Commit Graph

464 Commits (42eba3ce257002378d630f8d608dd9c69e60cc66)

Author SHA1 Message Date
James Cammarata ed56f51f18 Fixing security issue with lookup returns not tainting the jinja2 environment
CVE-2017-7481

Lookup returns wrap the result in unsafe, however when used through the
standard templar engine, this does not result in the jinja2 environment being
marked as unsafe as a whole. This means the lookup result loses the unsafe
protection and may become simple unicode strings, which can result in bad
things being re-templated.

This also adds a global lookup param and cfg options for lookups to allow
unsafe returns, so users can force the previous (insecure) behavior.
8 years ago
Toshio Kuratomi 51e3390333 Document deprecation of fetch module validate_md5 and update --tags merging deprecation (#24022)
* Document deprecation of fetch module validate_md5 and update --tags merging deprecation

Update the default of --tags merging config option to merge by default

* Update CHANGELOG.md

Minor edit
8 years ago
Nicolas Simond a40450d40a ConfigureRemotingForAnsible: RSA 1024 to RSA 4096 (#23684) 8 years ago
John R Barker b9a48069f3 Link to module developing_modules_documenting.html 8 years ago
Brian Coca e10adc27cc commented out default options 8 years ago
Peter Sprygada ccfa464464 updates sample ansible.cfg (#23045)
* adds host_key_auto_add to paramiko section
* adds look_for_keys to paramiko section
* adds terminal_plugins to defaults section
* adds persistent_connection section and key/value entries
8 years ago
Brian Coca dd8d699981 namespace facts (#18445)
* namespace facts

always namespace facts, make the polluting of 'main' conditional on config

* updated to 2.4

* Update intro_configuration.rst
8 years ago
Brian Coca 7ad6ce7ea1 moved network module magic from hardcoded to conf 8 years ago
Brian Coca ced73389de updated better yaml host examples 8 years ago
Anhad Jai Singh 13dd4b108c Add 9p to list of special filesystems for selinux
When trying to copy files onto a Virtio-9p filesystem[1][2] in the host
using something like the template module, ansible throws an error that
says something like:

    invalid selinux context: [Errno 95] Operation not supported

Adding 9p to the list of exceptional filesystems forces ansible to not
try to set an SELinux context on copied files.

[1] such as one mounted in a qemu VM, using:

    # http://www.linux-kvm.org/page/9p_virtio
    qemu-kvm [...] -virtfs local,id=apps_dev,path=/host/dir,security_model=passthrough,mount_tag=host_dir

[2] https://www.kernel.org/doc/Documentation/filesystems/9p.txt

Change-Id: Ia868dadce1ffd2b5bebf5ee1804501676e9d7e5f
8 years ago
David PHAM-VAN 6a0fb4e3b6 Remove useless # in comment (#21609) 8 years ago
Brian Coca b14c4b9f6e Revert "Add a config section for systemd-nspawn driver"
This reverts commit 1fc7211181.
8 years ago
Thomas Szymanski 1fc7211181 Add a config section for systemd-nspawn driver 8 years ago
Robin Schneider 3700bcb6dd Use HTTPS instead of legacy HTTP for ansible.com (#16870)
Mechanical edit done by this "one-liner":

```Shell
git ls-files -z "$(git rev-parse --show-toplevel)" | xargs --null -I '{}' find '{}' -type f -print0 | xargs --null sed --in-place --regexp-extended 's#http://(www\.|galaxy\.|)ansible\.com#https://\1ansible.com#g;'
```

Related to: https://github.com/ansible/ansible/issues/16869
8 years ago
Matt Davis ba353b0f8f fix ambiguous cert selection in WinRM enable script (#21263)
Rather than trying to guess which cert we just generated, parse the generated cert data and extract the thumbprint directly.
8 years ago
John R Barker 959637ff59 How to document your module (#21021)
* How to document your module

* Remove blank lines

* note:: Versions should be strings

* requirements on the host that executes the module.

* option names & option values

* Feedback

* formatting

* Scott's final feedback
8 years ago
Pavlo Shchelokovskyy 6e875e81aa Fix docs re inventory_ignore_extensions config (#21132)
The list of ignored by default extensions is outdated in doc for dynamic
inventories, and this option is completely missing from configuration
file overview.
8 years ago
Andrea Tartaglia 2291163a7a Added DIFF_ALWAYS constant
When set to True, will always print the diff. Defaults to False.

