will not be substituted and all that)
Detect when on a 'no branch' branch. If so, checkout the HEAD branch
as reported by 'git remote show <remote>'. That should put the repo
back on a branch such that git can then merge changes as necessary.
In addition, removed hard-coded references to origin and replaced
with remote var.
This allows one to create a SSH key for user. You may define:
ssh_key_type, ssh_key_bits, ssh_key_file, ssh_key_comment,
and ssh_key_passphrase. If no passphrase is provided, the
key will be passphrase-less. This will not overwrite an existing key.
In the JSON returned, it will provide the ssh_fingerprint and
ssh_key_file.
- fixed template (it was the template), adding indentation with Jinja2
- added description of code examples to man-page template (was missing)
- fixed fireball, cron, and debug module examples to confrom
On Red Hat, CentOS and Fedora systems, the pip binary will be called python-pip
instead of pip. This commit makes the pip module also check for python-pip.
The reason we check for python-pip *first*, is to have ansible fail on not
finding 'pip' and reporting *that*. This is consistent with current behaviour
and will not confuse users of Debian et al., where the 'python-pip' binary
never exists.
Tested on Fedora 18 and Ubuntu 12.04.
This commit improves the following items:
- Remove the 'match' functionality, this can now be achieve by using the `fail` module together with `only_if` after running the `hpilo_facts` module. Since this gives more functionality, e.g. comparing server names, but also serial numbers or uuids with other inventory information, this is prefered. An example is added to show how this is achieved.
- Clean up all C() calls in documentation
- Added state=poweroff in order to power off a server. The use-case is here that in general we do not want to provision systems that are already running (this enforcement can be disabled using force=yes) but for test systems we should be able to power them off so we can start the normal provisioning process. (We could also force boot them, but that's less elegant)
- The module now correctly indicates when something has changed. So if a server is powered off that was not off already, this is indicated, or when media boot-settings have been changed, this is also correctly indicated. Previously every call to hpilo_boot was (incorrectly) considered a change.
This commit improves the following items:
- Remove the 'match' functionality, this can now be achieve by using the `fail` module together with `only_if` after running the `hpilo_facts` module. Since this gives more functionality, e.g. comparing server names, but also serial numbers or uuids with other inventory information **and** a proper message, this is prefered. An example is added to show how this is achieved.
- Clean up all C() calls in documentation
- Remove trailing spaces in HP iLO's Serial Number output so that they can be compared to CMDB or other inventory information
Sending mails could be part of the workflow to have teams/responsibles perform specific task. Or simply to notify that a process has finished successfully (e.g. provisioning).
This workaround is recommended from HP iLO's documentation, but may not be sufficient in all cases. Time will tell.
I also made a few cosmetic changes with no impact.
Much like we currently have *setup* register the variable `module_setup`, we would like other facts-modules register their own namespace. This means that:
- *network_facts* registers `module_network`
- *hpilo_facts* registers `module_hw`
- *vsphere_facts* registers `module_hw`
In retrospect, it would have made more sense to have `setup` register `module_ansible` instead as the setup module uses the `ansible_` namesepace.
Having the `module_` namespace allows us to check whether a certain namespace has already been loaded so we can avoid running the facts module a second time using only_if.
```yaml
- action: network_facts host=${ansible_hostname_short}
only_if: is_unset('$module_network')
```
This module gathers facts from a VMWare vSphere guest by querying vSphere. The facts include OS, network info (vlan, macaddress) and system info (cpu, memory, uuid) information. Useful information for provisioning and management.
This module gathers facts from the hardware interface by querying HP iLO. The facts include network info (vlan, macaddress) and system info (cpu, memory, uuid) information. Useful information for provisioning and management.
This module was previously named ilo_facts and mentioned in #1080, #1085, #1125 and #1217.
After helping someone on IRC he was interested to have this debug module in upstream. This module simply 'prints' a message, and can be ordered to fail if needed. It helps to troubleshoot or understand inventory/facts issues and/or experiment with statements and conditions using only_if.
