Re: Ansible question

2015-01-30 Thread Miroslav Suchý
On 01/29/2015 05:30 PM, Toshio Kuratomi wrote:
   no_log: True

That did the job. Thanks!

-- 
Miroslav Suchy, RHCE, RHCDS
Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys
___
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure

Re: Ansible question

2015-01-29 Thread Toshio Kuratomi
I just took a look at the keystone code.  Unfortunately, I don't think
this is coming from the module.  It's being logged because they're in
with_items.  Here's a simpler playbook that shows that happening:

$ cat test.yml
---
- hosts: localhost
  gather_facts: False
  tasks:
    - name: test
      ping:
        data: "{{ item.name }}"
      with_items:
        - { name: kevin, password: example }
        - { name: laxathom, password: two }

$ ansible-playbook test.yml

PLAY [localhost] **

TASK: [test] **
ok: [localhost] => (item={'password': 'example', 'name': 'kevin'})
ok: [localhost] => (item={'password': 'two', 'name': 'laxathom'})

PLAY RECAP
localhost                  : ok=1    changed=0    unreachable=0    failed=0


There is a way to fix this though: no_log
http://docs.ansible.com/faq.html#how-do-i-keep-secret-data-in-my-playbook

no_log gives you the ability to make sure that tasks with passwords
aren't logging their output rather than relying on the module to do
the right thing.  You are also able to turn no_log on and off -- for
instance if you need to debug why a task isn't working and actually
need to see what password is being substituted in for that.  I would
use no_log for any task that contains a secret value.


Here's what the task looks like with no_log:

---
- hosts: localhost
  gather_facts: no
  tasks:
    - name: test
      ping:
        data: "{{ item.name }}"
      no_log: True
      with_items:
        - { name: kevin, password: example }
        - { name: laxathom, password: two }


And here's the task output with no_log:

$ ansible-playbook test.yml

PLAY [localhost] **

TASK: [test] **
ok: [localhost]
ok: [localhost]

PLAY RECAP
localhost                  : ok=1    changed=0    unreachable=0    failed=0


-Toshio

On Thu, Jan 29, 2015 at 7:12 AM, Bill Nottingham nott...@splat.cc wrote:
 Kevin Fenzi (ke...@scrye.com) said:
 On Wed, 28 Jan 2015 16:57:56 +0100
 Miroslav Suchý msu...@redhat.com wrote:

 ...snip...

  Is there a way to mask the output (using -name or something) so the
  password is not printed to the console?


 Sadly, I don't know of any way to do that. ;(

 It does sound like something that would be a nice feature...
 Perhaps it could be done in a handler?

 It's generally up to the modules to mask sensitive output (the user module
 does this, as an example). File an issue in github against 
 ansible-modules-core?

 Bill
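Added example (not from the thread, and not Fedora Infrastructure's playbook): a complete play that puts Toshio's no_log advice next to two related controls for looped tasks. The ping module stands in for keystone_user exactly as in Toshio's test, the user list is constructed sample data, and loop_control.label is assumed to be available (it needs Ansible 2.2 or later, so it did not exist when this thread was written).

```yaml
---
# Three ways to keep the per-item secret out of ansible-playbook output.
# Constructed example; `users` stands in for a private vars file.
- hosts: localhost
  gather_facts: false
  vars:
    users:
      - { name: kevin,    password: example }
      - { name: laxathom, password: two }
  tasks:
    # 1. no_log on the task. Hides the module result *and* the
    #    "(item={...})" echo for every iteration. It also hides the error
    #    text when the task fails, which is why the debugging toggle below
    #    exists. This does not depend on the module masking anything.
    - name: Create users (output fully suppressed)
      ping:
        data: "{{ item.name }}"
      no_log: true
      with_items: "{{ users }}"

    # 2. loop_control.label (Ansible >= 2.2, assumed). Replaces the whole
    #    item dict in the "(item=...)" echo with one chosen field, so the
    #    run stays readable. The module's own return value is still printed,
    #    so this only helps when the module does not return the secret;
    #    never put the secret itself in the label.
    - name: Create users (only the name is echoed per item)
      ping:
        data: "{{ item.name }}"
      with_items: "{{ users }}"
      loop_control:
        label: "{{ item.name }}"

    # 3. no_log driven by a variable, so it can be lifted for one debug run
    #    (ansible-playbook ... -e debug_secrets=true) without editing the
    #    play. debug_secrets is a hypothetical variable name for this example.
    - name: Create users (no_log unless explicitly debugging)
      ping:
        data: "{{ item.name }}"
      no_log: "{{ not (debug_secrets | default(false) | bool) }}"
      with_items: "{{ users }}"
```

Task 1 is the fix Toshio describes; task 3 is the same fix with the on/off switch he mentions made explicit. Task 2 is the later, finer-grained control and is only a substitute for no_log when you have checked what the module returns.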

Re: Ansible question

2015-01-28 Thread Kevin Fenzi
On Wed, 28 Jan 2015 23:12:02 +0100
Maciej Lasyk docent@gmail.com wrote:

 Wouldn't it be more secure to use Vault here?

We don't actually use vault at all. It would require (as far as I know)
everyone to know the password. Instead we keep private stuff in private
vars files. 

kevin



Re: Ansible question

2015-01-28 Thread Kevin Fenzi
On Wed, 28 Jan 2015 16:57:56 +0100
Miroslav Suchý msu...@redhat.com wrote:

...snip...

 Is there a way to mask the output (using -name or something) so the
 password is not printed to the console?


Sadly, I don't know of any way to do that. ;( 

It does sound like something that would be a nice feature... 
Perhaps it could be done in a handler?

kevin



Re: Ansible question

2015-01-28 Thread Maciej Lasyk
Wouldn't it be more secure to use Vault here?

Cheers,
Maciej Lasyk

GPG key ID: 4FED49C5
GPG public key: http://maciek.lasyk.info/gpg_maciej_lasyk.asc

On Wed, Jan 28, 2015 at 4:57 PM, Miroslav Suchý msu...@redhat.com wrote:

 I have this ansible snippet:
   - name: Create users
     keystone_user:
       login_user=admin login_password={{ ADMIN_PASS }}
       login_tenant_name=admin
       user={{ item.name }}
       email={{ item.email }}
       tenant={{ item.tenant }}
       password={{ item.password }}
       state=present
     with_items:
       - { name: kevin, email: 'ke...@fedoraproject.org', tenant: infrastructure, password: "{{ kevin_password }}" }
       - { name: laxathom, email: 'laxat...@fedoraproject.org', tenant: infrastructure, password: "{{ laxathom_password }}" }


 But when I run it, it produces:
 TASK: [Create users]
 **
 changed: [fed-cloud09.cloud.fedoraproject.org] => (item={'password':
 u'', 'name': 'kevin', 'tenant':
 'infrastructure', 'email': 'ke...@fedoraproject.org'})

 changed: [fed-cloud09.cloud.fedoraproject.org] => (item={'password':
 u'', 'name': 'laxathom', 'tenant':
 'infrastructure', 'email': 'laxat...@fedoraproject.org'})



 Is there a way to mask the output (using -name or something) so the password
 is not printed to the console?
 --
 Miroslav Suchy, RHCE, RHCDS
 Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys

Re: Ansible question

2013-12-09 Thread Miroslav Suchý

On 12/07/2013 10:28 AM, Michael Scherer wrote:

On Friday, 06 December 2013 at 18:01 +0100, Miroslav Suchy wrote:

Working on Copr, I want to replace/add one line in a file. I spent more
than an hour trying various things, but I'm out of ideas.

What I'm trying to do is:

self.conn.module_name = "lineinfile"
self.conn.module_args = ("dest=/etc/mock/%s.cfg "
                         "line=\"config_opts['chroot_setup_cmd'] = 'install @build %s'\" "
                         "regexp=\"^.*chroot_setup_cmd.*$\""
                         % (self.chroot, self.buildroot_pkgs))

Which in yaml language should be (with placeholders expanded):

- name: putting scl-utils-build into minimal buildroot of fedora-19-i386
  lineinfile:
    dest=/etc/mock/fedora-19-i386.cfg
    line="config_opts['chroot_setup_cmd'] = 'install @build scl-utils-build'"
    regexp="^.*chroot_setup_cmd.*$"

I tried several things - among all:
- change regexp
- do not use regexp at all as that should put $line at the end of
file, which would work as well
- use command module with sed, but there is too much of escaping and
it is unreadable

Can somebody advise me what should be correct form to replace or add
that line to mock config please?

I tested the following playbook, and it works. So I think we may need
more information on what you try and how.


I found it.
For the record: it was a permission problem. The connection was made as the
copr user and not as root, and the copr user obviously can't modify
/etc/mock/* files.



--
Miroslav Suchy, RHCE, RHCDS
Red Hat, Software Engineer, #brno, #devexp, #fedora-buildsys
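Added example (not from the thread, and not Copr's own code): the lineinfile task from Miroslav's question written out in dict form, with the quoting the key=value form needs spelled out and the privilege escalation the thread found missing added. The chroot and package names are the ones quoted in the thread; `become` is assumed to be available (it replaced `sudo: yes` in Ansible 1.9, after this thread was written), and `backup` is an addition for this example.

```yaml
---
# Replace or append the chroot_setup_cmd line in a root-owned mock config.
# The 2013 problem was not the regexp: the play ran as the unprivileged copr
# user, so lineinfile could not open /etc/mock/*.cfg for writing.
- hosts: localhost
  gather_facts: false
  vars:
    chroot: fedora-19-i386
    buildroot_pkgs: scl-utils-build
  tasks:
    - name: "putting {{ buildroot_pkgs }} into minimal buildroot of {{ chroot }}"
      lineinfile:
        dest: "/etc/mock/{{ chroot }}.cfg"
        # Matches an existing chroot_setup_cmd line so it is replaced in
        # place; when nothing matches, lineinfile appends `line` to the file.
        regexp: '^.*chroot_setup_cmd.*$'
        # Double quotes on the outside so the single quotes in the Python
        # expression survive YAML parsing unchanged.
        line: "config_opts['chroot_setup_cmd'] = 'install @build {{ buildroot_pkgs }}'"
        # Keep a copy of the previous config next to the edited one.
        backup: yes
      # Escalate for this task only; the rest of the play keeps running as the
      # connecting (copr) user. Without this the task fails with a permission
      # error rather than silently skipping the edit.
      become: true
```

Escalating per task rather than for the whole play keeps the blast radius small when the same play also does work that does not need root.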