no_log: True being ignored

Hi

Running Ansible 1.8.2 and I am trying to prevent sensitive information for a task from reaching the log at ANSIBLE_LOG_PATH or the console where ansible-playbook is running.

My task:

- name: Dump database
  command: pg_dump -with -some -params
  environment:
    PGPASSWORD: mysecret
  no_log: True

When running with ANSIBLE_LOG_PATH=notsosecret.log ansible-playbook mybook.yml -vvv this is my console output:

TASK: [Dump database] **********************************************
<ec2-x-x-x-x.us-west-2.compute.amazonaws.com> ESTABLISH CONNECTION FOR USER: ubuntu
<ec2-x-x-x-x.us-west-2.compute.amazonaws.com> REMOTE_MODULE command pg_dump -with -some -params NO_LOG=True
<ec2-x-x-x-x.us-west-2.compute.amazonaws.com> EXEC ssh -C -q -o ControlMaster=auto -o ControlPersist=4h -o ControlPath="/home/ubuntu/.ansible/cp/ansible-ssh-%h-%p-%r" -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 ec2-x-x-x-x.us-west-2.compute.amazonaws.com /bin/sh -c 'LANG=C PGPASSWORD=mysecret LC_CTYPE=C /usr/bin/python'

And my log file:

2015-01-14 02:40:45,102 p=3055 u=ubuntu |  TASK: [Dump database] **********************************************
2015-01-14 02:40:45,108 p=3055 u=ubuntu |  <ec2-x-x-x-x.us-west-2.compute.amazonaws.com> ESTABLISH CONNECTION FOR USER: ubuntu
2015-01-14 02:40:45,110 p=3055 u=ubuntu |  <ec2-x-x-x-x.us-west-2.compute.amazonaws.com> REMOTE_MODULE command pg_dump -with -some -params NO_LOG=True
2015-01-14 02:40:45,121 p=3055 u=ubuntu |  <ec2-x-x-x-x.us-west-2.compute.amazonaws.com> EXEC ssh -C -q -o ControlMaster=auto -o ControlPersist=4h -o ControlPath="/home/ubuntu/.ansible/cp/ansible-ssh-%h-%p-%r" -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 ec2-x-x-x-x.us-west-2.compute.amazonaws.com /bin/sh -c 'LANG=C PGPASSWORD=mysecret LC_CTYPE=C /usr/bin/python'

Is this a bug/regression? I read https://github.com/ansible/ansible/issues/8647 which seems related and should be included in 1.8.2 if I’m not mistaken.

Regards
Tom

Currently no_log applies to module output and arguments, not to environment variables.

Thanks, I think the docs could perhaps be clarified a little in this regard. From http://docs.ansible.com/faq.html#how-do-i-keep-secret-data-in-my-playbook - “if you have a task that you don’t want to show the results or command given to it when using -v (verbose) mode, the following task or playbook attribute can be useful” along with an example which implies that command line arguments are censored when in fact they are not.

It would be great if tasks could be completely censored in some way, environment variables and all. Often the reason that one passes environment variables instead of arguments is to avoid sensitive data showing up in log files and the likes of ps etc.

Regards
Tom

I wanted to test this in a more controlled fashion to be sure, so I used this playbook:

---
- hosts: localhost
  connection: local
  gather_facts: no
  tasks:
    - command: echo -e out in the open
    - command: echo -e blah my secret
      no_log: True

This is my console output

tom@hamlet:~/tmp/ansible  ANSIBLE_LOG_PATH=no_log.log ansible-playbook no_log.yml -vvv

PLAY [localhost] **************************************************************

TASK: [command echo -e out in the open] ***************************************
<localhost> REMOTE_MODULE command echo -e out in the open
<localhost> EXEC ['/bin/sh', '-c', 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017 && echo $HOME/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017']
<localhost> PUT /var/folders/4z/l8ng_d2n7mx61pfvhmf2r41m0000gn/T/tmpf6o4Mg TO /Users/tom/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017/command
<localhost> EXEC ['/bin/sh', '-c', u'LANG=C LC_CTYPE=C /usr/bin/python /Users/tom/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017/command; rm -rf /Users/tom/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017/ >/dev/null 2>&1']
changed: [localhost] => {"changed": true, "cmd": ["echo", "-e", "out", "in", "the", "open"], "delta": "0:00:00.006201", "end": "2015-01-15 22:21:47.848086", "rc": 0, "start": "2015-01-15 22:21:47.841885", "stderr": "", "stdout": "-e out in the open", "warnings": []}

TASK: [command echo -e blah my secret] ****************************************
<localhost> REMOTE_MODULE command echo -e blah my secret NO_LOG=True
<localhost> EXEC ['/bin/sh', '-c', 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920 && echo $HOME/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920']
<localhost> PUT /var/folders/4z/l8ng_d2n7mx61pfvhmf2r41m0000gn/T/tmpabg4Bx TO /Users/tom/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920/command
<localhost> EXEC ['/bin/sh', '-c', u'LANG=C LC_CTYPE=C /usr/bin/python /Users/tom/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920/command; rm -rf /Users/tom/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920/ >/dev/null 2>&1']
changed: [localhost] => {"censored": "results hidden due to no_log parameter", "changed": true, "rc": 0}

PLAY RECAP ********************************************************************
localhost                  : ok=2    changed=2    unreachable=0    failed=0

and the contents of no_log.log

2015-01-15 22:21:47,596 p=1876 u=tom |
2015-01-15 22:21:47,596 p=1876 u=tom |  /usr/local/bin/ansible-playbook no_log.yml -vvv
2015-01-15 22:21:47,597 p=1876 u=tom |
2015-01-15 22:21:47,664 p=1876 u=tom |  PLAY [localhost] **************************************************************
2015-01-15 22:21:47,664 p=1876 u=tom |  TASK: [command echo -e out in the open] ***************************************
2015-01-15 22:21:47,677 p=1876 u=tom |  <localhost> REMOTE_MODULE command echo -e out in the open
2015-01-15 22:21:47,680 p=1876 u=tom |  <localhost> EXEC ['/bin/sh', '-c', 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017 && echo $HOME/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017']
2015-01-15 22:21:47,730 p=1876 u=tom |  <localhost> PUT /var/folders/4z/l8ng_d2n7mx61pfvhmf2r41m0000gn/T/tmpf6o4Mg TO /Users/tom/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017/command
2015-01-15 22:21:47,731 p=1876 u=tom |  <localhost> EXEC ['/bin/sh', '-c', u'LANG=C LC_CTYPE=C /usr/bin/python /Users/tom/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017/command; rm -rf /Users/tom/.ansible/tmp/ansible-tmp-1421353307.68-66582777801017/ >/dev/null 2>&1']
2015-01-15 22:21:47,859 p=1876 u=tom |  changed: [localhost] => {"changed": true, "cmd": ["echo", "-e", "out", "in", "the", "open"], "delta": "0:00:00.006201", "end": "2015-01-15 22:21:47.848086", "rc": 0, "start": "2015-01-15 22:21:47.841885", "stderr": "", "stdout": "-e out in the open", "warnings": []}
2015-01-15 22:21:47,860 p=1876 u=tom |  TASK: [command echo -e blah my secret] ****************************************
2015-01-15 22:21:47,861 p=1876 u=tom |  <localhost> REMOTE_MODULE command echo -e blah my secret NO_LOG=True
2015-01-15 22:21:47,863 p=1876 u=tom |  <localhost> EXEC ['/bin/sh', '-c', 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920 && echo $HOME/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920']
2015-01-15 22:21:47,872 p=1876 u=tom |  <localhost> PUT /var/folders/4z/l8ng_d2n7mx61pfvhmf2r41m0000gn/T/tmpabg4Bx TO /Users/tom/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920/command
2015-01-15 22:21:47,873 p=1876 u=tom |  <localhost> EXEC ['/bin/sh', '-c', u'LANG=C LC_CTYPE=C /usr/bin/python /Users/tom/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920/command; rm -rf /Users/tom/.ansible/tmp/ansible-tmp-1421353307.86-275694889373920/ >/dev/null 2>&1']
2015-01-15 22:21:48,008 p=1876 u=tom |  changed: [localhost] => {"censored": "results hidden due to no_log parameter", "changed": true, "rc": 0}
2015-01-15 22:21:48,009 p=1876 u=tom |  PLAY RECAP ********************************************************************
2015-01-15 22:21:48,009 p=1876 u=tom |  localhost                  : ok=2    changed=2    unreachable=0    failed=0

In conclusion, with no_log specified, the command and its arguments are still written to stdout and the log file.
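Since the thread shows that no_log does not keep a secret out of the -vvv REMOTE_MODULE and EXEC lines (or out of an auto-generated task name), the practical check is to scan the resulting log for the secret values themselves after a run. The script below is an added example written for this page; it is not code from the original posts or from Ansible. It assumes the log layout seen above (an optional "date time p=PID u=USER |" prefix in front of the same text that reaches the console), and the sample log lines, host name db1 and secret values in it are constructed for the example.

```python
"""Scan an ansible-playbook -vvv log for secret values that no_log was expected to hide.

Added example for this thread, not part of Ansible. Assumes the log format shown in
the posts above: an optional "YYYY-MM-DD HH:MM:SS,mmm p=PID u=USER |" prefix followed
by the console text. Works on a plain console capture too (no prefix).
"""
import re
import sys
from collections import Counter

# Constructed sample modelled on the thread's log lines (host "db1" is invented).
SAMPLE_LOG = """\
2015-01-15 22:21:47,664 p=1876 u=tom |  TASK: [Dump database] ****
2015-01-15 22:21:47,677 p=1876 u=tom |  <db1> REMOTE_MODULE command pg_dump -U app NO_LOG=True
2015-01-15 22:21:47,680 p=1876 u=tom |  <db1> EXEC ssh db1 /bin/sh -c 'LANG=C PGPASSWORD=mysecret LC_CTYPE=C /usr/bin/python'
2015-01-15 22:21:48,008 p=1876 u=tom |  changed: [db1] => {"censored": "results hidden due to no_log parameter", "changed": true, "rc": 0}
2015-01-15 22:21:48,009 p=1876 u=tom |  TASK: [command echo -e blah my secret] ****
2015-01-15 22:21:48,010 p=1876 u=tom |  <localhost> REMOTE_MODULE command echo -e blah my secret NO_LOG=True
2015-01-15 22:21:48,011 p=1876 u=tom |  changed: [localhost] => {"censored": "results hidden due to no_log parameter", "changed": true, "rc": 0}
"""

LOG_PREFIX = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} p=\d+ u=\S+ \|\s*")
TASK_LINE = re.compile(r"^TASK: \[(?P<name>.*)\] \*+$")
MASK = "*" * 8


def strip_prefix(line):
    """Drop the ANSIBLE_LOG_PATH timestamp/pid/user prefix, if present."""
    return LOG_PREFIX.sub("", line)


def classify(line):
    """Name the channel a line belongs to, so a leak can be attributed to
    module arguments, the exec command line (where environment variables appear),
    the task name, or the module result."""
    if line.startswith("TASK:"):
        return "task name"
    if " REMOTE_MODULE " in line:
        return "module args"
    if " EXEC " in line:
        return "exec command line"
    if "=> {" in line:
        return "module result"
    return "other"


def find_leaks(log_text, secrets):
    """Return [(task_name, line_no, channel, redacted_line)] for every line that
    contains any of the secret values. The returned line has the secrets masked so
    the report itself does not re-leak them."""
    leaks = []
    task = "<before first task>"
    for line_no, raw in enumerate(log_text.splitlines(), 1):
        line = strip_prefix(raw)
        m = TASK_LINE.match(line)
        if m:
            task = m.group("name")  # auto-generated names can carry the secret too
        redacted = line
        for secret in secrets:
            if secret and secret in redacted:
                redacted = redacted.replace(secret, MASK)
        if redacted != line:
            leaks.append((task, line_no, classify(line), redacted))
    return leaks


def summarize(leaks):
    """Count leaks per channel: tells you whether it was args, env, or output."""
    return dict(Counter(channel for _task, _no, channel, _line in leaks))


if __name__ == "__main__":
    # Usage: python scan.py LOGFILE SECRET [SECRET ...]; no args runs the sample.
    if len(sys.argv) >= 3:
        with open(sys.argv[1]) as fh:
            text = fh.read()
        secrets = sys.argv[2:]
    else:
        text, secrets = SAMPLE_LOG, ["mysecret", "my secret"]
    found = find_leaks(text, secrets)
    for task, line_no, channel, line in found:
        print("line %d [%s] task %r: %s" % (line_no, channel, task, line))
    print("summary:", summarize(found))
    sys.exit(1 if found else 0)
```

Run it against the ANSIBLE_LOG_PATH file (or a captured console) with the real secret values as arguments; a non-zero exit means the secret reached the log through the channel named in the report, which is the distinction the reply above draws between module arguments and environment variables.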