Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #7288 from sdodson/no-log-openshift-version
Automatic merge from submit-queue. Remove no_log: True from openshift_version calls #6519 set `no_log: True` on several plays and tasks in order to prevent logging credentials that come over from the inventory. However that's led to openshift_version role being invoked in a manner that it omits required debugging information like the following. I think we need to be very careful not to apply `no_log: True` at the playbook level and instead only use it on specific tasks that are known to emit sensitive information. I think it's also worth considering that the ansible logs simply need to be treated as sensitive data and handled appropriately rather than omitting potentially useful debugging data. ``` # ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/upgrades/v3_9/upgrade.yml TASK [openshift_version : Get available atomic-openshift version] ************************************************************************************************************************************************* task path: /usr/share/ansible/openshift-ansible/roles/openshift_version/tasks/check_available_rpms.yml:2 Using module file /usr/share/ansible/openshift-ansible/roles/lib_utils/library/repoquery.py TASK [openshift_version : fail] *********************************************************************************************************************************************************************************** task path: /usr/share/ansible/openshift-ansible/roles/openshift_version/tasks/check_available_rpms.yml:8 fatal: [host-xxxx.redhat.com]: FAILED! => { "censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", "changed": false } ```
- Loading branch information