Fixes #18416 #16073
8 years ago
Jordan Borean 719e1840da Added info on ntlm and credssp, updated configure script for credssp (#21175) 8 years ago
Dag Wieers 6de1f22c15 Add missing support for -CertValidityDays (#21009)
* Add missing support for -CertValidityDays

For some reason the -CertValidityDays option was not being used in the certificates we created.

This fixes #10439

* Possible fix

* We cannot use New-SelfSignedCertificate on 2012R2 and earlier

As suggested by @jhawkesworth
8 years ago
Dag Wieers 28060a4c47 Improve inline docs (#21029) 8 years ago
Toshio Kuratomi 1df7d95cec Module utils default path (#20913)
* Make the module_utils path configurable
* Add a config value to define the path site module_utils files
* Handle module_utils that do not have source as an error
* Make an integration test for module_utils envvar working
* Add documentation for the ANSIBLE_MODULE_UTILS config option/envvar
* Add it to the sample ansible.cfg
* Add it to intro_configuration.
* Also modify intro_configuration to place envvars on equal footing with
  the config options (will need to document the envvar names in the
  future)
* Also add the ANSIBLE_LIBRARY use case from
  https://github.com/ansible/ansible/issues/15432 so we can close out
  that bug.
8 years ago
jctanner ac78347f2b Use a -short- custom hash for controlpersist path by default (#20843)
* A method to validate and alter the ssh control path automatically.
* First tries %C to use the shortened hash
* On further failure, it removes section by section from the original path
* Fix hostname
* Implement bcoca's suggested changes
* Remove unused option
* Remove unused class var
* Use to_string to avoid unicode error
* Switch from to_text to to_bytes
* Update the example config for the new controlpath feature
8 years ago
Matt Clay 10d9318de7 PEP 8 indent cleanup. (#20800)
* PEP 8 E121 cleanup.

* PEP 8 E126 cleanup.

* PEP 8 E122 cleanup.
8 years ago
Dag Wieers c94c53e8a4 Ensure that the script is run with elevated privileges (#20669)
* Ensure that the script is run with elevated privileges

This fixes #20654

* Implement our own check for elevated privileges
8 years ago
Dag Wieers e64ef8b0ab Small fix for running using Invoke-Expression
A small fix suggested by a user for running ConfigureRemotingForAnsible.

This fixes #20512
8 years ago
Andrew Gaffney ac51266e8f Add pipeline-ish method using dd for file transfer over SSH (#18642) 8 years ago
Dag Wieers de21038feb Enable -Verbose and log to EventLog (#19909)
Instead of asking the user to type something prior to running the script, why not allow -Verbose on the command line directly.
Also log important events to EventLog, so that it can be traced e.g. when running via RunOnce mechanism.

The documentation is updated as well.
8 years ago
TaoBeier 6ec0369c26 fix indent (#20071) 8 years ago
Brian Coca 08e0f6ada5 allow modules to set custom stats (#18946)
can be per run or per host, also aggregate or not
set_stats action plugin as reference implementation
added doc stub
display stats in callback
made custom stats showing configurable
8 years ago
Carlos E. Garcia 0b8011436d minor spelling changes 8 years ago
Matt Clay 75c281debc Fix compile errors in scripts. 8 years ago
Brian Coca 6dece90a57 change to ~ instead of $HOME to avoid undefined (#18551)
fixes #16032
8 years ago
Gael Pasgrimaud f94100aa87 make default strategy configurable (#18394) 8 years ago
Brian Coca aab80ac353 removed package from squash in examples 8 years ago
scottb abc9133cb6 Merge pull request #12712 from ananyacleetus/patch-1
Update DOCUMENTATION.yml
8 years ago
Andrea Tartaglia b18263cf36 ANSIBLE_SSH_CONTROL_PATH_DIR option added (#18342)
* ANSIBLE_SSH_CONTROL_PATH_DIR option added

This removes the hardcoded value ( $HOME/.ansible/cp ) from ssh.py.
User is able to change the ControlPath directory ( the one that replaces %(directory)s ).

