issue #581: expose mitogen_mask_remote_name variable.

ansible_mitogen/connection.py

@@ -58,6 +58,15 @@ import ansible_mitogen.transport_config
 LOG = logging.getLogger(__name__)
 
 
+def get_remote_name(spec):
+    """
+    Return the value to use for the "remote_name" parameter.
+    """
+    if spec.mitogen_mask_remote_name():
+        return 'ansible'
+    return None
+
+
 def optional_int(value):
     """
     Convert `value` to an integer if it is not :data:`None`, otherwise return
@@ -135,6 +144,7 @@ def _connect_ssh(spec):
             'connect_timeout': spec.ansible_ssh_timeout(),
             'ssh_args': spec.ssh_args(),
             'ssh_debug_level': spec.mitogen_ssh_debug_level(),
+            'remote_name': get_remote_name(spec),
         }
     }
 
@@ -150,6 +160,7 @@ def _connect_docker(spec):
             'container': spec.remote_addr(),
             'python_path': spec.python_path(),
             'connect_timeout': spec.ansible_ssh_timeout() or spec.timeout(),
+            'remote_name': get_remote_name(spec),
         }
     }
 
@@ -166,6 +177,7 @@ def _connect_kubectl(spec):
             'connect_timeout': spec.ansible_ssh_timeout() or spec.timeout(),
             'kubectl_path': spec.mitogen_kubectl_path(),
             'kubectl_args': spec.extra_args(),
+            'remote_name': get_remote_name(spec),
         }
     }
 
@@ -181,6 +193,7 @@ def _connect_jail(spec):
             'container': spec.remote_addr(),
             'python_path': spec.python_path(),
             'connect_timeout': spec.ansible_ssh_timeout() or spec.timeout(),
+            'remote_name': get_remote_name(spec),
         }
     }
 
@@ -196,6 +209,7 @@ def _connect_lxc(spec):
             'python_path': spec.python_path(),
             'lxc_attach_path': spec.mitogen_lxc_attach_path(),
             'connect_timeout': spec.ansible_ssh_timeout() or spec.timeout(),
+            'remote_name': get_remote_name(spec),
         }
     }
 
@@ -211,6 +225,7 @@ def _connect_lxd(spec):
             'python_path': spec.python_path(),
             'lxc_path': spec.mitogen_lxc_path(),
             'connect_timeout': spec.ansible_ssh_timeout() or spec.timeout(),
+            'remote_name': get_remote_name(spec),
         }
     }
 
@@ -254,6 +269,7 @@ def _connect_su(spec):
             'python_path': spec.python_path(),
             'su_path': spec.become_exe(),
             'connect_timeout': spec.timeout(),
+            'remote_name': get_remote_name(spec),
         }
     }
 
@@ -272,6 +288,7 @@ def _connect_sudo(spec):
             'sudo_path': spec.become_exe(),
             'connect_timeout': spec.timeout(),
             'sudo_args': spec.sudo_args(),
+            'remote_name': get_remote_name(spec),
         }
     }
 
@@ -289,6 +306,7 @@ def _connect_doas(spec):
             'python_path': spec.python_path(),
             'doas_path': spec.become_exe(),
             'connect_timeout': spec.timeout(),
+            'remote_name': get_remote_name(spec),
         }
     }
 
@@ -305,6 +323,7 @@ def _connect_mitogen_su(spec):
             'python_path': spec.python_path(),
             'su_path': spec.become_exe(),
             'connect_timeout': spec.timeout(),
+            'remote_name': get_remote_name(spec),
         }
     }
 
@@ -322,6 +341,7 @@ def _connect_mitogen_sudo(spec):
             'sudo_path': spec.become_exe(),
             'connect_timeout': spec.timeout(),
             'sudo_args': spec.sudo_args(),
+            'remote_name': get_remote_name(spec),
         }
     }
 
@@ -338,6 +358,7 @@ def _connect_mitogen_doas(spec):
             'python_path': spec.python_path(),
             'doas_path': spec.become_exe(),
             'connect_timeout': spec.timeout(),
+            'remote_name': get_remote_name(spec),
         }
     }
 

ansible_mitogen/transport_config.py

@@ -231,6 +231,15 @@ class Spec(with_metaclass(abc.ABCMeta, object)):
         The type of container to use with the "setns" transport.
         """
 
