Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Different values from group_vars between plain and Packer Ansible runs #193

Open
palacsint opened this issue Jun 27, 2024 · 1 comment
Open

Different values from group_vars between plain and Packer Ansible runs #193

palacsint opened this issue Jun 27, 2024 · 1 comment
Labels
bug

Comments

@palacsint
Copy link

Overview of the Issue

When using Ansible with Packer's Ansible provisioner, overridden values in group_vars are not applied correctly, causing potential security risks.

Reproduction Steps

Consider the following Ansible inventory (inventory-testing/inventory.yml):

---
all:
  children:
    jenkins:
      hosts:
        jenkinsserver1:
        jenkinsserver2:
    testing:
      children:
        jenkins:
      hosts:
        testserver1:
        testserver2:

And two group_vars:

inventory-testing/group_vars/jenkins.yml:

---
auth: "jenkins_auth_value"

inventory-testing/group_vars/testing.yml:

---
auth: "testing_auth_value"

A playbook which prints the auth variable:

---
- name: Print auth variable for all hosts
  hosts: all
  gather_facts: no
  tasks:
    - name: Print the auth variable
      delegate_to: localhost
      debug:
        msg: "The value of auth is: {{ auth }}"

When I run

ansible-playbook -i inventory-testing/ print_auth.yml

it prints the overridden jenkins_auth_value for the jenkins hosts properly:

ok: [jenkinsserver1 -> localhost] => {
    "msg": "The value of auth is: jenkins_auth_value"
}
ok: [jenkinsserver2 -> localhost] => {
    "msg": "The value of auth is: jenkins_auth_value"
}
ok: [testserver1 -> localhost] => {
    "msg": "The value of auth is: testing_auth_value"
}
ok: [testserver2 -> localhost] => {
    "msg": "The value of auth is: testing_auth_value"
}

So far, so good.

Now, let's create a packer-ansible inventory file, similar to one which is used by Packer Ansible plugin:

default 

[jenkins]
default

[testing]
default

As far as I see the Ansible Packer provisioner does not support group hierarchies (and I would not like to duplicate our group hierarchy in the HCL too).

According to output of Packer the Ansible Packer provisioner runs a similar command for Ansible with the additional inventory file:

ansible-playbook -i inventory-testing/packer-ansible-inventory print_auth.yml

It uses the inventory file (not the whole inventory directory). This prints:

ok: [default -> localhost] => {
    "msg": "The value of auth is: testing_auth_value"
}

I would expect jenkins_auth_value here.

While using the whole inventory directory:

ansible-playbook -i inventory-testing/ --limit=default print_auth.yml

prints the correct jenkins_auth_value value:

ok: [default -> localhost] => {
    "msg": "The value of auth is: jenkins_auth_value"
}

Plugin and Packer version

  • Packer v1.11.0
  • ansible-playbook [core 2.13.10]
  • python version = 3.10.12
    ansible = {
      version = ">= 1.1.1"
      source = "github.com/hashicorp/ansible"
    }

Potential Impact

It is concerning that overridden values in group_vars are not respected when using the Packer Ansible provisioner. I'm afraid this issue can lead to significant security risks, such as users gaining unintended access to servers due to incorrect variable values. For instance, a user might gain access to a server that was meant to be inaccessible based on the intended configuration in the group_vars hierarchy.

Additionally, this discrepancy can result in inconsistencies between servers created with Packer and those configured with plain Ansible, making debugging and maintaining infrastructure more challenging. Any insights or suggestions on how to address this issue would be greatly appreciated.

Might be related issues
@palacsint palacsint added the bug label Jun 27, 2024
@palacsint
Copy link
Author

I've found a workaround, although it's not very convenient:

  • Omit the inventory_directory setting.
  • Add the current inventory to the extra_arguments parameter: "-i", "inventory-testing".
  • Add a --limit to the extra_arguments parameter as well: "--limit=default". (!) Be careful, without this Ansible could run on other hosts.

This approach leverages the fact that ansible-playbook can handle multiple inventories correctly. In this setup, Packer runs a command similar to:

ansible-playbook [...] -i inventory-testing --limit=default [...] \
    -i /tmp/packer-provisioner-ansible412187266 [...]_container.yml

This ensures that the inventory hierarchy is respected and the variable values are correctly overridden as intended.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@palacsint