I wanted to test this in a more controlled fashion to be sure, so I used
this playbook:
---
- hosts: localhost
  connection: local
  gather_facts: no
  tasks:
    - command: echo -e out in the open
    - command: echo -e blah my secret
      no_log: True

This is my console output:
tom@hamlet:~/tmp/ansible ANSIBLE_LOG_PATH=no_log.log ansible-playbook
no_log.yml -vvv
PLAY [localhost] **************************************************************
TASK: [command echo -e out in the open] ***************************************
<localhost> REMOTE_MODULE command echo -e out in the open
<localhost> EXEC ['/bin/sh', '-c', 'mkdir -p
$HOME/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017 && chmod
a+rx $HOME/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017 &&
echo $HOME/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017']
<localhost> PUT
/var/folders/4z/l8ng_d2n7mx61pfvhmf2r41m0000gn/T/tmpf6o4Mg TO
/Users/tom/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017/command
<localhost> EXEC ['/bin/sh', '-c', u'LANG=C LC_CTYPE=C /usr/bin/python
/Users/tom/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017/command;
rm -rf /Users/tom/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017/
>/dev/null 2>&1']
changed: [localhost] => {"changed": true, "cmd": ["echo", "-e", "out",
"in", "the", "open"], "delta": "0:00:00.006201", "end": "2015-01-15
22:21:47.848086", "rc": 0, "start": "2015-01-15 22:21:47.841885",
"stderr": "", "stdout": "-e out in the open", "warnings": []}
TASK: [command echo -e blah my secret] ****************************************
<localhost> REMOTE_MODULE command echo -e blah my secret NO_LOG=True
<localhost> EXEC ['/bin/sh', '-c', 'mkdir -p
$HOME/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920 && chmod
a+rx $HOME/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920 &&
echo $HOME/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920']
<localhost> PUT
/var/folders/4z/l8ng_d2n7mx61pfvhmf2r41m0000gn/T/tmpabg4Bx TO
/Users/tom/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920/command
<localhost> EXEC ['/bin/sh', '-c', u'LANG=C LC_CTYPE=C /usr/bin/python
/Users/tom/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920/command;
rm -rf /Users/tom/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920/
>/dev/null 2>&1']
changed: [localhost] => {"censored": "results hidden due to no_log
parameter", "changed": true, "rc": 0}
PLAY RECAP ********************************************************************
localhost : ok=2 changed=2 unreachable=0 failed=0
and the contents of no_log.log
2015-01-15 22:21:47,596 p=1876 u=tom |
2015-01-15 22:21:47,596 p=1876 u=tom |
/usr/local/bin/ansible-playbook no_log.yml -vvv
2015-01-15 22:21:47,597 p=1876 u=tom |
2015-01-15 22:21:47,664 p=1876 u=tom | PLAY [localhost]
**************************************************************
2015-01-15 22:21:47,664 p=1876 u=tom | TASK: [command echo -e out in
the open] ***************************************
2015-01-15 22:21:47,677 p=1876 u=tom | <localhost> REMOTE_MODULE
command echo -e out in the open
2015-01-15 22:21:47,680 p=1876 u=tom | <localhost> EXEC ['/bin/sh',
'-c', 'mkdir -p
$HOME/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017 && chmod
a+rx $HOME/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017 &&
echo $HOME/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017']
2015-01-15 22:21:47,730 p=1876 u=tom | <localhost> PUT
/var/folders/4z/l8ng_d2n7mx61pfvhmf2r41m0000gn/T/tmpf6o4Mg TO
/Users/tom/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017/command
2015-01-15 22:21:47,731 p=1876 u=tom | <localhost> EXEC ['/bin/sh',
'-c', u'LANG=C LC_CTYPE=C /usr/bin/python
/Users/tom/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017/command;
rm -rf /Users/tom/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017/
>/dev/null 2>&1']
2015-01-15 22:21:47,859 p=1876 u=tom | changed: [localhost] =>
{"changed": true, "cmd": ["echo", "-e", "out", "in", "the", "open"],
"delta": "0:00:00.006201", "end": "2015-01-15 22:21:47.848086", "rc":
0, "start": "2015-01-15 22:21:47.841885", "stderr": "", "stdout": "-e
out in the open", "warnings": []}
2015-01-15 22:21:47,860 p=1876 u=tom | TASK: [command echo -e blah my
secret] ****************************************
2015-01-15 22:21:47,861 p=1876 u=tom | <localhost> REMOTE_MODULE
command echo -e blah my secret NO_LOG=True
2015-01-15 22:21:47,863 p=1876 u=tom | <localhost> EXEC ['/bin/sh',
'-c', 'mkdir -p
$HOME/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920 && chmod
a+rx $HOME/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920 &&
echo $HOME/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920']
2015-01-15 22:21:47,872 p=1876 u=tom | <localhost> PUT
/var/folders/4z/l8ng_d2n7mx61pfvhmf2r41m0000gn/T/tmpabg4Bx TO
/Users/tom/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920/command
2015-01-15 22:21:47,873 p=1876 u=tom | <localhost> EXEC ['/bin/sh',
'-c', u'LANG=C LC_CTYPE=C /usr/bin/python
/Users/tom/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920/command;
rm -rf /Users/tom/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920/
>/dev/null 2>&1']
2015-01-15 22:21:48,008 p=1876 u=tom | changed: [localhost] =>
{"censored": "results hidden due to no_log parameter", "changed":
true, "rc": 0}
2015-01-15 22:21:48,009 p=1876 u=tom | PLAY RECAP
********************************************************************
2015-01-15 22:21:48,009 p=1876 u=tom | localhost :
ok=2 changed=2 unreachable=0 failed=0
In conclusion, with no_log specified, the command and its arguments are
still written to stdout and the log file.
On 14 January 2015 at 22:13, Tom Bamford <[email protected]> wrote:
> Thanks, I think the docs could perhaps be clarified a little in this
> regard. From
> http://docs.ansible.com/faq.html#how-do-i-keep-secret-data-in-my-playbook
> - “if you have a task that you don’t want to show the results or command
> given to it when using -v (verbose) mode, the following task or playbook
> attribute can be useful” along with an example which implies that command
> line arguments are censored when in fact they are not.
>
> It would be great if tasks could be completely censored in some way,
> environment variables and all. Often the reason that one passes environment
> variables instead of arguments is to avoid sensitive data showing up in log
> files and the likes of ps etc.
>
> Regards
> Tom
>
>
> On 14 January 2015 at 14:52, Brian Coca <[email protected]> wrote:
>
>> currently no_log applies to module output and arguments, not to
>> environment variables.
>>
>> --
>> Brian Coca
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/CAAnNz0P-W_SQ_Lvh_SQcwztmps7RNJD-f8ZGqoduEZ9FoPB%3DVg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
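
A log check based on the output shown in the message above, added here as an example and not code from the thread or from Ansible: it finds `REMOTE_MODULE` lines tagged `NO_LOG=True` whose arguments were still written out, then scrubs those arguments wherever they appear, including the `TASK:` header. The function names, placeholder and regular expression are assumptions; the sample lines are taken from the `no_log.log` above, with the e-mail wrapping undone and the banner abridged.

```python
import re

# Sample lines taken from the no_log.log in the message above
# (e-mail line wrapping undone, asterisk banner abridged).
SAMPLE_LOG = """\
2015-01-15 22:21:47,677 p=1876 u=tom | <localhost> REMOTE_MODULE command echo -e out in the open
2015-01-15 22:21:47,860 p=1876 u=tom | TASK: [command echo -e blah my secret] ****
2015-01-15 22:21:47,861 p=1876 u=tom | <localhost> REMOTE_MODULE command echo -e blah my secret NO_LOG=True
2015-01-15 22:21:48,008 p=1876 u=tom | changed: [localhost] => {"censored": "results hidden due to no_log parameter", "changed": true, "rc": 0}
"""

PLACEHOLDER = "[REDACTED]"  # assumed marker, not something Ansible emits

# Matches the -vvv line with or without the log-file prefix, so the same
# check works on captured console output.
NO_LOG_TASK = re.compile(
    r"^(?:\S+ \S+ p=\d+ u=\S+ \|\s+)?"
    r"<(?P<host>[^>]+)> REMOTE_MODULE (?P<module>\S+)"
    r"(?P<args>.*?) NO_LOG=True\s*$"
)


def find_no_log_leaks(log_text):
    """Return no_log tasks whose module arguments were still logged."""
    leaks = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = NO_LOG_TASK.match(line)
        if not m:
            continue
        args = m.group("args").strip()
        if args and args != PLACEHOLDER:
            leaks.append({"line": lineno, "host": m.group("host"),
                          "module": m.group("module"), "args": args})
    return leaks


def redact(log_text):
    """Replace every occurrence of a leaked argument string in the log."""
    # Longest first, so one leaked string contained in another is handled.
    secrets = sorted({leak["args"] for leak in find_no_log_leaks(log_text)},
                     key=len, reverse=True)
    for secret in secrets:
        log_text = log_text.replace(secret, PLACEHOLDER)
    return log_text


if __name__ == "__main__":
    for leak in find_no_log_leaks(SAMPLE_LOG):
        print("line %(line)d: %(module)s arguments logged despite no_log" % leak)
    print(redact(SAMPLE_LOG), end="")
```

Redaction after the fact does not undo exposure on stdout or in copies of the log already shipped elsewhere, so treat a hit as a reason to rotate the value.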