+    @abc.abstractmethod
+    def mitogen_mask_remote_name(self):
+        """
+        Specifies whether to set a fixed "remote_name" field. The remote_name
+        is the suffix of `argv[0]` for remote interpreters. By default it
+        includes identifying information from the local process, which may be
+        undesirable in some circumstances.
+        """
+
     @abc.abstractmethod
     def mitogen_docker_path(self):
         """
@@ -385,6 +394,9 @@ class PlayContextSpec(Spec):
     def mitogen_kind(self):
         return self._connection.get_task_var('mitogen_kind')
 
+    def mitogen_mask_remote_name(self):
+        return self._connection.get_task_var('mitogen_mask_remote_name')
+
     def mitogen_docker_path(self):
         return self._connection.get_task_var('mitogen_docker_path')
 
@@ -593,6 +605,9 @@ class MitogenViaSpec(Spec):
     def mitogen_kind(self):
         return self._host_vars.get('mitogen_kind')
 
+    def mitogen_mask_remote_name(self):
+        return self._host_vars.get('mitogen_mask_remote_name')
+
     def mitogen_docker_path(self):
         return self._host_vars.get('mitogen_docker_path')
 

docs/ansible_detailed.rst

@@ -733,6 +733,11 @@ When used as a become method:
 * ``ansible_become_exe``: path to ``doas`` binary.
 * ``ansible_become_user`` (default: ``root``)
 * ``ansible_become_pass`` (default: assume passwordless)
+* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
+  Ansible controller process on remote machines. To simplify diagnostics,
+  Mitogen produces remote processes named like
+  `"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
+  some circumstances.
 * ansible.cfg: ``timeout``
 
 When used as the ``mitogen_doas`` connection method:
@@ -754,6 +759,11 @@ connection delegation is supported.
 
 * ``ansible_host``: Name of Docker container (default: inventory hostname).
 * ``ansible_user``: Name of user within the container to execute as.
+* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
+  Ansible controller process on remote machines. To simplify diagnostics,
+  Mitogen produces remote processes named like
+  `"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
+  some circumstances.
 
 
 .. _method-jail:
@@ -767,6 +777,11 @@ connection delegation is supported.
 
 * ``ansible_host``: Name of jail (default: inventory hostname).
 * ``ansible_user``: Name of user within the jail to execute as.
+* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
+  Ansible controller process on remote machines. To simplify diagnostics,
+  Mitogen produces remote processes named like
+  `"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
+  some circumstances.
 
 
 .. _method-kubectl:
@@ -780,6 +795,11 @@ connection delegation is supported.
 
 * ``ansible_host``: Name of pod (default: inventory hostname).
 * ``ansible_user``: Name of user to authenticate to API as.
+* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
+  Ansible controller process on remote machines. To simplify diagnostics,
+  Mitogen produces remote processes named like
+  `"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
+  some circumstances.
 
 
 Local
@@ -823,6 +843,11 @@ than the LXC Python bindings, as is usual with ``lxc``.
 * ``ansible_host``: Name of LXC container (default: inventory hostname).
 * ``mitogen_lxc_attach_path``: path to ``lxc-attach`` command if not available
     on the system path.
+* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
+  Ansible controller process on remote machines. To simplify diagnostics,
+  Mitogen produces remote processes named like
+  `"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
+  some circumstances.
 
 
 .. _method-lxd:
@@ -839,6 +864,11 @@ the host machine.
 * ``ansible_host``: Name of LXC container (default: inventory hostname).
 * ``mitogen_lxc_path``: path to ``lxc`` command if not available on the system
   path.
+* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
+  Ansible controller process on remote machines. To simplify diagnostics,
+  Mitogen produces remote processes named like
+  `"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
+  some circumstances.
 
 
 .. _machinectl:
@@ -855,6 +885,11 @@ connection delegation is supported. This is a light wrapper around the
 * ``ansible_user``: Name of user within the container to execute as.
 * ``mitogen_machinectl_path``: path to ``machinectl`` command if not available
   as ``/bin/machinectl``.
+* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
+  Ansible controller process on remote machines. To simplify diagnostics,
+  Mitogen produces remote processes named like
+  `"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
+  some circumstances.
 