 Fixes #18325

* Added config option in ansible.cfg
8 years ago
Matt Clay 0d46805979 Clean up shebangs for various files.
- Remove shebangs from:
  - ini files
  - unit tests
  - module_utils
  - plugins
  - module_docs_fragments
  - non-executable Makefiles
- Change non-modules from '/usr/bin/python' to '/usr/bin/env python'.
- Change '/bin/env' to '/usr/bin/env'.

Also removed main functions from unit tests (since they no longer
have a shebang) and fixed a python 3 compatibility issue with
update_bundled.py so it does not need to specify a python 2 shebang.

A script was added to check for unexpected shebangs in files.
This script is run during CI on Shippable.
8 years ago
Toshio Kuratomi 5037dc4e69 Make the default Ansible_managed string static so it doesn't interfere with idempotency 8 years ago
Brian Coca b169a61c20 toggle missing handler errors/warnings via config 8 years ago
Brian Coca 7b2f15453d make explicit the scope of config's gather_subset
it only affects the invocation of setup triggered by the gather_facts directive in plays (explicit or implicit)
8 years ago
Toshio Kuratomi 1efe782b46 Refactor parsing of CLI args so that we can modify them in the base class
Implement tag and skip_tag handling in the CLI() class.  Change tag and
skip_tag command line options to be accepted multiple times on the CLI
and add them together rather than overwrite.

* Make it configurable whether to merge or overwrite multiple --tags arguments
* Make the base CLI class an abstractbaseclass so we can implement
  functionality in parse() but still make subclasses implement it.
* Deprecate the overwrite feature of --tags with a message that the
  default will change in 2.4 and go away in 2.5.

* Add documentation for merge_multiple_cli_flags
* Fix galaxy search so its tags argument does not conflict with generic tags
* Unit tests and more integration tests for tags
8 years ago
Indrajit Raychaudhuri becb4765c3 Add homebrew in squash_actions list (#16966)
`homebrew`, like other package modules in the existing `squash_actions` list can
benefit from `with_items` loops optimization.
8 years ago
jctanner fff161f2f6 Smart mode for sftp+scp (#17813)
If the sftp fails, roll over to scp by default. This saves users
from having to know about the scp_if_ssh method when sftp is broken
on the remote host.
8 years ago
nitzmahone ee080eddb5 adjust WinRM service configuration message text
fixes #17478
8 years ago
jlehtniemi-broadsoft 5864ae50c6 Start WinRM service automatically on reboot 8 years ago
Brian Coca 81a4164207 old yaml format has been long gone
script is not compatible with new yaml format so removing it to avoid confusion

(cherry picked from commit 52099224e632fe0a8b076774b22723fb73d19ea0)
8 years ago
Brian Coca f59e8be428 linked cause people forget yaml and yml exist
(cherry picked from commit c769a966106cc01edd87f26a587238e954195d7d)
8 years ago
jctanner fe8258a378 make timeout decorator for facts have a configurable duration (#16551)
* Add a gather_timeout parameter
* update example ansible.cfg
* fix play level fact gathering too
8 years ago
Shota 47f715fb37 Fix some typos (#16498) 9 years ago
Scott Mcdermott 007c20a28b Add missing {cache,inventory}_plugins to ansible.cfg (#16463) 9 years ago
Toshio Kuratomi a3959644ee Change the default of module_set_locale to False. (#16313)
This makes Ansible no longer set LC_ALL for remote systems.  It is up to
the individual modules to set LC_ALL if they need it for screenscraping
the output from a program.

This is the 2.2 followup for #15138
9 years ago
Brian Coca de18566882 made ssh compression configurable (#16214)
AIX ssh does not seem to like compression, moved it to ssh_args
to allow making it configurable. Note that those using ssh_args
already will need to add it explicitly to keep compression.
9 years ago
Matt Davis 5825958a5a Merge pull request #15275 from Cryptophobia/devel
Update ConfigureRemotingForAnsible.ps1
9 years ago
Dag Wieers a485395b02 Fix small typo in ansible.cfg (#15912) 9 years ago
Cryptophobia 76a519fddc Update to ConfigureRemotingForAnsible.ps1 9 years ago
Toshio Kuratomi dcc5dfdf81 Controller-side module caching.
This makes our recursive, ast.parse performance measures as fast as
pre-ziploader baseline.

