[openstack-dev] [tripleo] [tripleo-validations] using top-level fact vars will be deprecated in future Ansible versions

Sam Doran sdoran at redhat.com
Fri Jul 27 14:52:38 UTC 2018


> so if, for convenience, we do this:
> vars:
>  a_mounts: "{{ hostvars[inventory_hostname].ansible_facts.mounts }}"
> 
> That's completely acceptable and correct, and won't create any security
> issue, right?


Yes, that will work, but you don't need to use the hostvars dict. You can simply use ansible_facts.mounts.

Using facts in no way creates security issues. The attack vector is a managed node setting local facts, or a malicious playbook author setting a fact that contains executable and malicious code. Ansible uses an UnsafeProxy class to ensure text from untrusted sources is properly handled to defend against this.

> I think the last thing we want is to break TripleO + Ceph integration so we will maintain Ansible 2.5.x in TripleO Rocky and upgrade to 2.6.x in Stein when ceph-ansible 3.2 is used and working well.

This sounds like a good plan.

---

Respectfully,

Sam Doran
Senior Software Engineer
Ansible by Red Hat
sdoran at redhat.com
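
The three ways of referencing mount facts discussed in this message, side by side in a validation-style play. This is an added example, not part of the original e-mail or of tripleo-validations; the play name, the `min_free_bytes` threshold and the check itself are assumptions made for illustration.

```yaml
---
# Added example (hypothetical play): checks free space on "/" using the
# namespaced ansible_facts dictionary rather than top-level fact variables.
- name: Validate free space on the root filesystem
  hosts: all
  gather_facts: true
  vars:
    # Form from the quoted question. It works, but the hostvars lookup is
    # unnecessary when reading the current host's own facts:
    #   a_mounts: "{{ hostvars[inventory_hostname].ansible_facts.mounts }}"
    #
    # Top-level injected variable, the form the thread subject says will be
    # deprecated:
    #   a_mounts: "{{ ansible_mounts }}"
    #
    # Form recommended in the reply. Keys inside ansible_facts carry no
    # "ansible_" prefix, so ansible_mounts becomes ansible_facts.mounts:
    a_mounts: "{{ ansible_facts.mounts }}"
    min_free_bytes: 1073741824   # assumed threshold: 1 GiB

  tasks:
    - name: Fail when "/" has less free space than the threshold
      assert:
        that:
          - item.size_available | int >= min_free_bytes
        msg: "Not enough free space on {{ item.mount }}"
      loop: "{{ a_mounts | selectattr('mount', 'equalto', '/') | list }}"
      loop_control:
        label: "{{ item.mount }}"

# To find remaining uses of the top-level form, set
#   inject_facts_as_vars = False
# under [defaults] in ansible.cfg; top-level ansible_* fact variables are then
# undefined and only ansible_facts.* resolves.
```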
