feat: add role fingerprints to syslog #125

Merged
richm merged 1 commit into linux-system-roles:main from richm:fingerprint
Apr 24, 2026
@richm richm commented Apr 24, 2026

Feature: Add a fingerprint string to the system log to indicate when the role began
successfully, and when the role finished successfully. The fingerprint string indicates
the role name, a timestamp, and the platform.

Reason: Users can see when the role was used and if it was used successfully. This
information from the system log can be collected by log scanners and aggregators
for further analysis.

Result: The role logs fingerprints to the system log.

This also adds a test to check if the fingerprints were written upon a successful
role invocation.

Signed-off-by: Rich Megginson <rmeggins@redhat.com>

Summary by Sourcery

Add syslog fingerprinting for the keylime_server role and verify it via journal inspection in tests.

New Features:

  • Introduce an sr_fingerprint Ansible module to write timestamped fingerprint messages to syslog.
  • Emit begin and success fingerprint messages from the keylime_server role including role name, Ansible version, and platform information.

Tests:

  • Extend the default role test to verify that begin and success fingerprint messages are written to the system journal when /dev/log is available.

Chores:

  • Add Ansible sanity ignore files for multiple Ansible versions and link the role library directory for tests.

@richm richm requested a review from spetrosi as a code owner April 24, 2026 17:32

sourcery-ai Bot commented Apr 24, 2026

Reviewer's Guide

Adds a custom Ansible module to emit role fingerprint messages to syslog and wires it into the keylime_server role, along with a journal-based integration test and necessary sanity ignore configuration.

Sequence diagram for sr_fingerprint module logging to syslog

sequenceDiagram
    actor Operator
    participant AnsiblePlay
    participant AnsibleEngine
    participant SrFingerprintModule
    participant Syslog

    Operator->>AnsiblePlay: Run keylime_server role
    AnsiblePlay->>AnsibleEngine: Execute task sr_fingerprint
    AnsibleEngine->>SrFingerprintModule: Invoke with sr_message

    SrFingerprintModule->>SrFingerprintModule: _local_iso8601_no_microseconds()
    alt check_mode is true
        SrFingerprintModule-->>AnsibleEngine: exit_json(changed=false, message)
        AnsibleEngine-->>AnsiblePlay: Task ok (no syslog write)
    else check_mode is false
        SrFingerprintModule->>Syslog: module.log(sr_message + timestamp)
        SrFingerprintModule-->>AnsibleEngine: exit_json(changed=false)
        AnsibleEngine-->>AnsiblePlay: Task ok (fingerprint logged)
    end

    AnsiblePlay-->>Operator: Role run summary with fingerprints in syslog

Class diagram for sr_fingerprint Ansible module

classDiagram
    class SrFingerprintModule {
        - sr_message str
        + run_module()
        + _local_iso8601_no_microseconds() str
        + main()
    }

    class AnsibleModule {
        + params dict
        + check_mode bool
        + log(message str) void
        + exit_json(changed bool, message str)
    }

    class datetime_module {
        + datetime
        + timezone
    }

    class time_module {
        + strftime(format str, t) str
        + localtime() struct_time
    }

    SrFingerprintModule --> AnsibleModule : uses
    SrFingerprintModule --> datetime_module : uses
    SrFingerprintModule --> time_module : fallback uses

Flow diagram for keylime_server role fingerprints

flowchart TD
    A[Start keylime_server role] --> B[Task set_vars.yml]
    B --> C[Record role begin fingerprint using sr_fingerprint]
    C --> D[Other role tasks]
    D -->|All tasks succeed| E[Record role success fingerprint using sr_fingerprint]
    D -->|Any task fails| F[Role failure - success fingerprint not written]
    E --> G[End role]
    F --> G

File-Level Changes

Change: Introduce sr_fingerprint Ansible module to log fingerprint messages to syslog without reporting configuration changes.
Details:
  • Create library/sr_fingerprint.py implementing an AnsibleModule with required sr_message parameter.
  • Format log messages as the provided fingerprint text plus a local ISO-8601 timestamp without microseconds.
  • Support check_mode by skipping logging and returning a descriptive message while always reporting changed=False.
  • Use module.log() to emit to syslog and always exit with changed=False to avoid noisy diffs.
Files:
  • library/sr_fingerprint.py

Change: Emit begin/success fingerprints from the keylime_server role using the new module.
Details:
  • Record a 'begin' fingerprint at variable setup time, including role name, Ansible version, and OS distribution/version.
  • Record a 'success' fingerprint at the end of the main task flow with the same contextual information.
  • Ensure fingerprints are emitted only as log entries and do not affect idempotency reporting.
Files:
  • tasks/set_vars.yml
  • tasks/main.yml

Change: Add an integration test that validates fingerprints are written to the system journal when syslog is available.
Details:
  • Detect presence of /dev/log and skip fingerprint checks when absent.
  • Capture a journal start timestamp before running the role to bound the journalctl query.
  • Use journalctl piped through grep to assert that both 'begin' and 'success' fingerprints for system_role:keylime_server exist while filtering out generic 'Invoked with' noise.
  • Mark the shell check as not changing state and conditionally run it only when syslog is available.
Files:
  • tests/tests_default.yml

Change: Adjust testing/sanity config to account for the new custom module layout.
Details:
  • Add sanity ignore files for multiple Ansible versions to avoid sanity issues with the custom module and/or layout.
  • Create tests/roles/linux-system-roles.keylime_server/library directory to satisfy Ansible test harness expectations for role-local modules.
Files:
  • .sanity-ansible-ignore-2.14.txt
  • .sanity-ansible-ignore-2.16.txt
  • .sanity-ansible-ignore-2.17.txt
  • .sanity-ansible-ignore-2.18.txt
  • .sanity-ansible-ignore-2.19.txt
  • .sanity-ansible-ignore-2.20.txt
  • .sanity-ansible-ignore-2.21.txt
  • .sanity-ansible-ignore-2.22.txt
  • tests/roles/linux-system-roles.keylime_server/library


@sourcery-ai sourcery-ai Bot left a comment

Hey - I've left some high level feedback:

  • The journalctl shell task in tests_default.yml is fairly brittle (stringly grep, repeated journalctl calls, hard-coded role name); consider factoring this into a small script or using more targeted filters/regex to reduce false positives and make it easier to adapt if the fingerprint format changes.
  • The sr_fingerprint messages embed ansible_facts['distribution'] and ['distribution_version'], which can contain spaces or unexpected characters; consider normalizing or quoting these values so log scanners can reliably parse the fingerprint.
  • The _local_iso8601_no_microseconds helper partly reimplements existing time handling; if possible, reuse Ansible’s existing time utilities or a single code path (e.g., always via astimezone() with a clear fallback) to simplify the function and avoid subtle timezone/locale differences across environments.

@richm
Contributor Author

richm commented Apr 24, 2026

[citest]

@richm richm merged commit 19fbb7f into linux-system-roles:main Apr 24, 2026
39 checks passed
@richm richm deleted the fingerprint branch April 24, 2026 23:28
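
Added example, not part of the pull request or the role's code: a log-scanner sketch that pairs begin and success fingerprints to list role runs that began but never logged success, skipping the "Invoked with" noise the test filters out. The line layout, the syslog tag, the sample lines and the function names are assumptions; only the tokens begin, success and system_role:keylime_server and the trailing timestamp come from the discussion above.

```python
import re
from datetime import datetime

# "begin"/"success" and "system_role:<name>" come from the PR text; their
# order and every other field in the message are assumptions of this example.
ROLE = re.compile(r"\bsystem_role:([\w.-]+)")
STATE = re.compile(r"\b(begin|success)\b")
# Trailing local ISO-8601 stamp without microseconds, offset +hh:mm or +hhmm.
STAMP = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:?\d{2})\s*$")

# Constructed journalctl-style lines (hypothetical host, pids and versions).
SAMPLE = [
    "Apr 24 17:40:01 host1 ansible-sr_fingerprint[1201]: Invoked with sr_message=begin system_role:keylime_server",
    "Apr 24 17:40:01 host1 ansible-sr_fingerprint[1201]: begin system_role:keylime_server ansible 2.16.3 CentOS Stream 9 2026-04-24T17:40:01+00:00",
    "Apr 24 17:41:30 host1 ansible-sr_fingerprint[1302]: success system_role:keylime_server ansible 2.16.3 CentOS Stream 9 2026-04-24T17:41:30+00:00",
    "Apr 24 18:05:10 host1 ansible-sr_fingerprint[1410]: begin system_role:keylime_server ansible 2.16.3 CentOS Stream 9 2026-04-24T18:05:10+0000",
    "Apr 24 18:06:00 host1 sshd[1500]: Accepted publickey for admin",
]


def parse_fingerprint(line):
    """Return (state, role, datetime) for a fingerprint line, else None."""
    message = line.partition(": ")[2]  # drop the "date host tag[pid]: " prefix
    if "Invoked with" in message:      # generic module-invocation log entry
        return None
    role, stamp = ROLE.search(message), STAMP.search(message)
    state = STATE.search(message[:stamp.start()]) if stamp else None
    if not (role and stamp and state):
        return None
    when = datetime.strptime(stamp.group(1), "%Y-%m-%dT%H:%M:%S%z")
    return state.group(1), role.group(1), when


def unfinished_runs(lines):
    """Return [(role, begin_time)] for begins with no success before the next begin."""
    open_runs, unfinished = {}, []
    for line in lines:
        parsed = parse_fingerprint(line)
        if parsed is None:
            continue
        state, role, when = parsed
        if state == "begin":
            if role in open_runs:      # previous run never reached success
                unfinished.append((role, open_runs[role]))
            open_runs[role] = when
        else:
            open_runs.pop(role, None)  # success closes the open run, if any
    unfinished.extend(sorted(open_runs.items()))
    return unfinished
```

Everything between the role token and the timestamp is treated as opaque text, so a distribution name containing spaces does not break the match.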