Since this unittest isn't testing that the returned module data is
correct we don't need to worry about os.rename not having any module
data.  Should devise a separate test for the module and caching code
9 years ago
Brian Coca 1942cd33dc draft add group merge priority and yaml inventory
* now you can specify a yaml inventory file

* ansible_group_priority will now set this property on groups

* added example yaml inventory

* TODO: make group var merging depend on priority

  groups, child/parent relationships should remain unchanged.
9 years ago
James Cammarata 040893a677 Adding a config option to allow disabling locale settings upon module exec
Fixes #15138
9 years ago
Toshio Kuratomi 4b0aa1214c Ziploader
* Ziploader proof of concept (jimi-c)

* Cleanups to proof of concept ziploader branch:

* python3 compatible base64 encoding
* zipfile compression (still need to enable toggling this off for
  systems without zlib support in python)
* Allow non-wildcard imports (still need to make this recursive so that
  we can have module_utils code that imports other module_utils code.)
* Better tracebacks: module filename is kept and module_utils directory
  is kept so that tracebacks show the real filenames that the errors
  appear in.

* Make sure we import modules that are used into the module_utils files that they are used in.

* Set ansible version in a more pythonic way for ziploader than we were doing in module replacer

* Make it possible to set the module compression as an inventory var

This may be necessary on systems where python has been compiled without
zlib compression.

* Refactoring of module_common code:

* module replacer only replaces values that make sense for that type of
  file (example: don't attempt to replace python imports if we're in
  a powershell module).
* Implement configurable shebang support for ziploader wrapper
* Implement client-side constants (for SELINUX_SPECIAL_FS and SYSLOG)
  via environment variable.
* Remove strip_comments param as we're never going to use it (ruins line
  numbering)

* Don't repeat ourselves about detecting REPLACER

* Add an easy way to debug

* Port test-module to the ziploader-aware modify_module()

* strip comments and blank lines from the wrapper so we send less over the wire.

* Comments cleanup

* Remember to output write the module line itself in powershell modules

* for line in lines strips the newlines so we have to add them back in
9 years ago
Linus Arver 0814a37a76 examples/ansible.cfg: add vault_password_file 9 years ago
James Cammarata 2c20579a06 Add options to make includes 'static'
* Can be configured in the ansible.cfg for tasks/handlers individually
* If an included filename contains no vars or loops, it will be expanded
  in-place as if it were marked as static
9 years ago
Toshio Kuratomi 52e9209491 Don't create world-readable module and tempfiles without explicit user permission 9 years ago
Matthew Gamble 7b06ec79e3 Add documentation for squash_actions configuration setting 9 years ago
Toshio Kuratomi 512825455e Make ohai and facter work via module_utils Fact classes rather than in the setup module 9 years ago
Yannig Perré 88772b6003 Add a way to restrict gathered facts in Ansible:
- Using gather_subset options
- By ignoring ohai/chef or facter/puppet facts
9 years ago
Matt Clay ba1bcdfc17 Add noseclabel support to libvirt_lxc plugin. 9 years ago
Brian Coca e74ab3ecdd draft 1st release of ansible-console
porting @dominis 's ansible-shell tool from 1.9 and integrating it into ansible
added verbosity control
made more resilient to several errors
added highlight color, to configurable colors
more resilient on exception and interruptions
prompt coloring, goes red and changes to # when using become = true and root
become setting is now explicit and not a toggle
9 years ago
Kishin Yagami 299c18d700 Support strategy_plugins setting in a configuration file 9 years ago
Brian Coca c24249c57d made max diff size configurable 9 years ago
Matt Davis 840cda741d Merge pull request #12363 from breathe/devel
allow ConfigureRemotingForAnsible.ps1 script from public zone
9 years ago
Michael Crilly e9fe5f201f $SubjectName variable unused; clean up
Having used this script several times today, I came to notice the $SubjectName variable, being passed in via the CLI, is essentially ignored when generating the SSL certificates, rendering it useless. I believe it's a good idea to have it in place, so I've updated the script to reflect this.

I also cleaned up some random new lines throughout the file, and expanded on a comment.

