Public Ansible Project Meeting Agenda - December 2019

[jillr]

Please leave a comment regarding any agenda item you wish to discuss. If you don't show up for the meeting, your item will be skipped. If your IRC nick is different from your Github username, leave that as well.

See https://github.com/ansible/community/blob/master/meetings/README.md for the schedule

Once an item has been addressed it should get strike-through/check mark.

If you just want reviewers for your contribution try the #ansible-devel irc channel on freenode.

[jillr]

Carry over from November:

• [x] https://github.com/ansible/ansible/pull/64959 @bidord

[ghost]

• [x] https://github.com/ansible/ansible/pull/55268 - Update OpenBSD bcrypt algorithm
• [x] https://github.com/ansible/ansible/pull/65112 - Make test formatter script more portable

Just wanted to also verify which meeting these are included in so I am present for the correct one.

IRC nick: keylemon

[jillr]

@evitalis The Core Team meetings are Tuesdays at 1900UTC and Thursdays at 1500UTC. You can show up to either one you prefer. https://github.com/ansible/community/tree/master/meetings

[jillr]

Meeting ended Tue Dec 3 19:33:22 2019 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . Minutes: https://meetbot.fedoraproject.org/ansible-meeting/2019-12-03/ansible_core_public_irc_meeting.2019-12-03-19.03.html Minutes (text): https://meetbot.fedoraproject.org/ansible-meeting/2019-12-03/ansible_core_public_irc_meeting.2019-12-03-19.03.txt Log: https://meetbot.fedoraproject.org/ansible-meeting/2019-12-03/ansible_core_public_irc_meeting.2019-12-03-19.03.log.html

[nitzmahone]

• [x] Would like to discuss the safety of https://github.com/ansible/ansible/pull/64436 - the change seems awfully dangerous to me without being opt-in, since a screwed up Ansible config or mistyped password now has the potential to lock one out of a whole bunch of systems by regenerating the key. I think @samdoran and @mattclay agree with me that this behavior should be explicitly "opt-in".

cc @felixfontein

[felixfontein]

@nitzmahone I won't be around on Thursday, so here are my thoughts on this (and basically why I wanted the behavior to be as ansible/ansible#64436 now enforces it in devel):

The situation for openssh_keypair is in my opinion comparable to that of openssl_privatekey. There, the behavior is similar: if the key does not meet the requirements set by the module options (and its implicit expectations, like key format), it will be regenerated. In particular, if passphrase doesn't match, or the existence of a passphrase, it will be regenerated. opensshkeypair reacts similarly: if a parameter doesn't match, it will regenerate. This is (before 64436) true for all parameters, except passphrase existence. (The module does not allow setting a passphrase, i.e. it indirectly assumes that private keys have no passphrase.) 64436 makes the behavior consistent so that passphrase existence is taken into account. (We had similar discussions about the openssl* modules, in particular openssl_privatekey; see ansible/ansible#53535 and ansible/ansible#32038.)

So the dangerous behavior (overwriting a key) is already present (if you specify the wrong size or type), this PR only improves handling of passphrase protected keys. Right now, these keys are also destroyed - it clears the .pub file, and some ssh-keygen implementations apparently can't properly identify the encrypted key without the .pub file (https://github.com/ansible/ansible/issues/63910#issuecomment-546322773).

Finally, this can only lock you out of systems if you let the module operate on the only copy of the private key you have (i.e. you don't have any backup). As long as you have a backup, you can restore it from backup and still access all systems where the key is installed in authorized_keys. (It would still be nice if openssh_keypair would have a backup option, though.)

[samdoran]

@nitzmahone This is the issue I was thinking of related to SSH keys being generated that we rejected. https://github.com/ansible/ansible/pull/61669

Too much magic around managing SSH keys is just asking for trouble.

[samdoran]

Minutes: https://meetbot.fedoraproject.org/ansible-meeting/2019-12-05/ansible_core_public_irc_meeting_https:github.comansiblecommunityissues507.2019-12-05-15.09.html 11:00 Minutes (text): https://meetbot.fedoraproject.org/ansible-meeting/2019-12-05/ansible_core_public_irc_meeting_https:github.comansiblecommunityissues507.2019-12-05-15.09.txt 11:00 Log: https://meetbot.fedoraproject.org/ansible-meeting/2019-12-05/ansible_core_public_irc_meeting_https:github.comansiblecommunityissues507.2019-12-05-15.09.log.html

[jillr]

Meeting ended Tue Dec 10 19:37:07 2019 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . Minutes: https://meetbot.fedoraproject.org/ansible-meeting/2019-12-10/ansible_core_public_irc_meeting.2019-12-10-19.03.html Minutes (text): https://meetbot.fedoraproject.org/ansible-meeting/2019-12-10/ansible_core_public_irc_meeting.2019-12-10-19.03.txt Log: https://meetbot.fedoraproject.org/ansible-meeting/2019-12-10/ansible_core_public_irc_meeting.2019-12-10-19.03.log.html

[ghost]

I won't be able to join the meeting tomorrow but I was able to resolve #65112 and it is now merged.

• [x] For https://github.com/ansible/ansible/pull/55268 I think I am going to need some help. I was pointed to the right part of the code where the change should be, but currently I am not sure of the best way to solve it. I also committed an attempt but it did not pass CI. Would it be possible to get some help from the team to get this PR resolved?

IRC nick: keylemon

[samdoran]

Nothing was discussed due to low attendance.

Minutes: https://meetbot.fedoraproject.org/ansible-meeting/2019-12-12/ansible_core_public_irc_meeting_https:github.comansiblecommunityissues507.2019-12-12-15.05.html 10:35 Minutes (text): https://meetbot.fedoraproject.org/ansible-meeting/2019-12-12/ansible_core_public_irc_meeting_https:github.comansiblecommunityissues507.2019-12-12-15.05.txt 10:35 Log: https://meetbot.fedoraproject.org/ansible-meeting/2019-12-12/ansible_core_public_irc_meeting_https:github.comansiblecommunityissues507.2019-12-12-15.05.log.html

[jtyr]

I would liek to discuss the following PRs on Thursday 19th Dec:

• [ ] https://github.com/ansible/ansible/pull/62662
• [ ] https://github.com/ansible/ansible/pull/65799
• [ ] https://github.com/ansible/ansible/pull/65801

[jillr]

Low attendance so no discussion Meeting ended Tue Dec 17 19:21:15 2019 UTC. Information about MeetBot at http://wiki.debian.org/MeetBot . Minutes: https://meetbot.fedoraproject.org/ansible-meeting/2019-12-17/ansible_core_public_irc_meeting_https:github.comansiblecommunityissues507.2019-12-17-19.00.html Minutes (text): https://meetbot.fedoraproject.org/ansible-meeting/2019-12-17/ansible_core_public_irc_meeting_https:github.comansiblecommunityissues507.2019-12-17-19.00.txt Log: https://meetbot.fedoraproject.org/ansible-meeting/2019-12-17/ansible_core_public_irc_meeting_https:github.comansiblecommunityissues507.2019-12-17-19.00.log.html

[Akasurde]

• [ ] https://github.com/ansible/ansible/pull/57574