Hello all,
I don’t wanna sound like a security paranoid-freak (which I am not), but I wonder:
I read in the docs that ansible copies modules to the remote machine, do its magic, and removes them before finishing. Does it copy/removes playbooks and vars files (potentially containing sensitive data about other hosts) as well? Does ansible vault make a difference for that matter?
Thanks in advance!
First off, playbooks on the working tree never get transferred to the remote side.
What is happening with the modules is transfers the module and the rm command to clean it up gets sent along right with the command to execute the module.
There’s also the “no_log” attribute to surpress remote syslog (and in 1.8, also local output).
vault encrypts files on the control machine but does not affect what happens on the remotes.
(In the future, I’d like to see Runner refactorings ship JSON as stdin versus in the module data, which is likely to happen soonish and won’t require any module source code changes)