It might be worth going a step further and commenting the file fully, as most people reviewing this file won't be familiar with PowerShell (like I wasn't until a few days ago). It could be helpful.
9 years ago
Gabriel Burkholder c4ecbad663 Cleans up extra whitespace in ansible.cfg 9 years ago
James Cammarata 9112f5af3a Merge pull request #14535 from b4ldr/update_uptime_for_api_2
update uptime script to use version 2.0 of the api
9 years ago
Toshio Kuratomi 86b8dc0e79 Add a configuration setting that allows the user to specify printing of task arguments in the header.
Fixes #14554
9 years ago
Brian Coca 0a4642fcc2 added examples for new diff color configs 9 years ago
b4ldr 439baf004e update uptime script to use version 2.0 of the api 9 years ago
Brian Coca d3deb24ead output color is now configurable 9 years ago
Brian Coca 2bfb13bfb3 removed unused 'pattern' from ansible.cfg
also moved the config param to a 'deprecated' list in constants.py
added TODO for producing a deprecation warning for such vars
9 years ago
Luca Berruti 8ea45e8608 Make no_target_syslog consistent.
no_target_syslog = False --> do log on target
9 years ago
“Brice e8954e556a comment examples in default hosts file 9 years ago
Toshio Kuratomi 9caa2b0452 Revert "Update docs and example config for requiretty + pipelining change"
This reverts commit f873cc0fb5.

Reverting pipelining change for now due to hard to pin down bugs: #13410  #13411
9 years ago
Toshio Kuratomi f873cc0fb5 Update docs and example config for requiretty + pipelining change 9 years ago
James Cammarata efbc6054a4 Add variable compression option 9 years ago
Brian Coca 0712ec756b commented out all settings in example ansible.cfg as we really only want to set when diff from defaults 9 years ago
bastianharren b39b474def stdout_callback instead of callback_stdout 9 years ago
Brian Coca b2fc5142eb moved sudo -S and -n into configurable flags as they might be absent in much older systems
if password is supplied existing -n would get removed from flags
9 years ago
Toshio Kuratomi cd9d6c8b5b Remove unused ca_file_path as it has not been hooked up to code for a long time (if ever) and is confusing people For instance, #12884 9 years ago
James Cammarata dce58a78c9 Make random cowsay truly random
Also adds a cowsay whitelist config option, because there are some
truly NSFW stencils that come with cowsay by default.
9 years ago
Ananya W Cleetus 45258b113d Update DOCUMENTATION.yml 9 years ago
Greg DeKoenigsberg 0a21e2ab4d Add github ID to documentation example 9 years ago
Brian Coca bb6141ec41 renamed managed_syslog to no_target_syslog 9 years ago
Brian Coca 37a918438b task logging revamp
* allow global no_log setting, no need to set at play or task level, but can be overridden by them
 * allow turning off syslog only on task execution from target host (manage_syslog), overlaps with no_log functionality
 * created log function for task modules to use, now we can remove all syslog references, will use systemd journal if present
 * added debug flag to modules, so they can make it call new log function conditionally
 * added debug logging in module's run_command
9 years ago
Nathaniel Cohen 8b6f8ff928 Document -SkipNetworkProfileCheck switch 9 years ago
Paul Freeman 87fc5640d4 Comments to explain retry_files_enabled and retry_files_save_path 9 years ago
Brian Coca 4aea1f6568 normalized plugin paths and names and configs 9 years ago
Nathaniel Cohen be452c1b27 allow ConfigureRemotingForAnsible.ps1 script to function from 'public' adapters
The current script fails on machines which have network interfaces designated
as connected to "Public" networks (choices for network designation being
Private, Domain, Public).  This commit changes the script to NOT prevent winrm
initialization when device is connected to a "Public" network.
9 years ago
Marius Gedminas 823677b490 Replace .iteritems() with six.iteritems()
Replace .iteritems() with six.iteritems() everywhere except in
module_utils (because there's no 'six' on the remote host).  And except
in lib/ansible/galaxy/data/metadata_template.j2, because I'm not sure
six is available there.
9 years ago
nitzmahone 74694b2b0d moved WinRM setup script test after config 9 years ago
Brian Coca 49eb95e2d1 some fixes to become/sudo
* now it uses -n to get immediate error if no password is supplied and one is needed,
   this should fix the issue with sudo hanging waiting for input.
 * made -k configurable, this can break changing become_users in play if left out,
   but opens up the possibility of OTP support.
9 years ago