search

ansible / molecule

Molecule aids in the development and testing of Ansible content: collections, playbooks and roles
https://ansible.readthedocs.io/projects/molecule/
MIT License
3.88k stars 663 forks source link

Inventory output gets censored with ******** #3204

Closed Nightreaver closed 2 years ago

Nightreaver commented 3 years ago

Issue Type

Molecule and Ansible details

ansible 2.10.12
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/s/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/s/.local/lib/python3.6/site-packages/ansible
  executable location = /home/s/.local/bin/ansible
  python version = 3.6.9 (default, Jan 26 2021, 15:33:00) [GCC 8.4.0]
molecule 3.3.4 using python 3.6 
    ansible:2.10.12
    delegated:3.3.4 from molecule
    docker:0.2.4 from molecule_docker
    vmware:0.3.6 from molecule_vmware

Molecule installation method (one of):

Ansible installation method (one of):

Detail any linters or test runners used:

Desired Behavior

print uncensored values

Actual Behaviour

Im running molecule with molecule vmware on vsphere esx 6.7 I have different roles which are linux and windows ones. Surprisingly, for linux hosts everything works well, and inventoy or lets say the - debug: msg: "{{server}}" output in that role looks fine

"item="{
   "changed":true,
   "failed":false,
   "instance":{
      "module_hw":true,
      "hw_name":"VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
      "hw_power_status":"poweredOn",
      "hw_guest_full_name":"",
      "hw_guest_id":"None",
      "hw_product_uuid":"42045cb0-5d80-7abe-4b5f-141a11ed89d4",
      "hw_processor_count":4,
      "hw_cores_per_socket":1,
      "hw_memtotal_mb":4048,
      "hw_interfaces":[
         "eth0"
      ],
      "hw_datastores":[
         "VMFS_11"
      ],
[...]

On the windows role however it gets censored like crazy

"item="{
   "changed":true,
   "failed":false,
   "instance":{
      "module_hw":true,
      "hw_name":"VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
      "hw_power_status":"poweredOn",
      "hw_guest_full_name":"Microsoft Windows Server 20********9 (64-bit)",
      "hw_guest_id":"windows20********9srv_64Guest",
      "hw_product_uuid":"420498****************-dd28-0c4d-e7e4-9df5b348204a",
      "hw_processor_count":4,
      "hw_cores_per_socket":"VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
      "hw_memtotal_mb":4048,
      "hw_interfaces":[
         "eth0"
      ],
      "hw_datastores":[
         "VMFS_****************"
      ],
[...]

So overall, every 1 in that early log get censored, which of course includes IP address

[...]
         "ipaddresses":[
            "fe80::8d28:a9bc:f********b6:d957",
            "********0.42.********87.********32"
         ],
[...]

which of course ends up in the inventory (only for win role)

all:
  hosts:
    molecule-win: &id001
      ansible_connection: winrm
      ansible_host: '********0.42.********87.********32'
      ansible_password: 5uper5ecret
      ansible_port: '5986'
      ansible_user: Administrator
      ansible_winrm_server_cert_validation: ignore
      ansible_winrm_transport: ntlm
[...]

I was wondering if this is because hw_cores_per_socket (which is 1) get censored on windows but no on linux, but I couldnt find any reference to this in molecule_vmware plugin

In molecule I have no idea where to start looking, any suggestions welcome

tadeboro commented 3 years ago

Hi. I am looking through the vmware_guest module and the only two fields that are marked as sensitive are customization.domainadminpassword and customization.password. The create playbook only utilizes the password option (https://github.com/ansible-community/molecule-vmware/blob/d731aaa3bcd862251d7a1a05a408b68bab4daebb/molecule_vmware/cookiecutter/%7B%7Bcookiecutter.molecule_directory%7D%7D/%7B%7Bcookiecutter.scenario_name%7D%7D/tasks/create_windows_instance.yml#L25), which comes from the driver section of the Molecule's configuration.

This may sound silly, but did you by any chance set your driver.vm_password to 1?

Nightreaver commented 3 years ago

Hello

the password is not even close to be, or contain a 1 as digit. As I mentioned, the only thing i can think of is, that hw_cores_per_socket is getting censored after being "marked" as "NO_LOG" parameter. After this the 1 gets censored everywhere. But I don't get why the hw_cores_per_socket is getting this at all, and why its only sensitive on windows, not on linux.

ssbarnea commented 3 years ago

@Nightreaver Can you please produce a simple playbook that reproduce this error. I do think molecule has anything to do with this because there is no code in molecule or its driver that does something special about passwords.

Keep in mind that if you use a password of "1" anywhere in your playbooks you may endup with some messed output like this. That is because the secret-string (1) is replaced everywhere with the censored text ********.