Here is a small example playbook:
```yaml
- hosts: all
tasks:
- local_action: debug msg="System $inventory_hostname has uuid ${ansible_product_uuid}"
- local_action: debug msg="System $inventory_hostname lacks a gateway" fail=yes
only_if: "is_unset('$ansible_default_ipv4.gateway')"
- local_action: debug msg="System $inventory_hostname has gateway ${ansible_default_ipv4.gateway}"
only_if: "is_set('$ansible_default_ipv4.gateway')"
```
outputting:
```
[root@moria ansible]# ansible-playbook -v -l localhost:x220 test6.yml
PLAY [all] *********************
GATHERING FACTS *********************
ok: [localhost]
ok: [x220]
TASK: [debug msg="System $inventory_hostname has uuid $ansible_product_uuid"] *********************
ok: [localhost] => {"msg": "System localhost has uuid d125a48c-364f-4e65-b225-fed42ed61fac"}
ok: [x220] => {"msg": "System x220 has uuid d125a48c-364f-4e65-b225-fed42ed61fac"}
TASK: [debug msg="System $inventory_hostname lacks a gateway" fail=yes] *********************
failed: [localhost] => {"failed": true, "msg": "System localhost lacks a gateway", "rc": 1}
ok: [x220] => {"msg": "System x220 has gateway 192.168.1.1"}
PLAY RECAP *********************
localhost : ok=2 changed=0 unreachable=0 failed=1
x220 : ok=3 changed=0 unreachable=0 failed=0
```
I had some other plans for the module, like displaying host inventory and complete inventory to help understand inventory and facts modules, but that would require an action-plugin for transfering inventory information etc... And I am not sure this is wanted/best done in a module.
In some cases you may want to deliberately fail the execution of a playbook. In our provisioning workflow we want to have safeguards in place to avoid provisioning systems that are already in production. Since we reboot physical and virtual systems, it is mandatory we take all the precautions to prevent accidental provisioning.
So in our use-case we have the following at the very start of the provisioning playbook:
### Safeguard to protect production systems
- local_action: fail msg="System is not ready to be staged according to CMDB"
only_if: "'$cmdb_status' != 'to-be-staged'"
and we repeat the same task in the (separate included) play that takes care of (re)booting the system using our own boot-media, so that it cannot be accidentally separately run by someone.
pipes.quote is a bit overzealous for what we want to do, quoting ;
and other characters that you most likely want to use in your shell
invocations. The regexp is the best I could come up with to be able
to only replace the parts of the arguments that shouldn't be
executed.
- .rst now supresses default if none is set (looks better in HTML)
- .rst now handles empty options list
- Fixed postgresql_user and mysql_user because YAML contained colons
- docs for facter
This gathers LSB facts via lsb_release. This complements the
platform facts collected via the platform module. This reoprts
release, id, description, release, and codename. It also adds
'major_release', which is the major version number of a distribution.
In some cases (see issue #1067) with state=restarted, a failure to stop
the service (which wasn't running) would appear to the module to be a
failure to restart the service even though it successfully started the
service. This changes the behavior of the service module to focus
on the return code of the start command. If the rc of stop is not
0 and the rc of start does equal 0, it considers the service
successfully restarted. It then ignores the rc, stdout, and stderr
from the unsuccessful stop command.
This change includes:
- (on possibly older python versions ?) a string variable test using the 'is' operator fails (so it always return ok immediately after initial delay)
- add a missing socket.settimeout() for the state=started case (if the machine does not exist, timeout defaults to 60 seconds)
- add a connect_timeout option to customize the default connection timeout
- use socket.shutdown(2) to close immediately
- return the elapsed time
The check for the destination being a directory is now done before
checking if the file exists, that way the user is informed that the
thirsty argument is required.
If I create a database from scratch and assign permissions by doing:
- name: ensure database is created
action: postgresql_db db=$dbname
- name: ensure django user has access
action: postgresql_user db=$dbname user=$dbuser priv=ALL password=$dbpassword
Then it fails with the error:
File "/tmp/ansible-1347048449.32-29998829936529/postgresql_user", line 565, in <module>
main()
File "/tmp/ansible-1347048449.32-29998829936529/postgresql_user", line 273, in main
changed = grant_privileges(cursor, user, privs) or changed
File "/tmp/ansible-1347048449.32-29998829936529/postgresql_user", line 174, in grant_privileges
changed = grant_func(cursor, user, name, privilege)\
File "/tmp/ansible-1347048449.32-29998829936529/postgresql_user", line 132, in grant_database_privilege
prev_priv = get_database_privileges(cursor, user, db)
File "/tmp/ansible-1347048449.32-29998829936529/postgresql_user", line 118, in get_database_privileges
r = re.search('%s=(C?T?c?)/[a-z]+\,?' % user, datacl)
File "/usr/lib/python2.7/re.py", line 142, in search
return _compile(pattern, flags).search(string)
TypeError: expected string or buffer
This fix fixes the problem by not executing the regex if the
db query on pg_database returns None.
The use-case here is that based on information in the /proc/cmdline certain actions can be taken.
A practical example in our case is that we have a play at the end of the provisioning phase that reboots the system. Since we don't want to accidentally reboot a system (or restart the network) on a production machine, having a way to separate an Anaconda post-install (sshd in chroot) with a normal system is a good way to make that distinction.
