feat: add role fingerprints to syslog

[richm]

Feature: Add a fingerprint string to the system log to indicate when the role began
successfully, and when the role finished successfully. The fingerprint string indicates
the role name, a timestamp, and the platform.

Reason: Users can see when the role was used and if it was used successfully. This
information from the system log can be collected by log scanners and aggregators
for further analysis.

Result: The role logs fingerprints to the system log.

This also adds a test to check if the fingerprints were written upon a successful
role invocation.

Signed-off-by: Rich Megginson rmeggins@redhat.com

Summary by Sourcery

Add syslog fingerprinting for the network system role and verify it via tests.

New Features:

• Introduce an sr_fingerprint Ansible module to write timestamped fingerprint messages to syslog for diagnostic use.
• Emit begin and success fingerprint messages from the network role including Ansible version and distribution information.

Tests:

• Extend the default role test playbook to capture a journal start time and assert that the expected begin and success fingerprint messages are written to the system journal.

[sourcery-ai]

Reviewer's Guide

Adds a new sr_fingerprint Ansible module to emit timestamped role fingerprints to syslog, integrates it at role begin and success points in the network role, and introduces a journalctl-based test that validates the fingerprints are written when syslog is available, along with associated sanity-ignore updates.

Sequence diagram for role fingerprints being written to syslog

sequenceDiagram
    actor Admin
    participant AnsibleController
    participant NetworkRole
    participant SrFingerprintModule
    participant Syslog

    Admin->>AnsibleController: Run playbook using network role
    AnsibleController->>NetworkRole: Execute tasks

    rect rgb(235, 245, 255)
        NetworkRole->>SrFingerprintModule: Record role begin fingerprint
        SrFingerprintModule->>SrFingerprintModule: _local_iso8601_no_microseconds
        alt check_mode enabled
            SrFingerprintModule-->>AnsibleController: exit_json changed=False, message (not logged)
        else normal execution
            SrFingerprintModule->>Syslog: module.log(begin fingerprint + timestamp)
            SrFingerprintModule-->>AnsibleController: exit_json changed=False
        end
    end

    AnsibleController->>NetworkRole: Continue network configuration tasks
    NetworkRole->>NetworkRole: Configure network, re-test connectivity

    rect rgb(235, 245, 255)
        NetworkRole->>SrFingerprintModule: Record role success fingerprint
        SrFingerprintModule->>SrFingerprintModule: _local_iso8601_no_microseconds
        alt check_mode enabled
            SrFingerprintModule-->>AnsibleController: exit_json changed=False, message (not logged)
        else normal execution
            SrFingerprintModule->>Syslog: module.log(success fingerprint + timestamp)
            SrFingerprintModule-->>AnsibleController: exit_json changed=False
        end
    end

    Syslog-->>Admin: Fingerprint entries visible via journalctl or log aggregator

Loading

Class diagram for the new sr_fingerprint Ansible module

classDiagram
    class SrFingerprintModule {
        +_local_iso8601_no_microseconds() str
        +run_module() void
        +main() void
    }

    class AnsibleModule {
        +params dict
        +check_mode bool
        +log(message str) void
        +exit_json(changed bool, message str) void
    }

    class DatetimeModule {
        +datetime
        +timezone
    }

    class TimeModule {
        +strftime(format str, t) str
        +localtime() tuple
    }

    SrFingerprintModule ..> AnsibleModule : uses
    SrFingerprintModule ..> DatetimeModule : uses
    SrFingerprintModule ..> TimeModule : fallback uses

    SrFingerprintModule : +_local_iso8601_no_microseconds() str
    SrFingerprintModule : +run_module() void
    SrFingerprintModule : +main() void

