Expand comment describing why we use follow=false

Co-authored-by: Nick <[email protected]>
cisagov · May 3, 2024 · 530bce8 · 530bce8
1 parent 7c3af64
commit 530bce8
Showing 1 changed file with 15 additions and 1 deletion.
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -21,7 +21,21 @@
 
 - name: Create /etc/resolv.conf symlink
   ansible.builtin.file:
-    # Do not apply any group, owner, or mode changes to src.
+    # Note that group, owner, and mode can modify src when follow=true
+    # and state=link are used:
+    # https://docs.ansible.com/ansible/latest/collections/ansible/builtin/file_module.html#parameter-follow
+    #
+    # In fact, I found this to be exactly the case when testing.  In
+    # other words, if I set follow=true (or left it as the default)
+    # without specifying group, owner, or mode then the group and
+    # owner of src (i.e., /run/systemd/resolve/stub-resolv.conf) would
+    # both be changed from systemd-resolved to root.
+    #
+    # In this case we definitely _do not_ want to modify the group,
+    # owner, or mode of src, and we do not need to follow any
+    # filesystem links to arrive at /etc/resolv.conf, so we simply
+    # override the default and set follow equal to false.  This will
+    # ensure that no group, owner, or mode changes are applied to src.
     follow: false
     # If a file is already present at /etc/resolv.conf then just
     # delete it.