diff --git a/ansible/library/kolla_container.py b/ansible/library/kolla_container.py index c6a0ea5d1b..ad32369ba6 100644 --- a/ansible/library/kolla_container.py +++ b/ansible/library/kolla_container.py @@ -268,7 +268,8 @@ def generate_module(): # NOTE(r-krcek): arguments_spec should also be reflected in the list of # arguments in service-check-containers role argument_spec = dict( - common_options=dict(required=False, type='dict', default=dict()), + common_options=dict(required=False, type='dict', + default=dict(), no_log=True), action=dict(required=True, type='str', choices=['compare_container', 'compare_image', diff --git a/releasenotes/notes/bug-2120302-824ede145936a6eb.yaml b/releasenotes/notes/bug-2120302-824ede145936a6eb.yaml new file mode 100644 index 0000000000..3f9434272f --- /dev/null +++ b/releasenotes/notes/bug-2120302-824ede145936a6eb.yaml @@ -0,0 +1,13 @@ +--- +security: + - | + Added no_log=True to the ``common_options`` argument in generate_module() + to prevent the auth_password and other sensitive data from being printed + in Ansible logs during container operations when + ``docker_registry_password`` was set. This improves security by hiding + credentials from logs. + + This change addresses the issue where auth_password was visible in log + despite already having no_log=True on the auth_password parameter itself, + because it was nested inside common_options dict without no_log protection. + `LP#2120302 `__ diff --git a/tests/test_kolla_container.py b/tests/test_kolla_container.py index c1ea866c24..cb496ea39a 100644 --- a/tests/test_kolla_container.py +++ b/tests/test_kolla_container.py @@ -36,7 +36,8 @@ class ModuleArgsTest(base.BaseTestCase): def test_module_args(self): argument_spec = dict( - common_options=dict(required=False, type='dict', default=dict()), + common_options=dict(required=False, type='dict', default=dict(), + no_log=True), action=dict( required=True, type='str', choices=['compare_container',
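Review bot: Setting `no_log=True` on the whole `common_options` dict in `generate_module()` is coarser than the leak it closes. Ansible treats every value inside a no_log dict as sensitive, so non-secret entries may also be masked wherever they appear in the module's returned output, which can make a failed container operation harder to diagnose. The contents of `common_options` are not visible in this hunk, so confirm that this over-masking is acceptable. Because the reason is not obvious from the spec, I would add a comment above the entry, e.g. `# no_log: common_options nests auth_password, which was otherwise logged (LP#2120302)`. The body of `generate_module()` continues outside the hunk.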
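Review bot: The updated expectation in `test_module_args` only mirrors the literal `argument_spec`, so it pins that the flag is declared but not that a nested password actually stays out of the logged invocation. The rest of the test is outside the hunk, so this is inferred from the visible lines. A regression test for LP#2120302 would pass a constructed `auth_password` inside `common_options` and assert that the value is absent from what the module logs and returns. That would catch a later refactor that moves or renames the option without carrying `no_log` along.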