Commit graph

15691 commits

Author SHA1 Message Date
Vilmos Nebehaj
58cccce384 Use PBKDF2HMAC() from cryptography for vault keys.
When stretching the key for vault files, use PBKDF2HMAC() from the
cryptography package instead of pycrypto. This will speed up the opening
of vault files by ~10x.

The problem is here in lib/ansible/utils/vault.py:

    hash_function = SHA256

    # make two keys and one iv
    pbkdf2_prf = lambda p, s: HMAC.new(p, s, hash_function).digest()

    derivedkey = PBKDF2(password, salt, dkLen=(2 * keylength) + ivlength,
                        count=10000, prf=pbkdf2_prf)

`PBKDF2()` calls a Python callback function (`pbkdf2_prf()`) 10000 times.
If one has several vault files, this will cause excessive start times
with `ansible` or `ansible-playbook` (we experience ~15 second startup
times).

Testing the original implementation in 1.9.2 with a vault file:

    In [2]: %timeit v.decrypt(encrypted_data)
    1 loops, best of 3: 265 ms per loop

Having a recent OpenSSL version and using the vault.py changes in this commit:

    In [2]: %timeit v.decrypt(encrypted_data)
    10 loops, best of 3: 23.2 ms per loop
2015-07-28 14:51:36 +02:00
Brian Coca
77fc3ce759 removed unused import 2015-07-28 08:28:52 -04:00
Brian Coca
aa5bd8c2b5 added pam_limits to changelog 2015-07-28 08:23:31 -04:00
Lukas Pirl
d9aa14feea fixes remote code execution for su/sudo and strict remote umasks
* temporarily changes umask for creating temporary directories
    * otherwise parent directories may not get chmod'ed and end up
      unreadable
refs #9902
2015-07-28 19:24:23 +12:00
James Cammarata
e505a1b7c4 Fix variable precedence integration test 2015-07-28 00:51:58 -04:00
Brian Coca
c76a66694f fixed typo 2015-07-27 22:54:57 -04:00
Brian Coca
d9c63fb273 added openvz to inventory 2015-07-27 22:52:12 -04:00
Brian Coca
80ecab5317 Merge pull request #11761 from amenonsen/9843-rebase
Add pciid to LinuxNetwork interface fact
2015-07-27 22:20:04 -04:00
Hugh Saunders
f344ec463f Add LVM facts to setup module
This commit adds LinuxHardware.get_device_facts() and calls that from
.populate().

LVM facts are only gathered if the setup module is running as root and
the lvm utilities are available (tested by searching for 'vgs').

If the conditions are met, facts are set for each volume group and
logical volume.

Example:

Test LVM Data:
$ sudo vgs
  VG   #PV #LV #SN Attr   VSize VFree
  test   1   2   0 wz--n- 5.00g 2.00g
$ sudo lvs
  LV      VG   Attr      LSize Pool Origin Data%  Move Log Copy%  Convert
  testlv  test -wi-a---- 1.00g
  testlv2 test -wi-a---- 2.00g

Facts Returned:
$ ansible localhost -i /tmp/inv -m setup -a 'filter=ansible_lvm'
localhost | success >> {
    "ansible_facts": {
        "ansible_lvm": {
            "lvs": {
                "testlv": {
                    "size_g": "1.00",
                    "vg": "test"
                },
                "testlv2": {
                    "size_g": "2.00",
                    "vg": "test"
                }
            },
            "vgs": {
                "test": {
                    "free_g": "2.00",
                    "num_lvs": "2",
                    "num_pvs": "1",
                    "size_g": "5.00"
                }
            }
        }
    },
    "changed": false
}

Test as non-root:
$ ansible localhost -i /tmp/inv-user -m setup -a 'filter=ansible_lvm'
localhost | success >> {
    "ansible_facts": {},
    "changed": false
}

Test without lvm utilities available
$ sudo mv /sbin/vgs{,.bk}
$ ansible localhost -i /tmp/inv -m setup -a 'filter=ansible_lvm'
localhost | success >> {
    "ansible_facts": {},
    "changed": false
}
2015-07-28 07:46:01 +05:30
Brian Coca
5f8db9cd4b changed verbose_override to the new _ansible_verbose_override to keep in line with previous changes
output now defaults back to having indent=4
2015-07-27 22:15:44 -04:00
Trapier Marshall
250620f2ab Add pciid to LinuxNetwork interface fact
This commit adds pciid to the LinuxNetwork fact object.

pciid is gathered if the symlink /sys/class/net/*/device exists.

Example [>>>> emphasis <<<<]:

