Commit graph

409 commits

Author SHA1 Message Date
James Cammarata
a1886911fc Fixing security issue with lookup returns not tainting the jinja2 environment
CVE-2017-7481

Lookup returns wrap the result in unsafe, however when used through the
standard templar engine, this does not result in the jinja2 environment being
marked as unsafe as a whole. This means the lookup result loses the unsafe
protection and may become simple unicode strings, which can result in bad
things being re-templated.

This also adds a global lookup param and cfg options for lookups to allow
unsafe returns, so users can force the previous (insecure) behavior.

(cherry picked from commit 72dfb1570d22ac519350a8c09e76c458789120ed)
2017-05-08 11:11:47 -05:00
John R Barker
48f6af4907 updates sample ansible.cfg (#23045) (#23050)
* adds host_key_auto_add to paramiko section
* adds look_for_keys to paramiko section
* adds terminal_plugins to defaults section
* adds persistent_connection section and key/value entries
(cherry picked from commit ccfa464464)
2017-03-28 19:08:32 +01:00
Brian Coca
7ad6ce7ea1 moved network module magic from hardcoded to conf 2017-03-09 21:49:02 -05:00
Brian Coca
ced73389de updated better yaml host examples 2017-03-08 14:51:52 -05:00
Anhad Jai Singh
13dd4b108c Add 9p to list of special filesystems for selinux
When trying to copy files onto a Virtio-9p filesystem[1][2] in the host
using something like the template module, ansible throws an error that
says something like:

    invalid selinux context: [Errno 95] Operation not supported

Adding 9p to the list of exceptional filesystems forces ansible to not
try to set an SELinux context on copied files.

[1] such as one mounted in a qemu VM, using:

    # http://www.linux-kvm.org/page/9p_virtio
    qemu-kvm [...] -virtfs local,id=apps_dev,path=/host/dir,security_model=passthrough,mount_tag=host_dir

[2] https://www.kernel.org/doc/Documentation/filesystems/9p.txt

Change-Id: Ia868dadce1ffd2b5bebf5ee1804501676e9d7e5f
2017-02-27 09:13:28 -05:00
David PHAM-VAN
6a0fb4e3b6 Remove useless # in comment (#21609) 2017-02-18 11:43:04 +00:00
Brian Coca
b14c4b9f6e Revert "Add a config section for systemd-nspawn driver"
This reverts commit 1fc7211181.
2017-02-17 16:35:47 -05:00
Thomas Szymanski
1fc7211181 Add a config section for systemd-nspawn driver 2017-02-17 12:39:48 -05:00
Robin Schneider
3700bcb6dd Use HTTPS instead of legacy HTTP for ansible.com (#16870)
Mechanical edit done by this "one-liner":

```Shell
git ls-files -z "$(git rev-parse --show-toplevel)" | xargs --null -I '{}' find '{}' -type f -print0 | xargs --null sed --in-place --regexp-extended 's#http://(www\.|galaxy\.|)ansible\.com#https://\1ansible.com#g;'
```

Related to: https://github.com/ansible/ansible/issues/16869
2017-02-15 16:09:33 -08:00
Matt Davis
ba353b0f8f fix ambiguous cert selection in WinRM enable script (#21263)
Rather than trying to guess which cert we just generated, parse the generated cert data and extract the thumbprint directly.
2017-02-13 10:16:23 +01:00
John R Barker
959637ff59 How to document your module (#21021)
* How to document your module

* Remove blank lines

* note:: Versions should be strings

* requirements on the host that executes the module.

* option names & option values

* Feedback

* formatting

* Scott's final feedback
2017-02-10 12:15:55 +00:00
Pavlo Shchelokovskyy
6e875e81aa Fix docs re inventory_ignore_extensions config (#21132)
The list of ignored by default extensions is outdated in doc for dynamic
inventories, and this option is completely missing from configuration
file overview.
2017-02-10 00:32:22 -08:00
Andrea Tartaglia
2291163a7a Added DIFF_ALWAYS constant
When set to True, will always print the diff. Defaults to False.

Fixes #18416 #16073
2017-02-09 18:28:50 -05:00
Jordan Borean
719e1840da Added info on ntlm and credssp, updated configure script for credssp (#21175) 2017-02-08 17:00:58 -08:00
Dag Wieers
6de1f22c15 Add missing support for -CertValidityDays (#21009)
* Add missing support for -CertValidityDays

For some reason the -CertValidityDays option was not being used in the certificates we created.

