[openstack-dev] [tripleo] [tripleo-validations] using using top-level fact vars will deprecated in future Ansible versions
Sam Doran
sdoran at redhat.com
Fri Jul 27 14:52:38 UTC 2018
> so if, for convenience, we do this:
> vars:
> a_mounts: "{{ hostvars[inventory_hostname].ansible_facts.mounts }}"
>
> That's completely acceptable and correct, and won't create any security
> issue, right?
Yes, that will work, but you don't need to use the hostvars dict. You can simply use ansible_facts.mounts.
Using facts in no way creates security issues. The attack vector is a managed node setting local facts, or a malicious playbook author setting a fact that contains executable and malicious code. Ansible uses an UnsafeProxy class to ensure text from untrusted sources is properly handled to defend against this.
> I think the last thing we want is to break TripleO + Ceph integration so we will maintain Ansible 2.5.x in TripleO Rocky and upgrade to 2.6.x in Stein when ceph-ansible 3.2 is used and working well.
This sounds like a good plan.
---
Respectfully,
Sam Doran
Senior Software Engineer
Ansible by Red Hat
sdoran at redhat.com <mailto:sdoran at redhat.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20180727/7ab9a910/attachment.html>
More information about the OpenStack-dev
mailing list