feat: add role fingerprints to syslog

[richm]

Feature: Add a fingerprint string to the system log to indicate when the role began
successfully, and when the role finished successfully. The fingerprint string indicates
the role name, a timestamp, and the platform.

Reason: Users can see when the role was used and if it was used successfully. This
information from the system log can be collected by log scanners and aggregators
for further analysis.

Result: The role logs fingerprints to the system log.

This also adds a test to check if the fingerprints were written upon a successful
role invocation.

Signed-off-by: Rich Megginson rmeggins@redhat.com

Summary by Sourcery

Add syslog fingerprinting for the nbde_server role and verify it via journal-based tests.

New Features:

• Introduce an sr_fingerprint Ansible module to write timestamped fingerprint messages to syslog.
• Record begin and success fingerprint messages for the nbde_server system role including role name, Ansible version, and platform metadata.

Tests:

• Extend default role tests to capture a start time and verify that expected begin and success fingerprints appear in the system journal when syslog is available.

Chores:

• Update Ansible sanity ignore configuration files to accommodate the new sr_fingerprint module across supported Ansible versions.

[sourcery-ai]

Reviewer's Guide

Adds a new Ansible module sr_fingerprint to log role lifecycle fingerprints to syslog and wires it into the nbde_server role, along with a test that validates begin/success fingerprints via journalctl when syslog is available.

Sequence diagram for role fingerprint logging to syslog

sequenceDiagram
    actor Admin
    participant AnsibleController
    participant Role_nbde_server
    participant Module_sr_fingerprint
    participant SyslogService

    Admin->>AnsibleController: Run playbook using nbde_server role
    AnsibleController->>Role_nbde_server: Execute tasks/set_vars.yml
    Role_nbde_server->>Module_sr_fingerprint: Task Record_role_begin_fingerprint
    Module_sr_fingerprint->>Module_sr_fingerprint: _local_iso8601_no_microseconds
    alt check_mode_enabled
        Module_sr_fingerprint-->>Role_nbde_server: exit_json changed=false message=Check_mode_message
    else normal_mode
        Module_sr_fingerprint->>SyslogService: module.log(sr_message + timestamp)
        Module_sr_fingerprint-->>Role_nbde_server: exit_json changed=false
    end

    AnsibleController->>Role_nbde_server: Execute provider specific tasks main_nbde_server_provider.yml

    AnsibleController->>Role_nbde_server: Execute tasks/main.yml
    Role_nbde_server->>Module_sr_fingerprint: Task Record_role_success_fingerprint
    Module_sr_fingerprint->>Module_sr_fingerprint: _local_iso8601_no_microseconds
    alt check_mode_enabled
        Module_sr_fingerprint-->>Role_nbde_server: exit_json changed=false message=Check_mode_message
    else normal_mode
        Module_sr_fingerprint->>SyslogService: module.log(sr_message + timestamp)
        Module_sr_fingerprint-->>Role_nbde_server: exit_json changed=false
    end

    Role_nbde_server-->>AnsibleController: Role execution finished
    AnsibleController-->>Admin: Report role completed successfully

Loading

Class diagram for the new sr_fingerprint Ansible module

classDiagram
    class Module_sr_fingerprint {
        +run_module()
        +main()
        +_local_iso8601_no_microseconds() str
    }

    class AnsibleModule {
        +dict params
        +bool check_mode
        +log(message)
        +exit_json(changed, message)
    }

    class datetime {
        +datetime now()
        +timezone utc
    }

    class time_module {
        +str strftime(format, tuple)
        +tuple localtime()
    }

    Module_sr_fingerprint ..> AnsibleModule : uses
    Module_sr_fingerprint ..> datetime : uses
    Module_sr_fingerprint ..> time_module : fallback_implementation

    Module_sr_fingerprint : run_module()
    Module_sr_fingerprint : main()
    Module_sr_fingerprint : _local_iso8601_no_microseconds()

    AnsibleModule : params
    AnsibleModule : check_mode
    AnsibleModule : log(message)
    AnsibleModule : exit_json(changed, message)

Loading

Flow diagram for nbde_server role with begin and success fingerprints

flowchart TD
    Start[Start nbde_server role] --> GatherFacts[Gather required ansible_facts]
    GatherFacts --> CheckMissingFacts{Missing required facts?}
    CheckMissingFacts -->|Yes| LoadFacts[Load missing facts]
    CheckMissingFacts -->|No| AfterFacts[Facts ready]
    LoadFacts --> AfterFacts

