Re: Ansible question
On 01/29/2015 05:30 PM, Toshio Kuratomi wrote:
> no_log: True

That did the job. Thanks!

--
Miroslav Suchy, RHCE, RHCDS
Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys
___
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
Re: Ansible question
I just took a look at the keystone code. Unfortunately, I don't think this is coming from the module. It's being logged because they're in with_items. Here's a simpler playbook that shows that happening:

    $ cat test.yml                          *[devel] (08:12:25)
    ---
    - hosts: localhost
      gather_facts: False
      tasks:
        - name: test
          ping:
            data: "{{ item.name }}"
          with_items:
            - { name: kevin, password: example }
            - { name: laxathom, password: two }

    $ ansible-playbook test.yml             *[devel] (08:14:30)
    PLAY [localhost] **
    TASK: [test] **
    ok: [localhost] => (item={'password': 'example', 'name': 'kevin'})
    ok: [localhost] => (item={'password': 'two', 'name': 'laxathom'})
    PLAY RECAP
    localhost : ok=1    changed=0    unreachable=0    failed=0

There is a way to fix this though: no_log

http://docs.ansible.com/faq.html#how-do-i-keep-secret-data-in-my-playbook

no_log gives you the ability to make sure that tasks with passwords aren't logging their output rather than relying on the module to do the right thing. You are also able to turn no_log on and off -- for instance if you need to debug why a task isn't working and actually need to see what password is being substituted in for that. I would use no_log for any task that contains a secret value.

Here's what the task looks like with no_log:

    ---
    - hosts: localhost
      gather_facts: no
      tasks:
        - name: test
          ping:
            data: "{{ item.name }}"
          no_log: True
          with_items:
            - { name: kevin, password: example }
            - { name: laxathom, password: two }

And here's the task output with no_log:

    $ ansible-playbook test.yml             *[devel] (08:17:01)
    PLAY [localhost] **
    TASK: [test] **
    ok: [localhost]
    ok: [localhost]
    PLAY RECAP
    localhost : ok=1    changed=0    unreachable=0    failed=0

-Toshio

On Thu, Jan 29, 2015 at 7:12 AM, Bill Nottingham wrote:
> Kevin Fenzi (ke...@scrye.com) said:
>> On Wed, 28 Jan 2015 16:57:56 +0100
>> Miroslav Suchý wrote:
>>
>> ...snip...
>>
>> > Is there a way to mask the output (using -name or something) so the
>> > password is not printed to console?
>>
>>
>> Sadly, I don't know of any way to do that. ;(
>>
>> It does sound like something that would be a nice feature...
>> Perhaps it could be done in a handler?
>
> It's generally up to the modules to mask sensitive output (the user module
> does this, as an example). File an issue in github against
> ansible-modules-core?
>
> Bill
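Added example (not part of the original thread, and not Ansible's own code): a small auditor for captured console logs that finds the per-item result lines shown above where a looped task printed a secret-looking key, and masks the values. The key-name pattern and the sample log are assumptions constructed for illustration.

```python
import ast
import re

# Per-item result line Ansible prints for a looped task, e.g.
#   ok: [localhost] => (item={'password': 'example', 'name': 'kevin'})
ITEM_LINE = re.compile(
    r"^(?P<status>\w+): \[(?P<host>[^\]]+)\] => \(item=(?P<item>\{.*\})\)$")
# Assumption: which key names count as secret; adjust to your variable naming.
SECRET_KEY = re.compile(r"pass|secret|token|api_?key", re.IGNORECASE)

# Constructed sample, modelled on the console output quoted in the thread.
SAMPLE_LOG = """\
TASK: [test] **
ok: [localhost] => (item={'password': 'example', 'name': 'kevin'})
ok: [localhost] => (item={'password': u'two', 'name': 'laxathom'})
ok: [localhost]
"""

def _parse(line):
    """Return (match, item_dict) for a looped-task result line, else None."""
    m = ITEM_LINE.match(line.strip())
    if not m:
        return None
    try:
        item = ast.literal_eval(m.group("item"))  # parses the repr safely
    except (ValueError, SyntaxError):
        return None
    return (m, item) if isinstance(item, dict) else None

def find_leaks(log_text):
    """List (line_no, host, key) for each secret-looking key that was printed."""
    leaks = []
    for no, line in enumerate(log_text.splitlines(), 1):
        parsed = _parse(line)
        if parsed:
            m, item = parsed
            leaks += [(no, m.group("host"), k) for k in item
                      if SECRET_KEY.search(str(k))]
    return leaks

def redact(log_text):
    """Return the log with the values of secret-looking keys masked."""
    out = []
    for line in log_text.splitlines():
        parsed = _parse(line)
        if parsed:
            m, item = parsed
            masked = {k: "********" if SECRET_KEY.search(str(k)) else v
                      for k, v in item.items()}
            line = "%s: [%s] => (item=%r)" % (m["status"], m["host"], masked)
        out.append(line)
    return "\n".join(out)
```

Each hit from find_leaks points at a looped task that still needs no_log; a line printed with no_log set carries no item dict and is passed through untouched.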
Re: Ansible question
Kevin Fenzi (ke...@scrye.com) said:
> On Wed, 28 Jan 2015 16:57:56 +0100
> Miroslav Suchý wrote:
>
> ...snip...
>
> > Is there a way to mask the output (using -name or something) so the
> > password is not printed to console?
>
>
> Sadly, I don't know of any way to do that. ;(
>
> It does sound like something that would be a nice feature...
> Perhaps it could be done in a handler?

It's generally up to the modules to mask sensitive output (the user module does this, as an example). File an issue in github against ansible-modules-core?

Bill
Re: Ansible question
On Wed, 28 Jan 2015 16:57:56 +0100
Miroslav Suchý wrote:

...snip...

> Is there a way to mask the output (using -name or something) so the
> password is not printed to console?

Sadly, I don't know of any way to do that. ;(

It does sound like something that would be a nice feature...
Perhaps it could be done in a handler?

kevin
Re: Ansible question
On Wed, 28 Jan 2015 23:12:02 +0100
Maciej Lasyk wrote:

> Wouldn't it be more secure to use Vault here?

We don't actually use vault at all. It would require (as far as I know) everyone to know the password.

Instead we keep private stuff in private vars files.

kevin
Re: Ansible question
Wouldn't it be more secure to use Vault here?

Cheers,
Maciej Lasyk
GPG key ID: 4FED49C5
GPG public key: http://maciek.lasyk.info/gpg_maciej_lasyk.asc

On Wed, Jan 28, 2015 at 4:57 PM, Miroslav Suchý wrote:
> I have this ansible snippet:
>
>     - name: Create users
>       keystone_user:
>         login_user="admin" login_password="{{ ADMIN_PASS }}"
>         login_tenant_name="admin"
>         user="{{ item.name }}"
>         email="{{ item.email }}"
>         tenant="{{ item.tenant }}"
>         password="{{ item.password }}"
>         state=present
>       with_items:
>         - { name: kevin, email: 'ke...@fedoraproject.org', tenant: infrastructure, password: "{{kevin_password}}" }
>         - { name: laxathom, email: 'laxat...@fedoraproject.org', tenant: infrastructure, password: "{{laxathom_password}}" }
>
> But when I run it, it produces:
>
>     TASK: [Create users] **
>     changed: [fed-cloud09.cloud.fedoraproject.org] => (item={'password': u'', 'name': 'kevin', 'tenant': 'infrastructure', 'email': 'ke...@fedoraproject.org'})
>     changed: [fed-cloud09.cloud.fedoraproject.org] => (item={'password': u'', 'name': 'laxathom', 'tenant': 'infrastructure', 'email': 'laxat...@fedoraproject.org'})
>
> Is there a way to mask the output (using -name or something) so the password
> is not printed to console?
> --
> Miroslav Suchy, RHCE, RHCDS
> Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys
Ansible question
I have this ansible snippet:

    - name: Create users
      keystone_user:
        login_user="admin" login_password="{{ ADMIN_PASS }}"
        login_tenant_name="admin"
        user="{{ item.name }}"
        email="{{ item.email }}"
        tenant="{{ item.tenant }}"
        password="{{ item.password }}"
        state=present
      with_items:
        - { name: kevin, email: 'ke...@fedoraproject.org', tenant: infrastructure, password: "{{kevin_password}}" }
        - { name: laxathom, email: 'laxat...@fedoraproject.org', tenant: infrastructure, password: "{{laxathom_password}}" }

But when I run it, it produces:

    TASK: [Create users] **
    changed: [fed-cloud09.cloud.fedoraproject.org] => (item={'password': u'', 'name': 'kevin', 'tenant': 'infrastructure', 'email': 'ke...@fedoraproject.org'})
    changed: [fed-cloud09.cloud.fedoraproject.org] => (item={'password': u'', 'name': 'laxathom', 'tenant': 'infrastructure', 'email': 'laxat...@fedoraproject.org'})

Is there a way to mask the output (using -name or something) so the password is not printed to console?

--
Miroslav Suchy, RHCE, RHCDS
Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys
Re: Ansible question
On 12/07/2013 10:28 AM, Michael Scherer wrote:
> On Friday, 06 December 2013 at 18:01 +0100, Miroslav Suchy wrote:
> > Working on Copr, I want to replace/add one line in file. I spent more
> > than an hour trying various things, but I'm out of ideas.
> >
> > What I'm trying to do is:
> >
> >     self.conn.module_name = "lineinfile"
> >     self.conn.module_args = "dest=/etc/mock/%s.cfg line=\"config_opts['chroot_setup_cmd'] = 'install @build %s'\" regexp=\"^.*chroot_setup_cmd.*$\"" % (self.chroot, self.buildroot_pkgs)
> >
> > Which in yaml language should be (with placeholders expanded):
> >
> >     - name: putting scl-utils-build into minimal buildroot of fedora-19-i386
> >       lineinfile:
> >         dest=/etc/mock/fedora-19-i386.cfg
> >         line="config_opts['chroot_setup_cmd'] = 'install @build scl-utils-build'"
> >         regexp="^.*chroot_setup_cmd.*$"
> >
> > I tried several things - among all:
> >  - change regexp
> >  - do not use regexp at all as that should put $line at the end of
> >    file, which would work as well
> >  - use command module with sed, but there is too much of escaping and
> >    it is unreadable
> >
> > Can somebody advise me what should be correct form to replace or add
> > that line to mock config please?
>
> I tested the following playbook, and it works. So I think we may need more
> information on what you try and how.

I found it. For the record: It was a permission problem. The connection was made as copr user and not as root user. And copr user obviously can't modify /etc/mock/* files.

--
Miroslav Suchy, RHCE, RHCDS
Red Hat, Software Engineer, #brno, #devexp, #fedora-buildsys
Re: Ansible question
On Friday, 06 December 2013 at 18:01 +0100, Miroslav Suchy wrote:
> Working on Copr, I want to replace/add one line in file. I spent more
> than an hour trying various things, but I'm out of ideas.
>
> What I'm trying to do is:
>
>     self.conn.module_name = "lineinfile"
>     self.conn.module_args = "dest=/etc/mock/%s.cfg line=\"config_opts['chroot_setup_cmd'] = 'install @build %s'\" regexp=\"^.*chroot_setup_cmd.*$\"" % (self.chroot, self.buildroot_pkgs)
>
> Which in yaml language should be (with placeholders expanded):
>
>     - name: putting scl-utils-build into minimal buildroot of fedora-19-i386
>       lineinfile:
>         dest=/etc/mock/fedora-19-i386.cfg
>         line="config_opts['chroot_setup_cmd'] = 'install @build scl-utils-build'"
>         regexp="^.*chroot_setup_cmd.*$"
>
> I tried several things - among all:
>  - change regexp
>  - do not use regexp at all as that should put $line at the end of
>    file, which would work as well
>  - use command module with sed, but there is too much of escaping and
>    it is unreadable
>
> Can somebody advise me what should be correct form to replace or add
> that line to mock config please?

I tested the following playbook, and it works. So I think we may need more information on what you try and how.

--
Michael Scherer

e.yml
Description: application/yaml
Ansible question
Working on Copr, I want to replace/add one line in file. I spent more than an hour trying various things, but I'm out of ideas.

What I'm trying to do is:

    self.conn.module_name = "lineinfile"
    self.conn.module_args = "dest=/etc/mock/%s.cfg line=\"config_opts['chroot_setup_cmd'] = 'install @build %s'\" regexp=\"^.*chroot_setup_cmd.*$\"" % (self.chroot, self.buildroot_pkgs)

Which in yaml language should be (with placeholders expanded):

    - name: putting scl-utils-build into minimal buildroot of fedora-19-i386
      lineinfile:
        dest=/etc/mock/fedora-19-i386.cfg
        line="config_opts['chroot_setup_cmd'] = 'install @build scl-utils-build'"
        regexp="^.*chroot_setup_cmd.*$"

I tried several things - among all:
 - change regexp
 - do not use regexp at all as that should put $line at the end of file, which would work as well
 - use command module with sed, but there is too much of escaping and it is unreadable

Can somebody advise me what should be correct form to replace or add that line to mock config please?

--
Miroslav Suchy, RHCE, RHCDS
Red Hat, Software Engineer, #brno, #devexp, #fedora-buildsys