Ensure that the playbooks and roles can display debug data when enabled

This change will enable or disable no_log and debug options whenever the verbosity is set to an integer greater than 2. This will ensure operators and deployers are best equipped to troubleshoot issues by dynamically providing additional data in an expected way. To ensure we're able to differentiate between output masking and security masking, two options were used to enable or disable no_log across our roles and playbooks. > All debug options, without security implications, will now react to the `ansible_verbosity` built in by default. Changes have been made to our skeleton role to ensure this is enforced on all new roles created going forward. > An additional prefixed role option, `*_hide_sensitive_logs`, has been added to allow operators to easily toggle sensitive output when required. The role prefixed variables will respond to the global option `hide_sensitive_logs` as defined in THT which will ensure a consistent user experience. Depends-On: I84f3982811ade59bac5ebaf3a124f9bfa6fa22a4 Change-Id: Ia6658110326899107a0e277f0d2574c79a8a820b Signed-off-by: Kevin Carter <kecarter@redhat.com>
2020-03-25 12:02:01 -05:00 · 2020-03-25 12:02:01 -05:00 · 65e6e5b035
commit 65e6e5b035
parent c241070e4a
37 changed files with 156 additions and 106 deletions
--- a/_skeleton_role_/defaults/main.yml.j2
+++ b/_skeleton_role_/defaults/main.yml.j2
@ -18,4 +18,5 @@
 # All variables intended for modification should be placed in this file.

 # All variables within this role should have a prefix of "tripleo_{{ role_name | replace('tripleo-', '') | replace('-', '_') }}"
-tripleo_{{ role_name | replace('tripleo-', '') | replace('-', '_') }}_debug: false
+tripleo_{{ role_name | replace('tripleo-', '') | replace('-', '_') }}_debug: {% raw %}"{{ (ansible_verbosity | int) >= 2 | bool }}"{% endraw %}
+tripleo_{{ role_name | replace('tripleo-', '') | replace('-', '_') }}_hide_sensitive_logs: true
--- a/tripleo_ansible/playbooks/cli-create-deployment-plan.yaml
+++ b/tripleo_ansible/playbooks/cli-create-deployment-plan.yaml
@ -28,6 +28,7 @@
    default_templates_dir: '/usr/share/openstack-tripleo-heat-templates/'
    use_default_templates: false
    validate_stack: true
+    hide_sensitive_logs: true

  handlers:
    - name: Cleanup temp directory
@ -45,7 +46,7 @@
        os_password: "{{ lookup('env', 'OS_PASSWORD') }}"
        os_project_name: "{{ lookup('env', 'OS_PROJECT_NAME') }}"
      run_once: true
-      no_log: "{{ not ((ansible_verbosity | int) >= 2) | bool }}"
+      no_log: "{{ hide_sensitive_logs | bool }}"

  tasks:
    - name: crate container and upload templates
@ -58,7 +59,7 @@
            --os-project-name "{{ os_project_name }}"
            --auth-version "{{ auth_version }}"
            post "{{ container }}" --header 'x-container-meta-usage-tripleo:plan'
-          no_log: "{{ not ((ansible_verbosity | int) >= 2) | bool }}"
+          no_log: "{{ hide_sensitive_logs | bool }}"

        - name: Create temp directory
          tempfile:
@ -100,7 +101,7 @@
      tripleo_passwords_rotate:
        container: "{{ container }}"
      when: generate_passwords|bool
-      no_log: true
+      no_log: "{{ hide_sensitive_logs | bool }}"

    - name: Prepare Container images and update plan
      tripleo_image_params_prepare:
--- a/tripleo_ansible/playbooks/cli-undercloud-backup.yaml
+++ b/tripleo_ansible/playbooks/cli-undercloud-backup.yaml
@ -21,6 +21,7 @@
  any_errors_fatal: true
  vars:
    sources_path: "{{ lookup('env', 'HOME') }}"
+    hide_sensitive_logs: true
  handlers:
    # Perform some cleanup
    - name: cleanup the backup
@ -80,17 +81,17 @@
          slurp:
            src: "{{ ansible_home }}/tripleo-undercloud-passwords.yaml"
          register: tripleo_undercloud_passwords
-          no_log: true
+          no_log: "{{ hide_sensitive_logs | bool }}"