 
 .. _setns:
@@ -899,6 +934,11 @@ When used as a become method:
 * ``ansible_su_user``, ``ansible_become_user`` (default: ``root``)
 * ``ansible_su_pass``, ``ansible_become_pass`` (default: assume passwordless)
 * ``su_flags``, ``become_flags``
+* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
+  Ansible controller process on remote machines. To simplify diagnostics,
+  Mitogen produces remote processes named like
+  `"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
+  some circumstances.
 * ansible.cfg: ``timeout``
 
 When used as the ``mitogen_su`` connection method:
@@ -924,6 +964,11 @@ When used as a become method:
 * ``ansible_sudo_user``, ``ansible_become_user`` (default: ``root``)
 * ``ansible_sudo_pass``, ``ansible_become_pass`` (default: assume passwordless)
 * ``sudo_flags``, ``become_flags``
+* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
+  Ansible controller process on remote machines. To simplify diagnostics,
+  Mitogen produces remote processes named like
+  `"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
+  some circumstances.
 * ansible.cfg: ``timeout``
 
 When used as the ``mitogen_sudo`` connection method:
@@ -949,6 +994,11 @@ except connection delegation is supported.
 * ``ansible_ssh_private_key_file``
 * ``ansible_ssh_pass``, ``ansible_password`` (default: assume passwordless)
 * ``ssh_args``, ``ssh_common_args``, ``ssh_extra_args``
+* ``mitogen_mask_remote_name``: if :data:`True`, mask the identity of the
+  Ansible controller process on remote machines. To simplify diagnostics,
+  Mitogen produces remote processes named like
+  `"mitogen:user@controller.name:1234"`, however this may be a privacy issue in
+  some circumstances.
 * ``mitogen_ssh_debug_level``: integer between `0..3` indicating the SSH client
   debug level. Ansible must also be run with '-vvv' to view the output.
 * ``mitogen_ssh_compression``: :data:`True` to enable SSH compression,

docs/changelog.rst

@@ -39,6 +39,11 @@ Fixes
   startup on SuSE Linux 11, due to an incorrect version compatibility check in
   the Mitogen code.
 
+* `#581 <https://github.com/dw/mitogen/issues/58>`_: a
+  ``mitogen_mask_remote_name`` Ansible variable is exposed, to allow masking
+  the username, hostname and process ID of ``ansible-playbook`` running on the
+  controller machine.
+
 