This fixes #10439

* Possible fix

* We cannot use New-SelfSignedCertificate on 2012R2 and earlier

As suggested by @jhawkesworth
2017-02-06 08:14:42 +00:00
Dag Wieers
28060a4c47 Improve inline docs (#21029) 2017-02-04 08:52:01 +01:00
Toshio Kuratomi
1df7d95cec Module utils default path (#20913)
* Make the module_utils path configurable
* Add a config value to define the path site module_utils files
* Handle module_utils that do not have source as an error
* Make an integration test for module_utils envvar working
* Add documentation for the ANSIBLE_MODULE_UTILS config option/envvar
* Add it to the sample ansible.cfg
* Add it to intro_configuration.
* Also modify intro_configuration to place envvars on equal footing with
  the config options (will need to document the envvar names in the
  future)
* Also add the ANSIBLE_LIBRARY use case from
  https://github.com/ansible/ansible/issues/15432 so we can close out
  that bug.
2017-02-02 17:48:53 -08:00
jctanner
ac78347f2b Use a -short- custom hash for controlpersist path by default (#20843)
* A method to validate and alter the ssh control path automatically.
* First tries %C to use the shortened hash
* On further failure, it removes section by section from the original path
* Fix hostname
* Implement bcoca's suggested changes
* Remove unused option
* Remove unused class var
* Use to_string to avoid unicode error
* Switch from to_text to to_bytes
* Update the example config for the new controlpath feature
2017-02-01 10:39:40 -05:00
Matt Clay
10d9318de7 PEP 8 indent cleanup. (#20800)
* PEP 8 E121 cleanup.

* PEP 8 E126 cleanup.

* PEP 8 E122 cleanup.
2017-01-29 07:28:53 +00:00
Dag Wieers
c94c53e8a4 Ensure that the script is run with elevated privileges (#20669)
* Ensure that the script is run with elevated privileges

This fixes #20654

* Implement our own check for elevated privileges
2017-01-27 14:23:18 -08:00
Dag Wieers
e64ef8b0ab Small fix for running using Invoke-Expression
A small fix suggested by a user for running ConfigureRemotingForAnsible.

This fixes #20512
2017-01-26 04:10:14 -08:00
Andrew Gaffney
ac51266e8f Add pipeline-ish method using dd for file transfer over SSH (#18642) 2017-01-19 12:31:14 -05:00
Dag Wieers
de21038feb Enable -Verbose and log to EventLog (#19909)
Instead of asking the user to type something prior to running the script, why not allow -Verbose on the command line directly.
Also log important events to EventLog, so that it can be traced e.g. when running via RunOnce mechanism.

The documentation is updated as well.
2017-01-10 23:52:41 -08:00
TaoBeier
6ec0369c26 fix indent (#20071) 2017-01-10 18:47:03 -08:00
Brian Coca
08e0f6ada5 allow modules to set custom stats (#18946)
can be per run or per host, also aggregate or not
set_stats action plugin as reference implementation
added doc stub
display stats in callback
made custom stats showing configurable
2017-01-05 16:38:36 -05:00
Carlos E. Garcia
0b8011436d minor spelling changes 2016-12-13 13:51:13 -05:00
Matt Clay
75c281debc Fix compile errors in scripts. 2016-12-08 11:35:20 -05:00
Brian Coca
6dece90a57 change to ~ instead of $HOME to avoid undefined (#18551)
fixes #16032
2016-11-21 07:31:50 -08:00
Gael Pasgrimaud
f94100aa87 make default strategy configurable (#18394) 2016-11-15 15:36:53 -05:00
Brian Coca
aab80ac353 removed package from squash in examples 2016-11-14 17:41:52 -05:00
scottb
abc9133cb6 Merge pull request #12712 from ananyacleetus/patch-1
Update DOCUMENTATION.yml
2016-11-10 01:08:51 -08:00
Andrea Tartaglia
b18263cf36 ANSIBLE_SSH_CONTROL_PATH_DIR option added (#18342)
* ANSIBLE_SSH_CONTROL_PATH_DIR option added

This removes the hardcoded value ( $HOME/.ansible/cp ) from ssh.py.
User is able to change the ControlPath directory ( the one that replaces %(directory)s ).