---
- name: reboot
hosts: all
tasks:
- action: command init 6
only_if: "not '${ansible_cmdline.BOOT_IMAGE}'.startswith('$')"
A practical problem here is the fact that we cannot simply check whether it is set or empty:
---
- name: reboot
hosts: all
tasks:
- action: command init 6
only_if: "'${ansible_cmdline.BOOT_IMAGE}'"
If ansible_cmdline was a string, a simple only_if: "'${ansible_cmdline}'.find(' BOOT_IMAGE=')" was an option, but still not very "beautiful" :-/
This implementation uses shlex.split() and uses split(sep, maxsplit=1).
This allows the use of ~ in the chdir argument of the command module
I know the later change is absolutely necessary as the first change
was not sufficient. It may be that the first change fixes shell and
the second fixes command.
Added required as optional argument to get_bin_path(). It defaults to
false. Updated following modules to use required=True when calling
get_bin_path(): apt_repository, easy_install, group, pip,
supervisorctl, and user.
Also removed _find_supervisorctl() from supervisorctl module and updated
_is_running() to not need it.
Will manage values of seboolean on a host. Options are name (name of
boolean), state (on or off), and persistent (on or off). Persistent
defaults to no.
* Migraed easy_install, pip, service, setup, and user.
* Updated fail_json message in apt_repository
* Fixed easy_install to not hardcode location of virtualenv in
/usr/local/bin/.
* Made handling of virtualenv more consistent between easy_install and
pip.
Most of it worked already, except for the enable parameter, because it
tried to use chkconfig which only sees SysV services. First look for
systemctl and use that if it exists.
This takes started, stopped and restarted.
Started returns when connecting is possible.
Stopped when connecting is not possible.
Restarted first waits for connecting to be impossible and returns when it is
possible again.
Use a different method to query for current
privileges at the table and database level.
This method is more robust if newer privileges
are added in future versions and also supports the
ALL wildcard.
fail_on_user option can be used to ignore silently
if the user cannot be removed because of remaining
privilege dependencies to other objects in the
database. By default it will fail, so that this new
behavior won't surprise unsuspecting users.
The postgresql_user module has several drawbacks:
* No granularity for privileges
* PostgreSQL semantics force working on one
database at time, at least for Tables. Which
means that a single call can't remove all the
privileges for a user, and a user can't be
removed until all the privileges are removed,
forcing a module failure with no way to
work around the issue.
Changes:
* Added the ability to specify granular privileges
for database and tables within the database
* Report if user was removed, and add an option to
disable failing if user is not removed.
whether to download it every time or not -- will replace only on change, or decide to not download. The default
is thirsty=no which will not download every time by default.
mpdehaan requested in ansible/ansible#795 that globals be removed.
The response was to remove the lines with the word 'global', but not
the actual use of global variables. Which makes the module break silently.
Updated to use local variables.
When initalizing a connection to psycopg2, in order to use the default
values, the keywords must be missing. So we use a dictionary as a kwarg
and include only the keywords that do not have an empty value on the
module parameters.
it is possible those folks w/o yum-utils installed but with rhn-plugin
installed but w/o any rhn-certificates will still see an error msg.
they have 3 options:
1. remove rhn-plugin
2. enable some channels w/rhn certs
3. install yum-utils
If ip is not found in either /sbin or /usr/sbin, this will return
an empty result. It seems extremely unlikely that a linux system will
not have iproute2 installed
This updates set_owner_if_different() and set_group_if_different()
to not implicitly recurse when setting ownership (whether user or
group). It drops the os.system() call and replaces it with os.chown().
Resolves issue #825.
The recursion should be explicit. A recurse=yes|no option should be
added to the file module.
This adds user_password() to abstract how the user's password is looked
up. If spwd is not available, this will read the shadow file for the
user's shadow entry. This will then facilitate idempotent password
changes on hosts without spwd.
git module used to check stderr for the string 'error' after calling
switch_version(). This changes that to just look at the return code to
determine whether the command failed. If the rc is not zero, the git
module will call fail_json().
The problem is that git checkout will summarize the commit message,
such as:
HEAD is now at ea38409... removing artificial error
When the string 'error' is the commit message, this check will
erroneously think the command failed.
This also removes the method switchLocalBranch() since it is no longer
used.
operations in the correct order, so the file module results overlay the original module results, not the other way
around (which keeps any failure msg's intact)
Although library/copy can be corrected to understand that dest is
a directory, I can't see how to let _execute_copy know this and let the
file module know.
As a better solution than before #733, the copy module now explicitly (rather
than silently) fails when dest is a directory.
Allow use of service module with just enable parameter, per issue #755.
Also fixed two other issues:
- fixed parameter to be 'enabled' per docs, not 'enable'.
- fixed if block that checks whether to run _do_enable() to check
whether the parameter is set, not the value of the enable value which
may be None or False. If enabled=no, the service would never be
disabled.
Convert git module to module magic.
Drop cruft no longer needed.
Standardize indent to 4 spaces in methods switchLocalBranch, reset,
clone, and get_version.
