vault password broken since f6a55a35525a6ca0b56ad856f2ab11bbd226c1b4

Hi

After updating to 1.7.0, I was not able to use "ansible-playbook --vault-password-file" anymore; Ansible always returned

ERROR: A vault password must be specified to decrypt data

I created a small test shell script and run git bisect, which identified

https://github.com/ansible/ansible/commit/f6a55a35525a6ca0b56ad856f2ab11bbd226c1b4

to be the first commit that broke it.

Can anyone confirm that I am not completely freaked out and that ansible-playbook --vault-password-file and --ask-vault-password are really broken?

Thanks.

René

Please ignore, this is not the correct commit which broke the functionality.

This works for me, is your vault password file chmod +x?

If so, 1.7 will think it’s a script that should return the password.

Hi

No, my vault password file just has 0600 and works with Ansible 1.6.10.
OS: Ubuntu 14.04.

But with 1.7.0, even --ask-vault-pass fails. However, ansible-vault decrypt and ansible-vault encrypt work with the very same password. Really weird.

Matt indicated today that he missed some common logic to allow vault password files to be scripts to ansible-vault CLI commands, which means parts of vault were using slightly different operations.

I can’t say this is related, I don’t know, but this is on my list to investigate to see if we can replicate this today.
If we find something, this would be included in a 1.7.1.

I’ll let you know if I have questions or what happens.

I just tested this on 1.7 and devel branches and was able to use --vault-password-file fine with both encrypted playbooks and vars_files items, so I’m having some trouble reproducing this one.

If you can supply a minimal playbook/file combo (and probably the vault password file) maybe we can see if we can reproduce this, but right now, I can’t make any problems happen.

Hi

Having some updates about this issue. I created a small setup repo https://github.com/resmo/ansible-vault-debug where you can just run “make”.

Tested it on 2 Ubuntu 14.04 workstations → failed
Tested on Debian 7.x → pass

Ansible was installed by using:

pip install ansible

At this point, it seems related to Ubuntu 14.04. It would help if anyone else could test this repo on his Ubuntu 14.04 workstation:

git clone https://github.com/resmo/ansible-vault-debug.git
cd ansible-vault-debug
make

Regards
René

We do have vault tests that run on Ubuntu, we can look at this hopefully today to see if we can replicate.

We did fix some vault-related items recently on devel, though this was mostly around making --vault-password-file allow scripts, which should not come into play here.

Thanks!

Hi René, I’ve tracked this issue down and pushed the following commit to address it:

https://github.com/ansible/ansible/commit/bea0845322715737c0b6326db22e3d1812a5ac35

Please let us know if you’re continuing to see any further problems regarding this.

Thanks!

Hi James

I can confirm bea0845322715737c0b6326db22e3d1812a5ac35 fixes the problem! Great job.

But can you explain what the problem actually was? Why didn’t this cause any problem on other systems?

Regards
René

That function took positional arguments though the variable name being used wasn’t passed.

It appears to be a difference in Python versions.

–Michael