issue #581: expose mitogen_mask_remote_name variable.

pull/595/head
David Wilson 5 years ago
parent 300c7344be
commit f30a4c05c8

@ -58,6 +58,15 @@ import ansible_mitogen.transport_config
LOG = logging.getLogger(__name__)
def get_remote_name(spec):
"""
Return the value to use for the "remote_name" parameter.
"""
if spec.mitogen_mask_remote_name():
return 'ansible'
return None
def optional_int(value):
"""
Convert `value` to an integer if it is not :data:`None`, otherwise return
@ -135,6 +144,7 @@ def _connect_ssh(spec):
'connect_timeout': spec.ansible_ssh_timeout(),
'ssh_args': spec.ssh_args(),
'ssh_debug_level': spec.mitogen_ssh_debug_level(),
'remote_name': get_remote_name(spec),
}
}
@ -150,6 +160,7 @@ def _connect_docker(spec):
'container': spec.remote_addr(),
'python_path': spec.python_path(),
'connect_timeout': spec.ansible_ssh_timeout() or spec.timeout(),
'remote_name': get_remote_name(spec),
}
}
@ -166,6 +177,7 @@ def _connect_kubectl(spec):
'connect_timeout': spec.ansible_ssh_timeout() or spec.timeout(),
'kubectl_path': spec.mitogen_kubectl_path(),
'kubectl_args': spec.extra_args(),
'remote_name': get_remote_name(spec),
}
}
@ -181,6 +193,7 @@ def _connect_jail(spec):
'container': spec.remote_addr(),
'python_path': spec.python_path(),
'connect_timeout': spec.ansible_ssh_timeout() or spec.timeout(),
'remote_name': get_remote_name(spec),
}
}
@ -196,6 +209,7 @@ def _connect_lxc(spec):
'python_path': spec.python_path(),
'lxc_attach_path': spec.mitogen_lxc_attach_path(),
'connect_timeout': spec.ansible_ssh_timeout() or spec.timeout(),
'remote_name': get_remote_name(spec),
}
}
@ -211,6 +225,7 @@ def _connect_lxd(spec):
'python_path': spec.python_path(),
'lxc_path': spec.mitogen_lxc_path(),
'connect_timeout': spec.ansible_ssh_timeout() or spec.timeout(),
'remote_name': get_remote_name(spec),
}
}
@ -254,6 +269,7 @@ def _connect_su(spec):
'python_path': spec.python_path(),
'su_path': spec.become_exe(),
'connect_timeout': spec.timeout(),
'remote_name': get_remote_name(spec),
}
}
@ -272,6 +288,7 @@ def _connect_sudo(spec):
'sudo_path': spec.become_exe(),
'connect_timeout': spec.timeout(),
'sudo_args': spec.sudo_args(),
'remote_name': get_remote_name(spec),
}
}
@ -289,6 +306,7 @@ def _connect_doas(spec):
'python_path': spec.python_path(),
'doas_path': spec.become_exe(),
'connect_timeout': spec.timeout(),
'remote_name': get_remote_name(spec),
}
}
@ -305,6 +323,7 @@ def _connect_mitogen_su(spec):
'python_path': spec.python_path(),
'su_path': spec.become_exe(),
'connect_timeout': spec.timeout(),
'remote_name': get_remote_name(spec),
}
}
@ -322,6 +341,7 @@ def _connect_mitogen_sudo(spec):
'sudo_path': spec.become_exe(),
'connect_timeout': spec.timeout(),
'sudo_args': spec.sudo_args(),
'remote_name': get_remote_name(spec),
}
}
@ -338,6 +358,7 @@ def _connect_mitogen_doas(spec):
'python_path': spec.python_path(),
'doas_path': spec.become_exe(),
'connect_timeout': spec.timeout(),
'remote_name': get_remote_name(spec),
}
}
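Review bot: No hunk in this section touches the setns or machinectl builders, although this commit documents `mitogen_mask_remote_name` under machinectl and the setns test fixture now expects a `remote_name` key. The key is added to twelve `_connect_*` builders, whose bodies all start outside their hunks. If any remaining builder does not already pass `'remote_name': get_remote_name(spec)`, a user who sets the variable would still expose the controller's user, host name and PID in the target's process list on that transport. It is worth checking every builder, or setting the key in one shared place so a new transport cannot miss it. The `get_remote_name` docstring could also state that `None` is returned when masking is off, which presumably leaves Mitogen's default name in place.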

@ -231,6 +231,15 @@ class Spec(with_metaclass(abc.ABCMeta, object)):
The type of container to use with the "setns" transport.
"""
@abc.abstractmethod
def mitogen_mask_remote_name(self):
"""
Specifies whether to set a fixed "remote_name" field. The remote_name
is the suffix of `argv[0]` for remote interpreters. By default it
includes identifying information from the local process, which may be
undesirable in some circumstances.
"""
@abc.abstractmethod
def mitogen_docker_path(self):
"""
@ -385,6 +394,9 @@ class PlayContextSpec(Spec):
def mitogen_kind(self):
return self._connection.get_task_var('mitogen_kind')
def mitogen_mask_remote_name(self):
return self._connection.get_task_var('mitogen_mask_remote_name')
def mitogen_docker_path(self):
return self._connection.get_task_var('mitogen_docker_path')
@ -593,6 +605,9 @@ class MitogenViaSpec(Spec):
def mitogen_kind(self):
return self._host_vars.get('mitogen_kind')
def mitogen_mask_remote_name(self):
return self._host_vars.get('mitogen_mask_remote_name')
def mitogen_docker_path(self):
return self._host_vars.get('mitogen_docker_path')
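Review bot: Both concrete `mitogen_mask_remote_name()` implementations return the raw variable, and `get_remote_name` only tests its truthiness, so a non-empty string such as `'false'` or `'no'` would switch masking on. Whether a string can arrive here depends on how the variable is defined, which is not visible in these hunks; inventory sources that keep values as text would be the likely case. That outcome errs toward masking, but it is surprising. The abstract method's docstring should state the expected type, for example `Returns a boolean; any truthy value enables masking.` Alternatively, both implementations could normalise the value with whichever boolean-coercion helper the supported Ansible versions provide.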

@ -733,6 +733,11 @@ When used as a become method:
* ``ansible_become_exe``: path to ``doas`` binary.
* ``ansible_become_user`` (default: ``root``)
* ``ansible_become_pass`` (default: assume passwordless)
* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
Ansible controller process on remote machines. To simplify diagnostics,
Mitogen produces remote processes named like
`"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
some circumstances.
* ansible.cfg: ``timeout``
When used as the ``mitogen_doas`` connection method:
@ -754,6 +759,11 @@ connection delegation is supported.
* ``ansible_host``: Name of Docker container (default: inventory hostname).
* ``ansible_user``: Name of user within the container to execute as.
* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
Ansible controller process on remote machines. To simplify diagnostics,
Mitogen produces remote processes named like
`"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
some circumstances.
.. _method-jail:
@ -767,6 +777,11 @@ connection delegation is supported.
* ``ansible_host``: Name of jail (default: inventory hostname).
* ``ansible_user``: Name of user within the jail to execute as.
* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
Ansible controller process on remote machines. To simplify diagnostics,
Mitogen produces remote processes named like
`"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
some circumstances.
.. _method-kubectl:
@ -780,6 +795,11 @@ connection delegation is supported.
* ``ansible_host``: Name of pod (default: inventory hostname).
* ``ansible_user``: Name of user to authenticate to API as.
* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
Ansible controller process on remote machines. To simplify diagnostics,
Mitogen produces remote processes named like
`"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
some circumstances.
Local
@ -823,6 +843,11 @@ than the LXC Python bindings, as is usual with ``lxc``.
* ``ansible_host``: Name of LXC container (default: inventory hostname).
* ``mitogen_lxc_attach_path``: path to ``lxc-attach`` command if not available
on the system path.
* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
Ansible controller process on remote machines. To simplify diagnostics,
Mitogen produces remote processes named like
`"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
some circumstances.
.. _method-lxd:
@ -839,6 +864,11 @@ the host machine.
* ``ansible_host``: Name of LXC container (default: inventory hostname).
* ``mitogen_lxc_path``: path to ``lxc`` command if not available on the system
path.
* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
Ansible controller process on remote machines. To simplify diagnostics,
Mitogen produces remote processes named like
`"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
some circumstances.
.. _machinectl:
@ -855,6 +885,11 @@ connection delegation is supported. This is a light wrapper around the
* ``ansible_user``: Name of user within the container to execute as.
* ``mitogen_machinectl_path``: path to ``machinectl`` command if not available
as ``/bin/machinectl``.
* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
Ansible controller process on remote machines. To simplify diagnostics,
Mitogen produces remote processes named like
`"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
some circumstances.
.. _setns:
@ -899,6 +934,11 @@ When used as a become method:
* ``ansible_su_user``, ``ansible_become_user`` (default: ``root``)
* ``ansible_su_pass``, ``ansible_become_pass`` (default: assume passwordless)
* ``su_flags``, ``become_flags``
* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
Ansible controller process on remote machines. To simplify diagnostics,
Mitogen produces remote processes named like
`"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
some circumstances.
* ansible.cfg: ``timeout``
When used as the ``mitogen_su`` connection method:
@ -924,6 +964,11 @@ When used as a become method:
* ``ansible_sudo_user``, ``ansible_become_user`` (default: ``root``)
* ``ansible_sudo_pass``, ``ansible_become_pass`` (default: assume passwordless)
* ``sudo_flags``, ``become_flags``
* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
Ansible controller process on remote machines. To simplify diagnostics,
Mitogen produces remote processes named like
`"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
some circumstances.
* ansible.cfg: ``timeout``
When used as the ``mitogen_sudo`` connection method:
@ -949,6 +994,11 @@ except connection delegation is supported.
* ``ansible_ssh_private_key_file``
* ``ansible_ssh_pass``, ``ansible_password`` (default: assume passwordless)
* ``ssh_args``, ``ssh_common_args``, ``ssh_extra_args``
* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
Ansible controller process on remote machines. To simplify diagnostics,
Mitogen produces remote processes named like
`"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
some circumstances.
* ``mitogen_ssh_debug_level``: integer between `0..3` indicating the SSH client
debug level. Ansible must also be run with '-vvv' to view the output.
* ``mitogen_ssh_compression``: :data:`True` to enable SSH compression,

@ -39,6 +39,11 @@ Fixes
startup on SuSE Linux 11, due to an incorrect version compatibility check in
the Mitogen code.
* `#581 <https://github.com/dw/mitogen/issues/58>`_: a
``mitogen_mask_remote_name`` Ansible variable is exposed, to allow masking
the username, hostname and process ID of ``ansible-playbook`` running on the
controller machine.
Thanks!
~~~~~~~
@ -46,8 +51,9 @@ Thanks!
Mitogen would not be possible without the support of users. A huge thanks for
bug reports, testing, features and fixes in this release contributed by
`Orion Poplawski <https://github.com/opoplawski>`_,
`Thibaut Barrère <https://github.com/thbar>`_, and
`@Moumoutaru <https://github.com/Moumoutaru>`_.
`Thibaut Barrère <https://github.com/thbar>`_,
`@Moumoutaru <https://github.com/Moumoutaru>`_, and
`@polski-g <https://github.com/polski-g>`_.
v0.2.6 (2019-03-06)

@ -40,6 +40,7 @@
'password': null,
'port': null,
'python_path': ["/usr/bin/python"],
'remote_name': null,
'ssh_args': [
'-o',
'UserKnownHostsFile=/dev/null',
@ -67,6 +68,7 @@
'password': null,
'port': null,
'python_path': ["/usr/bin/python"],
'remote_name': null,
'ssh_args': [
'-o',
'UserKnownHostsFile=/dev/null',

@ -24,6 +24,7 @@
'kwargs': {
'connect_timeout': 10,
'python_path': ["{{ansible_playbook_python}}"],
'remote_name': null,
'password': null,
'username': 'root',
'sudo_path': null,

@ -21,6 +21,7 @@
'lxc_info_path': null,
'machinectl_path': null,
'python_path': ['/usr/bin/python'],
'remote_name': null,
'username': null,
},
'method': 'setns',

@ -44,6 +44,7 @@
"doas_path": null,
"password": null,
"python_path": ["/usr/bin/python"],
'remote_name': null,
"username": "normal-user",
},
"method": "doas",
@ -73,6 +74,7 @@
'password': null,
'port': null,
"python_path": ["/usr/bin/python"],
'remote_name': null,
'ssh_args': [
'-o',
'UserKnownHostsFile=/dev/null',
@ -113,6 +115,7 @@
'password': null,
'port': null,
"python_path": ["/usr/bin/python"],
'remote_name': null,
'ssh_args': [
'-o',
'UserKnownHostsFile=/dev/null',
@ -148,6 +151,7 @@
'doas_path': null,
'password': null,
"python_path": ["/usr/bin/python"],
'remote_name': null,
'username': 'normal-user',
},
'method': 'doas',
@ -163,6 +167,7 @@
'password': null,
'port': null,
"python_path": ["/usr/bin/python"],
'remote_name': null,
'ssh_args': [
'-o',
'UserKnownHostsFile=/dev/null',
@ -203,6 +208,7 @@
'password': null,
'port': null,
"python_path": ["/usr/bin/python"],
'remote_name': null,
'ssh_args': [
'-o',
'UserKnownHostsFile=/dev/null',
@ -230,6 +236,7 @@
'password': null,
'port': null,
"python_path": ["/usr/bin/python"],
'remote_name': null,
'ssh_args': [
'-o',
'UserKnownHostsFile=/dev/null',
@ -265,6 +272,7 @@
'doas_path': null,
'password': null,
"python_path": ["/usr/bin/python"],
'remote_name': null,
'username': 'normal-user',
},
'method': 'doas',
@ -280,6 +288,7 @@
'password': null,
'port': null,
"python_path": ["/usr/bin/python"],
'remote_name': null,
'ssh_args': [
'-o',
'UserKnownHostsFile=/dev/null',
@ -321,6 +330,7 @@
'password': null,
'port': null,
"python_path": ["/usr/bin/python"],
'remote_name': null,
'ssh_args': [
'-o',
'UserKnownHostsFile=/dev/null',
@ -375,6 +385,7 @@
'doas_path': null,
'password': null,
'python_path': ["/usr/bin/python"],
'remote_name': null,
'username': 'normal-user',
},
'method': 'doas',
@ -385,6 +396,7 @@
'doas_path': null,
'password': null,
'python_path': ["/usr/bin/python"],
'remote_name': null,
'username': 'newuser-doas-normal-user',
},
'method': 'doas',

@ -1,3 +1,4 @@
- include: disconnect_cleanup.yml
- include: lru_one_target.yml
- include: reconnection.yml
- include: remote_name.yml

@ -0,0 +1,27 @@
# issue #581: ensure mitogen_mask_remote_name is respected.
- name: integration/context_service/remote_name.yml
hosts: test-targets[0]
any_errors_fatal: true
tasks:
- meta: end_play
when: not is_mitogen
- shell: 'cat /proc/$PPID/cmdline | tr \\0 \\n'
register: out
- debug: var=out
- assert:
that:
- out.stdout is match('.*python([0-9.]+)?\(mitogen:[a-z]+@[^:]+:[0-9]+\)')
- shell: 'cat /proc/$PPID/cmdline | tr \\0 \\n'
register: out
vars:
mitogen_mask_remote_name: true
- debug: var=out
- assert:
that:
- out.stdout is match('.*python([0-9.]+)?\(mitogen:ansible\)')
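Review bot: The first assertion's `mitogen:[a-z]+@[^:]+:[0-9]+` pattern only accepts a controller user name made of lowercase letters, so a runner account containing a digit, hyphen or underscore would fail the test even though the unmasked name is correct. `mitogen:[^@]+@[^:]+:[0-9]+` would be less brittle. Both shell tasks read `/proc/$PPID/cmdline`, so the play assumes a Linux-style procfs on `test-targets[0]`. A short comment saying so, or a `when:` guard, would help if the suite ever runs against another platform. The play also covers only the connection used for that one host, so the become-method builders changed in this commit are not exercised.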