Ansible execution model

Hello,

What’s the execution model of ansible in terms of copying modules/variables to nodes?

  • Does it copy any data, and if so what?
  • Is the data only specific to the individual node, or is the entire set of vars set in the current playbook sent to each one?
  • Is it cached on nodes?

I’m mainly interested in whether this poses potential security issues with nodes able to access sensitive data about other nodes (e.g. some sort of third-party API key that can’t be hashed with passlib), and also how easy it is for nodes to access data about other nodes that I want them to have access to.

Thanks

Ansible modules contain the arguments they are called with, but it’s a push-based system, so they only get the arguments meant for them.

Each node does not get all the variables from all of the other nodes, ever, nor is there a file server it can request files from.

Modules are definitely copied to remote nodes and are removed once they are executed, and are not cached on nodes.

Basically this was a major design point, and lots of users are liking this for situations where they are working with confidential data and want the nodes to minimally know about the others.

If you want to pass data about one node to another, you have to reference that variable in a template meant for that node, or pass it as a parameter to the module, which must be done explicitly from the control machine that has that data.

(Of course, if you keep all your content in git, you need to control who can get to that content – and if using something like ansible-pull (which has ansible nodes waking up to pull the latest from git), you do have your nodes able to see that data. Most everyone runs push mode – a way for nodes to wake up and REQUEST a push is provided in our upcoming release of “AWX” and should be pretty popular)

Hope that helps and let me know if there are other related questions!
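The explicit cross-node hand-off described in the answer above, as an added example playbook that is not part of the original thread. It assumes an inventory with a `web` group and a `db` group, and that the db host defines `db_password` in its `host_vars`; those names are illustrative. The `hostvars` lookup is evaluated on the control machine, so the web host only ever receives the rendered file content as a module argument, never the db host's full variable set.

```yaml
# Added example (not from the original post). Assumed inventory:
#   [web]  web1
#   [db]   db1        # host_vars/db1.yml sets db_password (assumption)
# Only the control machine loads every host's vars; the web host gets
# just the rendered "content" below as the copy module's arguments.
- name: Hand one host's variable to another host explicitly
  hosts: web
  gather_facts: false
  tasks:
    - name: Write a DB client config containing the db host's credential
      ansible.builtin.copy:
        content: |
          db_host={{ groups['db'][0] }}
          db_password={{ hostvars[groups['db'][0]]['db_password'] }}
        dest: /etc/dbclient.conf
        owner: root
        group: root
        mode: "0600"
      # The module payload (including the rendered password) is pushed to
      # web1 and removed after execution, as the answer describes; no_log
      # keeps the argument values out of the controller's task output.
      no_log: true
```

Nothing in this play lets `web1` enumerate `db1`'s other variables: the only data that crosses to the node is the two rendered lines, chosen on the control machine. Tightening `mode` and adding `no_log` are the controls a practitioner would want once a third-party key or password is being rendered this way.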

That’s great, thanks!