Loading

File-Level Changes

Change	Details	Files
Introduce a reusable Ansible module to log fingerprint messages to syslog with a local ISO-8601 timestamp and support check mode without reporting changes.	Add new custom module sr_fingerprint.py implementing an sr_message parameter and using AnsibleModule Generate a local wall-clock ISO-8601 timestamp without microseconds, with graceful fallback for older Python versions Construct a combined fingerprint log message from the provided text and timestamp and send it to syslog using module.log Ensure the module supports check mode by not writing logs and always reports changed=False to avoid marking role runs as changed	library/sr_fingerprint.py
Emit begin and success fingerprints from the network role using the new module, including Ansible version and platform information.	Call sr_fingerprint near the start of the role to record a begin system_role:network message including ansible_version and distribution-distribution_version Call sr_fingerprint at the end of the main task flow to record a success system_role:network message with the same metadata Keep these calls logically placed so they bracket the main role execution without affecting idempotency or change reporting	tasks/set_facts.yml tasks/main.yml
Add an integration-style test that validates role fingerprints appear in the system journal when syslog is present, while avoiding false positives from Ansible’s own logging.	Check for existence of /dev/log and conditionally run fingerprint verification only when syslog is available Capture the current date_time facts before role execution to use as the starting point for journalctl queries After running the role, invoke journalctl from the captured start time and grep for sr_fingerprint begin and success messages for system_role:network, filtering out lines containing 'Invoked with' Mark the shell-based verification task as not changed and fail with explicit error messages if fingerprints are missing	tests/tests_default.yml
Update Ansible sanity ignore lists to accommodate the new custom module across supported Ansible versions.	Modify multiple .sanity-ansible-ignore-* versioned files to ignore issues related to the new sr_fingerprint module as needed	.sanity-ansible-ignore-2.9.txt .sanity-ansible-ignore-2.11.txt .sanity-ansible-ignore-2.12.txt .sanity-ansible-ignore-2.13.txt .sanity-ansible-ignore-2.14.txt .sanity-ansible-ignore-2.15.txt .sanity-ansible-ignore-2.16.txt .sanity-ansible-ignore-2.17.txt .sanity-ansible-ignore-2.18.txt .sanity-ansible-ignore-2.19.txt .sanity-ansible-ignore-2.20.txt .sanity-ansible-ignore-2.21.txt .sanity-ansible-ignore-2.22.txt

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've left some high level feedback:

• The role name string system_role:network is hard-coded in multiple places (fingerprint tasks and tests); consider centralizing it in a variable to avoid divergence if the role name ever changes.
• The sr_fingerprint module’s _local_iso8601_no_microseconds helper calls datetime.datetime.now() twice; you can reuse the initial now object to avoid redundant system calls and keep the logic simpler.
• The journal check shell command chains grep and custom error messages; you might want to factor this into a small helper script or a command template variable to make it easier to maintain and less fragile if the grep patterns need to evolve.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The role name string `system_role:network` is hard-coded in multiple places (fingerprint tasks and tests); consider centralizing it in a variable to avoid divergence if the role name ever changes.
- The `sr_fingerprint` module’s `_local_iso8601_no_microseconds` helper calls `datetime.datetime.now()` twice; you can reuse the initial `now` object to avoid redundant system calls and keep the logic simpler.
- The journal check shell command chains `grep` and custom error messages; you might want to factor this into a small helper script or a command template variable to make it easier to maintain and less fragile if the grep patterns need to evolve.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[codecov]

Codecov Report

❌ Patch coverage is 0% with 33 lines in your changes missing coverage. Please review.
✅ Project coverage is 42.71%. Comparing base (1b57520) to head (cd8d0de).
⚠️ Report is 87 commits behind head on main.

Files with missing lines	Patch %	Lines
library/sr_fingerprint.py	0.00%	33 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #861      +/-   ##
==========================================
- Coverage   43.11%   42.71%   -0.41%     
==========================================
  Files          12       13       +1     
  Lines        3124     3158      +34     
==========================================
+ Hits         1347     1349       +2     
- Misses       1777     1809      +32     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[richm]

[citest]