Error: No file was found when using first_found on Ubuntu 20.04

[jramnani]

Description

I recently upgraded my Ansible from 3.x to 7.5 and ran my playbook against one of my web servers and got the following error:

TASK [devsec.hardening.os_hardening : Fetch OS dependent variables] ****************************************************************************************
fatal: [prod-web-02]: FAILED! => {"msg": "No file was found when using first_found."}

I looked in my requirements.yml file and noticed that I was also running an old version of devsec.hardening, so I upgraded to the latest version, 8.8.

However, after upgrading to 8.8 I got the same error.

When I downgraded the collection, devsec.hardening, to 8.6 it started working again.

Not sure what happened between 8.6 and 8.8 but there might be a regression.

Reproduction steps

---
- hosts: prod
  become: yes
  become_user: root
  roles:
    - devsec.hardening.os_hardening

Current Behavior

TASK [devsec.hardening.os_hardening : Fetch OS dependent variables] ****************************************************************************************
fatal: [prod-web-02]: FAILED! => {"msg": "No file was found when using first_found."}

Expected Behavior

The role applies to the server without error.

OS / Environment

Provide all relevant information below, e.g. target OS versions, network device firmware, etc.

Target OS: Ubuntu 20.04
Ansible Host: macOS 13.3.1 (Ventura)

Ansible Version

ansible [core 2.14.5]
  config file = $HOME/src/my-playbooks/ansible.cfg
  configured module search path = ['$HOME/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = $HOME/.local/share/virtualenvs/my-playbooks/lib/python3.11/site-packages/ansible
  ansible collection location = $HOME/.ansible/collections:/usr/share/ansible/collections
  executable location = $HOME/.local/share/virtualenvs/my-playbooks/bin/ansible
  python version = 3.11.3 (main, Apr  7 2023, 19:25:52) [Clang 14.0.0 (clang-1400.0.29.202)] ($HOME/.local/share/virtualenvs/my-playbooks/bin/python)
  jinja version = 3.1.2
  libyaml = True

Collection Version

collections:
  - name: ansible.posix
    version: 1.1.1
  - name: community.docker
    version: 2.7.0
  - name: community.general
    version: 3.2.0
  - name: containers.podman
    version: 1.9.4
  - name: devsec.hardening
    version: 8.8.0
  - name: nginxinc.nginx_core
    version: 0.3.0

Additional information

I added some debug tasks to my playbook to see what the variables were set to for the var file loading logic in hardening.yml.

Here is the playbook I used to test:

- hosts: prod
  become: yes
  become_user: root

  pre_tasks:
    - debug:
        var:
          ansible_facts.distribution
    - debug:
        var:
          ansible_facts.distribution_major_version
    - debug:
        var: ansible_facts.os_family

  roles:
    - devsec.hardening.os_hardening

And here is the relevant output:

TASK [Gathering Facts] *************************************************************************************************************************************
ok: [prod-web-02]

TASK [debug] ***********************************************************************************************************************************************
ok: [prod-web-02] => {
    "ansible_facts.distribution": "Ubuntu"
}

TASK [debug] ***********************************************************************************************************************************************
ok: [prod-web-02] => {
    "ansible_facts.distribution_major_version": "20"
}

TASK [debug] ***********************************************************************************************************************************************
ok: [prod-web-02] => {
    "ansible_facts.os_family": "Debian"
}

[rndmh3ro]

I have no idea what the problem is..

Can you check if the same happens on the ssh_hardening role?

[jramnani]

I can report that it does not happen with the ssh_hardening role.

Doing some more debugging on my end, this is triggered when I try to limit my play to specific tags that do not include the os_hardening role. For example:

ansible-playbook my-playbook.yml --limit prod-web-02 --ask-become-pass --tags backup

# my-playbook.yml
- hosts: prod
  become: yes
  become_user: root
  roles:
    - devsec.os_hardening
    - devsec.ssh_hardening
  tags:
    - common
    - hardening

- hosts: prod-web-02
   become: yes
   become_user: root
    roles:
      - backup

I use the following pattern in my roles so I can more easily use tags to limit my plays. This is useful when I'm iterating on developing a specific role:

# roles/backup/tasks/main.yml
---
- include: "backup.yml"
  tags:
    - backup

# roles/backup/tasks/backup.yml
---
- name: This is where all the backup tasks are
  package:
    name: hello
    state: present

So when I limit my play to just tasks tagged with,backup, is when the error gets triggered.

TASK [devsec.hardening.os_hardening : Include hardening tasks] *********************************************************************************************
included: $HOME/.ansible/collections/ansible_collections/devsec/hardening/roles/os_hardening/tasks/hardening.yml for prod-web-02

TASK [devsec.hardening.os_hardening : Fetch OS dependent variables] ****************************************************************************************
fatal: [prod-web-02]: FAILED! => {"msg": "No file was found when using first_found."}

[jramnani]

I can get a successful run by adding --skip-tags hardening to my ansbile-playbook invocation when I want to focus on running with --tags backup.

Since I have a successful workaround I'll close this ticket, also since it seems to be something on my end with my setup.

If I figure out what the root cause is, and there is a fix that might save other user's time, I'll open a new ticket with better information and possibly a PR.

Apologies for the inconvenience or if this ticket lost some of your time.

[rndmh3ro]

Glad you worked it out and if you find something to improve, we'd be glad to hear it!

[sulphur]

I had the same issue. Some machines fails during TASK [devsec.hardening.os_hardening : Fetch OS dependent variables] while using --tags.
It is linked to the gather_facts as I noticed that only hosts who fail are those form whom gather_facts wasn't triggered ealier on.

[schurzi]

This error is caused by Ansible not implicitly gathering facts, when tags are used (ansible/ansible#57529 (comment)) in combination with us having tags: [always] in our os_hardening role (#569)

@rndmh3ro we could add an explicit setup step in our roles, if the facts have not been gathered implicitly. What do you think?