pam_limits: check mode creates empty file

[urmarkvall]

Summary

If dest is set and the destination file does not exist, running pam_limits in check mode creates it.

Issue Type

Bug Report

Component Name

pam_limits

Ansible Version

ansible [core 2.16.4]
  config file = /Users/mpv/.ansible.cfg
  configured module search path = ['/Users/mpv/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/Cellar/ansible/9.3.0/libexec/lib/python3.12/site-packages/ansible
  ansible collection location = /Users/mpv/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.12.2 (main, Feb  6 2024, 20:19:44) [Clang 15.0.0 (clang-1500.1.0.2.5)] (/usr/local/Cellar/ansible/9.3.0/libexec/bin/python)
  jinja version = 3.1.3
  libyaml = True

Community.general Version

$ ansible-galaxy collection list community.general

# /Users/mpv/.ansible/collections/ansible_collections
Collection        Version
----------------- -------
community.general 7.0.1  

# /usr/local/Cellar/ansible/9.3.0/libexec/lib/python3.12/site-packages/ansible_collections
Collection        Version
----------------- -------
community.general 8.4.0  

Configuration

$ ansible-config dump --only-changed
CACHE_PLUGIN(/Users/mpv/.ansible.cfg) = jsonfile
CACHE_PLUGIN_CONNECTION(/Users/mpv/.ansible.cfg) = ~/.ansible/cache/fact
COLOR_ERROR(/Users/mpv/.ansible.cfg) = bright red
CONFIG_FILE() = /Users/mpv/.ansible.cfg
DEFAULT_HOST_LIST(env: ANSIBLE_INVENTORY) = ['/Users/mpv/sysop/ansible/inventory/devlabs']
DEFAULT_STDOUT_CALLBACK(/Users/mpv/.ansible.cfg) = yaml
DEFAULT_VAULT_PASSWORD_FILE(/Users/mpv/.ansible.cfg) = /Users/mpv/bin/av-client
DEPRECATION_WARNINGS(/Users/mpv/.ansible.cfg) = False
DISPLAY_SKIPPED_HOSTS(/Users/mpv/.ansible.cfg) = False
EDITOR(env: EDITOR) = vim
INTERPRETER_PYTHON(/Users/mpv/.ansible.cfg) = auto_silent
PLAYBOOK_DIR(env: ANSIBLE_PLAYBOOK_DIR) = /Users/mpv/sysop/ansible/playbooks

OS / Environment

Target hosts Oracle Linux 7-9.

Steps to Reproduce

- hosts: mytesthost

  tasks:

  - name: set limit
    become: true

    community.general.pam_limits:
      domain: checkmode
      limit_item: nproc
      limit_type: soft
      value: 1024
      dest: /etc/security/limits.d/checkmode.conf

    check_mode: true

$ ansible-playbook pam_limit.yml 

PLAY [mytesthost] ***************************************************************************

TASK [Gathering Facts] *****************************************************************************
ok: [mytesthost]

TASK [set limit] ***********************************************************************************
changed: [mytesthost]

PLAY RECAP *****************************************************************************************
mytesthost                      : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

Expected Results

Playbook will report what it would do without actually doing anything.

Actual Results

Playbook creates an empty configuration file on host:

mytesthost:~ $ ls -l /etc/security/limits.d/checkmode.conf
-rw-r--r--. 1 root root 0 Mar  1 10:02 /etc/security/limits.d/checkmode.conf

Code of Conduct

• I agree to follow the Ansible Code of Conduct

[ansibullbot]

Files identified in the description:

• plugins/modules/pam_limits.py

If these files are incorrect, please update the component name section of the description or use the !component bot command.

click here for bot help

[ansibullbot]

cc @giovannisciortino
click here for bot help

[felixfontein]

This is caused by https://github.com/ansible-collections/community.general/blob/main/plugins/modules/pam_limits.py#L211, which is run also in check mode.

[felixfontein]

#8057 should fix this.