set_fact ansible_ssh_common_args fails #37535

Closed
corbinstuard opened this issue Mar 16, 2018 · 12 comments · Fixed by #37538
Labels
affects_2.5 This issue/PR affects Ansible v2.5 bug This issue/PR relates to a bug. module This issue/PR relates to a module. support:core This issue/PR relates to code supported by the Ansible Engineering Team.

Comments

@corbinstuard

ISSUE TYPE

  • Bug Report

COMPONENT NAME

set_fact

ANSIBLE VERSION

ansible 2.5.0b2 (stable-2.5 980b6a00e2) last updated 2018/02/22 12:15:16 (GMT -400)
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /home/seit31/ansible/lib/ansible
  executable location = /home/seit31/ansible/bin/ansible
  python version = 2.7.5 (default, Nov 20 2015, 02:00:19) [GCC 4.8.5 20150623 (Red Hat 4.8.5-4)]

CONFIGURATION

ANSIBLE_PIPELINING(/etc/ansible/ansible.cfg) = False
ANSIBLE_SSH_ARGS(/etc/ansible/ansible.cfg) = -C -o ControlMaster=auto -o ControlPersist=600s
ANSIBLE_SSH_CONTROL_PATH(/etc/ansible/ansible.cfg) = /tmp/%%h-%%p-%%r
ANSIBLE_SSH_CONTROL_PATH_DIR(/etc/ansible/ansible.cfg) = /tmp
DEFAULT_FILTER_PLUGIN_PATH(/etc/ansible/ansible.cfg) = [u'/etc/ansible/filter_plugins']
DEFAULT_FORKS(/etc/ansible/ansible.cfg) = 5
DEFAULT_LOG_PATH(/etc/ansible/ansible.cfg) = /var/log/ansible.log
DEFAULT_ROLES_PATH(/etc/ansible/ansible.cfg) = [u'/etc/ansible/roles', u'/usr/share/ansible/roles']
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
PERSISTENT_CONNECT_TIMEOUT(/etc/ansible/ansible.cfg) = 30
RETRY_FILES_ENABLED(/etc/ansible/ansible.cfg) = False

OS / ENVIRONMENT

N/A

SUMMARY

Attempting to set ansible_ssh_common_args mid-play using set_fact prints a warning and doesn't save the variable:

[WARNING]: Removed restricted key from module data: ansible_ssh_common_args = -o ProxyComma ... 0.104'

STEPS TO REPRODUCE

  - name: set ssh jump host args
    set_fact:
      ansible_ssh_common_args: "-o ProxyCommand='ssh -W %h:%p -q root@{{ hostvars[groups['router'][0]]['ansible_host'] }}'"

EXPECTED RESULTS

ACTUAL RESULTS

@corbinstuard
Author

cc @agaffney

@agaffney
Contributor

This appears to be happening as a side effect of the code to prevent malicious overriding of connection vars via facts returned from a compromised host. This happens in the _execute() function in lib/ansible/executor/task_executor.py when the returned facts are passed through clean_vars().

This could be fixed with an exception for set_fact (or maybe even all action plugins) in that code, but I'm not sure if that's the "right" way to do it.

@agaffney
Contributor

agaffney commented Mar 16, 2018

It looks like this may be a regression in 2.5/devel. I cannot reproduce this in 2.4.3, but I can reproduce with devel from a few weeks ago. However, with devel, I get the warning but it still sets the var.

@agaffney
Contributor

agaffney commented Mar 16, 2018

@corbinstuard are you positive that the var doesn't actually get saved? It looks like this bug is just the warning, but the value still gets set elsewhere in the code before the warning is triggered.

@bcoca bcoca removed the needs_triage Needs a first human triage before being processed. label Mar 16, 2018
bcoca added a commit to bcoca/ansible that referenced this issue Mar 16, 2018
include_vars and set_fact are already updating hostvars in strategy
no need to 're add again' with lower priority the same data.

fixes ansible#37535, mostly by avoiding reprocessing and 'cleaning'
@bcoca bcoca self-assigned this Mar 16, 2018
@corbinstuard
Author

No, I assumed that was the case since my script was failing but have since verified:

- name: test
  hosts: all
  gather_facts: false
  
  tasks:
  - name: set ssh jump host args
    set_fact:
      ansible_ssh_common_args: "-o ProxyCommand='ssh -W %h:%p -q root@{{ hostvars[groups['router'][0]]['ansible_host'] }}'"
 
  - name: test   
    debug:
      var: ansible_ssh_common_args

PLAY [test] **********************************************************************************************************

TASK [set ssh jump host args] ****************************************************************************************
 [WARNING]: Removed restricted key from module data: ansible_ssh_common_args = -o ProxyComma ... 0.104'

 [WARNING]: Removed restricted key from module data: ansible_ssh_common_args = -o ProxyComma ... 0.104'

ok: [dps1-test]
 [WARNING]: Removed restricted key from module data: ansible_ssh_common_args = -o ProxyComma ... 0.104'

 [WARNING]: Removed restricted key from module data: ansible_ssh_common_args = -o ProxyComma ... 0.104'

ok: [dps3-test]
 [WARNING]: Removed restricted key from module data: ansible_ssh_common_args = -o ProxyComma ... 0.104'

 [WARNING]: Removed restricted key from module data: ansible_ssh_common_args = -o ProxyComma ... 0.104'

ok: [gw-test]
 [WARNING]: Removed restricted key from module data: ansible_ssh_common_args = -o ProxyComma ... 0.104'

 [WARNING]: Removed restricted key from module data: ansible_ssh_common_args = -o ProxyComma ... 0.104'

ok: [df-test]
ok: [hal-test]
ok: [dps2-test]
 [WARNING]: Removed restricted key from module data: ansible_ssh_common_args = -o ProxyComma ... 0.104'

 [WARNING]: Removed restricted key from module data: ansible_ssh_common_args = -o ProxyComma ... 0.104'

ok: [dumbclient1-test]
 [WARNING]: Removed restricted key from module data: ansible_ssh_common_args = -o ProxyComma ... 0.104'

ok: [vtc-test]
ok: [dumbclient3-test]
 [WARNING]: Removed restricted key from module data: ansible_ssh_common_args = -o ProxyComma ... 0.104'

ok: [dumbclient2-test]
ok: [dumbclient4-test]
ok: [router-test]
 [WARNING]: Removed restricted key from module data: ansible_ssh_common_args = -o ProxyComma ... 0.104'

ok: [l2gw-test]
 [WARNING]: Removed restricted key from module data: ansible_ssh_common_args = -o ProxyComma ... 0.104'

ok: [l2mlx1-test]
 [WARNING]: Removed restricted key from module data: ansible_ssh_common_args = -o ProxyComma ... 0.104'

ok: [l2mlx2-test]

TASK [test] **********************************************************************************************************
ok: [dps1-test] => {
    "ansible_ssh_common_args": "-o ProxyCommand='ssh -W %h:%p -q root@10.1.0.104'"
}
ok: [gw-test] => {
    "ansible_ssh_common_args": "-o ProxyCommand='ssh -W %h:%p -q root@10.1.0.104'"
}
ok: [df-test] => {
    "ansible_ssh_common_args": "-o ProxyCommand='ssh -W %h:%p -q root@10.1.0.104'"
}
ok: [dps2-test] => {
    "ansible_ssh_common_args": "-o ProxyCommand='ssh -W %h:%p -q root@10.1.0.104'"
}
ok: [vtc-test] => {
    "ansible_ssh_common_args": "-o ProxyCommand='ssh -W %h:%p -q root@10.1.0.104'"
}
ok: [dps3-test] => {
    "ansible_ssh_common_args": "-o ProxyCommand='ssh -W %h:%p -q root@10.1.0.104'"
}
ok: [dumbclient1-test] => {
    "ansible_ssh_common_args": "-o ProxyCommand='ssh -W %h:%p -q root@10.1.0.104'"
}
ok: [hal-test] => {
    "ansible_ssh_common_args": "-o ProxyCommand='ssh -W %h:%p -q root@10.1.0.104'"
}
ok: [dumbclient2-test] => {
    "ansible_ssh_common_args": "-o ProxyCommand='ssh -W %h:%p -q root@10.1.0.104'"
}
ok: [dumbclient3-test] => {
    "ansible_ssh_common_args": "-o ProxyCommand='ssh -W %h:%p -q root@10.1.0.104'"
}
ok: [dumbclient4-test] => {
    "ansible_ssh_common_args": "-o ProxyCommand='ssh -W %h:%p -q root@10.1.0.104'"
}
ok: [router-test] => {
    "ansible_ssh_common_args": "-o ProxyCommand='ssh -W %h:%p -q root@10.1.0.104'"
}
ok: [l2gw-test] => {
    "ansible_ssh_common_args": "-o ProxyCommand='ssh -W %h:%p -q root@10.1.0.104'"
}
ok: [l2mlx1-test] => {
    "ansible_ssh_common_args": "-o ProxyCommand='ssh -W %h:%p -q root@10.1.0.104'"
}
ok: [l2mlx2-test] => {
    "ansible_ssh_common_args": "-o ProxyCommand='ssh -W %h:%p -q root@10.1.0.104'"
}

@bcoca
Member

bcoca commented Mar 16, 2018

so the problem was due to x2 processing of set_fact/include_vars, the cleaning is supposed to happen only when inserting ansible_facts, but these 2 plugins 'overload it' and short circuit it at the same time.

see PR linked above, it should remove the 2nd processing of the ansible_facts key and avoid the warning, but still remove these keys from other 'facts' modules.

bcoca added a commit that referenced this issue Mar 22, 2018
include_vars and set_fact are already updating hostvars in strategy
no need to 're add again' with lower priority the same data.

fixes #37535, mostly by avoiding reprocessing and 'cleaning'
nitzmahone pushed a commit that referenced this issue Mar 29, 2018
include_vars and set_fact are already updating hostvars in strategy
no need to 're add again' with lower priority the same data.

fixes #37535, mostly by avoiding reprocessing and 'cleaning'

(cherry picked from commit 3bec76f)
@willthames
Contributor

@corbinstuard can you check if #38316 would meet your needs as an alternative?

@kladiv

kladiv commented Apr 9, 2018

Hi, still present in ansible 2.5.0

@juliohm1978

juliohm1978 commented Apr 26, 2018

I'm still getting the same warning using ansible 2.5.0 and 2.5.1

ansible 2.5.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.12 (default, Dec  4 2017, 14:50:18) [GCC 5.4.0 20160609]

include_vars task prints warning revealing passwords from a protected vault!

TASK [basic-config : include_vars] ***********************************************************************************************************************************************************
 [WARNING]: Removed restricted key from module data: ansible_become_pass = ***REDACTED***

Any way I can disable warnings? Even globally is acceptable at this point. These warnings are clearly exposing sensitive information.
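
The behaviour discussed in this thread, as an added Python sketch that is not Ansible's code and not part of any comment here: restricted connection variables are dropped from facts returned by a module that ran on the managed host, variables set on the controller by set_fact or include_vars are left alone, and the warning names the key without echoing its value. The function name, the key list and the sample results are assumptions made for this example.

```python
# Added illustration; not Ansible's clean_vars() implementation.
# RESTRICTED_KEYS is an illustrative subset picked for this example.
RESTRICTED_KEYS = frozenset({
    "ansible_connection", "ansible_host", "ansible_user",
    "ansible_ssh_common_args", "ansible_ssh_extra_args",
    "ansible_become", "ansible_become_method", "ansible_become_user",
    "ansible_become_pass", "ansible_python_interpreter",
})

# Hypothetical set of controller-side actions: their variables come from
# the playbook author, not from the managed host.
CONTROLLER_SIDE_ACTIONS = frozenset({"set_fact", "include_vars"})


def sanitize_result(action, result):
    """Return (facts_to_store, warnings) for one task result.

    Facts reported by a module that ran on the managed host are untrusted,
    so restricted keys are dropped. Each warning carries the key name only,
    never the value, so a dropped secret is not echoed to console or log.
    """
    facts = result.get("ansible_facts", {})
    if action in CONTROLLER_SIDE_ACTIONS:
        return dict(facts), []
    kept, warnings = {}, []
    for key, value in facts.items():
        if key in RESTRICTED_KEYS:
            warnings.append("Removed restricted key from module data: %s" % key)
        else:
            kept[key] = value
    return kept, warnings


# Constructed sample results (not taken from a real run).
HOSTILE_RESULT = {"ansible_facts": {
    "ansible_distribution": "CentOS",
    "ansible_ssh_common_args": "-o ProxyCommand='constructed-value'",
    "ansible_become_pass": "constructed-secret",
}}
PLAYBOOK_RESULT = {"ansible_facts": {
    "ansible_ssh_common_args": "-o ProxyCommand='ssh -W %h:%p -q root@10.1.0.104'",
}}

if __name__ == "__main__":
    for action, result in (("setup", HOSTILE_RESULT), ("set_fact", PLAYBOOK_RESULT)):
        kept, warnings = sanitize_result(action, result)
        print(action, sorted(kept), warnings)
```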

@juliohm1978

Quick update: Just tested the new 2.5.2 release and the warning no longer appears. Congrats!

@ansible ansible locked and limited conversation to collaborators Apr 27, 2019