Fixes #18325

* Added config option in ansible.cfg
2016-11-03 15:19:59 -07:00
Matt Clay
0d46805979 Clean up shebangs for various files.
- Remove shebangs from:
  - ini files
  - unit tests
  - module_utils
  - plugins
  - module_docs_fragments
  - non-executable Makefiles
- Change non-modules from '/usr/bin/python' to '/usr/bin/env python'.
- Change '/bin/env' to '/usr/bin/env'.

Also removed main functions from unit tests (since they no longer
have a shebang) and fixed a python 3 compatibility issue with
update_bundled.py so it does not need to specify a python 2 shebang.

A script was added to check for unexpected shebangs in files.
This script is run during CI on Shippable.
2016-11-02 17:00:27 -07:00
Toshio Kuratomi
5037dc4e69 Make the default Ansible_managed string static so it doesn't interfere with idempotency 2016-10-18 16:19:17 -04:00
Brian Coca
b169a61c20 toggle missing handler errors/warnings via config 2016-10-13 16:54:02 -04:00
Brian Coca
7b2f15453d make explicit the scope of config's gather_subset
it only affects the invocation of setup triggered by the gather_facts directive in plays (explicit or implicit)
2016-10-07 20:13:53 -04:00
Toshio Kuratomi
1efe782b46 Refactor parsing of CLI args so that we can modify them in the base class
Implement tag and skip_tag handling in the CLI() class.  Change tag and
skip_tag command line options to be accepted multiple times on the CLI
and add them together rather than overwrite.

* Make it configurable whether to merge or overwrite multiple --tags arguments
* Make the base CLI class an abstractbaseclass so we can implement
  functionality in parse() but still make subclasses implement it.
* Deprecate the overwrite feature of --tags with a message that the
  default will change in 2.4 and go away in 2.5.

* Add documentation for merge_multiple_cli_flags
* Fix galaxy search so its tags argument does not conflict with generic tags
* Unit tests and more integration tests for tags
2016-10-06 10:46:58 -04:00
Indrajit Raychaudhuri
becb4765c3 Add homebrew in squash_actions list (#16966)
`homebrew`, like other package modules in the existing `squash_actions` list can
benefit from `with_items` loops optimization.
2016-09-30 18:07:09 -04:00
jctanner
fff161f2f6 Smart mode for sftp+scp (#17813)
If the sftp fails, roll over to scp by default. This saves users
from having to know about the scp_if_ssh method when sftp is broken
on the remote host.
2016-09-29 17:44:54 -04:00
nitzmahone
ee080eddb5 adjust WinRM service configuration message text
fixes #17478
2016-09-09 09:47:46 -07:00
jlehtniemi-broadsoft
5864ae50c6 Start WinRM service automatically on reboot 2016-09-09 14:00:49 +03:00
Brian Coca
81a4164207 old yaml format has been long gone
script is not compatible with new yaml format so removing it to avoid confusion

(cherry picked from commit 52099224e632fe0a8b076774b22723fb73d19ea0)
2016-09-08 14:18:10 -04:00
Brian Coca
f59e8be428 linked cause people forget yaml and yml exist
(cherry picked from commit c769a966106cc01edd87f26a587238e954195d7d)
2016-09-08 14:18:10 -04:00
jctanner
fe8258a378 make timeout decorator for facts have a configurable duration (#16551)
* Add a gather_timeout parameter
* update example ansible.cfg
* fix play level fact gathering too
2016-07-08 17:46:41 -04:00
Shota
47f715fb37 Fix some typos (#16498) 2016-06-29 14:31:25 -04:00
Scott Mcdermott
007c20a28b Add missing {cache,inventory}_plugins to ansible.cfg (#16463) 2016-06-27 18:14:14 -04:00
Toshio Kuratomi
a3959644ee Change the default of module_set_locale to False. (#16313)
This makes Ansible no longer set LC_ALL for remote systems.  It is up to
the individual modules to set LC_ALL if they need it for screenscraping
the output from a program.

This is the 2.2 followup for #15138
2016-06-15 14:21:04 -04:00
Brian Coca
de18566882 made ssh compression configurable (#16214)
AIX ssh does not seem to like compression, moved it to ssh_args
to allow making it configurable. Note that those using ssh_args
already will need to add it explicitly to keep compression.
2016-06-10 13:17:49 -04:00
Matt Davis
5825958a5a Merge pull request #15275 from Cryptophobia/devel
Update ConfigureRemotingForAnsible.ps1
2016-05-20 17:15:46 -07:00
Dag Wieers
a485395b02 Fix small typo in ansible.cfg (#15912) 2016-05-18 12:21:30 -04:00