*** nicovs_be has joined #ara | 01:16 | |
*** nicovs_be has quit IRC | 01:20 | |
*** sshnaidm|ptg has joined #ara | 06:27 | |
*** sshnaidm|ptg has quit IRC | 06:31 | |
*** nicovs_be has joined #ara | 06:35 | |
*** nicovs_be has quit IRC | 06:40 | |
*** gvincent has joined #ara | 07:38 | |
*** nicovs_be has joined #ara | 08:05 | |
*** gvincent has quit IRC | 08:11 | |
*** gvincent has joined #ara | 08:11 | |
*** gvincent has quit IRC | 09:16 | |
*** gvincent has joined #ara | 09:16 | |
*** njohnston has quit IRC | 09:19 | |
*** resmo has joined #ara | 09:19 | |
*** njohnston has joined #ara | 09:23 | |
*** rvgate has joined #ara | 09:48 | |
*** rvgate has quit IRC | 12:13 | |
*** rvgate has joined #ara | 12:23 | |
*** myoung|ruck|off is now known as myoung|ruck | 13:27 | |
*** bcoca has joined #ara | 13:32 | |
*** bcoca has joined #ara | 13:32 | |
*** rvgate has quit IRC | 13:35 | |
*** tbielawa has joined #ara | 13:39 | |
*** hwoarang has quit IRC | 13:47 | |
*** hwoarang has joined #ara | 13:47 | |
*** rvgate has joined #ara | 14:28 | |
*** tbielawa is now known as tbielawa|mtg | 15:31 | |
*** openstackgerrit has quit IRC | 15:34 | |
*** rvgate has quit IRC | 16:30 | |
*** tbielawa|mtg is now known as tbielawa | 16:41 | |
*** nicovs_be has quit IRC | 16:52 | |
*** nicovs_be has joined #ara | 16:58 | |
*** resmo has quit IRC | 17:02 | |
*** rvgate has joined #ara | 17:02 | |
*** nicovs_be has quit IRC | 17:11 | |
*** jrist has quit IRC | 17:33 | |
*** tbielawa is now known as tbielawa|lunch | 17:36 | |
*** jrist has joined #ara | 17:43 | |
*** jrist has quit IRC | 17:43 | |
*** jrist has joined #ara | 17:43 | |
*** nicovs_be has joined #ara | 17:52 | |
*** nicovs_be has quit IRC | 17:58 | |
*** myoung|ruck is now known as myoung|ruck|food | 17:59 | |
*** jrist has quit IRC | 18:14 | |
*** myoung|ruck|food is now known as myoung|ruck | 18:26 | |
*** harlowja has joined #ara | 18:49 | |
*** tbielawa|lunch is now known as tbielawa | 19:00 | |
*** jrist has joined #ara | 19:09 | |
*** jrist has quit IRC | 19:09 | |
*** jrist has joined #ara | 19:09 | |
*** jrist has quit IRC | 19:14 | |
*** jrist has joined #ara | 20:16 | |
*** tbielawa has quit IRC | 21:34 | |
*** myoung|ruck is now known as myoung|ruck|bbl | 21:41 | |
harlowja | dmsimard do u know if ara understands the new loop control 'label' stuffs | 21:48 |
* harlowja trying to use that to hide some passwords in kolla-ansible but it seems like ara still gets the full 'item' | 21:48 | |
dmsimard | harlowja: ara doesn't need to understand anything, it just picks up whatever ansible gives it | 21:50 |
dmsimard | harlowja: (that's the beauty of the thing) | 21:50 |
dmsimard | harlowja: I remember spamaps asked about a password thing a few days ago | 21:51 |
harlowja | lol | 21:51 |
dmsimard | same thing ? | 21:51 |
harlowja | perhaps :-P | 21:51 |
dmsimard | harlowja: exhibit A http://eavesdrop.openstack.org/irclogs/%23zuul/%23zuul.2018-02-20.log.html#t2018-02-20T18:38:38 | 21:52 |
dmsimard | harlowja: exhibit B http://eavesdrop.openstack.org/irclogs/%23zuul/%23zuul.2018-02-20.log.html#t2018-02-20T21:28:56 | 21:52 |
harlowja | kk | 21:53 |
dmsimard | harlowja: I'm happy to look if you have a simple reproducer (ideally without kolla_docker) | 21:53 |
harlowja | ya, making one | 21:53 |
dmsimard | /maybe/ there's something new that needs to be handled | 21:53 |
dmsimard | like somewhere around here https://github.com/openstack/ara/blob/master/ara/plugins/callbacks/log_ara.py#L146-L159 | 21:54 |
dmsimard | which calls this: https://github.com/ansible/ansible/blob/devel/lib/ansible/plugins/callback/__init__.py#L105-L125 | 21:55 |
dmsimard | which calls this: https://github.com/ansible/ansible/blob/devel/lib/ansible/vars/clean.py#L25 | 21:55 |
harlowja | ya, i'm just trying to get https://gist.github.com/harlowja/9cb1e62f2b9da71cc3beafc7acd38161 to work | 22:00 |
harlowja | it's not supposed to show item.password, lol | 22:00 |
harlowja | but it still appears to be doing that ... | 22:00 |
