no_log: True being ignored


Tom Bamford

Jan 13, 2015, 9:55:20 PM
to ansible...@googlegroups.com

Hi

Running Ansible 1.8.2 and I am trying to prevent sensitive information for a task from reaching the log at ANSIBLE_LOG_PATH or the console where ansible-playbook is running.

My task:

- name: Dump database
  command: pg_dump -with -some -params
  environment:
    PGPASSWORD: mysecret
  no_log: True

When running with ANSIBLE_LOG_PATH=notsosecret.log ansible-playbook mybook.yml -vvv this is my console output:

TASK: [Dump database] **********************************************
<ec2-x-x-x-x.us-west-2.compute.amazonaws.com> ESTABLISH CONNECTION FOR USER: ubuntu
<ec2-x-x-x-x.us-west-2.compute.amazonaws.com> REMOTE_MODULE command pg_dump -with -some -params NO_LOG=True
<ec2-x-x-x-x.us-west-2.compute.amazonaws.com> EXEC ssh -C -q -o ControlMaster=auto -o ControlPersist=4h -o ControlPath="/home/ubuntu/.ansible/cp/ansible-ssh-%h-%p-%r" -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 ec2-x-x-x-x.us-west-2.compute.amazonaws.com /bin/sh -c 'LANG=C PGPASSWORD=mysecret LC_CTYPE=C /usr/bin/python'

And my log file:

2015-01-14 02:40:45,102 p=3055 u=ubuntu |  TASK: [Dump database] **********************************************
2015-01-14 02:40:45,108 p=3055 u=ubuntu |  <ec2-x-x-x-x.us-west-2.compute.amazonaws.com> ESTABLISH CONNECTION FOR USER: ubuntu
2015-01-14 02:40:45,110 p=3055 u=ubuntu |  <ec2-x-x-x-x.us-west-2.compute.amazonaws.com> REMOTE_MODULE command pg_dump -with -some -params NO_LOG=True
2015-01-14 02:40:45,121 p=3055 u=ubuntu |  <ec2-x-x-x-x.us-west-2.compute.amazonaws.com> EXEC ssh -C -q -o ControlMaster=auto -o ControlPersist=4h -o ControlPath="/home/ubuntu/.ansible/cp/ansible-ssh-%h-%p-%r" -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 ec2-x-x-x-x.us-west-2.compute.amazonaws.com /bin/sh -c 'LANG=C PGPASSWORD=mysecret LC_CTYPE=C /usr/bin/python'

Is this a bug/regression? I read https://github.com/ansible/ansible/issues/8647 which seems related and should be included in 1.8.2 if I’m not mistaken.

Regards
Tom

Brian Coca

Jan 14, 2015, 7:52:56 AM
to ansible...@googlegroups.com
currently no_log applies to module output and arguments, not to
environment variables.

--
Brian Coca

Tom Bamford

Jan 14, 2015, 3:14:19 PM
to ansible...@googlegroups.com

Thanks, I think the docs could perhaps be clarified a little in this regard. From http://docs.ansible.com/faq.html#how-do-i-keep-secret-data-in-my-playbook - “if you have a task that you don’t want to show the results or command given to it when using -v (verbose) mode, the following task or playbook attribute can be useful” along with an example which implies that command line arguments are censored when in fact they are not.

It would be great if tasks could be completely censored in some way, environment variables and all. Often the reason that one passes environment variables instead of arguments is to avoid sensitive data showing up in log files and the likes of ps etc.

Regards
Tom

Tom Bamford

Jan 15, 2015, 3:28:20 PM
to ansible...@googlegroups.com

I wanted to test this in a more controlled fashion to be sure, so I used this playbook:

---
- hosts: localhost
  connection: local
  gather_facts: no
  tasks:
    - command: echo -e out in the open
    - command: echo -e blah my secret
      no_log: True

This is my console output:

tom@hamlet:~/tmp/ansible  ANSIBLE_LOG_PATH=no_log.log ansible-playbook no_log.yml -vvv

PLAY [localhost] **************************************************************

TASK: [command echo -e out in the open] ***************************************
<localhost> REMOTE_MODULE command echo -e out in the open
<localhost> EXEC ['/bin/sh', '-c', 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017 && echo $HOME/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017']
<localhost> PUT /var/folders/4z/l8ng_d2n7mx61pfvhmf2r41m0000gn/T/tmpf6o4Mg TO /Users/tom/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017/command
<localhost> EXEC ['/bin/sh', '-c', u'LANG=C LC_CTYPE=C /usr/bin/python /Users/tom/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017/command; rm -rf /Users/tom/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017/ >/dev/null 2>&1']
changed: [localhost] => {"changed": true, "cmd": ["echo", "-e", "out", "in", "the", "open"], "delta": "0:00:00.006201", "end": "2015-01-15 22:21:47.848086", "rc": 0, "start": "2015-01-15 22:21:47.841885", "stderr": "", "stdout": "-e out in the open", "warnings": []}

TASK: [command echo -e blah my secret] ****************************************
<localhost> REMOTE_MODULE command echo -e blah my secret NO_LOG=True
<localhost> EXEC ['/bin/sh', '-c', 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920 && echo $HOME/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920']
<localhost> PUT /var/folders/4z/l8ng_d2n7mx61pfvhmf2r41m0000gn/T/tmpabg4Bx TO /Users/tom/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920/command
<localhost> EXEC ['/bin/sh', '-c', u'LANG=C LC_CTYPE=C /usr/bin/python /Users/tom/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920/command; rm -rf /Users/tom/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920/ >/dev/null 2>&1']
changed: [localhost] => {"censored": "results hidden due to no_log parameter", "changed": true, "rc": 0}

PLAY RECAP ********************************************************************
localhost                  : ok=2    changed=2    unreachable=0    failed=0

and the contents of no_log.log:

2015-01-15 22:21:47,596 p=1876 u=tom |
2015-01-15 22:21:47,596 p=1876 u=tom |  /usr/local/bin/ansible-playbook no_log.yml -vvv
2015-01-15 22:21:47,597 p=1876 u=tom |
2015-01-15 22:21:47,664 p=1876 u=tom |  PLAY [localhost] **************************************************************
2015-01-15 22:21:47,664 p=1876 u=tom |  TASK: [command echo -e out in the open] ***************************************
2015-01-15 22:21:47,677 p=1876 u=tom |  <localhost> REMOTE_MODULE command echo -e out in the open
2015-01-15 22:21:47,680 p=1876 u=tom |  <localhost> EXEC ['/bin/sh', '-c', 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017 && echo $HOME/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017']
2015-01-15 22:21:47,730 p=1876 u=tom |  <localhost> PUT /var/folders/4z/l8ng_d2n7mx61pfvhmf2r41m0000gn/T/tmpf6o4Mg TO /Users/tom/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017/command
2015-01-15 22:21:47,731 p=1876 u=tom |  <localhost> EXEC ['/bin/sh', '-c', u'LANG=C LC_CTYPE=C /usr/bin/python /Users/tom/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017/command; rm -rf /Users/tom/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017/ >/dev/null 2>&1']
2015-01-15 22:21:47,859 p=1876 u=tom |  changed: [localhost] => {"changed": true, "cmd": ["echo", "-e", "out", "in", "the", "open"], "delta": "0:00:00.006201", "end": "2015-01-15 22:21:47.848086", "rc": 0, "start": "2015-01-15 22:21:47.841885", "stderr": "", "stdout": "-e out in the open", "warnings": []}
2015-01-15 22:21:47,860 p=1876 u=tom |  TASK: [command echo -e blah my secret] ****************************************
2015-01-15 22:21:47,861 p=1876 u=tom |  <localhost> REMOTE_MODULE command echo -e blah my secret NO_LOG=True
2015-01-15 22:21:47,863 p=1876 u=tom |  <localhost> EXEC ['/bin/sh', '-c', 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920 && echo $HOME/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920']
2015-01-15 22:21:47,872 p=1876 u=tom |  <localhost> PUT /var/folders/4z/l8ng_d2n7mx61pfvhmf2r41m0000gn/T/tmpabg4Bx TO /Users/tom/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920/command
2015-01-15 22:21:47,873 p=1876 u=tom |  <localhost> EXEC ['/bin/sh', '-c', u'LANG=C LC_CTYPE=C /usr/bin/python /Users/tom/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920/command; rm -rf /Users/tom/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920/ >/dev/null 2>&1']
2015-01-15 22:21:48,008 p=1876 u=tom |  changed: [localhost] => {"censored": "results hidden due to no_log parameter", "changed": true, "rc": 0}
2015-01-15 22:21:48,009 p=1876 u=tom |  PLAY RECAP ********************************************************************
2015-01-15 22:21:48,009 p=1876 u=tom |  localhost                  : ok=2    changed=2    unreachable=0    failed=0

In conclusion, with no_log specified, the command and its arguments are still written to stdout and the log file.
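An added check, not part of this thread or of Ansible itself, that scans an ANSIBLE_LOG_PATH file in the layout shown above and reports where a secret survived no_log: credential-style environment assignments on EXEC lines, and literal secret values that appear in task names or REMOTE_MODULE arguments even though the result line was censored. The log excerpts, host names, PIDs and the list of credential-looking variable names are constructed assumptions modelled on the logs quoted in this thread.

```python
import re
import sys

# Constructed ANSIBLE_LOG_PATH excerpts modelled on the 1.8.2 -vvv output
# quoted in this thread; hosts, PIDs, paths and secret values are made up.
PGDUMP_LOG = """\
2015-01-14 02:40:45,102 p=3055 u=ubuntu |  TASK: [Dump database] *****
2015-01-14 02:40:45,110 p=3055 u=ubuntu |  <db1> REMOTE_MODULE command pg_dump -with -some -params NO_LOG=True
2015-01-14 02:40:45,121 p=3055 u=ubuntu |  <db1> EXEC ssh -C -q db1 /bin/sh -c 'LANG=C PGPASSWORD=mysecret LC_CTYPE=C /usr/bin/python'
2015-01-14 02:40:46,301 p=3055 u=ubuntu |  changed: [db1] => {"censored": "results hidden due to no_log parameter", "changed": true, "rc": 0}
"""
ECHO_LOG = """\
2015-01-15 22:21:47,860 p=1876 u=tom |  TASK: [command echo -e blah my secret] *****
2015-01-15 22:21:47,861 p=1876 u=tom |  <localhost> REMOTE_MODULE command echo -e blah my secret NO_LOG=True
2015-01-15 22:21:48,008 p=1876 u=tom |  changed: [localhost] => {"censored": "results hidden due to no_log parameter", "changed": true, "rc": 0}
"""

# "<timestamp> p=<pid> u=<user> |  <message>", the line layout ANSIBLE_LOG_PATH writes.
LOG_LINE = re.compile(r"^(?P<ts>\S+ \S+) p=(?P<pid>\d+) u=(?P<user>\S+) \|\s*(?P<msg>.*)$")
# Environment assignments whose names usually carry credentials (assumed list; extend it).
SECRET_ENV = re.compile(r"\b([A-Z0-9_]*(?:PASSWORD|PWD|SECRET|TOKEN)[A-Z0-9_]*)=(\S+)")

def parse_line(line):
    # Split one log line into its fields; None for lines in another layout.
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None

def find_leaks(log_text, known_secrets=()):
    """Return [(line_no, reason, value)] for every line that exposes a secret:
    credential-looking env assignments (as on the EXEC line) and literal values the
    caller knows are secret (task names and REMOTE_MODULE arguments are not censored)."""
    leaks, seen = [], set()
    for no, raw in enumerate(log_text.splitlines(), 1):
        rec = parse_line(raw)
        msg = rec["msg"] if rec else raw
        for m in SECRET_ENV.finditer(msg):
            leaks.append((no, "env:" + m.group(1), m.group(2)))
            seen.add((no, m.group(2)))
        for secret in known_secrets:
            if secret and secret in msg and (no, secret) not in seen:
                leaks.append((no, "literal", secret))
                seen.add((no, secret))
    return leaks

if __name__ == "__main__":
    # usage: python leakcheck.py <ansible log file> [known secret value ...]
    with open(sys.argv[1]) as fh:
        for no, reason, value in find_leaks(fh.read(), sys.argv[2:]):
            print("line %d: %s %s" % (no, reason, value))
```

Run against the constructed excerpts, the pg_dump log is flagged only on the EXEC line (the PGPASSWORD assignment), while the echo log is flagged on the TASK and REMOTE_MODULE lines and not on the censored result.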
