From 67c1e91567a623a815e0c496a2d910044aa8876b Mon Sep 17 00:00:00 2001 From: Guillaume Abrioux Date: Mon, 9 Aug 2021 14:57:33 +0200 Subject: [PATCH] common: do not log keyring secret let's not display any keyring secret by default in ansible log. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1980744 Signed-off-by: Guillaume Abrioux (cherry picked from commit 7511195738e9d1e8f3d3ec77ad4473fa90d17d22) --- group_vars/all.yml.sample | 2 +- group_vars/rhcs.yml.sample | 2 +- roles/ceph-client/tasks/create_users_keys.yml | 6 +++--- roles/ceph-client/tasks/pre_requisite.yml | 3 ++- roles/ceph-crash/tasks/main.yml | 4 +++- roles/ceph-defaults/defaults/main.yml | 2 +- roles/ceph-iscsi-gw/tasks/common.yml | 3 ++- roles/ceph-mds/tasks/common.yml | 3 ++- roles/ceph-mds/tasks/non_containerized.yml | 1 + roles/ceph-mgr/tasks/common.yml | 5 ++++- roles/ceph-mon/tasks/ceph_keys.yml | 1 + roles/ceph-mon/tasks/deploy_monitors.yml | 4 ++++ roles/ceph-nfs/tasks/main.yml | 2 +- roles/ceph-nfs/tasks/pre_requisite_container.yml | 3 ++- roles/ceph-nfs/tasks/pre_requisite_non_container.yml | 4 +++- roles/ceph-osd/tasks/common.yml | 3 ++- roles/ceph-osd/tasks/openstack_config.yml | 4 +++- roles/ceph-rbd-mirror/tasks/common.yml | 4 +++- roles/ceph-rgw/tasks/common.yml | 3 ++- roles/ceph-rgw/tasks/pre_requisite.yml | 1 + 20 files changed, 42 insertions(+), 18 deletions(-) diff --git a/group_vars/all.yml.sample b/group_vars/all.yml.sample index eab63c668e..a89244b1c3 100644 --- a/group_vars/all.yml.sample +++ b/group_vars/all.yml.sample @@ -887,7 +887,7 @@ dummy: #client_connections: {} - +#no_log_on_ceph_key_tasks: True ############### # DEPRECATION # diff --git a/group_vars/rhcs.yml.sample b/group_vars/rhcs.yml.sample index b097952f0a..d9fa34889e 100644 --- a/group_vars/rhcs.yml.sample +++ b/group_vars/rhcs.yml.sample 
@@ -887,7 +887,7 @@ alertmanager_container_image: registry.redhat.io/openshift4/ose-prometheus-alert #client_connections: {} - +#no_log_on_ceph_key_tasks: True ############### # DEPRECATION # diff --git a/roles/ceph-client/tasks/create_users_keys.yml b/roles/ceph-client/tasks/create_users_keys.yml index 0c99fbb50b..76cf29c714 100644 --- a/roles/ceph-client/tasks/create_users_keys.yml +++ b/roles/ceph-client/tasks/create_users_keys.yml @@ -52,7 +52,7 @@ - cephx | bool - keys | length > 0 - inventory_hostname == groups.get('_filtered_clients') | first - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: slurp client cephx key(s) slurp: @@ -64,7 +64,7 @@ - cephx | bool - keys | length > 0 - inventory_hostname == groups.get('_filtered_clients') | first - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: pool related tasks when: @@ -172,5 +172,5 @@ group: "{{ ceph_uid }}" with_items: "{{ hostvars[groups['_filtered_clients'][0]]['slurp_client_keys']['results'] }}" when: not item.get('skipped', False) - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" diff --git a/roles/ceph-client/tasks/pre_requisite.yml b/roles/ceph-client/tasks/pre_requisite.yml index 1f144f7766..46cbcc05ad 100644 --- a/roles/ceph-client/tasks/pre_requisite.yml +++ b/roles/ceph-client/tasks/pre_requisite.yml @@ -11,6 +11,7 @@ when: - cephx | bool - item.copy_key | bool + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: @@ -22,5 +23,5 @@ with_items: "{{ _client_keys.results }}" when: - item.item.copy_key | bool - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" when: cephx | bool diff --git a/roles/ceph-crash/tasks/main.yml b/roles/ceph-crash/tasks/main.yml index 89536f4d57..6db9028867 100644 --- a/roles/ceph-crash/tasks/main.yml +++ b/roles/ceph-crash/tasks/main.yml 
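Review bot: The three `no_log: true` lines in roles/ceph-client/tasks/create_users_keys.yml (hunks at -52, -64 and -172) change from unconditional suppression to a templated value, so one inventory or extra-var override now un-censors every keyring task, including `slurp client cephx key(s)`, whose result carries the keyring content. Coercing the value explicitly matches the `cephx | bool` style already used in the neighbouring `when:` lists and makes the intended type clear when the variable arrives as a string: `no_log: "{{ no_log_on_ceph_key_tasks | bool }}"`. If any of these task files can be included without ceph-defaults being loaded (not visible from this patch), adding `| default(true)` before `| bool` keeps suppression on instead of failing on an undefined variable. The same applies to every other `no_log` line this patch touches in the remaining roles.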
@@ -19,6 +19,7 @@ CEPH_CONTAINER_BINARY: "{{ container_binary }}" delegate_to: "{{ groups.get(mon_group_name, [])[0] }}" run_once: True + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: enforce container_binary on first monitor import_role: @@ -42,6 +43,7 @@ check_mode: False changed_when: False run_once: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: @@ -50,7 +52,7 @@ owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}" group: "{{ ceph_uid if containerized_deployment else 'ceph' }}" mode: "{{ ceph_keyring_permissions }}" - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: start ceph-crash daemon when: containerized_deployment | bool diff --git a/roles/ceph-defaults/defaults/main.yml b/roles/ceph-defaults/defaults/main.yml index 16bbf2f2e3..c3744d021f 100644 --- a/roles/ceph-defaults/defaults/main.yml +++ b/roles/ceph-defaults/defaults/main.yml @@ -879,7 +879,7 @@ rbd_devices: {} client_connections: {} - +no_log_on_ceph_key_tasks: True ############### # DEPRECATION # diff --git a/roles/ceph-iscsi-gw/tasks/common.yml b/roles/ceph-iscsi-gw/tasks/common.yml index c5f94ed02c..4517f535b4 100644 --- a/roles/ceph-iscsi-gw/tasks/common.yml +++ b/roles/ceph-iscsi-gw/tasks/common.yml @@ -9,6 +9,7 @@ when: - cephx | bool - item.copy_key | bool + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: @@ -21,7 +22,7 @@ when: - cephx | bool - item.item.copy_key | bool - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: add mgr ip address to trusted list with dashboard - ipv4 set_fact: diff --git a/roles/ceph-mds/tasks/common.yml b/roles/ceph-mds/tasks/common.yml index 7d5f9c2811..50dcc19300 100644 --- a/roles/ceph-mds/tasks/common.yml +++ b/roles/ceph-mds/tasks/common.yml @@ -21,6 +21,7 @@ when: - cephx | bool - item.copy_key | bool + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: 
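Review bot: `no_log_on_ceph_key_tasks: True` in roles/ceph-defaults/defaults/main.yml (hunk at -879) is added without a comment, and it takes the place of the blank line that separated `client_connections` from the DEPRECATION banner. Since turning it off prints cephx keyring secrets in Ansible output, the default deserves a comment above it, for example `# Hide cephx keyring material in task output. Set to false only for short-lived debugging; logs produced while it is off contain secrets.` Writing the value as lowercase `true` would also match the `no_log: true` lines it replaces. The commented copies in group_vars/all.yml.sample and group_vars/rhcs.yml.sample should carry the same comment.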
@@ -33,5 +34,5 @@ when: - cephx | bool - item.item.copy_key | bool - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" diff --git a/roles/ceph-mds/tasks/non_containerized.yml b/roles/ceph-mds/tasks/non_containerized.yml index 0e2314d7a7..ac71a7aa01 100644 --- a/roles/ceph-mds/tasks/non_containerized.yml +++ b/roles/ceph-mds/tasks/non_containerized.yml @@ -26,6 +26,7 @@ creates: /var/lib/ceph/mds/{{ cluster }}-{{ mds_name }}/keyring changed_when: false when: cephx + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: set mds key permissions file: diff --git a/roles/ceph-mgr/tasks/common.yml b/roles/ceph-mgr/tasks/common.yml index 0c8ae8a04e..44f167252e 100644 --- a/roles/ceph-mgr/tasks/common.yml +++ b/roles/ceph-mgr/tasks/common.yml @@ -24,6 +24,7 @@ CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment else None }}" CEPH_CONTAINER_BINARY: "{{ container_binary }}" when: groups.get(mgr_group_name, []) | length == 0 # the key is present already since one of the mons created it in "create ceph mgr keyring(s)" + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: create and copy keyrings when: groups.get(mgr_group_name, []) | length > 0 @@ -46,6 +47,7 @@ with_items: "{{ groups.get(mgr_group_name, []) }}" run_once: True delegate_to: "{{ groups[mon_group_name][0] }}" + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: set_fact _mgr_keys set_fact: @@ -61,6 +63,7 @@ when: - cephx | bool - item.copy_key | bool + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: @@ -74,7 +77,7 @@ - cephx | bool - item is not skipped - item.item.copy_key | bool - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: set mgr key permissions file: diff --git a/roles/ceph-mon/tasks/ceph_keys.yml b/roles/ceph-mon/tasks/ceph_keys.yml index e55504ec9c..c35b2a15dc 100644 --- a/roles/ceph-mon/tasks/ceph_keys.yml +++ b/roles/ceph-mon/tasks/ceph_keys.yml 
@@ -28,5 +28,6 @@ CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment else None }}" CEPH_CONTAINER_BINARY: "{{ container_binary }}" CEPH_ROLLING_UPDATE: "{{ rolling_update }}" + no_log: "{{ no_log_on_ceph_key_tasks }}" when: - cephx | bool diff --git a/roles/ceph-mon/tasks/deploy_monitors.yml b/roles/ceph-mon/tasks/deploy_monitors.yml index 37ce49c4b2..b988f764ee 100644 --- a/roles/ceph-mon/tasks/deploy_monitors.yml +++ b/roles/ceph-mon/tasks/deploy_monitors.yml @@ -16,6 +16,7 @@ run_once: True delegate_to: "{{ running_mon }}" failed_when: initial_mon_key.rc not in [0, 2] + no_log: "{{ no_log_on_ceph_key_tasks }}" when: running_mon is defined - name: generate monitor initial keyring @@ -25,6 +26,7 @@ delegate_to: localhost become: false run_once: true + no_log: "{{ no_log_on_ceph_key_tasks }}" when: - initial_mon_key is skipped or @@ -51,6 +53,7 @@ owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}" group: "{{ ceph_uid if containerized_deployment else 'ceph' }}" mode: "0400" + no_log: "{{ no_log_on_ceph_key_tasks }}" environment: CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment else None }}" CEPH_CONTAINER_BINARY: "{{ container_binary }}" @@ -97,6 +100,7 @@ CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment else None }}" CEPH_CONTAINER_BINARY: "{{ container_binary }}" register: create_custom_admin_secret + no_log: "{{ no_log_on_ceph_key_tasks }}" when: - cephx | bool - admin_secret != 'admin_secret' diff --git a/roles/ceph-nfs/tasks/main.yml b/roles/ceph-nfs/tasks/main.yml index 186fb0f529..164414c4c9 100644 --- a/roles/ceph-nfs/tasks/main.yml +++ b/roles/ceph-nfs/tasks/main.yml 
@@ -75,7 +75,7 @@ when: - not item.0.get('skipped', False) - item.0.item.name == 'client.' + ceph_nfs_ceph_user or item.0.item.name == rgw_client_name - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: include start_nfs.yml import_tasks: start_nfs.yml diff --git a/roles/ceph-nfs/tasks/pre_requisite_container.yml b/roles/ceph-nfs/tasks/pre_requisite_container.yml index 24d3121f90..a1e63618db 100644 --- a/roles/ceph-nfs/tasks/pre_requisite_container.yml +++ b/roles/ceph-nfs/tasks/pre_requisite_container.yml @@ -20,6 +20,7 @@ when: - cephx | bool - item.copy_key | bool + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: @@ -32,7 +33,7 @@ when: - cephx | bool - item.item.copy_key | bool - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" when: groups.get(mon_group_name, []) | length > 0 - name: dbus related tasks diff --git a/roles/ceph-nfs/tasks/pre_requisite_non_container.yml b/roles/ceph-nfs/tasks/pre_requisite_non_container.yml index 4bf1b59be8..36ba2965d4 100644 --- a/roles/ceph-nfs/tasks/pre_requisite_non_container.yml +++ b/roles/ceph-nfs/tasks/pre_requisite_non_container.yml @@ -57,6 +57,7 @@ when: - cephx | bool - item.copy_key | bool + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: @@ -69,7 +70,7 @@ when: - cephx | bool - item.item.copy_key | bool - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: nfs object gateway related tasks when: nfs_obj_gw | bool @@ -79,6 +80,7 @@ args: creates: /var/lib/ceph/radosgw/{{ cluster }}-rgw.{{ ansible_facts['hostname'] }}/keyring changed_when: false + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: set rados gateway key permissions file: diff --git a/roles/ceph-osd/tasks/common.yml b/roles/ceph-osd/tasks/common.yml index 40f01b6c23..8966645af4 100644 --- a/roles/ceph-osd/tasks/common.yml +++ b/roles/ceph-osd/tasks/common.yml 
@@ -19,6 +19,7 @@ - { name: "client.admin", path: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" } delegate_to: "{{ groups.get(mon_group_name)[0] }}" run_once: true + no_log: "{{ no_log_on_ceph_key_tasks }}" when: - cephx | bool - item.copy_key | bool @@ -35,5 +36,5 @@ - cephx | bool - item is not skipped - item.item.copy_key | bool - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" diff --git a/roles/ceph-osd/tasks/openstack_config.yml b/roles/ceph-osd/tasks/openstack_config.yml index 1b8c8d2be6..2e869d274b 100644 --- a/roles/ceph-osd/tasks/openstack_config.yml +++ b/roles/ceph-osd/tasks/openstack_config.yml @@ -100,6 +100,7 @@ CEPH_CONTAINER_BINARY: "{{ container_binary }}" with_items: "{{ openstack_keys }}" delegate_to: "{{ groups[mon_group_name][0] }}" + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: get keys from monitors command: "{{ hostvars[groups[mon_group_name][0]]['container_exec_cmd'] | default('') }} ceph --cluster {{ cluster }} auth get {{ item.name }}" @@ -107,6 +108,7 @@ with_items: "{{ openstack_keys }}" run_once: true delegate_to: "{{ groups.get(mon_group_name)[0] }}" + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: @@ -119,7 +121,7 @@ - "{{ _osp_keys.results }}" - "{{ groups[mon_group_name] }}" delegate_to: "{{ item.1 }}" - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" when: - cephx | bool - openstack_config | bool diff --git a/roles/ceph-rbd-mirror/tasks/common.yml b/roles/ceph-rbd-mirror/tasks/common.yml index 4de1bc7d19..978ccad84b 100644 --- a/roles/ceph-rbd-mirror/tasks/common.yml +++ b/roles/ceph-rbd-mirror/tasks/common.yml @@ -10,6 +10,7 @@ when: - cephx | bool - item.copy_key | bool + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: @@ -22,7 +23,7 @@ when: - cephx | bool - item.item.copy_key | bool - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: create rbd-mirror keyring command: 
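Review bot: In roles/ceph-osd/tasks/openstack_config.yml the toggle is all-or-nothing for `copy ceph key(s) if needed` (hunk at -119): that task loops over `_osp_keys.results`, presumably the registered output of the `ceph ... auth get {{ item.name }}` task above, so with the variable set to false each iteration's item line would include the key text. A loop label keeps the per-item line down to the key name at default verbosity even while someone is debugging: `loop_control:` with `label: "{{ item.0.item.name }}"`. The index `item.0` is inferred from `delegate_to: "{{ item.1 }}"`, and the task starts outside the hunk, so confirm the loop shape before applying. The other `copy ceph key(s) if needed` tasks that iterate over registered results (ceph-osd/common.yml above, and the client, mds, mgr, nfs, rbd-mirror and rgw roles) have the same shape.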
> @@ -43,4 +44,5 @@ owner: "ceph" group: "ceph" mode: "{{ ceph_keyring_permissions }}" + no_log: "{{ no_log_on_ceph_key_tasks }}" when: not containerized_deployment | bool diff --git a/roles/ceph-rgw/tasks/common.yml b/roles/ceph-rgw/tasks/common.yml index e325ede5b9..9d9b3c6e3c 100644 --- a/roles/ceph-rgw/tasks/common.yml +++ b/roles/ceph-rgw/tasks/common.yml @@ -19,6 +19,7 @@ when: - cephx | bool - item.copy_key | bool + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: @@ -32,4 +33,4 @@ - cephx | bool - item is not skipped - item.item.copy_key | bool - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" diff --git a/roles/ceph-rgw/tasks/pre_requisite.yml b/roles/ceph-rgw/tasks/pre_requisite.yml index cd489e0e49..eeabdc36ff 100644 --- a/roles/ceph-rgw/tasks/pre_requisite.yml +++ b/roles/ceph-rgw/tasks/pre_requisite.yml @@ -14,6 +14,7 @@ owner: "ceph" group: "ceph" mode: "0600" + no_log: "{{ no_log_on_ceph_key_tasks }}" environment: CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment else None }}" CEPH_CONTAINER_BINARY: "{{ container_binary }}"