Hello,
I have a small play that runs in a remote server as a user X, during the
become process, Ansible seems to invoke a remote command (command.py) that
gets logged in the remote machine syslog. If the task for this play
contains an environment variable, like PASSWORD for example, it will also
be included in such log. Syslog is owned by root and not world-readable,
but still I would like to be prevented. Is there a way to tell Ansible to
include that environment variable inside the command.py?
Example play:
- hosts: dms
gather_facts: no
become: true
become_user: remote_user
tasks:
- name: Test command
shell: echo hello
environment:
PASSWORD: "supersecretpassword"
The logging observed on the syslog file (/var/log/messages):
Oct 12 15:13:39 remote-host sudo: myuser : TTY=pts/1 ; PWD=/home/myuser ;
USER=remote_user ; COMMAND=/bin/bash -c echo
BECOME-SUCCESS-gethoacihsravpsppeeepnhdcqkzgrpt; PASSWORD=supersecretpassword
/usr/bin/python /tmp/ansible-tmp-1507821212.27-201142262398347/command.py
Oct 12 15:13:39 remote-host ansible-command: Invoked with warn=True
executable=None _uses_shell=True _raw_params=echo hello removes=None
creates=None chdir=None stdin=None
Thanks!
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/672109d6-5ca3-43f7-bdd7-428a125f5d68%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
