*** jparrill has quit IRC | 01:39 | |
*** jparrill has joined #ara | 01:39 | |
*** bcoca has quit IRC | 01:43 | |
*** njt has quit IRC | 07:07 | |
*** njt has joined #ara | 07:21 | |
ara-slack | <yaroslav.shabalin> Does ARA respect the no_log parameter for tasks? Seems there is still a Results JSON with sensitive information even if no_log: True. | 08:08 |
ara-slack | <yaroslav.shabalin> I call "shell" module to be more specific. | 08:09 |
ara-slack | <yaroslav.shabalin> ARA 0.14.5 Ansible 2.4.1 | 08:12 |
*** jparrill has quit IRC | 08:23 | |
*** jparrill has joined #ara | 08:38 | |
*** jparrill has quit IRC | 08:50 | |
*** jparrill has joined #ara | 08:54 | |
*** rvgate has quit IRC | 09:58 | |
*** rvgate has joined #ara | 09:58 | |
ara-slack | <yaroslav.shabalin> One more thing. I get the following message when calling include_role in a loop: [WARNING]: Failure using method (v2_runner_on_ok) in callback plugin (<ansible.plugins.callback.log_ara.CallbackModule object at 0x7f34f9100f90>): TASK: Import all *.dat files found in repository directory is not JSON serializable | 11:01 |
ara-slack | <yaroslav.shabalin> Is it a known issue? Should I provide more details or a reproducible example? | 11:02 |
*** weshay_pto is now known as weshay | 12:48 | |
ara-slack | <dmsimard> @yaroslav.shabalin ARA records whatever Ansible sends, if there is still sensitive information, it might be the module/action itself that does not respect no_log or sends data in a field that isn't wiped by Ansible | 13:48 |
ara-slack | <dmsimard> For the include/import error you are getting, it seems you are running into https://github.com/ansible/ansible/issues/30385 which is an Ansible issue that is worked around in ARA, it seems the workaround does not cover all cases though. | 13:49 |
ara-slack | <dmsimard> It would be helpful if you could provide a reproducer if you're hitting it in 0.14.5, I thought that was addressed. | 13:50 |
ara-slack | <yaroslav.shabalin> @dmsimard Thanks. Maybe I have to look into the no_log issue more thoroughly. Concerning the include_role warning: I will try to make a minimal playbook to reproduce this. | 13:55 |
ara-slack | <dmsimard> @yaroslav.shabalin okay, let me know if you need help for the no_log thing. I've filed a CVE about this kind of stuff before ( https://bugzilla.redhat.com/show_bug.cgi?id=1440912 ) so I know how it works :slightly_smiling_face: | 13:57 |
openstack | bugzilla.redhat.com bug 1440912 in vulnerability "CVE-2017-7473 ansible: Potential information disclosure via no_log directive" [Medium,New] - Assigned to security-response-team | 13:57 |
*** rvgate has quit IRC | 14:39 | |
*** sshnaidm has quit IRC | 14:46 | |
*** sshnaidm has joined #ara | 14:48 | |
*** bcoca has joined #ara | 14:49 | |
*** bcoca has joined #ara | 14:49 | |
ara-slack | <yaroslav.shabalin> @dmsimard Seems that the warning is environment specific. I have made an example that reproduces it, but the message occurs only when the playbook is run in a Docker container. We use containers to run Ansible in a stable environment with all dependencies installed. It is a very minimal setup based on Ubuntu 17.10. On my laptop (Arch Linux), which has the same ARA and Ansible versions, the warning is not shown. I will investigate it further but seems that th | 14:49 |
ara-slack | issue is not very common. | 14:49 |
ara-slack | <yaroslav.shabalin> Or I could share a Dockerfile to run the playbook in a container. Just doubting if that's really worth it. Let me know if you plan to spend some time and I will upload it somewhere. | 14:55 |
ara-slack | <dmsimard> @yaroslav.shabalin if you have a reproducer I can totally spend some time on it, it's a legitimate bug | 14:57 |
ara-slack | <yaroslav.shabalin> OK. Will send you the links then. | 14:59 |
*** rvgate has joined #ara | 15:10 | |
*** harlowja has joined #ara | 18:15 | |
*** jparrill has quit IRC | 19:37 | |
*** openstack has joined #ara | 19:42 | |
*** ChanServ sets mode: +o openstack | 19:42 | |
*** jparrill has joined #ara | 19:43 |