Update is_local_branch to also handle '* branch' format.
Add is_current branch method()
Update pull() method to use is_current_branch()
passwd -> password
loginpass -> login_password
loginuser -> login_user
loginhost -> login_host
Add an example playbook that shows how to use the modules.
These modules are based on the mysql_db and mysql_user modules.
Currently, the postgresql_user module can only grant all permissions
on a database, fine-grained access has not been implemented yet.
1. Passing the module to the various functions so that they can use module.fail_json and module.exit_json methods inside.
2. Because of point 1, install and remove methods do not return anything. Instead, they use the module functions itself.
3. Move the import statement (for apt and apt_pkg) inside main function so on import error, we can use module.fail_json to print the error.
This drops the branch option. The version option is overloaded
to mean either a sha1, branch, or tag. This also adds the option
'remote' which defaults to 'origin'.
clone() was simplified by removing the checkout operation. That
happens later when switch_version() is called.
Added the methods get_branches(), is_remote_branch(), and
is_local_branch(). get_branches() returns an array listing all
of the branches for the git repository. is_remote_branch() checks
whether the arguments supplied correspond to a remote branch.
Similarly, is_local_branch() checks for a local branch.
The pull() method now checks to see if it is on the desired branch.
If not, it checks out the requested branch and then does a pull.
This should keep issue #604 still fixed.
switch_version(), formerly switchver(), looks to see if it is
checking out a branch. If a branch, it checks it out with the --track
option. This type of checkout was in pull() before.
Updated pull, clone, and switch_version to return (rc, out, err).
Module consumers using the API don't have to know how this works. base64 stuff is only there
because escaping a docstring inside a docstring was a bit of a challenge :)
get module (with new module-magic-code!)
Usage: ansible -m get -a "url=http://xxxxxxx dest=fileordirctory"
all cleanups as per @mpdehaan's suggestions
add daisychain
added example playbook (get_url.yml) with URLencode example
get_interfaces() updated to read /proc/net/dev. This means it no
longer provides only interfaces that are up.
get_iface_hwaddr() updated to read from /sys/class/net/<iface>/address.
Added get_interface_facts() to pull in mac address and interface mtu.
Can be used later for additional interface-facts.
Added get_ipv6_facts(), which reads from /proc/net/if_inet6.
get_network_facts() renamed to get_ipv4_facts(). It still calls
ifconfig to determine ipv4 facts.
The Facts class and subclasses no longer take a dict argument for
instantiation. populate() now returns self.facts.
Other changes:
- Facts.__init__() takes over most of the work from populate() so that
subclasses can benefit from its knowledge.
- Drop setting unknown facts to 'NA' in __init__() in various
subclasses.
- Check for presence of facts in get_virtual_facts()
- Update ansible_facts() to use facts.update(<classname>().populate())
This changes and organizes facts into a base class Facts and several
sub classes that implement the necessary functionality. The classes
are:
- Facts: base class. Implements basic facts that should be common to a
number of platforms. It is also where SSH keys and SELinux facts are
set.
- Hardware: A subclass of Facts that should be further
subclassed per platform for CPU, memory, and related facts.
- LinuxHardware: subclass of Hardware for Linux platforms
- SunOSHardware: subclass of Hardware for SunOS platforms
- FreeBSDHardware: subclass of Hardware for FreeBSD
- Network: A subclass of Facts that that should be further
subclassed per platform for IP, both IPv4 and IPv6, information.
- LinuxNetwork: Currently only implementation for determining network
facts.
- Virtual: A subclass of Facts that that should be further
subclassed per platform to determine virtual environment facts.
- LinuxVirtual: Currently only implementation for determining virtual
facts.
If facts are needed for additional platforms, one of the above classes
(eg Network) can be further subclassed and implement the necessary
functionality.
In addition, it fixes get_network_facts() to work on Fedora17. That
broke due to changes to ifconfig output.
should be a huge reduction of total ansible source, at a slight cost of difficulty in original module development.
We need to apply this now to all modules, but may need to have some exemptions to things like command, which should
subclass this module.
The service module was printing stuff to stderr, returning two
JSON dicts, not using consistent 'failed' values, had dead code
and unused variables. Added detection for the case when service
status returns 'xxx is dead and pid file exists' and made the
code a bit easier to read.
(Also a fix for the user module error handling when the user
is not present at the time of the return. This can only really be caused by multiple ansible executions).
Takes a lot of the fixes to the user module and applies them to the
group module: provide stdout/stderr in result if available and call
fail_json() if the attempted action fails.
The user module now returns the output, both stdout and stderr, from
useradd, usermod, and userdel. This should help debug cases why one of
those commands fail. In addition, the user module will now call
fail_json() when the attempted command failed so as to properly
communicate a failure in a playbook.