Since python bytecode can be easily converted back to python source, there
isn't any security there.
That aside, and I don't recommend this, you could create a python stub
loader which loaded embedded python bytecode. Here's a quick proof of
concept (again, I don't recommend this):
#!/usr/bin/python
import base64
import marshal
# with open('module.pyc') as fd:
# bytecode = base64.b64encode(fd.read()[8:])
bytecode = 'INSERT YOUR BYTECODE HERE, SEE COMMENT ABOVE'
exec marshal.loads(base64.b64decode(bytecode))
- Matt
On Wednesday, February 15, 2017 at 5:10:12 PM UTC-8, tkuratomi wrote:
>
> Ansible is not designed to handle this case. There's too many things that
> become impossible. I can think of a work around, though.
>
> The workaround is to make your modules into a binary modue. Something
> like cx_freeze will create a single file executable with all of the things
> necessary to execute the code ( I'd recommend looking at this page, picking
> a tool that might do what you need and then reading that tool's
> documetation for more information:
> http://docs.python-guide.org/en/latest/shipping/freezing/ ) The single
> file executable can then be used by ansible as a binary module (one that
> can be executed directly from the shell on the remote machine) rather than
> having to try pushing it through an interpreter.
>
> As for some of the reasons Ansible cannot support directly executing a
> byte compiled file:
> * We can't scan .pyos or .pycs to determine what module_utils files need
> to be included when we send the module over the wire.
> * byte compiled files aren't directly executable so they need to be run by
> an interpreter. But the byte compiled file doesn't have a shebang line so
> we can't detect what interpreter to use.
> * byte compiled files are restricted to the python major version so we
> can't know whether they'll actually run on the remote machine's python
> * .pycs and .pyos don't actually provide any security... at best they're a
> mild, reversible obfuscation. Someone who's taken the trouble to acquire
> the byte compiled files can easily reverse them to find out what's going on.
>
> -Toshio
>
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/b680e69f-fcc7-4b5e-8d24-3c04ac45445a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
