Просмотр исходного кода
Merge pull request #7288 from sdodson/no-log-openshift-version
Automatic merge from submit-queue.
Remove no_log: True from openshift_version calls
#6519 set `no_log: True` on several plays and tasks in order to prevent logging credentials that come over from the inventory. However that's led to openshift_version role being invoked in a manner that it omits required debugging information like the following. I think we need to be very careful not to apply `no_log: True` at the playbook level and instead only use it on specific tasks that are known to emit sensitive information.
I think it's also worth considering that the ansible logs simply need to be treated as sensitive data and handled appropriately rather than omitting potentially useful debugging data.
```
# ansible-playbook /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/upgrades/v3_9/upgrade.yml
TASK [openshift_version : Get available atomic-openshift version] *************************************************************************************************************************************************
task path: /usr/share/ansible/openshift-ansible/roles/openshift_version/tasks/check_available_rpms.yml:2
Using module file /usr/share/ansible/openshift-ansible/roles/lib_utils/library/repoquery.py
TASK [openshift_version : fail] ***********************************************************************************************************************************************************************************
task path: /usr/share/ansible/openshift-ansible/roles/openshift_version/tasks/check_available_rpms.yml:8
fatal: [host-xxxx.redhat.com]: FAILED! => {
"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result",
"changed": false
}
```
OpenShift Merge Robot
1 измененных файлов с 0 добавлено и 1 удалено
+ 0
- 1
playbooks/init/version.yml
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||