Ansible 1.5.3 fixes this, thanks!

On Friday, March 14, 2014 7:37:32 AM UTC-7, Michael DeHaan wrote:
>
> 1.5.3 is in PyPI now and this contains some improvements to check additional files and locations, let us know if you are still seeing any problems.
>
> (Ubuntu users may also wish to run update-ca-certs to get the latest files)
>
> --Michael
>
>
> On Wed, Mar 12, 2014 at 6:02 PM, <[email protected]> wrote:
>
>> I'm doing this:
>>
>>     - name: Ensure Google Protocol Buffers source downloaded
>>       get_url: url=https://protobuf.googlecode.com/files/protobuf-2.5.0.tar.bz2 dest={{ tmp }}/protobuf.tar.bz2
>>
>> which worked fine with 1.5 - but with 1.5.2 from PyPI, I now get this:
>>
>>     failed: [default] => {"failed": true, "item": ""}
>>     msg: failed to validate the SSL certificate for protobuf.googlecode.com:443. You can use validate_certs=no, however this is unsafe and not recommended
>>
>>     FATAL: all hosts have already failed -- aborting
>>
>> Adding validate_certs=no to the get_url fixes this, but it's Google Code and seems to have a valid cert - according to my browsers - any idea why ansible doesn't like it?
>>
>> I'm also getting this with bitbucket.
>>
>> On Monday, March 10, 2014 4:23:45 PM UTC-7, Michael DeHaan wrote:
>>>
>>> Ansible 1.5.1 Release Notes
>>>
>>> Today we're releasing Ansible 1.5.1 which contains three security fixes/upgrades as well as a few assorted bugfixes that have been applied since the 1.5 release. An upgrade is suggested for all users using vault, interacting with web-properties over https://, or those users allowing outside untrusted input to be passed as variables to their ansible playbooks.
>>>
>>> The security improvements are as follows:
>>>
>>> Ansible Vault has been updated in terms of how the cipher logic has been implemented to make the content harder to brute force. Using the "edit" or "rekey" functions in vault will automatically upgrade an existing vault-encrypted file to the new format, and the new format is also the method used for any new files that vault creates. Users are encouraged to upgrade their content as follows, and should also consider changing any passwords or keys in vault-encrypted files to take advantage of security upgrades, as the previous versions would still exist in SCM history or may have been copied by another party.
>>>
>>>     cd your_playbook_directory/
>>>
>>>     find . -type f | xargs grep -l '$ANSIBLE_VAULT;1.0;AES' | xargs ansible-vault rekey
>>>
>>> Note that the version of pycrypto Vault now needs is newer than what is carried in the base channel of Red Hat and CentOS, so if you are using this distribution you may benefit from:
>>>
>>>     yum install python-devel
>>>
>>>     rpm -e --nodeps python-crypto
>>>
>>>     pip install pycrypto
>>>
>>> If you have a downlevel version the system will warn you about this. If you are using vault, you need not worry about this dependency.
>>>
>>> Core ansible modules (other than the shell module) have been upgraded to avoid running user input through the shell. Some ansible users have proxied ansible behind a wrapper script or web proxy (including Ansible Tower), that allows users who do not personally have access to machines to be able to supply variables as input into playbook executions. This includes doing things such as providing a value to "--extra-args" that might contain a semicolon, allowing them to run commands as a remote user. Removing the ability to use the shell in all of these modules prevents command injection in this case. The shell module by design executes commands through the shell, so if user supplied variables are being fed to things executed by the shell module, consider using the "command" module instead or whether users supplying input are trustworthy. User developed modules can take advantage of these upgrades by using the "run_command" function in "module_utils", which will by default not allow any form of shell usage, which is now standard and required for all ansible modules in core. Regardless of this fix application, users of ansible should realize that any user that is allowed to write playbooks can control the systems upon which the playbooks are applied, which is intentional and by design.
>>>
>>> Finally, code that performs URL downloads of https:// URLs has been upgraded to validate the certificates where possible, unless a new parameter "validate_certs=no" is passed to the module. This ensures that web servers that are interacted with are signed by a known certificate authority. It is very likely that this may require playbook alteration to add a "validate_certs=no" to any modules like "get_url" that interact with self-signed web services, such as continuous integration servers. In the event that this should occur, the playbook will report an appropriate error message and reference the ability to add "validate_certs=no" to get around the error message.
>>>
>>> Ansible 1.5.1 is available now on http://releases.ansible.com as well as the python package index, via "pip install ansible". It is anticipated that distribution copies of the package, as well as other repositories, will pick this up soon.
>>>
>>> --
>> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To post to this group, send email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/f3832d5a-e3f6-4052-be65-06e1409ea504%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>
>
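The shell-versus-command distinction in the 1.5.1 notes quoted above (a semicolon in a user-supplied variable becoming a second command), as an added example that is not part of this thread or of Ansible's own code. It assumes a POSIX shell and an `echo` binary; the untrusted value is a constructed sample.

```python
import shlex
import subprocess

# Constructed sample of a variable value an untrusted user could supply via
# extra vars: everything after the ';' becomes a second command if a shell sees it.
UNTRUSTED_VALUE = "protobuf.tar.bz2; echo INJECTED"


def _lines(completed):
    return completed.stdout.strip().splitlines()


def run_via_shell(value):
    """Pre-1.5.1 style: splice the value into a command string handed to /bin/sh.
    Assumes a POSIX shell; the ';' lets the caller append arbitrary commands."""
    cmd = "echo fetching " + value
    return _lines(subprocess.run(cmd, shell=True, capture_output=True, text=True))


def run_via_argv(value):
    """What the 'command' module (and run_command's default) does: pass an argv
    list. No shell parses the value, so ';' is just a character in argument 2."""
    argv = ["echo", "fetching", value]
    return _lines(subprocess.run(argv, capture_output=True, text=True))


def run_via_quoted_shell(value):
    """If a shell really is required (the 'shell' module case), quote every
    untrusted value with shlex.quote so the shell treats it as a single word."""
    cmd = "echo fetching " + shlex.quote(value)
    return _lines(subprocess.run(cmd, shell=True, capture_output=True, text=True))


if __name__ == "__main__":
    print("shell  :", run_via_shell(UNTRUSTED_VALUE))   # two lines: injection ran
    print("argv   :", run_via_argv(UNTRUSTED_VALUE))    # one line: literal value
    print("quoted :", run_via_quoted_shell(UNTRUSTED_VALUE))
```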
