Ansible become-success command is logging variables


Jonathan Nuñez Aguin

Oct 12, 2017, 11:17:13 AM10/12/17
to Ansible Project
Hello,

I have a small play that runs on a remote server as a user X. During the become process, Ansible seems to invoke a remote command (command.py) that gets logged in the remote machine's syslog. If the task for this play contains an environment variable, like PASSWORD for example, it will also be included in that log. Syslog is owned by root and not world-readable, but I would still like this to be prevented. Is there a way to tell Ansible to include that environment variable inside the command.py?

Example play:

- hosts: dms
  gather_facts: no
  become: true
  become_user: remote_user
  tasks:
    - name: Test command
      shell: echo hello
      environment:
        PASSWORD: "supersecretpassword"

The logging observed on the syslog file (/var/log/messages):

Oct 12 15:13:39 remote-host sudo:   myuser : TTY=pts/1 ; PWD=/home/myuser ; USER=remote_user ; COMMAND=/bin/bash -c echo BECOME-SUCCESS-gethoacihsravpsppeeepnhdcqkzgrpt; PASSWORD=supersecretpassword /usr/bin/python /tmp/ansible-tmp-1507821212.27-201142262398347/command.py
Oct 12 15:13:39 remote-host ansible-command: Invoked with warn=True executable=None _uses_shell=True _raw_params=echo hello removes=None creates=None chdir=None stdin=None

Thanks!

Brian Coca

Oct 12, 2017, 11:51:18 AM10/12/17
to Ansible Project
No, you CAN use the shell module instead and define the var inline:

- shell: PASSWORD=xxx /run/stuff

Another option is to 'silence' that command via `no_log: True` or even
globally avoid logging on target via the 'no_target_syslog' setting.

-
----------
Brian Coca

Jonathan Nuñez Aguin

Oct 12, 2017, 12:04:45 PM10/12/17
to Ansible Project
Hey Brian,

Unfortunately, "no_target_syslog" didn't make any difference: I am still seeing the become-success message in the syslog. However, the other ansible-command line has gone, although that one didn't contain the password. The same behaviour was observed with no_log.

Moving the variable inline solves the issue only partially, as the task output now shows it.

Is there anything else I can try out?

Thanks!

Brian Coca

Oct 12, 2017, 12:18:17 PM10/12/17
to Ansible Project
Ah, sorry, I forgot that running sudo itself produces log entries
over which Ansible has no control. My previous email just lets you
turn off the ones Ansible creates directly.

--
----------
Brian Coca
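The thread shows two different log lines a secret can reach: the sudo entry written by sudo itself (which carries the environment prefix Ansible puts in front of the interpreter) and the "Invoked with ..." entry Ansible writes on the target (which carries _raw_params, so an inline PASSWORD=xxx also lands there unless no_log or no_target_syslog is set). The checker below is an added example, not code from the thread or from Ansible: it scans syslog text for both formats, pulls out any NAME=value prefix, redacts the value and flags names that look like credentials. The regular expressions are modelled on the two lines quoted in the first post; the secret-name list, the two extra sample lines and the BECOME-SUCCESS placeholder token are constructed for the example.

```python
import re

# Constructed sample syslog extract. The first two lines are the ones quoted in
# the thread; lines three and four are made up in the same format to show a
# harmless environment prefix (LANG=C) and an inline secret inside _raw_params.
SAMPLE_SYSLOG = """\
Oct 12 15:13:39 remote-host sudo:   myuser : TTY=pts/1 ; PWD=/home/myuser ; USER=remote_user ; COMMAND=/bin/bash -c echo BECOME-SUCCESS-gethoacihsravpsppeeepnhdcqkzgrpt; PASSWORD=supersecretpassword /usr/bin/python /tmp/ansible-tmp-1507821212.27-201142262398347/command.py
Oct 12 15:13:39 remote-host ansible-command: Invoked with warn=True executable=None _uses_shell=True _raw_params=echo hello removes=None creates=None chdir=None stdin=None
Oct 12 15:14:02 remote-host sudo:   myuser : TTY=pts/1 ; PWD=/home/myuser ; USER=remote_user ; COMMAND=/bin/bash -c echo BECOME-SUCCESS-placeholdertokenxxxxxxxxxxxxxxxxx; LANG=C /usr/bin/python /tmp/ansible-tmp-0000000000.00-000000000000000/command.py
Oct 12 15:14:02 remote-host ansible-command: Invoked with warn=True executable=None _uses_shell=True _raw_params=PASSWORD=xxx /run/stuff removes=None creates=None chdir=None stdin=None
"""

# sudo's own log line: "<caller> : ... USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:.*?USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$"
)
# Ansible's become wrapper: "echo BECOME-SUCCESS-<token>; <env prefix> <interpreter> <module>"
BECOME_RE = re.compile(r"BECOME-SUCCESS-[A-Za-z0-9]+\s*;\s*(?P<rest>.*)$")
# Ansible's own "Invoked with ..." line on the target; _raw_params runs up to the next key=
ANSIBLE_RE = re.compile(
    r"ansible-[\w.-]+: Invoked with .*?_raw_params=(?P<raw>.*?)(?= [A-Za-z_]+=|$)"
)
# One "NAME=value " token of a shell environment prefix
ENV_ASSIGN_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(\S*)\s*")
# Constructed list of name fragments that usually denote a credential; extend as needed
SECRET_NAME_RE = re.compile(r"PASS|SECRET|TOKEN|KEY|CRED", re.IGNORECASE)


def leading_env_assignments(command):
    """Return [(name, value), ...] for the NAME=value prefix of a shell command.

    Stops at the first token that is not an assignment (the program itself),
    so 'A=1 B=2 /bin/true' yields two entries and '/bin/true A=1' yields none.
    """
    assignments = []
    rest = command.lstrip()
    while True:
        m = ENV_ASSIGN_RE.match(rest)
        if not m:
            return assignments
        assignments.append((m.group(1), m.group(2)))
        rest = rest[m.end():]


def redact(value):
    """Never copy the secret into the finding; keep only its length for triage."""
    return "<redacted, %d chars>" % len(value)


def find_leaked_env(syslog_text):
    """Scan syslog text and return one finding per NAME=value that reached a log line."""
    findings = []
    for line in syslog_text.splitlines():
        sudo = SUDO_RE.search(line)
        if sudo:
            become = BECOME_RE.search(sudo.group("cmd"))
            if not become:
                continue  # an ordinary sudo call, not an Ansible become
            source, command = "sudo", become.group("rest")
            who = (sudo.group("user"), sudo.group("target"))
        else:
            ans = ANSIBLE_RE.search(line)
            if not ans:
                continue
            source, command = "ansible", ans.group("raw")
            who = (None, None)
        for name, value in leading_env_assignments(command):
            findings.append({
                "source": source,           # "sudo": sudo wrote it; "ansible": Ansible wrote it
                "user": who[0],
                "become_user": who[1],
                "name": name,
                "value": redact(value),
                "secret": bool(SECRET_NAME_RE.search(name)),
            })
    return findings


if __name__ == "__main__":
    for f in find_leaked_env(SAMPLE_SYSLOG):
        flag = "SECRET" if f["secret"] else "ok"
        print("%-7s %-8s %s=%s" % (f["source"], flag, f["name"], f["value"]))
```

The "source" field is the useful part for triage: findings with source "ansible" are the ones no_log or no_target_syslog can suppress, while findings with source "sudo" come from sudo's own logging and, as the last reply says, Ansible has no control over them. Run the scan on the collector rather than on the managed host, and keep values redacted so the report itself does not become another copy of the secret.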