    AfterFacts --> BeginFingerprint[Call sr_fingerprint with begin system_role_nbde_server]
    BeginFingerprint --> CheckModeBegin{Ansible check mode?}
    CheckModeBegin -->|Yes| SkipLogBegin[Skip syslog write, exit_json changed=false]
    CheckModeBegin -->|No| LogBegin[Write begin fingerprint to syslog via module.log]
    SkipLogBegin --> ProviderTasks
    LogBegin --> ProviderTasks[Include provider tasks main_nbde_server_provider.yml]

    ProviderTasks --> SuccessFingerprint[Call sr_fingerprint with success system_role_nbde_server]
    SuccessFingerprint --> CheckModeSuccess{Ansible check mode?}
    CheckModeSuccess -->|Yes| SkipLogSuccess[Skip syslog write, exit_json changed=false]
    CheckModeSuccess -->|No| LogSuccess[Write success fingerprint to syslog via module.log]

    SkipLogSuccess --> End[End nbde_server role]
    LogSuccess --> End

Loading

File-Level Changes

Change	Details	Files
Introduce sr_fingerprint Ansible module to log timestamped fingerprint messages to syslog without reporting changes.	Create custom module that accepts a required sr_message string parameter. Generate an ISO-8601 local timestamp without microseconds via helper function for broad Python compatibility. Compose log message from sr_message and timestamp and write it using module.log. Respect check mode by not logging and returning a descriptive message. Ensure module always exits with changed=False so fingerprint logging is non-intrusive to idempotency.	library/sr_fingerprint.py
Emit role begin and success fingerprint messages from the nbde_server role using the new module.	Add a begin fingerprint task early in set_vars to record role start with role name, Ansible version, distribution, and version. Add a success fingerprint task at the end of main task file to record successful completion with the same metadata. Use consistent sr_message format: 'begin/success system_role:nbde_server ansible_version= -<distro_version>'.	tasks/set_vars.yml tasks/main.yml
Extend default tests to verify fingerprint messages are written to the system journal when syslog is present.	Check for existence of /dev/log and skip fingerprint assertions if missing. Capture the current date/time fact before running the role to bound the journal search window. After running the role, use journalctl from the captured start time and grep to assert begin and success fingerprint log entries, filtering out 'Invoked with' noise. Mark the shell-based verification task as not changing Ansible state.	tests/tests_default.yml
Update Ansible sanity ignore lists for multiple Ansible versions (likely to accommodate the new custom module).	Modify per-version .sanity-ansible-ignore files to adjust or extend ignored sanity issues related to the new module.	.sanity-ansible-ignore-2.9.txt .sanity-ansible-ignore-2.10.txt .sanity-ansible-ignore-2.11.txt .sanity-ansible-ignore-2.12.txt .sanity-ansible-ignore-2.13.txt .sanity-ansible-ignore-2.14.txt .sanity-ansible-ignore-2.15.txt .sanity-ansible-ignore-2.16.txt .sanity-ansible-ignore-2.17.txt .sanity-ansible-ignore-2.18.txt .sanity-ansible-ignore-2.19.txt .sanity-ansible-ignore-2.20.txt .sanity-ansible-ignore-2.21.txt .sanity-ansible-ignore-2.22.txt

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[richm]

[citest]

[sourcery-ai]

Hey - I've left some high level feedback:

• The journal-based test assumes both /dev/log and journalctl are available; consider adding an explicit guard for journalctl’s presence (e.g., a journalctl --version probe with failed_when: false) so the test cleanly skips or degrades on non-systemd or minimal environments.
• In the sr_fingerprint module, it could be useful to return the constructed log message (and timestamp) in exit_json (e.g., logged_message/logged_at) so callers and tests can introspect what was emitted without having to rely solely on external log inspection.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The journal-based test assumes both /dev/log and journalctl are available; consider adding an explicit guard for journalctl’s presence (e.g., a `journalctl --version` probe with `failed_when: false`) so the test cleanly skips or degrades on non-systemd or minimal environments.
- In the `sr_fingerprint` module, it could be useful to return the constructed log message (and timestamp) in `exit_json` (e.g., `logged_message`/`logged_at`) so callers and tests can introspect what was emitted without having to rely solely on external log inspection.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}