set_fact ansible_ssh_common_args fails #37535
Comments
Files identified in the description: If these files are inaccurate, please update the
cc @agaffney
This appears to be happening as a side effect of the code to prevent malicious overriding of connection vars via facts returned from a compromised host. This happens in the This could be fixed with an exception for
It looks like this may be a regression in 2.5/devel. I cannot reproduce this in 2.4.3, but I can reproduce with
@corbinstuard are you positive that the var doesn't actually get saved? It looks like this bug is just the warning, but the value still gets set elsewhere in the code before the warning is triggered.
include_vars and set_fact are already updating hostvars in strategy no need to 're add again' with lower priority the same data. fixes ansible#37535, mostly by avoiding reprocessing and 'cleaning'
No, I assumed that was the case since my script was failing but have since verified:
- name: test
  hosts: all
  gather_facts: false
  tasks:
    - name: set ssh jump host args
      set_fact:
        ansible_ssh_common_args: "-o ProxyCommand='ssh -W %h:%p -q root@{{ hostvars[groups['router'][0]]['ansible_host'] }}'"
    - name: test
      debug:
        var: ansible_ssh_common_args
so the problem was due to x2 processing of set_fact/include_vars, the cleaning is supposed to happen only when inserting see PR linked above, it should remove the 2nd processing of the
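A simplified model of the behaviour discussed in the comments above, added here as an illustration and not Ansible's own code: facts reported from a managed host are cleaned of connection variables once, at insertion, while controller-side `set_fact`/`include_vars` results are exempt. The prefix list, function names and sample values are assumptions.

```python
# Simplified model, not Ansible's implementation. The prefix list and every
# function name here are assumptions made for illustration.
RESTRICTED_PREFIXES = ("ansible_ssh_", "ansible_connection", "ansible_become")

# Actions that run on the controller from playbook-authored data.
CONTROLLER_SIDE_ACTIONS = {"set_fact", "include_vars"}


def clean_remote_facts(facts):
    """Split facts into (kept, removed); removed holds connection vars."""
    kept, removed = {}, {}
    for key, value in facts.items():
        target = removed if key.startswith(RESTRICTED_PREFIXES) else kept
        target[key] = value
    return kept, removed


def store_result(hostvars, action, facts):
    """Merge one task's facts into hostvars and return warning strings.

    Facts reported by a module that ran on the managed host are untrusted
    and are cleaned exactly once, here. Controller-side actions skip the
    cleaning, which is the exception discussed in the thread.
    """
    warnings = []
    if action not in CONTROLLER_SIDE_ACTIONS:
        facts, removed = clean_remote_facts(facts)
        # Name the key only; the value may contain hosts or credentials.
        warnings = ["Removed restricted key from module data: %s" % key
                    for key in sorted(removed)]
    hostvars.update(facts)
    return warnings


def demo():
    """Run both cases on constructed sample data."""
    proxy = "-o ProxyCommand='ssh -W %h:%p -q root@192.0.2.10'"
    hostvars = {}
    # Playbook-authored set_fact: stored, no warning.
    w_set = store_result(hostvars, "set_fact", {"ansible_ssh_common_args": proxy})
    # Fact-gathering output from the host tries to replace the same variable.
    w_remote = store_result(hostvars, "setup", {
        "ansible_distribution": "Debian",
        "ansible_ssh_common_args": "-o ProxyCommand='value-from-host'",
    })
    return hostvars, proxy, w_set, w_remote


if __name__ == "__main__":
    print(demo())
```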
include_vars and set_fact are already updating hostvars in strategy no need to 're add again' with lower priority the same data. fixes #37535, mostly by avoiding reprocessing and 'cleaning'
@corbinstuard can you check if #38316 would meet your needs as an alternative?
Hi, still present in ansible 2.5.0
I'm still getting the same warning using ansible 2.5.0 and 2.5.1
Any way I can disable warnings? Even globally is acceptable at this point. These warnings are clearly exposing sensitive information.
Quick update: Just tested the new 2.5.2 release and the warning no longer appears. Congrats!
ISSUE TYPE
COMPONENT NAME
set_fact
ANSIBLE VERSION
CONFIGURATION
ANSIBLE_PIPELINING(/etc/ansible/ansible.cfg) = False
ANSIBLE_SSH_ARGS(/etc/ansible/ansible.cfg) = -C -o ControlMaster=auto -o ControlPersist=600s
ANSIBLE_SSH_CONTROL_PATH(/etc/ansible/ansible.cfg) = /tmp/%%h-%%p-%%r
ANSIBLE_SSH_CONTROL_PATH_DIR(/etc/ansible/ansible.cfg) = /tmp
DEFAULT_FILTER_PLUGIN_PATH(/etc/ansible/ansible.cfg) = [u'/etc/ansible/filter_plugins']
DEFAULT_FORKS(/etc/ansible/ansible.cfg) = 5
DEFAULT_LOG_PATH(/etc/ansible/ansible.cfg) = /var/log/ansible.log
DEFAULT_ROLES_PATH(/etc/ansible/ansible.cfg) = [u'/etc/ansible/roles', u'/usr/share/ansible/roles']
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
PERSISTENT_CONNECT_TIMEOUT(/etc/ansible/ansible.cfg) = 30
RETRY_FILES_ENABLED(/etc/ansible/ansible.cfg) = False
OS / ENVIRONMENT
N/A
SUMMARY
Attempting to set ansible_ssh_common_args mid-play using set_fact prints a warning and doesn't save the variable:
[WARNING]: Removed restricted key from module data: ansible_ssh_common_args = -o ProxyComma ... 0.104'
STEPS TO REPRODUCE
EXPECTED RESULTS
ACTUAL RESULTS