From 634baa9b6340b7a5ee73e738b0cae831e1f2204b Mon Sep 17 00:00:00 2001 From: Guillaume Abrioux Date: Mon, 9 Aug 2021 14:57:33 +0200 Subject: [PATCH] common: do not log keyring secret let's not display any keyring secret by default in ansible log. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1980744 Signed-off-by: Guillaume Abrioux (cherry picked from commit 7511195738e9d1e8f3d3ec77ad4473fa90d17d22) --- group_vars/all.yml.sample | 2 +- group_vars/rhcs.yml.sample | 2 +- roles/ceph-client/tasks/create_users_keys.yml | 6 +++--- roles/ceph-client/tasks/pre_requisite.yml | 3 ++- roles/ceph-crash/tasks/main.yml | 4 +++- roles/ceph-defaults/defaults/main.yml | 2 +- roles/ceph-iscsi-gw/tasks/common.yml | 3 ++- roles/ceph-mds/tasks/common.yml | 3 ++- roles/ceph-mds/tasks/non_containerized.yml | 1 + roles/ceph-mgr/tasks/common.yml | 5 ++++- roles/ceph-mon/tasks/ceph_keys.yml | 1 + roles/ceph-mon/tasks/deploy_monitors.yml | 4 ++++ roles/ceph-nfs/tasks/main.yml | 2 +- roles/ceph-nfs/tasks/pre_requisite_container.yml | 3 ++- roles/ceph-nfs/tasks/pre_requisite_non_container.yml | 4 +++- roles/ceph-osd/tasks/common.yml | 3 ++- roles/ceph-osd/tasks/openstack_config.yml | 4 +++- roles/ceph-rbd-mirror/tasks/common.yml | 4 +++- roles/ceph-rgw/tasks/common.yml | 3 ++- roles/ceph-rgw/tasks/pre_requisite.yml | 1 + 20 files changed, 42 insertions(+), 18 deletions(-) diff --git a/group_vars/all.yml.sample b/group_vars/all.yml.sample index 6044216e7b..3c745403ee 100644 --- a/group_vars/all.yml.sample +++ b/group_vars/all.yml.sample @@ -795,7 +795,7 @@ dummy: #client_connections: {} - +#no_log_on_ceph_key_tasks: True ############### # DEPRECATION # diff --git a/group_vars/rhcs.yml.sample b/group_vars/rhcs.yml.sample index c799c4d5c9..2a556e7e59 100644 --- a/group_vars/rhcs.yml.sample +++ b/group_vars/rhcs.yml.sample 
@@ -795,7 +795,7 @@ alertmanager_container_image: registry.redhat.io/openshift4/ose-prometheus-alert #client_connections: {} - +#no_log_on_ceph_key_tasks: True ############### # DEPRECATION # diff --git a/roles/ceph-client/tasks/create_users_keys.yml b/roles/ceph-client/tasks/create_users_keys.yml index c9512175cd..33582899c6 100644 --- a/roles/ceph-client/tasks/create_users_keys.yml +++ b/roles/ceph-client/tasks/create_users_keys.yml @@ -39,7 +39,7 @@ - cephx | bool - keys | length > 0 - inventory_hostname == groups.get('_filtered_clients') | first - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: slurp client cephx key(s) slurp: @@ -51,7 +51,7 @@ - cephx | bool - keys | length > 0 - inventory_hostname == groups.get('_filtered_clients') | first - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: pool related tasks when: @@ -92,5 +92,5 @@ group: "{{ ceph_uid }}" with_items: "{{ hostvars[groups['_filtered_clients'][0]]['slurp_client_keys']['results'] }}" when: not item.get('skipped', False) - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" diff --git a/roles/ceph-client/tasks/pre_requisite.yml b/roles/ceph-client/tasks/pre_requisite.yml index e928c664be..92cce4c0b2 100644 --- a/roles/ceph-client/tasks/pre_requisite.yml +++ b/roles/ceph-client/tasks/pre_requisite.yml @@ -13,6 +13,7 @@ register: _admin_key delegate_to: "{{ groups.get(mon_group_name)[0] }}" run_once: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: @@ -21,7 +22,7 @@ owner: "{{ ceph_uid if containerized_deployment | bool else 'ceph' }}" group: "{{ ceph_uid if containerized_deployment | bool else 'ceph' }}" mode: "{{ ceph_keyring_permissions }}" - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" when: - cephx | bool - copy_admin_key | bool diff --git a/roles/ceph-crash/tasks/main.yml b/roles/ceph-crash/tasks/main.yml index 9723b2477d..51c4aeb58f 100644 --- a/roles/ceph-crash/tasks/main.yml 
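Review bot: In roles/ceph-client/tasks/create_users_keys.yml the three replaced `no_log` lines pass the inventory variable through without coercion, unlike the `cephx | bool` conditions in the same tasks. These tasks were censored unconditionally before, so the variable's value now decides whether client keys appear in task output. Writing `no_log: "{{ no_log_on_ceph_key_tasks | bool }}"` would match the file's style and make the boolean intent explicit when the value arrives as a string, for example through extra vars. The same expression is repeated in every other task hunk of this patch, and each of these tasks starts outside its hunk.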
+++ b/roles/ceph-crash/tasks/main.yml @@ -19,6 +19,7 @@ CEPH_CONTAINER_BINARY: "{{ container_binary }}" delegate_to: "{{ groups.get(mon_group_name, [])[0] }}" run_once: True + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: get keys from monitors ceph_key: @@ -32,6 +33,7 @@ register: _crash_keys delegate_to: "{{ groups.get(mon_group_name)[0] }}" run_once: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: @@ -40,7 +42,7 @@ owner: "{{ ceph_uid if containerized_deployment | bool else 'ceph' }}" group: "{{ ceph_uid if containerized_deployment | bool else 'ceph' }}" mode: "{{ ceph_keyring_permissions }}" - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: start ceph-crash daemon when: containerized_deployment | bool diff --git a/roles/ceph-defaults/defaults/main.yml b/roles/ceph-defaults/defaults/main.yml index 5a6ee8441d..695e50d3c3 100644 --- a/roles/ceph-defaults/defaults/main.yml +++ b/roles/ceph-defaults/defaults/main.yml @@ -787,7 +787,7 @@ rbd_devices: {} client_connections: {} - +no_log_on_ceph_key_tasks: True ############### # DEPRECATION # diff --git a/roles/ceph-iscsi-gw/tasks/common.yml b/roles/ceph-iscsi-gw/tasks/common.yml index b43c0e02d1..3e9ff1ef9f 100644 --- a/roles/ceph-iscsi-gw/tasks/common.yml +++ b/roles/ceph-iscsi-gw/tasks/common.yml @@ -14,6 +14,7 @@ when: - cephx | bool - copy_admin_key | bool + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: @@ -25,7 +26,7 @@ when: - cephx | bool - copy_admin_key | bool - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: add mgr ip address to trusted list with dashboard - ipv4 set_fact: diff --git a/roles/ceph-mds/tasks/common.yml b/roles/ceph-mds/tasks/common.yml index d4c9b1f416..9e837ddcea 100644 --- a/roles/ceph-mds/tasks/common.yml +++ b/roles/ceph-mds/tasks/common.yml 
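Review bot: `no_log_on_ceph_key_tasks` is added to roles/ceph-defaults/defaults/main.yml with no comment, although setting it to false now also un-censors the key-copy tasks that carried a hard-coded `no_log: true` before this patch. A comment above it such as `# Hide cephx key material in task output and logs; set to false only for temporary debugging.` would tell operators what they expose by changing it. The value could also be written `true`, the lowercase form used by the `no_log: true` lines this patch replaces. The same line appears commented out in the two group_vars sample hunks.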
@@ -28,6 +28,7 @@ when: - cephx | bool - item.copy_key | bool + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: @@ -40,5 +41,5 @@ when: - cephx | bool - item.item.copy_key | bool - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" diff --git a/roles/ceph-mds/tasks/non_containerized.yml b/roles/ceph-mds/tasks/non_containerized.yml index ad744ed303..cfe6b2703f 100644 --- a/roles/ceph-mds/tasks/non_containerized.yml +++ b/roles/ceph-mds/tasks/non_containerized.yml @@ -35,6 +35,7 @@ owner: ceph group: ceph mode: "{{ ceph_keyring_permissions }}" + no_log: "{{ no_log_on_ceph_key_tasks }}" when: cephx | bool - name: ensure systemd service override directory exists diff --git a/roles/ceph-mgr/tasks/common.yml b/roles/ceph-mgr/tasks/common.yml index d0690d1317..4b59e4783e 100644 --- a/roles/ceph-mgr/tasks/common.yml +++ b/roles/ceph-mgr/tasks/common.yml @@ -24,6 +24,7 @@ CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment | bool else None }}" CEPH_CONTAINER_BINARY: "{{ container_binary }}" when: groups.get(mgr_group_name, []) | length == 0 # the key is present already since one of the mons created it in "create ceph mgr keyring(s)" + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: create and copy keyrings when: groups.get(mgr_group_name, []) | length > 0 @@ -46,6 +47,7 @@ with_items: "{{ groups.get(mgr_group_name, []) }}" run_once: True delegate_to: "{{ groups[mon_group_name][0] }}" + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: set_fact _mgr_keys set_fact: @@ -68,6 +70,7 @@ when: - cephx | bool - item.copy_key | bool + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: @@ -81,7 +84,7 @@ - cephx | bool - item is not skipped - item.item.copy_key | bool - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: set mgr key permissions file: 
diff --git a/roles/ceph-mon/tasks/ceph_keys.yml b/roles/ceph-mon/tasks/ceph_keys.yml index 02a694f4e1..7ec8c7d788 100644 --- a/roles/ceph-mon/tasks/ceph_keys.yml +++ b/roles/ceph-mon/tasks/ceph_keys.yml @@ -27,5 +27,6 @@ CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment | bool else None }}" CEPH_CONTAINER_BINARY: "{{ container_binary }}" CEPH_ROLLING_UPDATE: "{{ rolling_update }}" + no_log: "{{ no_log_on_ceph_key_tasks }}" when: - cephx | bool diff --git a/roles/ceph-mon/tasks/deploy_monitors.yml b/roles/ceph-mon/tasks/deploy_monitors.yml index e057dd32f2..3c66dcb199 100644 --- a/roles/ceph-mon/tasks/deploy_monitors.yml +++ b/roles/ceph-mon/tasks/deploy_monitors.yml @@ -17,6 +17,7 @@ run_once: True delegate_to: "{{ running_mon }}" failed_when: initial_mon_key.rc not in [0, 2] + no_log: "{{ no_log_on_ceph_key_tasks }}" when: running_mon is defined - name: generate monitor initial keyring @@ -26,6 +27,7 @@ delegate_to: localhost become: false run_once: true + no_log: "{{ no_log_on_ceph_key_tasks }}" when: - initial_mon_key is skipped or @@ -52,6 +54,7 @@ owner: "{{ ceph_uid if containerized_deployment | bool else 'ceph' }}" group: "{{ ceph_uid if containerized_deployment | bool else 'ceph' }}" mode: "0400" + no_log: "{{ no_log_on_ceph_key_tasks }}" environment: CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment | bool else None }}" CEPH_CONTAINER_BINARY: "{{ container_binary }}" @@ -98,6 +101,7 @@ CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment | bool else None }}" CEPH_CONTAINER_BINARY: "{{ container_binary }}" register: create_custom_admin_secret + no_log: "{{ no_log_on_ceph_key_tasks }}" when: - cephx | bool - admin_secret != 'admin_secret' 
diff --git a/roles/ceph-nfs/tasks/main.yml b/roles/ceph-nfs/tasks/main.yml index 2169908aca..aa609d8c81 100644 --- a/roles/ceph-nfs/tasks/main.yml +++ b/roles/ceph-nfs/tasks/main.yml @@ -75,7 +75,7 @@ when: - not item.0.get('skipped', False) - item.0.item.name == 'client.' + ceph_nfs_ceph_user or item.0.item.name == rgw_client_name - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: include start_nfs.yml import_tasks: start_nfs.yml diff --git a/roles/ceph-nfs/tasks/pre_requisite_container.yml b/roles/ceph-nfs/tasks/pre_requisite_container.yml index 599f78f828..8c168f39cd 100644 --- a/roles/ceph-nfs/tasks/pre_requisite_container.yml +++ b/roles/ceph-nfs/tasks/pre_requisite_container.yml @@ -27,6 +27,7 @@ when: - cephx | bool - item.copy_key | bool + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: @@ -39,7 +40,7 @@ when: - cephx | bool - item.item.copy_key | bool - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" when: groups.get(mon_group_name, []) | length > 0 - name: dbus related tasks diff --git a/roles/ceph-nfs/tasks/pre_requisite_non_container.yml b/roles/ceph-nfs/tasks/pre_requisite_non_container.yml index f197eec9d6..12e50874a9 100644 --- a/roles/ceph-nfs/tasks/pre_requisite_non_container.yml +++ b/roles/ceph-nfs/tasks/pre_requisite_non_container.yml @@ -62,6 +62,7 @@ when: - cephx | bool - item.copy_key | bool + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: @@ -74,7 +75,7 @@ when: - cephx | bool - item.item.copy_key | bool - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: nfs object gateway related tasks when: nfs_obj_gw | bool @@ -93,3 +94,4 @@ owner: ceph group: ceph mode: "{{ ceph_keyring_permissions }}" + no_log: "{{ no_log_on_ceph_key_tasks }}" \ No newline at end of file diff --git a/roles/ceph-osd/tasks/common.yml b/roles/ceph-osd/tasks/common.yml index 86087cec19..ac690e46fa 100644 --- a/roles/ceph-osd/tasks/common.yml 
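Review bot: The `no_log` line added at the end of roles/ceph-nfs/tasks/pre_requisite_non_container.yml is followed by the `\ No newline at end of file` marker, so the file now ends without a terminating newline. The previous last line, `mode: "{{ ceph_keyring_permissions }}"`, is unchanged context, which suggests the newline was lost in this patch. Ending the added line with a newline satisfies yamllint's end-of-file check and avoids a spurious one-line change the next time a task is appended. The task this line belongs to starts outside the hunk.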
+++ b/roles/ceph-osd/tasks/common.yml @@ -26,6 +26,7 @@ - { name: "client.admin", path: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" } delegate_to: "{{ groups.get(mon_group_name)[0] }}" run_once: true + no_log: "{{ no_log_on_ceph_key_tasks }}" when: - cephx | bool - item.copy_key | bool @@ -42,5 +43,5 @@ - cephx | bool - item is not skipped - item.item.copy_key | bool - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" diff --git a/roles/ceph-osd/tasks/openstack_config.yml b/roles/ceph-osd/tasks/openstack_config.yml index 254f86a18d..6b05d2c3a3 100644 --- a/roles/ceph-osd/tasks/openstack_config.yml +++ b/roles/ceph-osd/tasks/openstack_config.yml @@ -35,6 +35,7 @@ CEPH_CONTAINER_BINARY: "{{ container_binary }}" with_items: "{{ openstack_keys }}" delegate_to: "{{ groups[mon_group_name][0] }}" + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: get keys from monitors ceph_key: @@ -48,6 +49,7 @@ register: _osp_keys with_items: "{{ openstack_keys }}" delegate_to: "{{ groups.get(mon_group_name)[0] }}" + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: @@ -60,7 +62,7 @@ - "{{ _osp_keys.results }}" - "{{ groups[mon_group_name] }}" delegate_to: "{{ item.1 }}" - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" when: - cephx | bool - openstack_config | bool diff --git a/roles/ceph-rbd-mirror/tasks/common.yml b/roles/ceph-rbd-mirror/tasks/common.yml index a47da60e6d..a33147818e 100644 --- a/roles/ceph-rbd-mirror/tasks/common.yml +++ b/roles/ceph-rbd-mirror/tasks/common.yml @@ -17,6 +17,7 @@ when: - cephx | bool - item.copy_key | bool + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: @@ -29,7 +30,7 @@ when: - cephx | bool - item.item.copy_key | bool - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: create rbd-mirror keyring ceph_key: 
@@ -45,4 +46,5 @@ owner: ceph group: ceph mode: "{{ ceph_keyring_permissions }}" + no_log: "{{ no_log_on_ceph_key_tasks }}" when: not containerized_deployment | bool diff --git a/roles/ceph-rgw/tasks/common.yml b/roles/ceph-rgw/tasks/common.yml index 237f110f60..e25fb4d244 100644 --- a/roles/ceph-rgw/tasks/common.yml +++ b/roles/ceph-rgw/tasks/common.yml @@ -26,6 +26,7 @@ when: - cephx | bool - item.copy_key | bool + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: @@ -39,7 +40,7 @@ - cephx | bool - item is not skipped - item.item.copy_key | bool - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy SSL certificate & key data to certificate path copy: diff --git a/roles/ceph-rgw/tasks/pre_requisite.yml b/roles/ceph-rgw/tasks/pre_requisite.yml index c10fbf5e36..af42f688f1 100644 --- a/roles/ceph-rgw/tasks/pre_requisite.yml +++ b/roles/ceph-rgw/tasks/pre_requisite.yml @@ -13,6 +13,7 @@ owner: "ceph" group: "ceph" mode: "0600" + no_log: "{{ no_log_on_ceph_key_tasks }}" environment: CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment else None }}" CEPH_CONTAINER_BINARY: "{{ container_binary }}"