diff --git a/ansible_mitogen/connection.py b/ansible_mitogen/connection.py
index bd4330ff..b5f28d34 100644
--- a/ansible_mitogen/connection.py
+++ b/ansible_mitogen/connection.py
@@ -58,6 +58,15 @@ import ansible_mitogen.transport_config
 LOG = logging.getLogger(__name__)
+def get_remote_name(spec):
+    """
+    Return the value to use for the "remote_name" parameter.
+    """
+    if spec.mitogen_mask_remote_name():
+        return 'ansible'
+    return None
+
+
+
 def optional_int(value):
     """
     Convert `value` to an integer if it is not :data:`None`, otherwise return
@@ -135,6 +144,7 @@ def _connect_ssh(spec):
             'connect_timeout': spec.ansible_ssh_timeout(),
             'ssh_args': spec.ssh_args(),
             'ssh_debug_level': spec.mitogen_ssh_debug_level(),
+            'remote_name': get_remote_name(spec),
         }
     }
@@ -150,6 +160,7 @@ def _connect_docker(spec):
             'container': spec.remote_addr(),
             'python_path': spec.python_path(),
             'connect_timeout': spec.ansible_ssh_timeout() or spec.timeout(),
+            'remote_name': get_remote_name(spec),
         }
     }
@@ -166,6 +177,7 @@ def _connect_kubectl(spec):
             'connect_timeout': spec.ansible_ssh_timeout() or spec.timeout(),
             'kubectl_path': spec.mitogen_kubectl_path(),
             'kubectl_args': spec.extra_args(),
+            'remote_name': get_remote_name(spec),
         }
     }
@@ -181,6 +193,7 @@ def _connect_jail(spec):
             'container': spec.remote_addr(),
             'python_path': spec.python_path(),
             'connect_timeout': spec.ansible_ssh_timeout() or spec.timeout(),
+            'remote_name': get_remote_name(spec),
         }
     }
@@ -196,6 +209,7 @@ def _connect_lxc(spec):
             'python_path': spec.python_path(),
             'lxc_attach_path': spec.mitogen_lxc_attach_path(),
             'connect_timeout': spec.ansible_ssh_timeout() or spec.timeout(),
+            'remote_name': get_remote_name(spec),
         }
     }
@@ -211,6 +225,7 @@ def _connect_lxd(spec):
             'python_path': spec.python_path(),
             'lxc_path': spec.mitogen_lxc_path(),
             'connect_timeout': spec.ansible_ssh_timeout() or spec.timeout(),
+            'remote_name': get_remote_name(spec),
         }
     }
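Review bot: `get_remote_name` decides by the truthiness of `spec.mitogen_mask_remote_name()`, but both Spec implementations in this commit hand back the raw task/host variable, so a string such as `'false'` arriving via `-e` or an INI inventory is truthy and masks the name even though the documentation added here describes the variable as a boolean. A coercion step next to the existing `optional_int` helper would close the gap, for example `if boolean(spec.mitogen_mask_remote_name(), strict=False):` using `ansible.module_utils.parsing.convert_bool.boolean` if that helper is available on every Ansible version the project supports, otherwise a small local helper that recognises the usual true strings. The docstring could also state the contract rather than restating the name: `Return 'ansible' when mitogen_mask_remote_name is truthy, otherwise None so the default identifying name is kept.`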
@@ -254,6 +269,7 @@ def _connect_su(spec):
             'python_path': spec.python_path(),
             'su_path': spec.become_exe(),
             'connect_timeout': spec.timeout(),
+            'remote_name': get_remote_name(spec),
         }
     }
@@ -272,6 +288,7 @@ def _connect_sudo(spec):
             'sudo_path': spec.become_exe(),
             'connect_timeout': spec.timeout(),
             'sudo_args': spec.sudo_args(),
+            'remote_name': get_remote_name(spec),
         }
     }
@@ -289,6 +306,7 @@ def _connect_doas(spec):
             'python_path': spec.python_path(),
             'doas_path': spec.become_exe(),
             'connect_timeout': spec.timeout(),
+            'remote_name': get_remote_name(spec),
         }
     }
@@ -305,6 +323,7 @@ def _connect_mitogen_su(spec):
             'python_path': spec.python_path(),
             'su_path': spec.become_exe(),
             'connect_timeout': spec.timeout(),
+            'remote_name': get_remote_name(spec),
         }
     }
@@ -322,6 +341,7 @@ def _connect_mitogen_sudo(spec):
             'sudo_path': spec.become_exe(),
             'connect_timeout': spec.timeout(),
             'sudo_args': spec.sudo_args(),
+            'remote_name': get_remote_name(spec),
         }
     }
@@ -338,6 +358,7 @@ def _connect_mitogen_doas(spec):
             'python_path': spec.python_path(),
             'doas_path': spec.become_exe(),
             'connect_timeout': spec.timeout(),
+            'remote_name': get_remote_name(spec),
         }
     }
diff --git a/ansible_mitogen/transport_config.py b/ansible_mitogen/transport_config.py
index 8ef12165..ad1cab3e 100644
--- a/ansible_mitogen/transport_config.py
+++ b/ansible_mitogen/transport_config.py
@@ -231,6 +231,15 @@ class Spec(with_metaclass(abc.ABCMeta, object)):
         The type of container to use with the "setns" transport.
         """
+    @abc.abstractmethod
+    def mitogen_mask_remote_name(self):
+        """
+        Specifies whether to set a fixed "remote_name" field. The remote_name
+        is the suffix of `argv[0]` for remote interpreters. By default it
+        includes identifying information from the local process, which may be
+        undesirable in some circumstances.
+        """
+
     @abc.abstractmethod
     def mitogen_docker_path(self):
         """
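Review bot: The setns-based connection methods do not receive `'remote_name': get_remote_name(spec)` in this diff — the connection.py hunks cover `_connect_ssh` through `_connect_lxd` and `_connect_su` through `_connect_mitogen_doas`, and nothing between `_connect_lxd` and `_connect_su`, which is where `_connect_setns` and `_connect_machinectl` live — yet the machinectl section of ansible_detailed.rst and the osa_container_standalone.yml fixture (a `'method': 'setns'` stack) in this same commit both expect the key. Unless a hunk outside this view covers it, that fixture will fail and the documented masking silently does not apply to setns/machinectl targets, which is exactly the case where a privacy-motivated user would not notice. Adding the same `'remote_name': get_remote_name(spec),` line to the setns kwargs dict keeps the fixture, the docs and the behaviour in agreement.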
@@ -385,6 +394,9 @@ class PlayContextSpec(Spec):
     def mitogen_kind(self):
         return self._connection.get_task_var('mitogen_kind')
+    def mitogen_mask_remote_name(self):
+        return self._connection.get_task_var('mitogen_mask_remote_name')
+
     def mitogen_docker_path(self):
         return self._connection.get_task_var('mitogen_docker_path')
@@ -593,6 +605,9 @@ class MitogenViaSpec(Spec):
     def mitogen_kind(self):
         return self._host_vars.get('mitogen_kind')
+    def mitogen_mask_remote_name(self):
+        return self._host_vars.get('mitogen_mask_remote_name')
+
     def mitogen_docker_path(self):
         return self._host_vars.get('mitogen_docker_path')
diff --git a/docs/ansible_detailed.rst b/docs/ansible_detailed.rst
index 3cef1faf..5b541a14 100644
--- a/docs/ansible_detailed.rst
+++ b/docs/ansible_detailed.rst
@@ -733,6 +733,11 @@ When used as a become method:
 * ``ansible_become_exe``: path to ``doas`` binary.
 * ``ansible_become_user`` (default: ``root``)
 * ``ansible_become_pass`` (default: assume passwordless)
+* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
+  Ansible controller process on remote machines. To simplify diagnostics,
+  Mitogen produces remote processes named like
+  `"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
+  some circumstances.
 * ansible.cfg: ``timeout``
 When used as the ``mitogen_doas`` connection method:
@@ -754,6 +759,11 @@ connection delegation is supported.
 * ``ansible_host``: Name of Docker container (default: inventory hostname).
 * ``ansible_user``: Name of user within the container to execute as.
+* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
+  Ansible controller process on remote machines. To simplify diagnostics,
+  Mitogen produces remote processes named like
+  `"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
+  some circumstances.
 .. _method-jail:
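Review bot: The abstract `mitogen_mask_remote_name` docstring explains what the option controls but not what the method returns, and the two implementations here return the raw task or host variable — `None` when unset, a string when it came from an inventory or the command line — which the connection layer then tests for truthiness. A return line on the abstract method would make that contract visible to anyone adding a third Spec: `Returns the raw variable value, or None when unset; no boolean coercion happens here, the caller evaluates truthiness.` Both hunks share the same omission, so one docstring on the base class is enough.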
@@ -767,6 +777,11 @@ connection delegation is supported.
 * ``ansible_host``: Name of jail (default: inventory hostname).
 * ``ansible_user``: Name of user within the jail to execute as.
+* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
+  Ansible controller process on remote machines. To simplify diagnostics,
+  Mitogen produces remote processes named like
+  `"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
+  some circumstances.
 .. _method-kubectl:
@@ -780,6 +795,11 @@ connection delegation is supported.
 * ``ansible_host``: Name of pod (default: inventory hostname).
 * ``ansible_user``: Name of user to authenticate to API as.
+* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
+  Ansible controller process on remote machines. To simplify diagnostics,
+  Mitogen produces remote processes named like
+  `"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
+  some circumstances.
 Local
@@ -823,6 +843,11 @@ than the LXC Python bindings, as is usual with ``lxc``.
 * ``ansible_host``: Name of LXC container (default: inventory hostname).
 * ``mitogen_lxc_attach_path``: path to ``lxc-attach`` command if not available on the system path.
+* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
+  Ansible controller process on remote machines. To simplify diagnostics,
+  Mitogen produces remote processes named like
+  `"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
+  some circumstances.
 .. _method-lxd:
@@ -839,6 +864,11 @@ the host machine.
 * ``ansible_host``: Name of LXC container (default: inventory hostname).
 * ``mitogen_lxc_path``: path to ``lxc`` command if not available on the system path.
+* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
+  Ansible controller process on remote machines. To simplify diagnostics,
+  Mitogen produces remote processes named like
+  `"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
+  some circumstances.
 .. _machinectl:
@@ -855,6 +885,11 @@ connection delegation is supported. This is a light wrapper around the
 * ``ansible_user``: Name of user within the container to execute as.
 * ``mitogen_machinectl_path``: path to ``machinectl`` command if not available as ``/bin/machinectl``.
+* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
+  Ansible controller process on remote machines. To simplify diagnostics,
+  Mitogen produces remote processes named like
+  `"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
+  some circumstances.
 .. _setns:
@@ -899,6 +934,11 @@ When used as a become method:
 * ``ansible_su_user``, ``ansible_become_user`` (default: ``root``)
 * ``ansible_su_pass``, ``ansible_become_pass`` (default: assume passwordless)
 * ``su_flags``, ``become_flags``
+* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
+  Ansible controller process on remote machines. To simplify diagnostics,
+  Mitogen produces remote processes named like
+  `"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
+  some circumstances.
 * ansible.cfg: ``timeout``
 When used as the ``mitogen_su`` connection method:
@@ -924,6 +964,11 @@ When used as a become method:
 * ``ansible_sudo_user``, ``ansible_become_user`` (default: ``root``)
 * ``ansible_sudo_pass``, ``ansible_become_pass`` (default: assume passwordless)
 * ``sudo_flags``, ``become_flags``
+* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
+  Ansible controller process on remote machines. To simplify diagnostics,
+  Mitogen produces remote processes named like
+  `"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
+  some circumstances.
 * ansible.cfg: ``timeout``
 When used as the ``mitogen_sudo`` connection method:
@@ -949,6 +994,11 @@ except connection delegation is supported.
 * ``ansible_ssh_private_key_file``
 * ``ansible_ssh_pass``, ``ansible_password`` (default: assume passwordless)
 * ``ssh_args``, ``ssh_common_args``, ``ssh_extra_args``
+* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
+  Ansible controller process on remote machines. To simplify diagnostics,
+  Mitogen produces remote processes named like
+  `"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
+  some circumstances.
 * ``mitogen_ssh_debug_level``: integer between `0..3` indicating the SSH client debug level. Ansible must also be run with '-vvv' to view the output.
 * ``mitogen_ssh_compression``: :data:`True` to enable SSH compression,
diff --git a/docs/changelog.rst b/docs/changelog.rst
index 8b5189cb..e8ee19b4 100644
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
@@ -39,6 +39,11 @@ Fixes
 startup on SuSE Linux 11, due to an incorrect version compatibility check in the Mitogen code.
+* `#581 `_: a
+  ``mitogen_mask_remote_name`` Ansible variable is exposed, to allow masking
+  the username, hostname and process ID of ``ansible-playbook`` running on the
+  controller machine.
+
 Thanks!
 ~~~~~~~
@@ -46,8 +51,9 @@ Thanks!
 Mitogen would not be possible without the support of users. A huge thanks for bug reports, testing, features and fixes in this release contributed by
 `Orion Poplawski `_,
-`Thibaut Barrère `_, and
-`@Moumoutaru `_.
+`Thibaut Barrère `_,
+`@Moumoutaru `_, and
+`@polski-g `_.
 v0.2.6 (2019-03-06)
diff --git a/tests/ansible/integration/connection_delegation/delegate_to_template.yml b/tests/ansible/integration/connection_delegation/delegate_to_template.yml
index 6e18ab6d..d7af7f81 100644
--- a/tests/ansible/integration/connection_delegation/delegate_to_template.yml
+++ b/tests/ansible/integration/connection_delegation/delegate_to_template.yml
@@ -40,6 +40,7 @@
 'password': null,
 'port': null,
 'python_path': ["/usr/bin/python"],
+ 'remote_name': null,
 'ssh_args': [
 '-o', 'UserKnownHostsFile=/dev/null',
@@ -67,6 +68,7 @@
 'password': null,
 'port': null,
 'python_path': ["/usr/bin/python"],
+ 'remote_name': null,
 'ssh_args': [
 '-o', 'UserKnownHostsFile=/dev/null',
diff --git a/tests/ansible/integration/connection_delegation/local_action.yml b/tests/ansible/integration/connection_delegation/local_action.yml
index 9d2cb65c..91fb9739 100644
--- a/tests/ansible/integration/connection_delegation/local_action.yml
+++ b/tests/ansible/integration/connection_delegation/local_action.yml
@@ -24,6 +24,7 @@
 'kwargs': {
 'connect_timeout': 10,
 'python_path': ["{{ansible_playbook_python}}"],
+ 'remote_name': null,
 'password': null,
 'username': 'root',
 'sudo_path': null,
diff --git a/tests/ansible/integration/connection_delegation/osa_container_standalone.yml b/tests/ansible/integration/connection_delegation/osa_container_standalone.yml
index d6483bd6..cf5eceaa 100644
--- a/tests/ansible/integration/connection_delegation/osa_container_standalone.yml
+++ b/tests/ansible/integration/connection_delegation/osa_container_standalone.yml
@@ -21,6 +21,7 @@
 'lxc_info_path': null,
 'machinectl_path': null,
 'python_path': ['/usr/bin/python'],
+ 'remote_name': null,
 'username': null,
 },
 'method': 'setns',
diff --git a/tests/ansible/integration/connection_delegation/stack_construction.yml b/tests/ansible/integration/connection_delegation/stack_construction.yml
index 1b1f249d..50029569 100644
--- a/tests/ansible/integration/connection_delegation/stack_construction.yml
+++ b/tests/ansible/integration/connection_delegation/stack_construction.yml
@@ -44,6 +44,7 @@
 "doas_path": null,
 "password": null,
 "python_path": ["/usr/bin/python"],
+ 'remote_name': null,
 "username": "normal-user",
 },
 "method": "doas",
@@ -73,6 +74,7 @@
 'password': null,
 'port': null,
 "python_path": ["/usr/bin/python"],
+ 'remote_name': null,
 'ssh_args': [
 '-o', 'UserKnownHostsFile=/dev/null',
@@ -113,6 +115,7 @@
 'password': null,
 'port': null,
 "python_path": ["/usr/bin/python"],
+ 'remote_name': null,
 'ssh_args': [
 '-o', 'UserKnownHostsFile=/dev/null',
@@ -148,6 +151,7 @@
 'doas_path': null,
 'password': null,
 "python_path": ["/usr/bin/python"],
+ 'remote_name': null,
 'username': 'normal-user',
 },
 'method': 'doas',
@@ -163,6 +167,7 @@
 'password': null,
 'port': null,
 "python_path": ["/usr/bin/python"],
+ 'remote_name': null,
 'ssh_args': [
 '-o', 'UserKnownHostsFile=/dev/null',
@@ -203,6 +208,7 @@
 'password': null,
 'port': null,
 "python_path": ["/usr/bin/python"],
+ 'remote_name': null,
 'ssh_args': [
 '-o', 'UserKnownHostsFile=/dev/null',
@@ -230,6 +236,7 @@
 'password': null,
 'port': null,
 "python_path": ["/usr/bin/python"],
+ 'remote_name': null,
 'ssh_args': [
 '-o', 'UserKnownHostsFile=/dev/null',
@@ -265,6 +272,7 @@
 'doas_path': null,
 'password': null,
 "python_path": ["/usr/bin/python"],
+ 'remote_name': null,
 'username': 'normal-user',
 },
 'method': 'doas',
@@ -280,6 +288,7 @@
 'password': null,
 'port': null,
 "python_path": ["/usr/bin/python"],
+ 'remote_name': null,
 'ssh_args': [
 '-o', 'UserKnownHostsFile=/dev/null',
@@ -321,6 +330,7 @@
 'password': null,
 'port': null,
 "python_path": ["/usr/bin/python"],
+ 'remote_name': null,
 'ssh_args': [
 '-o', 'UserKnownHostsFile=/dev/null',
@@ -375,6 +385,7 @@
 'doas_path': null,
 'password': null,
 'python_path': ["/usr/bin/python"],
+ 'remote_name': null,
 'username': 'normal-user',
 },
 'method': 'doas',
@@ -385,6 +396,7 @@
 'doas_path': null,
 'password': null,
 'python_path': ["/usr/bin/python"],
+ 'remote_name': null,
 'username': 'newuser-doas-normal-user',
 },
 'method': 'doas',
diff --git a/tests/ansible/integration/context_service/all.yml b/tests/ansible/integration/context_service/all.yml
index 79148f7a..7770629a 100644
--- a/tests/ansible/integration/context_service/all.yml
+++ b/tests/ansible/integration/context_service/all.yml
@@ -1,3 +1,4 @@
 - include: disconnect_cleanup.yml
 - include: lru_one_target.yml
 - include: reconnection.yml
+- include: remote_name.yml
diff --git a/tests/ansible/integration/context_service/remote_name.yml b/tests/ansible/integration/context_service/remote_name.yml
new file mode 100644
index 00000000..827abaee
--- /dev/null
+++ b/tests/ansible/integration/context_service/remote_name.yml
@@ -0,0 +1,27 @@
+# issue #581: ensure mitogen_mask_remote_name is respected.
+
+- name: integration/context_service/remote_name.yml
+  hosts: test-targets[0]
+  any_errors_fatal: true
+  tasks:
+  - meta: end_play
+    when: not is_mitogen
+
+  - shell: 'cat /proc/$PPID/cmdline | tr \\0 \\n'
+    register: out
+  - debug: var=out
+
+  - assert:
+      that:
+      - out.stdout is match('.*python([0-9.]+)?\(mitogen:[a-z]+@[^:]+:[0-9]+\)')
+
+  - shell: 'cat /proc/$PPID/cmdline | tr \\0 \\n'
+    register: out
+    vars:
+      mitogen_mask_remote_name: true
+  - debug: var=out
+
+  - assert:
+      that:
+      - out.stdout is match('.*python([0-9.]+)?\(mitogen:ansible\)')
+
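Review bot: The unmasked assertion in remote_name.yml restricts the controller username to `[a-z]+`, so any controller account containing a digit, underscore, hyphen or capital (common on CI runners and corporate workstations) fails the first check before the masking behaviour is ever exercised, and the failure would look like a regression in the feature rather than an environment mismatch. Widening it to `- out.stdout is match('.*python([0-9.]+)?\(mitogen:[^@]+@[^:]+:[0-9]+\)')` keeps the intent (something@host:pid) without pinning a character set the controller does not control. Note also that `tr \\0 \\n` turns the cmdline into several lines while Ansible's `match` test applies `re.match` without DOTALL, so the leading `.*` cannot cross a newline; if the assertion deliberately relies on the name being in argv[0], a one-line comment saying so would save the next reader from the same question.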