 Thanks!
 ~~~~~~~
@@ -46,8 +51,9 @@ Thanks!
 Mitogen would not be possible without the support of users. A huge thanks for
 bug reports, testing, features and fixes in this release contributed by
 `Orion Poplawski <https://github.com/opoplawski>`_,
-`Thibaut Barrère <https://github.com/thbar>`_, and
+`Thibaut Barrère <https://github.com/thbar>`_,
-`@Moumoutaru <https://github.com/Moumoutaru>`_.
+`@Moumoutaru <https://github.com/Moumoutaru>`_, and
+`@polski-g <https://github.com/polski-g>`_.
 
 
 v0.2.6 (2019-03-06)

tests/ansible/integration/connection_delegation/delegate_to_template.yml

@@ -40,6 +40,7 @@
               'password': null,
               'port': null,
               'python_path': ["/usr/bin/python"],
+              'remote_name': null,
               'ssh_args': [
                 '-o',
                 'UserKnownHostsFile=/dev/null',
@@ -67,6 +68,7 @@
               'password': null,
               'port': null,
               'python_path': ["/usr/bin/python"],
+              'remote_name': null,
               'ssh_args': [
                 '-o',
                 'UserKnownHostsFile=/dev/null',

tests/ansible/integration/connection_delegation/local_action.yml

@@ -24,6 +24,7 @@
             'kwargs': {
               'connect_timeout': 10,
               'python_path': ["{{ansible_playbook_python}}"],
+              'remote_name': null,
               'password': null,
               'username': 'root',
               'sudo_path': null,

tests/ansible/integration/connection_delegation/osa_container_standalone.yml

@@ -21,6 +21,7 @@
             'lxc_info_path': null,
             'machinectl_path': null,
             'python_path': ['/usr/bin/python'],
+            'remote_name': null,
             'username': null,
           },
           'method': 'setns',

tests/ansible/integration/connection_delegation/stack_construction.yml

@@ -44,6 +44,7 @@
               "doas_path": null,
               "password": null,
               "python_path": ["/usr/bin/python"],
+              'remote_name': null,
               "username": "normal-user",
             },
             "method": "doas",
@@ -73,6 +74,7 @@
                       'password': null,
                       'port': null,
                       "python_path": ["/usr/bin/python"],
+                      'remote_name': null,
                       'ssh_args': [
                           '-o',
                           'UserKnownHostsFile=/dev/null',
@@ -113,6 +115,7 @@
                       'password': null,
                       'port': null,
                       "python_path": ["/usr/bin/python"],
+                      'remote_name': null,
                       'ssh_args': [
                           '-o',
                           'UserKnownHostsFile=/dev/null',
@@ -148,6 +151,7 @@
                       'doas_path': null,
                       'password': null,
                       "python_path": ["/usr/bin/python"],
+                      'remote_name': null,
                       'username': 'normal-user',
                   },
                   'method': 'doas',
@@ -163,6 +167,7 @@
                       'password': null,
                       'port': null,
                       "python_path": ["/usr/bin/python"],
+                      'remote_name': null,
                       'ssh_args': [
                           '-o',
                           'UserKnownHostsFile=/dev/null',
@@ -203,6 +208,7 @@
                       'password': null,
                       'port': null,
                       "python_path": ["/usr/bin/python"],
+                      'remote_name': null,
                       'ssh_args': [
                           '-o',
                           'UserKnownHostsFile=/dev/null',
@@ -230,6 +236,7 @@
                       'password': null,
                       'port': null,
                       "python_path": ["/usr/bin/python"],
+                      'remote_name': null,
                       'ssh_args': [
                           '-o',
                           'UserKnownHostsFile=/dev/null',
@@ -265,6 +272,7 @@
                       'doas_path': null,
                       'password': null,
                       "python_path": ["/usr/bin/python"],
+                      'remote_name': null,
                       'username': 'normal-user',
                   },
                   'method': 'doas',
@@ -280,6 +288,7 @@
                       'password': null,
                       'port': null,
                       "python_path": ["/usr/bin/python"],
+                      'remote_name': null,
                       'ssh_args': [
                           '-o',
                           'UserKnownHostsFile=/dev/null',
@@ -321,6 +330,7 @@
                       'password': null,
                       'port': null,
                       "python_path": ["/usr/bin/python"],
+                      'remote_name': null,
                       'ssh_args': [
                           '-o',
                           'UserKnownHostsFile=/dev/null',
@@ -375,6 +385,7 @@
               'doas_path': null,
               'password': null,
               'python_path': ["/usr/bin/python"],
+              'remote_name': null,
               'username': 'normal-user',
             },
             'method': 'doas',
@@ -385,6 +396,7 @@
               'doas_path': null,
               'password': null,
               'python_path': ["/usr/bin/python"],
+              'remote_name': null,
               'username': 'newuser-doas-normal-user',
             },
             'method': 'doas',

tests/ansible/integration/context_service/all.yml

@@ -1,3 +1,4 @@
 - include: disconnect_cleanup.yml
 - include: lru_one_target.yml
 - include: reconnection.yml
+- include: remote_name.yml

tests/ansible/integration/context_service/remote_name.yml

@@ -0,0 +1,27 @@
+# issue #581: ensure mitogen_mask_remote_name is respected.
+
+- name: integration/context_service/remote_name.yml
+  hosts: test-targets[0]
+  any_errors_fatal: true
+  tasks:
+  - meta: end_play
+    when: not is_mitogen
+
+  - shell: 'cat /proc/$PPID/cmdline | tr \\0 \\n'
+    register: out
+  - debug: var=out
+
+  - assert:
+      that:
+      - out.stdout is match('.*python([0-9.]+)?\(mitogen:[a-z]+@[^:]+:[0-9]+\)')
+
+  - shell: 'cat /proc/$PPID/cmdline | tr \\0 \\n'
+    register: out
+    vars:
+      mitogen_mask_remote_name: true
+  - debug: var=out
+
+  - assert:
+      that:
+      - out.stdout is match('.*python([0-9.]+)?\(mitogen:ansible\)')
+