From 7511195738e9d1e8f3d3ec77ad4473fa90d17d22 Mon Sep 17 00:00:00 2001 From: Guillaume Abrioux Date: Mon, 9 Aug 2021 14:57:33 +0200 Subject: [PATCH] common: do not log keyring secret let's not display any keyring secret by default in ansible log. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1980744 Signed-off-by: Guillaume Abrioux --- group_vars/all.yml.sample | 2 +- group_vars/rhcs.yml.sample | 2 +- roles/ceph-client/tasks/create_users_keys.yml | 6 +++--- roles/ceph-client/tasks/pre_requisite.yml | 3 ++- roles/ceph-crash/tasks/main.yml | 4 +++- roles/ceph-defaults/defaults/main.yml | 2 +- roles/ceph-iscsi-gw/tasks/common.yml | 3 ++- roles/ceph-mds/tasks/common.yml | 3 ++- roles/ceph-mds/tasks/non_containerized.yml | 1 + roles/ceph-mgr/tasks/common.yml | 5 ++++- roles/ceph-mon/tasks/ceph_keys.yml | 1 + roles/ceph-mon/tasks/deploy_monitors.yml | 4 ++++ roles/ceph-nfs/tasks/main.yml | 2 +- roles/ceph-nfs/tasks/pre_requisite_container.yml | 3 ++- roles/ceph-nfs/tasks/pre_requisite_non_container.yml | 4 +++- roles/ceph-osd/tasks/common.yml | 3 ++- roles/ceph-osd/tasks/openstack_config.yml | 4 +++- roles/ceph-rbd-mirror/tasks/common.yml | 4 +++- roles/ceph-rgw/tasks/common.yml | 3 ++- roles/ceph-rgw/tasks/pre_requisite.yml | 1 + 20 files changed, 42 insertions(+), 18 deletions(-) diff --git a/group_vars/all.yml.sample b/group_vars/all.yml.sample index 20f5e0f5a..bbed2c8bd 100644 --- a/group_vars/all.yml.sample +++ b/group_vars/all.yml.sample @@ -789,7 +789,7 @@ dummy: #client_connections: {} - +#no_log_on_ceph_key_tasks: True ############### # DEPRECATION # diff --git a/group_vars/rhcs.yml.sample b/group_vars/rhcs.yml.sample index fe664b30a..f30e4e972 100644 --- a/group_vars/rhcs.yml.sample +++ b/group_vars/rhcs.yml.sample @@ -789,7 +789,7 @@ alertmanager_container_image: registry.redhat.io/openshift4/ose-prometheus-alert #client_connections: {} - +#no_log_on_ceph_key_tasks: True ############### # DEPRECATION # 
diff --git a/roles/ceph-client/tasks/create_users_keys.yml b/roles/ceph-client/tasks/create_users_keys.yml index ed208a1b2..b85fd59b6 100644 --- a/roles/ceph-client/tasks/create_users_keys.yml +++ b/roles/ceph-client/tasks/create_users_keys.yml @@ -28,7 +28,7 @@ - cephx | bool - keys | length > 0 - inventory_hostname == groups.get('_filtered_clients') | first - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: slurp client cephx key(s) slurp: @@ -40,7 +40,7 @@ - cephx | bool - keys | length > 0 - inventory_hostname == groups.get('_filtered_clients') | first - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: pool related tasks when: @@ -81,5 +81,5 @@ group: "{{ ceph_uid }}" with_items: "{{ hostvars[groups['_filtered_clients'][0]]['slurp_client_keys']['results'] }}" when: not item.get('skipped', False) - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" diff --git a/roles/ceph-client/tasks/pre_requisite.yml b/roles/ceph-client/tasks/pre_requisite.yml index e928c664b..92cce4c0b 100644 --- a/roles/ceph-client/tasks/pre_requisite.yml +++ b/roles/ceph-client/tasks/pre_requisite.yml @@ -13,6 +13,7 @@ register: _admin_key delegate_to: "{{ groups.get(mon_group_name)[0] }}" run_once: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: @@ -21,7 +22,7 @@ owner: "{{ ceph_uid if containerized_deployment | bool else 'ceph' }}" group: "{{ ceph_uid if containerized_deployment | bool else 'ceph' }}" mode: "{{ ceph_keyring_permissions }}" - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" when: - cephx | bool - copy_admin_key | bool diff --git a/roles/ceph-crash/tasks/main.yml b/roles/ceph-crash/tasks/main.yml index 9723b2477..51c4aeb58 100644 --- a/roles/ceph-crash/tasks/main.yml +++ b/roles/ceph-crash/tasks/main.yml 
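Review bot: `no_log: "{{ no_log_on_ceph_key_tasks }}"` in roles/ceph-client/tasks/create_users_keys.yml has neither a fallback nor a `| bool` cast, unlike the `cephx | bool` conditions next to it. Within this patch the variable is only declared in roles/ceph-defaults/defaults/main.yml, so wherever these tasks are included without those defaults the key tasks would presumably fail on an undefined variable, and a string override is left to implicit conversion. Consider `no_log: "{{ no_log_on_ceph_key_tasks | default(true) | bool }}"` so that hiding the output is the fallback. The same expression appears in every other tasks-file hunk of this patch, from roles/ceph-client/tasks/pre_requisite.yml through roles/ceph-rgw/tasks/pre_requisite.yml. The tasks themselves begin and end outside these hunks.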
@@ -19,6 +19,7 @@ CEPH_CONTAINER_BINARY: "{{ container_binary }}" delegate_to: "{{ groups.get(mon_group_name, [])[0] }}" run_once: True + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: get keys from monitors ceph_key: @@ -32,6 +33,7 @@ register: _crash_keys delegate_to: "{{ groups.get(mon_group_name)[0] }}" run_once: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: @@ -40,7 +42,7 @@ owner: "{{ ceph_uid if containerized_deployment | bool else 'ceph' }}" group: "{{ ceph_uid if containerized_deployment | bool else 'ceph' }}" mode: "{{ ceph_keyring_permissions }}" - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: start ceph-crash daemon when: containerized_deployment | bool diff --git a/roles/ceph-defaults/defaults/main.yml b/roles/ceph-defaults/defaults/main.yml index c4cf1aa08..cc0aa54ee 100644 --- a/roles/ceph-defaults/defaults/main.yml +++ b/roles/ceph-defaults/defaults/main.yml @@ -781,7 +781,7 @@ rbd_devices: {} client_connections: {} - +no_log_on_ceph_key_tasks: True ############### # DEPRECATION # diff --git a/roles/ceph-iscsi-gw/tasks/common.yml b/roles/ceph-iscsi-gw/tasks/common.yml index b43c0e02d..3e9ff1ef9 100644 --- a/roles/ceph-iscsi-gw/tasks/common.yml +++ b/roles/ceph-iscsi-gw/tasks/common.yml @@ -14,6 +14,7 @@ when: - cephx | bool - copy_admin_key | bool + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: @@ -25,7 +26,7 @@ when: - cephx | bool - copy_admin_key | bool - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: add mgr ip address to trusted list with dashboard - ipv4 set_fact: diff --git a/roles/ceph-mds/tasks/common.yml b/roles/ceph-mds/tasks/common.yml index d4c9b1f41..9e837ddce 100644 --- a/roles/ceph-mds/tasks/common.yml +++ b/roles/ceph-mds/tasks/common.yml @@ -28,6 +28,7 @@ when: - cephx | bool - item.copy_key | bool + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: 
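Review bot: `no_log_on_ceph_key_tasks: True` in roles/ceph-defaults/defaults/main.yml is added as a bare line with no comment, although it is now the single switch that decides whether cephx key material can show up in Ansible output for every task touched by this patch. A comment above it would make the consequence clear, for example `# Keep true in production; false is for debugging only and lets key and keyring tasks print secrets to Ansible output and logs.` The two group_vars samples carry the same line commented out and should get the same text. As a style point, the canonical YAML boolean is lowercase `true`, as in the `no_log: true` lines this patch replaces.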
@@ -40,5 +41,5 @@ when: - cephx | bool - item.item.copy_key | bool - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" diff --git a/roles/ceph-mds/tasks/non_containerized.yml b/roles/ceph-mds/tasks/non_containerized.yml index ad744ed30..cfe6b2703 100644 --- a/roles/ceph-mds/tasks/non_containerized.yml +++ b/roles/ceph-mds/tasks/non_containerized.yml @@ -35,6 +35,7 @@ owner: ceph group: ceph mode: "{{ ceph_keyring_permissions }}" + no_log: "{{ no_log_on_ceph_key_tasks }}" when: cephx | bool - name: ensure systemd service override directory exists diff --git a/roles/ceph-mgr/tasks/common.yml b/roles/ceph-mgr/tasks/common.yml index d0690d131..4b59e4783 100644 --- a/roles/ceph-mgr/tasks/common.yml +++ b/roles/ceph-mgr/tasks/common.yml @@ -24,6 +24,7 @@ CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment | bool else None }}" CEPH_CONTAINER_BINARY: "{{ container_binary }}" when: groups.get(mgr_group_name, []) | length == 0 # the key is present already since one of the mons created it in "create ceph mgr keyring(s)" + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: create and copy keyrings when: groups.get(mgr_group_name, []) | length > 0 @@ -46,6 +47,7 @@ with_items: "{{ groups.get(mgr_group_name, []) }}" run_once: True delegate_to: "{{ groups[mon_group_name][0] }}" + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: set_fact _mgr_keys set_fact: @@ -68,6 +70,7 @@ when: - cephx | bool - item.copy_key | bool + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: @@ -81,7 +84,7 @@ - cephx | bool - item is not skipped - item.item.copy_key | bool - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: set mgr key permissions file: diff --git a/roles/ceph-mon/tasks/ceph_keys.yml b/roles/ceph-mon/tasks/ceph_keys.yml index 02a694f4e..7ec8c7d78 100644 --- a/roles/ceph-mon/tasks/ceph_keys.yml +++ b/roles/ceph-mon/tasks/ceph_keys.yml 
@@ -27,5 +27,6 @@ CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment | bool else None }}" CEPH_CONTAINER_BINARY: "{{ container_binary }}" CEPH_ROLLING_UPDATE: "{{ rolling_update }}" + no_log: "{{ no_log_on_ceph_key_tasks }}" when: - cephx | bool diff --git a/roles/ceph-mon/tasks/deploy_monitors.yml b/roles/ceph-mon/tasks/deploy_monitors.yml index e057dd32f..3c66dcb19 100644 --- a/roles/ceph-mon/tasks/deploy_monitors.yml +++ b/roles/ceph-mon/tasks/deploy_monitors.yml @@ -17,6 +17,7 @@ run_once: True delegate_to: "{{ running_mon }}" failed_when: initial_mon_key.rc not in [0, 2] + no_log: "{{ no_log_on_ceph_key_tasks }}" when: running_mon is defined - name: generate monitor initial keyring @@ -26,6 +27,7 @@ delegate_to: localhost become: false run_once: true + no_log: "{{ no_log_on_ceph_key_tasks }}" when: - initial_mon_key is skipped or @@ -52,6 +54,7 @@ owner: "{{ ceph_uid if containerized_deployment | bool else 'ceph' }}" group: "{{ ceph_uid if containerized_deployment | bool else 'ceph' }}" mode: "0400" + no_log: "{{ no_log_on_ceph_key_tasks }}" environment: CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment | bool else None }}" CEPH_CONTAINER_BINARY: "{{ container_binary }}" @@ -98,6 +101,7 @@ CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment | bool else None }}" CEPH_CONTAINER_BINARY: "{{ container_binary }}" register: create_custom_admin_secret + no_log: "{{ no_log_on_ceph_key_tasks }}" when: - cephx | bool - admin_secret != 'admin_secret' diff --git a/roles/ceph-nfs/tasks/main.yml b/roles/ceph-nfs/tasks/main.yml index 2169908ac..aa609d8c8 100644 --- a/roles/ceph-nfs/tasks/main.yml +++ b/roles/ceph-nfs/tasks/main.yml 
@@ -75,7 +75,7 @@ when: - not item.0.get('skipped', False) - item.0.item.name == 'client.' + ceph_nfs_ceph_user or item.0.item.name == rgw_client_name - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: include start_nfs.yml import_tasks: start_nfs.yml diff --git a/roles/ceph-nfs/tasks/pre_requisite_container.yml b/roles/ceph-nfs/tasks/pre_requisite_container.yml index 599f78f82..8c168f39c 100644 --- a/roles/ceph-nfs/tasks/pre_requisite_container.yml +++ b/roles/ceph-nfs/tasks/pre_requisite_container.yml @@ -27,6 +27,7 @@ when: - cephx | bool - item.copy_key | bool + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: @@ -39,7 +40,7 @@ when: - cephx | bool - item.item.copy_key | bool - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" when: groups.get(mon_group_name, []) | length > 0 - name: dbus related tasks diff --git a/roles/ceph-nfs/tasks/pre_requisite_non_container.yml b/roles/ceph-nfs/tasks/pre_requisite_non_container.yml index f197eec9d..12e50874a 100644 --- a/roles/ceph-nfs/tasks/pre_requisite_non_container.yml +++ b/roles/ceph-nfs/tasks/pre_requisite_non_container.yml @@ -62,6 +62,7 @@ when: - cephx | bool - item.copy_key | bool + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: @@ -74,7 +75,7 @@ when: - cephx | bool - item.item.copy_key | bool - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: nfs object gateway related tasks when: nfs_obj_gw | bool @@ -93,3 +94,4 @@ owner: ceph group: ceph mode: "{{ ceph_keyring_permissions }}" + no_log: "{{ no_log_on_ceph_key_tasks }}" \ No newline at end of file diff --git a/roles/ceph-osd/tasks/common.yml b/roles/ceph-osd/tasks/common.yml index 86087cec1..ac690e46f 100644 --- a/roles/ceph-osd/tasks/common.yml +++ b/roles/ceph-osd/tasks/common.yml 
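Review bot: The `no_log` line added at the end of roles/ceph-nfs/tasks/pre_requisite_non_container.yml (hunk `@@ -93,3 +94,4 @@`) is followed by `\ No newline at end of file`. The preceding `mode:` line is unchanged context, so the file apparently ended with a newline before this patch and no longer does. Terminating the new `no_log: "{{ no_log_on_ceph_key_tasks }}"` line with a newline keeps yamllint and later diffs quiet. The task this hunk closes starts outside the hunk.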
@@ -26,6 +26,7 @@ - { name: "client.admin", path: "/etc/ceph/{{ cluster }}.client.admin.keyring", copy_key: "{{ copy_admin_key }}" } delegate_to: "{{ groups.get(mon_group_name)[0] }}" run_once: true + no_log: "{{ no_log_on_ceph_key_tasks }}" when: - cephx | bool - item.copy_key | bool @@ -42,5 +43,5 @@ - cephx | bool - item is not skipped - item.item.copy_key | bool - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" diff --git a/roles/ceph-osd/tasks/openstack_config.yml b/roles/ceph-osd/tasks/openstack_config.yml index 254f86a18..6b05d2c3a 100644 --- a/roles/ceph-osd/tasks/openstack_config.yml +++ b/roles/ceph-osd/tasks/openstack_config.yml @@ -35,6 +35,7 @@ CEPH_CONTAINER_BINARY: "{{ container_binary }}" with_items: "{{ openstack_keys }}" delegate_to: "{{ groups[mon_group_name][0] }}" + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: get keys from monitors ceph_key: @@ -48,6 +49,7 @@ register: _osp_keys with_items: "{{ openstack_keys }}" delegate_to: "{{ groups.get(mon_group_name)[0] }}" + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: @@ -60,7 +62,7 @@ - "{{ _osp_keys.results }}" - "{{ groups[mon_group_name] }}" delegate_to: "{{ item.1 }}" - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" when: - cephx | bool - openstack_config | bool diff --git a/roles/ceph-rbd-mirror/tasks/common.yml b/roles/ceph-rbd-mirror/tasks/common.yml index a47da60e6..a33147818 100644 --- a/roles/ceph-rbd-mirror/tasks/common.yml +++ b/roles/ceph-rbd-mirror/tasks/common.yml @@ -17,6 +17,7 @@ when: - cephx | bool - item.copy_key | bool + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: @@ -29,7 +30,7 @@ when: - cephx | bool - item.item.copy_key | bool - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: create rbd-mirror keyring ceph_key: 
@@ -45,4 +46,5 @@ owner: ceph group: ceph mode: "{{ ceph_keyring_permissions }}" + no_log: "{{ no_log_on_ceph_key_tasks }}" when: not containerized_deployment | bool diff --git a/roles/ceph-rgw/tasks/common.yml b/roles/ceph-rgw/tasks/common.yml index 237f110f6..e25fb4d24 100644 --- a/roles/ceph-rgw/tasks/common.yml +++ b/roles/ceph-rgw/tasks/common.yml @@ -26,6 +26,7 @@ when: - cephx | bool - item.copy_key | bool + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy ceph key(s) if needed copy: @@ -39,7 +40,7 @@ - cephx | bool - item is not skipped - item.item.copy_key | bool - no_log: true + no_log: "{{ no_log_on_ceph_key_tasks }}" - name: copy SSL certificate & key data to certificate path copy: diff --git a/roles/ceph-rgw/tasks/pre_requisite.yml b/roles/ceph-rgw/tasks/pre_requisite.yml index c10fbf5e3..af42f688f 100644 --- a/roles/ceph-rgw/tasks/pre_requisite.yml +++ b/roles/ceph-rgw/tasks/pre_requisite.yml @@ -13,6 +13,7 @@ owner: "ceph" group: "ceph" mode: "0600" + no_log: "{{ no_log_on_ceph_key_tasks }}" environment: CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment else None }}" CEPH_CONTAINER_BINARY: "{{ container_binary }}"