Re: Ansible question
I just took a look at the keystone code. Unfortunately, I don't think this is coming from the module. It's being logged because they're in with_items. Here's a simpler playbook that shows that happening:

    $ cat test.yml                              *[devel] (08:12:25)
    ---
    - hosts: localhost
      gather_facts: False
      tasks:
        - name: test
          ping:
            data: "{{ item.name }}"
          with_items:
            - { name: kevin, password: example }
            - { name: laxathom, password: two }

    $ ansible-playbook test.yml                 *[devel] (08:14:30)

    PLAY [localhost] **

    TASK: [test] **
    ok: [localhost] => (item={'password': 'example', 'name': 'kevin'})
    ok: [localhost] => (item={'password': 'two', 'name': 'laxathom'})

    PLAY RECAP
    localhost : ok=1 changed=0 unreachable=0 failed=0

There is a way to fix this though: no_log
http://docs.ansible.com/faq.html#how-do-i-keep-secret-data-in-my-playbook

no_log gives you the ability to make sure that tasks with passwords aren't logging their output rather than relying on the module to do the right thing. You are also able to turn no_log on and off -- for instance if you need to debug why a task isn't working and actually need to see what password is being substituted in for that. I would use no_log for any task that contains a secret value.

Here's what the task looks like with no_log:

    ---
    - hosts: localhost
      gather_facts: no
      tasks:
        - name: test
          ping:
            data: "{{ item.name }}"
          # keep the loop items and the task result out of the output
          no_log: True
          with_items:
            - { name: kevin, password: example }
            - { name: laxathom, password: two }

And here's the task output with no_log:

    $ ansible-playbook test.yml                 *[devel] (08:17:01)

    PLAY [localhost] **

    TASK: [test] **
    ok: [localhost]
    ok: [localhost]

    PLAY RECAP
    localhost : ok=1 changed=0 unreachable=0 failed=0

-Toshio

On Thu, Jan 29, 2015 at 7:12 AM, Bill Nottingham nott...@splat.cc wrote:
> Kevin Fenzi (ke...@scrye.com) said:
> > On Wed, 28 Jan 2015 16:57:56 +0100
> > Miroslav Suchý msu...@redhat.com wrote:
> >
> > ...snip...
> >
> > > Is there a way to mask the output (using -name or something) so the password is not printed to console?
> >
> > Sadly, I don't know of any way to do that. ;(
> >
> > It does sound like something that would be a nice feature...
> >
> > Perhaps it could be done in a handler?
>
> It's generally up to the modules to mask sensitive output (the user module does this, as an example). File an issue in github against ansible-modules-core?
>
> Bill

___
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
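Added example, not part of the original thread: for playbook output that was captured before no_log was set, the Python below finds and redacts secret-looking keys in the per-item `(item={...})` suffix shown in the message above. The key names in SECRET_KEYS and the sample log are assumptions constructed for this example.

```python
import ast
import re

# Keys treated as secret: an assumption of this example, extend as needed.
SECRET_KEYS = {"password", "passwd", "secret", "token", "api_key"}
# Per-item suffix that ansible-playbook prints for looped tasks.
ITEM_RE = re.compile(r"\(item=(\{.*\})\)\s*$")


def redact_line(line):
    """Return (clean_line, leaked_keys) for one line of playbook output."""
    match = ITEM_RE.search(line)
    if not match:
        return line, []
    try:
        item = ast.literal_eval(match.group(1))
    except (ValueError, SyntaxError):
        item = None  # not a plain dict literal, leave the line untouched
    if not isinstance(item, dict):
        return line, []
    leaked = sorted(k for k in item if str(k).lower() in SECRET_KEYS)
    if not leaked:
        return line, []
    for key in leaked:
        item[key] = "REDACTED"
    clean = line[:match.start(1)] + repr(item) + line[match.end(1):]
    return clean, leaked


def scan(log_text):
    """Redact a whole log; return (clean_text, [(line_number, keys), ...])."""
    findings, out = [], []
    for number, line in enumerate(log_text.splitlines(), start=1):
        clean, leaked = redact_line(line)
        if leaked:
            findings.append((number, leaked))
        out.append(clean)
    return "\n".join(out), findings


# Constructed sample, modelled on the output quoted in the message above.
SAMPLE = """TASK: [test] **
ok: [localhost] => (item={'password': 'example', 'name': 'kevin'})
ok: [localhost] => (item={'password': 'two', 'name': 'laxathom'})
ok: [localhost]
"""

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Any value this flags has already been written to a log, so the credential itself should be rotated; redaction only limits further exposure.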
Re: Great Infrastructure projects status roundup
On Thu, Jan 29, 2015 at 11:46:03AM +0100, Pierre-Yves Chibon wrote:
> On Wed, Jan 28, 2015 at 06:01:59PM +0100, Pierre-Yves Chibon wrote:
> > On Mon, Jan 26, 2015 at 04:12:31PM +0100, Mathieu Bridon wrote:
> > > On Fri, 2015-01-23 at 14:10 +0100, Pierre-Yves Chibon wrote:
> > > > Since it seems to us that all is now fixed and ready, we are re-building the host from scratch and then all that is left is: testing :)
> > >
> > > So Pierre-Yves finished rebuilding the host and syncing some git data on it from prod. And things just work. :)
> > >
> > > So far, I've tested:
> > > * shell access for admins (works for Pierre-Yves from sysadmin-main, works for me from sysadmin-noc)
> > > * fedpkg clone/push, verifying that push fails for packages I don't have acls on
> > > * git push of branches starting with origin/, which is supposed to fail (https://fedorahosted.org/rel-eng/ticket/4071)
> > >
> > > Still needs to be tested:
> > > * cgit seems to not see any package
> > > * fedpkg sources / new-sources fail (looking into this right now)
> >
> > After some more fighting:
> > is working:
> > - shell access for admins
> > - fedpkg clone, pull, push
> > - Fails on package on which user does not have the ACLs
> > - Fails on branches not allowed
> > - Fails on branches named origin/...
> > - cgit: http://pkgs.stg.fedoraproject.org/cgit/
> > - fedpkg new-sources / sources
> >
> > All this with SELinux enabled.
> >
> > Fails:
> > - fedmsg-genacls.sh
>
> This is now fixed. It was basically two permission issues, one for running genacls.sh which now needs to be run as root as it has to chown and chmod some files and the second was to adjust the permissions to allow fedmsg to sudo as root to run genacls.sh

Note: this is likely related to the fact that we pretty much dropped using the gen-acls user.

Pierre
Re: Great Infrastructure projects status roundup
On Wed, Jan 28, 2015 at 06:01:59PM +0100, Pierre-Yves Chibon wrote:
> On Mon, Jan 26, 2015 at 04:12:31PM +0100, Mathieu Bridon wrote:
> > On Fri, 2015-01-23 at 14:10 +0100, Pierre-Yves Chibon wrote:
> > > Since it seems to us that all is now fixed and ready, we are re-building the host from scratch and then all that is left is: testing :)
> >
> > So Pierre-Yves finished rebuilding the host and syncing some git data on it from prod. And things just work. :)
> >
> > So far, I've tested:
> > * shell access for admins (works for Pierre-Yves from sysadmin-main, works for me from sysadmin-noc)
> > * fedpkg clone/push, verifying that push fails for packages I don't have acls on
> > * git push of branches starting with origin/, which is supposed to fail (https://fedorahosted.org/rel-eng/ticket/4071)
> >
> > Still needs to be tested:
> > * cgit seems to not see any package
> > * fedpkg sources / new-sources fail (looking into this right now)
>
> After some more fighting:
> is working:
> - shell access for admins
> - fedpkg clone, pull, push
> - Fails on package on which user does not have the ACLs
> - Fails on branches not allowed
> - Fails on branches named origin/...
> - cgit: http://pkgs.stg.fedoraproject.org/cgit/
> - fedpkg new-sources / sources
>
> All this with SELinux enabled.
>
> Fails:
> - fedmsg-genacls.sh

This is now fixed. It was basically two permission issues, one for running genacls.sh which now needs to be run as root as it has to chown and chmod some files and the second was to adjust the permissions to allow fedmsg to sudo as root to run genacls.sh

> - fedmsg messages sent after an upload
>
> Of the two, the last one at least is still SELinux related, no clue for the first one.

Remains this one :)

Pierre
Re: Great Infrastructure projects status roundup
On Thu, Jan 29, 2015 at 11:46:03AM +0100, Pierre-Yves Chibon wrote:
> On Wed, Jan 28, 2015 at 06:01:59PM +0100, Pierre-Yves Chibon wrote:
> > On Mon, Jan 26, 2015 at 04:12:31PM +0100, Mathieu Bridon wrote:
> > > On Fri, 2015-01-23 at 14:10 +0100, Pierre-Yves Chibon wrote:
> > > > Since it seems to us that all is now fixed and ready, we are re-building the host from scratch and then all that is left is: testing :)
> > >
> > > So Pierre-Yves finished rebuilding the host and syncing some git data on it from prod. And things just work. :)
> > >
> > > So far, I've tested:
> > > * shell access for admins (works for Pierre-Yves from sysadmin-main, works for me from sysadmin-noc)
> > > * fedpkg clone/push, verifying that push fails for packages I don't have acls on
> > > * git push of branches starting with origin/, which is supposed to fail (https://fedorahosted.org/rel-eng/ticket/4071)
> > >
> > > Still needs to be tested:
> > > * cgit seems to not see any package
> > > * fedpkg sources / new-sources fail (looking into this right now)
> >
> > After some more fighting:
> > is working:
> > - shell access for admins
> > - fedpkg clone, pull, push
> > - Fails on package on which user does not have the ACLs
> > - Fails on branches not allowed
> > - Fails on branches named origin/...
> > - cgit: http://pkgs.stg.fedoraproject.org/cgit/
> > - fedpkg new-sources / sources
> >
> > All this with SELinux enabled.
> >
> > Fails:
> > - fedmsg-genacls.sh
>
> This is now fixed. It was basically two permission issues, one for running genacls.sh which now needs to be run as root as it has to chown and chmod some files and the second was to adjust the permissions to allow fedmsg to sudo as root to run genacls.sh
>
> > - fedmsg messages sent after an upload
> >
> > Of the two, the last one at least is still SELinux related, no clue for the first one.
>
> Remains this one :)

And with one last SELinux boolean tuning, this is working \ó/

pkgs01.stg has been rebuilt (again) and all seems to work fine.

So if someone wants to review our change, I think we're good :)

Pierre
[release] anitya 0.1.16
Hi everyone,

I just made a small (but long awaited) release of anitya.

Changelog:

* Thu Jan 29 2015 Pierre-Yves Chibon pin...@pingoured.fr - 0.1.16-1
- Update to 0.1.16
- In the documentation (about page) adjust the code to store the url in a variable making it easier for people to copy/paste the code (Elan Ruusamäe)
- Add api to query for a project by homepage. (Ralph Bean)
- Typofix in the API docs generation. (Ralph Bean)

This is already running at upstream-monitoring.org

Nice day!
Pierre
Summary/Minutes from today's Fedora Infrastructure meeting (2015-01-29)
#fedora-meeting: Infrastructure (2015-01-29)

Meeting started by nirik at 18:00:03 UTC. The full logs are available at
http://meetbot.fedoraproject.org/fedora-meeting/2015-01-29/infrastructure.2015-01-29-18.00.log.html .

Meeting summary
---
* aloha (nirik, 18:00:03)
* New folks introductions and Apprentice tasks (nirik, 18:02:36)
* Applications status / discussion (nirik, 18:07:34)
* new anitya just hit prod, 0.1.16 (pingou, 18:08:58)
* new koji release sending fedmsg message when a package is signed in sigul (our signing server) (pingou, 18:09:50)
* new fedmsg_meta release to handle this new message (pingou, 18:10:06)
* new FMN release to be able to include/exclude these new messages (pingou, 18:10:25)
* new python-fedmsg-genacls release to be used on RHEL7 with gitolite3 (pingou, 18:11:06)
* new the-new-hotness release in staging that auto-adds packages to release-monitoring.org when they're added to Fedora (threebean, 18:11:38)
* copr now signs new package builds. (nirik, 18:12:14)
* new mirrormanager2 based mirrorlist server (pingou, 18:12:37)
* LINK: http://aurelien.bompard.org/post/2015/01/23/News-of-the-Mailman3-front (threebean, 18:19:10)
* Sysadmin status / discussion (nirik, 18:27:29)
* short mirrorlist outage on tuesday. We think cause was a bad pkl, but not sure. (nirik, 18:27:59)
* glibc updated for ghost and all servers rebooted on tuesday. (nirik, 18:28:15)
* pingou and bochecha have been working on pkgs01.stg and it's ready for wide testing now! Hurray! (nirik, 18:28:46)
* fedoramagazine had some dns issues, but they should be all cleared up (nirik, 18:29:27)
* proxy03 and proxy04 were reinstalled rhel7/ansible and so far seem to be working well. (nirik, 18:29:47)
* koji01/02 were installed as rhel7/ansible and we switched to them in production. (nirik, 18:30:10)
* all builders and hubs were updated to latest git head koji packages (nirik, 18:30:28)
* letoto has loaded all fedora folks gpg keys into dns now. (nirik, 18:31:16)
* down to just 44 hosts in puppet. (nirik, 18:32:12)
* relrod fixed up ntp on hosts (nirik, 18:32:36)
* DNS zones have been cleaned up so they all refer to the same set of proxies. (smooge, 18:36:38)
* DNS templates code has been fixed so that zones don't give this serial is out of bounds rejecting zone. (smooge, 18:37:07)
* LINK: http://paste.fedoraproject.org/177673/42255665 is all the hosts left in puppet. (nirik, 18:37:57)
* torrent setup needs a redesign. (nirik, 18:40:00)
* Upcoming Tasks/Items (nirik, 18:45:52)
* LINK: https://apps.fedoraproject.org/calendar/list/infrastructure/ (nirik, 18:45:52)
* learn an app - github2fedmsg (nirik, 18:49:09)
* LINK: https://apps.fedoraproject.org/github2fedmsg (threebean, 18:49:47)
* Open Floor (nirik, 18:56:38)

Meeting ended at 19:02:24 UTC.

Action Items

Action Items, by person
---
* **UNASSIGNED**
* (none)

People Present (lines said)
---
* nirik (115)
* threebean (44)
* Corey84 (35)
* dgilmore (25)
* pingou (19)
* puiterwijk (14)
* tflink (14)
* smooge (10)
* lmacken (8)
* zodbot (5)
* mirek-hm (5)
* taedori (4)
* michel_slm (4)
* sborza (1)
* janeznemanic (1)
* fale (1)
* abadger1999 (0)
* mdomsch (0)
* relrod (0)

--
18:00:03 nirik #startmeeting Infrastructure (2015-01-29)
18:00:03 zodbot Meeting started Thu Jan 29 18:00:03 2015 UTC. The chair is nirik. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:03 zodbot Useful Commands: #action #agreed #halp #info #idea #link #topic.
18:00:03 nirik #meetingname infrastructure
18:00:03 nirik #topic aloha
18:00:03 nirik #chair smooge relrod nirik abadger1999 lmacken dgilmore mdomsch threebean pingou puiterwijk
18:00:03 zodbot The meeting name has been set to 'infrastructure'
18:00:03 zodbot Current chairs: abadger1999 dgilmore lmacken mdomsch nirik pingou puiterwijk relrod smooge threebean
18:00:10 * pingou here
18:00:14 * sborza here
18:00:20 * fale here
18:00:25 * lmacken
18:00:34 * puiterwijk here
18:00:37 * michel_slm here
18:00:38 dgilmore hola
18:00:41 taedori here
18:01:05 Corey84 .hello corey84
18:01:09 zodbot Corey84: corey84 'Corey84' sheldon.co...@gmail.com
18:01:11 Corey84 may be afk at times
18:01:13 janeznemanic hi
18:02:36 nirik #topic New folks introductions and Apprentice tasks
18:02:46 nirik any new folks like to introduce themselves?
18:02:52 nirik or apprentices with questions or comments?
18:03:07 * threebean waves
18:03:19 Corey84 o/
18:03:19 smooge here
18:03:37 puiterwijk zimbr
18:03:42 Corey84 no need to raise hands here new comers
18:04:19 nirik :)
18:04:32 puiterwijk errr, sorry for the spam :)
18:05:11 taedori Nice meeting you guys. I am from C# .Net world. actually transitioning to linux
Re: Request to become apprentice
On Thu, 29 Jan 2015 22:50:00 +0100 Mikolaj Izdebski mizde...@redhat.com wrote:
> I would like to become Fedora Infrastructure apprentice.

Welcome. ;)

> I am Mikolaj Izdebski - a Fedora developer, who primarily works in Java SIG on maintaining different Java build systems and libraries. You can find a bit more information about me on my user page [1] on the wiki.
>
> My primary interest in infrastructure area is improving infrastructure for Fedora developers, especially ones that work with large number of related or similar packages. This includes topics such as build systems, continuous integration and automated package testing.
>
> Some of short-term things I would like to do:
> * learn more about infra internals (how to use bastion to log into other machines, how Ansible playbooks work in Fedora, how backups are done, and much more)
> * work on completing Koschei playbook (currently it sets up only basic system, but a lot of other stuff has to be done manually)
> * migrate Koschei from Fedora 20 to RHEL 7
>
> Long term goals:
> * make Koschei an official Fedora service (RFR is already filed)

Sounds great!

> What are next steps I need to follow to become apprentice?

I've added you to the group, and it should be live in 20-30min.

See the apprentice wiki page for a link to the ssh sop to get logged in and look around.

Welcome again!

kevin
Re: Request to become apprentice
On 01/29/2015 11:32 PM, Kevin Fenzi wrote:
> On Thu, 29 Jan 2015 22:50:00 +0100 Mikolaj Izdebski mizde...@redhat.com wrote:
> > I would like to become Fedora Infrastructure apprentice.
>
> Welcome. ;)

[...]

> > What are next steps I need to follow to become apprentice?
>
> I've added you to the group, and it should be live in 20-30min.
>
> See the apprentice wiki page for a link to the ssh sop to get logged in and look around.

Thank you!

--
Mikolaj Izdebski
Software Engineer, Red Hat
IRC: mizdebsk
Request to become apprentice
I would like to become Fedora Infrastructure apprentice.

I am Mikolaj Izdebski - a Fedora developer, who primarily works in Java SIG on maintaining different Java build systems and libraries. You can find a bit more information about me on my user page [1] on the wiki.

My primary interest in infrastructure area is improving infrastructure for Fedora developers, especially ones that work with large number of related or similar packages. This includes topics such as build systems, continuous integration and automated package testing.

Some of short-term things I would like to do:
* learn more about infra internals (how to use bastion to log into other machines, how Ansible playbooks work in Fedora, how backups are done, and much more)
* work on completing Koschei playbook (currently it sets up only basic system, but a lot of other stuff has to be done manually)
* migrate Koschei from Fedora 20 to RHEL 7

Long term goals:
* make Koschei an official Fedora service (RFR is already filed)

What are next steps I need to follow to become apprentice?

--
Mikolaj Izdebski
Software Engineer, Red Hat
IRC: mizdebsk

[1] https://fedoraproject.org/wiki/User:Mizdebsk