feat: add role fingerprints to syslog

[richm]

Feature: Add a fingerprint string to the system log to indicate when the role began
successfully, and when the role finished successfully. The fingerprint string indicates
the role name, a timestamp, and the platform.

Reason: Users can see when the role was used and if it was used successfully. This
information from the system log can be collected by log scanners and aggregators
for further analysis.

Result: The role logs fingerprints to the system log.

This also adds a test to check if the fingerprints were written upon a successful
role invocation.

Signed-off-by: Rich Megginson rmeggins@redhat.com

Summary by Sourcery

Add syslog fingerprinting for the timesync role and verify fingerprints via journal inspection in tests.

New Features:

• Introduce sr_fingerprint Ansible module to log fingerprint messages to syslog with timestamps.
• Record begin and success fingerprint messages for the linux-system-roles.timesync role including Ansible and platform metadata.

Tests:

• Add integration test that verifies role fingerprint messages are written to the system journal when syslog is available.

[sourcery-ai]

Reviewer's Guide

Adds a new sr_fingerprint Ansible module and wires it into the timesync role to emit begin/success fingerprints to syslog, along with a test that validates fingerprints were written using journalctl, plus sanity-ignore updates for the new module.

Sequence diagram for sr_fingerprint logging during timesync role execution

sequenceDiagram
    actor Admin
    participant AnsibleController
    participant TimesyncRole_SetVars
    participant TimesyncRole_Main
    participant SrFingerprintModule
    participant Syslog

    Admin->>AnsibleController: Run playbook with timesync role

    AnsibleController->>TimesyncRole_SetVars: Execute set_vars tasks
    TimesyncRole_SetVars->>SrFingerprintModule: sr_fingerprint(sr_message=begin system_role:timesync ...)
    activate SrFingerprintModule
    SrFingerprintModule->>SrFingerprintModule: _local_iso8601_no_microseconds()
    SrFingerprintModule->>Syslog: module.log(begin ... <timestamp>)
    SrFingerprintModule-->>TimesyncRole_SetVars: exit_json(changed=false)
    deactivate SrFingerprintModule

    AnsibleController->>TimesyncRole_Main: Execute main tasks
    TimesyncRole_Main->>TimesyncRole_Main: Configure timesync
    TimesyncRole_Main->>SrFingerprintModule: sr_fingerprint(sr_message=success system_role:timesync ...)
    activate SrFingerprintModule
    SrFingerprintModule->>SrFingerprintModule: _local_iso8601_no_microseconds()
    SrFingerprintModule->>Syslog: module.log(success ... <timestamp>)
    SrFingerprintModule-->>TimesyncRole_Main: exit_json(changed=false)
    deactivate SrFingerprintModule

    TimesyncRole_Main-->>AnsibleController: Role completed
    AnsibleController-->>Admin: Report role success

Loading

Class diagram for the sr_fingerprint Ansible module

classDiagram
    class SrFingerprintModule {
        <<module>>
        +run_module()
        +main()
        -_local_iso8601_no_microseconds() str
    }

    class AnsibleModule {
        +params dict
        +check_mode bool
        +log(message)
        +exit_json(changed, message)
    }

    SrFingerprintModule ..> AnsibleModule : uses

Loading

Flow diagram for begin and success fingerprints in the timesync role

flowchart TD
    A[Start timesync role] --> B[Run set_vars.yml]
    B --> C[Call sr_fingerprint with begin system_role:timesync ...]
    C --> D[Write begin fingerprint to syslog]
    D --> E[Run main.yml tasks]
    E --> F[Configure timesync services]
    F --> G[Call sr_fingerprint with success system_role:timesync ...]
    G --> H[Write success fingerprint to syslog]
    H --> I[End timesync role]

Loading

File-Level Changes

Change	Details	Files
Introduce sr_fingerprint Ansible module to log fingerprint messages to syslog with a local ISO-8601 timestamp, without reporting changes.	Create custom module sr_fingerprint with required sr_message argument and documentation metadata. Implement timestamp helper _local_iso8601_no_microseconds to generate local-time ISO-8601 timestamps with seconds precision and TZ offset, with a fallback for older Python. Use AnsibleModule with check_mode support, formatting log_message as '<sr_message> ' and logging via module.log while always exiting with changed=False.	library/sr_fingerprint.py
Emit role begin and success fingerprints from the timesync role using sr_fingerprint, including role name, Ansible version, and distribution information.	Add a 'Record role begin fingerprint' task early in set_vars.yml that calls sr_fingerprint with a begin system_role:timesync message including ansible_version.full and distribution facts. Add a 'Record role success fingerprint' task at the end of main.yml that calls sr_fingerprint with a success system_role:timesync message including ansible_version.full and distribution facts. Ensure fingerprints include platform identifier formatted as '-<distribution_version>'.	tasks/set_vars.yml tasks/main.yml
Add an integration-style test that verifies role fingerprints appear in the system journal when /dev/log is available.	Extend tests_default.yml to stat /dev/log and conditionally set a __journal_start_time fact based on ansible_facts['date_time'] before running the role. Add a shell-based assertion that uses journalctl --since __journal_start_time and grep filters (excluding 'Invoked with') to require both begin and success sr_fingerprint messages for system_role:timesync, without marking the task as changed. Guard the journal check task with the same /dev/log existence condition to avoid failures on systems without syslog socket.	tests/tests_default.yml
Update Ansible sanity ignore lists for multiple versions to accommodate the new library module.	Modify the .sanity-ansible-ignore-2.x.txt files to ignore or otherwise account for the new sr_fingerprint module in sanity checks across supported Ansible versions.	.sanity-ansible-ignore-2.9.txt .sanity-ansible-ignore-2.10.txt .sanity-ansible-ignore-2.11.txt .sanity-ansible-ignore-2.12.txt .sanity-ansible-ignore-2.13.txt .sanity-ansible-ignore-2.14.txt .sanity-ansible-ignore-2.15.txt .sanity-ansible-ignore-2.16.txt .sanity-ansible-ignore-2.17.txt .sanity-ansible-ignore-2.18.txt .sanity-ansible-ignore-2.19.txt .sanity-ansible-ignore-2.20.txt .sanity-ansible-ignore-2.21.txt .sanity-ansible-ignore-2.22.txt

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[richm]

[citest]

[sourcery-ai]

Hey - I've left some high level feedback:

• sr_fingerprint.py has a duplicated shebang (#!/usr/bin/python) at the top; you can drop the second one to avoid confusion.
• The journalctl fingerprint check in tests_default.yml is a long bash one-liner; consider splitting it into separate tasks or using register/failed_when to make the logic (BEGIN vs SUCCESS checks, grep filters) easier to read and maintain.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- sr_fingerprint.py has a duplicated shebang (`#!/usr/bin/python`) at the top; you can drop the second one to avoid confusion.
- The journalctl fingerprint check in tests_default.yml is a long bash one-liner; consider splitting it into separate tasks or using `register`/`failed_when` to make the logic (BEGIN vs SUCCESS checks, grep filters) easier to read and maintain.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[richm]

[citest]