unfortunate reload/restart handling

[kbucheli]

Little Visibility that Reload/Restart is Needed

Actual Behaviour

When vault_service_restart and/or vault_service_reload are disabled, then it is very hidden in the output that a reload/restart is required after:

TASK [vault : Vault SSL Certificate and Key] *************************************************************************
changed: [vault01.test.com] => (item={'src': 'tls/vault01.test.com.crt.pem', 'dest': '/etc/vault/tls/vault01.test.com.crt.pem', 'mode': '0644'})
...
RUNNING HANDLER [vault : Restart vault] ******************************************************************************
skipping: [vault01.test.com]

RUNNING HANDLER [vault : Reload vault] *******************************************************************************
skipping: [vault01.test.com]
...
PLAY RECAP ***********************************************************************************************************
vault01.test.com        : ok=19   changed=1    unreachable=0    failed=0    skipped=57   rescued=0    ignored=0   

as there are rightly that many skips (irrelevant) the relevant skip gets not looked at and reported.

Expected Behaviour

It should report it as a rather visible warning. I guess the easiest impementation in Ansible would be an ignored error. It is an error as it was not allowed to bring the system into the desired state, still it has been ignored as the user wished so. But it would be way more visible than currently:

PLAY RECAP ***********************************************************************************************************
vault01.test.com        : ok=19   changed=1    unreachable=0    failed=0    skipped=55   rescued=0    ignored=2   

Double Reload/Restart

Actual Behaviour

no need to reload when there is a restart:

RUNNING HANDLER [vault : Restart vault] ******************************************************************************
changed: [vault01.test.com]

RUNNING HANDLER [vault : Reload vault] *******************************************************************************
changed: [vault01.test.com]

Note that both vault_service_restart and vault_service_reload are set true. The documentation does not state how they relate.

Expected Behaviour

It should only do the minimal required action to bring the system in the desired state.

If a reload is sufficient, it should only do a reload and not a restart, even when allowed, because the downtime is less and no need to unseal. The configuration should tell how far it can go (nothing, reload, restart), not what it actually does.

Versions

• ansible-vault role: current master branch (dddc74c)
• ansible 2.10.8
• OS: Ubuntu 21.10

[boldandbusted]

@kbucheli So, this does in no way really solves the root problem, but using a different Ansible output callback like unixy has made my Ansible life a bit more bearable, and help surface important messages.

[boldandbusted]

I'd also like to see a way to restart standbys first. Or restart or reload standbys only, leaving the leader in a cluster to be manually restarted. If you have forks=40 or other high concurrency settings in ansible.cfg, you can very easily cause a Vault service outage that wasn't really required.

However, it's probably more appropriate to have 'utility' playbooks that handle a 'low-impact reload/restart run' across a cluster.