feat: add role fingerprints to syslog #113

Merged
richm merged 1 commit into linux-system-roles:main from richm:fingerprint
Apr 27, 2026
@richm richm commented Apr 27, 2026

Feature: Add a fingerprint string to the system log to indicate when the role began
successfully, and when the role finished successfully. The fingerprint string indicates
the role name, a timestamp, and the platform.

Reason: Users can see when the role was used and if it was used successfully. This
information from the system log can be collected by log scanners and aggregators
for further analysis.

Result: The role logs fingerprints to the system log.

This also adds a test to check if the fingerprints were written upon a successful
role invocation.

Signed-off-by: Rich Megginson <rmeggins@redhat.com>

Summary by Sourcery

Introduce role fingerprint logging via a new Ansible module and validate its presence in system logs during test runs.

New Features:

  • Add an sr_fingerprint Ansible module to write structured fingerprint messages to syslog with timestamps.
  • Record begin and success fingerprint messages for the sudo system role, including Ansible version and platform metadata.

Enhancements:

  • Update the default test playbook to capture a start time and verify that role fingerprint messages appear in the system journal when syslog is available.
  • Add Ansible sanity ignore marker files for multiple supported Ansible versions.

Documentation:

  • Remove existing top-level README, role-specific READMEs, changelog, and contributing guide documentation files.

@richm richm requested a review from spetrosi as a code owner April 27, 2026 16:58
sourcery-ai Bot commented Apr 27, 2026

Reviewer's Guide

This PR introduces a new sr_fingerprint Ansible module that writes structured role "begin" and "success" fingerprints to syslog, wires it into the sudo system role, and adds a journal-based test that verifies the fingerprints are emitted when the role runs successfully, while also adjusting Ansible sanity ignores and removing several markdown documentation files from the collection.

Sequence diagram for sudo role fingerprints being written to syslog

sequenceDiagram
    actor Operator
    participant AnsibleController
    participant SudoRole
    participant sr_fingerprint
    participant Syslog

    Operator->>AnsibleController: Run sudo_system_role
    AnsibleController->>SudoRole: Execute tasks

    %% Begin fingerprint
    SudoRole->>sr_fingerprint: sr_message="begin system_role:sudo ..."
    activate sr_fingerprint
    sr_fingerprint->>sr_fingerprint: _local_iso8601_no_microseconds()
    sr_fingerprint->>Syslog: module.log("begin system_role:sudo ... <timestamp>")
    sr_fingerprint-->>SudoRole: exit_json(changed=False)
    deactivate sr_fingerprint

    SudoRole->>SudoRole: Configure sudo as usual

    %% Success fingerprint
    SudoRole->>sr_fingerprint: sr_message="success system_role:sudo ..."
    activate sr_fingerprint
    sr_fingerprint->>sr_fingerprint: _local_iso8601_no_microseconds()
    sr_fingerprint->>Syslog: module.log("success system_role:sudo ... <timestamp>")
    sr_fingerprint-->>SudoRole: exit_json(changed=False)
    deactivate sr_fingerprint

    SudoRole-->>AnsibleController: Role completed successfully
    AnsibleController-->>Operator: Report success and fingerprints available in syslog

Class diagram for the new sr_fingerprint Ansible module and its use in the sudo role

classDiagram
    class sr_fingerprint_module {
        +run_module()
        +main()
        +_local_iso8601_no_microseconds() str
    }

    class AnsibleModule {
        +log(message)
        +exit_json(changed, message)
    }

    class SudoRoleTasks {
        +task_Record_role_begin_fingerprint()
        +task_Record_role_success_fingerprint()
    }

    sr_fingerprint_module ..> AnsibleModule : uses
    SudoRoleTasks ..> sr_fingerprint_module : calls

    %% Details of run_module behavior
    class run_module_behavior {
        -sr_message str
        -log_message str
        +build_log_message(sr_message) str
        +handle_check_mode(sr_message)
        +write_to_syslog(log_message)
    }

    sr_fingerprint_module *-- run_module_behavior

File-Level Changes

Change: Introduce sr_fingerprint Ansible module to log fingerprint messages to syslog with a local ISO-8601 timestamp, and configure Ansible sanity ignores for it.
Details:
  • Add custom library/sr_fingerprint.py module that accepts a required sr_message parameter and logs it via module.log.
  • Implement helper to generate local-time ISO-8601 timestamps without microseconds, with a fallback for older Python versions.
  • Ensure module supports check mode without logging and always reports changed=False so fingerprints are not treated as changes.
  • Add .sanity-ansible-ignore-* files for multiple Ansible versions to exclude the custom module from certain sanity checks.
Files:
  • library/sr_fingerprint.py
  • .sanity-ansible-ignore-2.14.txt
  • .sanity-ansible-ignore-2.16.txt
  • .sanity-ansible-ignore-2.17.txt
  • .sanity-ansible-ignore-2.18.txt
  • .sanity-ansible-ignore-2.19.txt
  • .sanity-ansible-ignore-2.20.txt
  • .sanity-ansible-ignore-2.21.txt
  • .sanity-ansible-ignore-2.22.txt

Change: Emit role "begin" and "success" fingerprints from the sudo role using the new sr_fingerprint module.
Details:
  • Record a "begin system_role:sudo" fingerprint at variable setup time, including Ansible version and distribution/version in the message.
  • Record a "success system_role:sudo" fingerprint at the end of the main task sequence with the same contextual information.
  • Use role-specific sr_message strings so log scanners can attribute entries to this role and its status.
Files:
  • tasks/set_vars.yml
  • tasks/main.yml

Change: Add an integration-style test that asserts the sudo role writes the expected fingerprints to the system journal when syslog is available.
Details:
  • Introduce a stat task to conditionally detect /dev/log and gate fingerprint validation on syslog availability.
  • Capture a __journal_start_time fact from ansible_facts.date_time before the role runs to bound the journalctl search window.
  • Add a shell-based assertion that uses journalctl since the captured time and grep filters (excluding "Invoked with") to verify both "begin system_role:sudo" and "success system_role:sudo" fingerprints exist, without marking the play as changed.
  • Guard the journal check so it is skipped during bootc validation and when /dev/log is absent.
Files:
  • tests/tests_default.yml

Change: Remove several top-level markdown documentation files from the collection.
Details:
  • Delete CHANGELOG and multiple README variants, as well as contributing guidelines markdown, from the repository root.
Files:
  • CHANGELOG.md
  • README-ansible.md
  • README-ostree.md
  • README.md
  • contributing.md

richm commented Apr 27, 2026

[citest]


@sourcery-ai sourcery-ai Bot left a comment


Hey - I've left some high level feedback:

  • In sr_fingerprint._local_iso8601_no_microseconds, you call datetime.datetime.now() twice in different branches; consider capturing now = datetime.datetime.now() once and reusing it to avoid tiny inconsistencies and simplify the logic.
  • The journal check shell task runs journalctl twice and chains multiple greps; you could simplify and speed this up by invoking journalctl once and using Ansible’s register + search filter (or a single grep -E pattern) to avoid duplicated processes and long shell pipelines.
  • The sr_fingerprint module only logs and returns changed=False with no details; consider returning the composed log_message (or at least the timestamp) in exit_json so callers or debuggers can see exactly what was emitted without re-reading syslog.
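The journal check discussed in the review above, generalized into the kind of log scanner the PR description mentions: it pairs "begin" and "success" fingerprints per host and flags runs that never reached success. This is an added example, not code from this PR or the linux-system-roles project; the journal line layout, the ansible-sr_fingerprint tag and the CONTEXT placeholder are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Matches the status and role name at the start of a fingerprint message.
FINGERPRINT = re.compile(r"\b(begin|success) system_role:(\S+)")

# Constructed sample lines, not real output. Assumed layout per line:
# "<journal time> <host> <tag>: <message>"; CONTEXT stands in for the
# version/platform text, whose exact form the page does not show.
SAMPLE_JOURNAL = """\
2026-04-27T10:00:01-06:00 web1 ansible-sr_fingerprint[4101]: Invoked with sr_message=begin system_role:sudo CONTEXT
2026-04-27T10:00:01-06:00 web1 ansible-sr_fingerprint[4101]: begin system_role:sudo CONTEXT 2026-04-27T10:00:01-06:00
2026-04-27T10:00:09-06:00 web1 ansible-sr_fingerprint[4188]: Invoked with sr_message=success system_role:sudo CONTEXT
2026-04-27T10:00:09-06:00 web1 ansible-sr_fingerprint[4188]: success system_role:sudo CONTEXT 2026-04-27T10:00:09-06:00
2026-04-27T10:02:30-06:00 db1 ansible-sr_fingerprint[977]: Invoked with sr_message=begin system_role:sudo CONTEXT
2026-04-27T10:02:30-06:00 db1 ansible-sr_fingerprint[977]: begin system_role:sudo CONTEXT 2026-04-27T10:02:30-06:00
2026-04-27T10:05:00-06:00 app1 ansible-sr_fingerprint[2210]: Invoked with sr_message=begin system_role:sudo CONTEXT
2026-04-27T10:05:04-06:00 app1 ansible-sr_fingerprint[2214]: Invoked with sr_message=success system_role:sudo CONTEXT
"""


def scan(text, skip_invocations=True):
    """Count begin/success fingerprints per (host, role)."""
    counts = defaultdict(lambda: {"begin": 0, "success": 0})
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        host, message = parts[1], parts[3]
        # Same exclusion as the PR's test: the invocation record echoes
        # sr_message, so it would otherwise count as a fingerprint.
        if skip_invocations and "Invoked with" in message:
            continue
        found = FINGERPRINT.search(message)
        if found:
            status, role = found.groups()
            counts[(host, role)][status] += 1
    return dict(counts)


def incomplete_runs(text, skip_invocations=True):
    """Return (host, role) pairs that logged more begins than successes."""
    counts = scan(text, skip_invocations)
    return sorted(k for k, c in counts.items() if c["begin"] > c["success"])


if __name__ == "__main__":
    print("incomplete:", incomplete_runs(SAMPLE_JOURNAL))
    print("unfiltered app1:", scan(SAMPLE_JOURNAL, False).get(("app1", "sudo")))
```

The app1 lines model a check-mode run, where the module is described as not logging; without the "Invoked with" exclusion that host would be counted as a completed run.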

codecov Bot commented Apr 27, 2026

Codecov Report

❌ Patch coverage is 0% with 33 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (main@3cf11b1). Learn more about missing BASE report.

Files with missing lines Patch % Lines
library/sr_fingerprint.py 0.00% 33 Missing ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##             main     #113   +/-   ##
=======================================
  Coverage        ?   47.76%           
=======================================
  Files           ?        2           
  Lines           ?      381           
  Branches        ?        0           
=======================================
  Hits            ?      182           
  Misses          ?      199           
  Partials        ?        0           


richm commented Apr 27, 2026

[citest]

@richm richm merged commit ca1af60 into linux-system-roles:main Apr 27, 2026
46 checks passed
@richm richm deleted the fingerprint branch April 27, 2026 19:14