dmsimard | harlowja: needs no_log: true | 22:01 |
harlowja | but i want it to log | 22:01 |
harlowja | just not the full item, lol | 22:01 |
dmsimard | then it depends on the module implementation | 22:01 |
harlowja | hmmmm, damn | 22:01 |
dmsimard | I remember bcoca has this optimistic heuristic to try and filter out password fields by default | 22:02 |
dmsimard | (it's really glorious) | 22:02 |
bcoca | its mostly a poor attempt to match commonly used 'secret containing' field names, but it really should be done at module/param level using no_log | 22:03 |
dmsimard | found it \o/ | 22:03 |
dmsimard | https://github.com/ansible/ansible/blob/devel/lib/ansible/module_utils/basic.py#L176 | 22:03 |
harlowja | hmmmmm | 22:04 |
dmsimard | harlowja: seriously though, ara picks up whatever the module sends back to ansible -- if you want to filter just one thing, it needs to be handled at the module level | 22:04 |
harlowja | poop | 22:04 |
bcoca | but that only gets applied to module returns and logging, what you do in a debug ... well, its up 2 u | 22:04 |
dmsimard | harlowja: https://github.com/openstack/kolla-ansible/blob/master/ansible/library/kolla_docker.py#L739 | 22:05 |
dmsimard | bcoca: ^ is that no_log=True in the module spec supposed to make it so that never ends up being printed in the result ? | 22:05 |
bcoca | harlowja: when using a password= option in a module, we probably obscure that, but we dont have any facility to obscure 'debug' or direct var usage | 22:05 |
bcoca | dmsimard: yep | 22:05 |
dmsimard | bcoca: hm, I think it doesn't work for them but I've never used that particular module/feature before | 22:05 |
bcoca | we even had issues with people user=admin password=admin as we scrub the 'no_log value' from all fields | 22:06 |
bcoca | which module specifically? | 22:06 |
dmsimard | the one I linked above just now | 22:06 |
bcoca | debug? that has nothing flagged as no_log ... also makes no sense to do so | 22:06 |
dmsimard | bcoca: you're looking at the wrong link, this is the one: https://github.com/openstack/kolla-ansible/blob/master/ansible/library/kolla_docker.py#L739 | 22:07 |
bcoca | no, i just stopped reading at 'generate_module' and immediately erased rest from memory ... | 22:07 |
dmsimard | bcoca: don't look at me, I have never touched that code before :p | 22:08 |
bcoca | auth_password should not be logged by ansible, prior to 2.5 a 'bad callback' could log it, ansible itself will avoid that | 22:08 |
dmsimard | bcoca: oh? are things scrubbed before making it to the callbacks now ? | 22:09 |
bcoca | yes, since 'scrubbing at callback' was 'optional to callback' and people were complaining their callbacks were seeing secrets ... while they wrote them to avoid the scrubbing?!?!? | 22:09 |
dmsimard | bcoca: you should totally add a comment in https://bugzilla.redhat.com/show_bug.cgi?id=1440912 and go like "fixed btw" | 22:12 |
bcoca | i seem to be allergic to rh bugzilla ... | 22:13 |
bcoca | dmsimard: what toshio posted is still true, this is just to avoid 'lazy' cb authors, but not a way to restrict 'private info' from callbacks, they can access this info if they want, we just dont 'give it for free' anymore | 22:16 |
harlowja | dmsimard https://review.openstack.org/#/c/549858/ and https://review.openstack.org/#/c/546467/ (bigger spec) i've been doing/trying | 22:33 |
harlowja | just right now running it via our CI, seeing whats in ara ... repeat | 22:33 |
harlowja | various secrets pop out a lot, because i guess people have really been running kolla-ansible via laptops | 22:34 |
harlowja | and not via CI (or anything with ara tracking things) | 22:34 |
harlowja | so ya, chopping them out as i go... | 22:35 |
*** jparrill has quit IRC | 22:53 | |
*** jparrill has joined #ara | 22:59 | |
*** openstackgerrit has joined #ara | 23:13 | |
openstackgerrit | Paul Belanger proposed openstack/ara master: Update to fedora-27 for testing https://review.openstack.org/549882 | 23:13 |
*** jparrill has quit IRC | 23:33 | |
*** jparrill has joined #ara | 23:39 |