$ readlink /sys/class/net/eth0/device
../../../0000:01:00.0

$ ansible localhost --ask-pass -i /tmp/hosts -m setup -a "filter=ansible_eth0"
SSH password:
localhost | success >> {
    "ansible_facts": {
        "ansible_eth0": {
            "active": false,
            "device": "eth0",
            "macaddress": "0c:d2:92:5d:6e:8e",
            "module": "alx",
            "mtu": 1500,
       >>>> "pciid": "0000:01:00.0", <<<<
            "promisc": true,
            "type": "ether"
        }
    },
    "changed": false
}
2015-07-28 07:30:03 +05:30
Brian Coca
8746e692c1 changed check to allow for powerpc
fixes #11528
2015-07-27 21:44:17 -04:00
Brian Coca
0c21196633 moved openvz inventory script to new home 2015-07-27 20:53:53 -04:00
Brian Coca
164092a835 optimized module docs 2015-07-27 20:52:53 -04:00
Brian Coca
65c649aa3e added virt_net to changelog 2015-07-27 20:52:53 -04:00
Brian Coca
772841a0a2 added virt_pool module to changelog 2015-07-27 20:52:53 -04:00
Brian Coca
330aee33c5 Merge pull request #8358 from jordonr/devel
Added OpenVZ Inventory python script
2015-07-27 20:50:58 -04:00
Brian Coca
2575e1540a Merge pull request #11740 from amenonsen/8602-rebase
Encrypt the vault file after editing only if the contents changed
2015-07-27 20:45:03 -04:00
Toshio Kuratomi
d2346fd2e2 Python2.4 compat fix 2015-07-27 15:34:51 -07:00
Brian Coca
12e3a2a0c1 Merge pull request #11759 from resmo/fix/doc-changelog
changelog: fix typos
2015-07-27 18:02:55 -04:00
Rene Moser
41319dc202 changelog: fix typos 2015-07-28 00:00:14 +02:00
James Cammarata
d6cafff2f9 Additional changes to fix fileglob relative path lookups 2015-07-27 16:35:57 -04:00
Brian Coca
9416fc6271 Merge pull request #8977 from billwanjohi/add_package_classifiers
add distutils package classifiers
2015-07-27 15:42:51 -04:00
Brian Coca
010e58ebfa Merge pull request #9878 from ansible/handle-quoted-comma-dict-param
Handle quoting of values in dict parameters
2015-07-27 15:37:27 -04:00
billwanjohi
b2739cec6d add distutils package classifiers
I was particularly interested in the programming language ones,
but the others might be useful to others browsing PyPI.

Now with GPLv3+, and Utilities topic.
2015-07-27 19:33:54 +00:00
Toshio Kuratomi
6a68be4e28 Handle quoting of values in dict parameters 2015-07-27 12:31:05 -07:00
James Cammarata
cb262449c7 Reworking internal result flags and making sure include_vars hides vault data
Fixes #10194
2015-07-27 14:04:31 -04:00
James Cammarata
eebf437d87 Submodule pointer update 2015-07-27 12:51:58 -04:00
Brian Coca
b2b19a1dc4 Merge pull request #11751 from amenonsen/playwithoutbook
A better error message for «ansible playbook.yml»
2015-07-27 12:42:56 -04:00
James Cammarata
7d8afad28c Merge pull request #11750 from amenonsen/example-prompt
Fix incorrect example of vars_prompt
2015-07-27 10:44:51 -04:00
James Cammarata
49a6601856 Further cleanup of internal use of ansible_ssh_host 2015-07-27 10:42:39 -04:00
James Cammarata
ee835ff7ad Add a base-level get_basedir method for lookup plugins and fix relative lookups
Fixes #11746
2015-07-27 10:41:28 -04:00
bryan hunt
7a76fcb159 merged 2015-07-27 11:57:58 +01:00
Abhijit Menon-Sen
65d62090c2 A better error message for «ansible playbook.yml»
This is a very conservative change: we add the hint only if we're
definitely going to die already.
2015-07-27 12:43:21 +05:30
James Cammarata
3a4dd523d3 Fix bug where we calculated the relative path of recursive copies wrong
Fixes #11470
2015-07-27 02:29:38 -04:00
Abhijit Menon-Sen
bb12121225 Fix incorrect example of vars_prompt 2015-07-27 11:08:39 +05:30
James Cammarata
a1a8997e89 Merge pull request #11663 from whereismyjetpack/fix_ansible_ssh_host
only set ansible_ssh_host if not already set
2015-07-26 23:46:21 -04:00
Brian Coca
a56ff7ae54 now it really is oneline 2015-07-26 23:14:07 -04:00
Brian Coca
5d1d9f1505 fixed diff output to be as it was in 1.x, copy and template now use the same
functions to do diffs.
2015-07-26 22:29:56 -04:00
James Cammarata
c56a304ad9 Merge pull request #9195 from reedloden/add-dns-facts
Add several DNS-related facts by parsing /etc/resolv.conf
2015-07-26 14:59:55 -04:00
James Cammarata
ccb7fb3b4c Submodule pointer update 2015-07-26 14:41:49 -04:00
James Cammarata
034c766439 Fixing logic in template.py to not assume 'changed' is in the result 2015-07-26 13:57:25 -04:00
James Cammarata
a78ed39f93 Merge pull request #11743 from renard/regex_escape-filter
Regex escape filter
2015-07-26 13:52:01 -04:00
James Cammarata
db4b3544d7 Fix syntax error in action plugin template.py 2015-07-26 13:49:27 -04:00
Reed Loden
eb1fb41576 Add several DNS-related facts by parsing /etc/resolv.conf
Facts include nameservers, domain, search path, sortlist, and options.
2015-07-26 10:46:59 -07:00
Sébastien Gross
c0b7fcd304 Add documentation for regex_escape filter 2015-07-26 19:08:34 +02:00
Sébastien Gross
36534668f0 Change name from re_escape to regex_escape to fit existing function names. 2015-07-26 19:03:56 +02:00
Sébastien Gross
c1e4085251 Add regular expression escaping filter. 2015-07-26 19:03:27 +02:00
Brian Coca
0b6fadaad7 started implementing diff
diff now works with template
also fixed check mode for template and copy
2015-07-26 12:22:22 -04:00
James Cammarata
d11e07a0e5 Merge pull request #11738 from amenonsen/7485-rebase
Have ec2.py expand tilde and vars when looking up the EC2_INI_PATH env variable
2015-07-26 11:11:02 -04:00