        - name: Set mysql root password
          set_fact:
            MysqlRootPassword: "{{ (tripleo_undercloud_passwords['content'] | b64decode | from_yaml)['parameter_defaults']['MysqlRootPassword'] }}"
-          no_log: "{{ not ((ansible_verbosity | int) >= 2) | bool }}"
+          no_log: "{{ hide_sensitive_logs | bool }}"
      rescue:
        - name: Set mysql root password (fallback)
          set_fact:
            MysqlRootPassword: "{{ lookup('ini', 'undercloud_mysql_root_password section=auth file=' ~ ansible_home ~ '/undercloud-passwords.conf') }}"
-          no_log: "{{ not ((ansible_verbosity | int) >= 2) | bool }}"
+          no_log: "{{ hide_sensitive_logs | bool }}"

    - name: Create the names for the temporary backup files
      set_fact:
@ -109,7 +110,7 @@
                    -p{{ MysqlRootPassword }} \
                    --opt \
                    --all-databases | gzip > {{ db_path }}
-      no_log: true
+      no_log: "{{ hide_sensitive_logs | bool }}"

    - name: Backup the filesystem
      become: true
--- a/tripleo_ansible/playbooks/cli-update-deployment-plan.yaml
+++ b/tripleo_ansible/playbooks/cli-update-deployment-plan.yaml
@ -26,6 +26,7 @@
    generate_passwords: true
    reset_passwords: false
    validate_stack: true
+    hide_sensitive_logs: true

  handlers:
    - name: Cleanup temp directory
@ -64,8 +65,9 @@
      tripleo_passwords_rotate:
        container: "{{ container }}"
        rotate_passwords: "{{ reset_passwords }}"
-      when: generate_passwords|bool or reset_passwords|bool
-      no_log: true
+      when:
+        - (generate_passwords | bool) or (reset_passwords | bool)
+      no_log: "{{ hide_sensitive_logs | bool }}"

    - name: Prepare Container images and update plan
      tripleo_image_params_prepare:
--- a/tripleo_ansible/playbooks/rotate-fernet-keys.yaml
+++ b/tripleo_ansible/playbooks/rotate-fernet-keys.yaml
@ -22,13 +22,14 @@
  any_errors_fatal: true
  vars:
    container: overcloud
+    hide_sensitive_logs: true

  tasks:
    - name: Rotate keys and update plan
      tripleo_fernet_keys_rotate:
        container: "{{ container }}"
      register: fernet_keys
-      no_log: true
+      no_log: "{{ hide_sensitive_logs | bool }}"

 - name: Rotate fernet keys on controller nodes
  import_playbook: rotate-keys.yaml fernet_keys="{{ hostvars['undercloud']['fernet_keys']['fernet_keys'] }}"
--- a/tripleo_ansible/playbooks/rotate-keys.yaml
+++ b/tripleo_ansible/playbooks/rotate-keys.yaml
@ -1,75 +1,92 @@
 ---
+# Copyright 2019 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
 - hosts: keystone
+  vars:
+    hide_sensitive_logs: true
  tasks:
-  - name: Check for containerized keystone fernet repository
-    stat:
-      path: /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys/
-    register: containerized_keystone_dir
+    - name: Check for containerized keystone fernet repository
+      stat:
+        path: /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys/
+      register: containerized_keystone_dir

-  - name: populate service facts
-    service_facts:
+    - name: populate service facts
+      service_facts:

-  - name: Set container facts
-    set_fact:
-      is_container: "{{ containerized_keystone_dir.stat.isdir is defined and containerized_keystone_dir.stat.isdir }}"
-      podman_enabled: "{{ 'tripleo_keystone.service' in ansible_facts.services }}"
+    - name: Set container facts
+      set_fact:
+        is_container: "{{ containerized_keystone_dir.stat.isdir is defined and containerized_keystone_dir.stat.isdir }}"
+        podman_enabled: "{{ 'tripleo_keystone.service' in ansible_facts.services }}"

-  - name: Rotate fernet keys for keystone container
-    block:
-      - name: Set keystone facts
-        set_fact:
-          keystone_base: /var/lib/config-data/puppet-generated/keystone
+    - name: Rotate fernet keys for keystone container
+      block:
+        - name: Set keystone facts
+          set_fact:
+            keystone_base: /var/lib/config-data/puppet-generated/keystone

-      - name: Remove previous fernet keys
-        shell: rm -rf /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys/*
-        args:
-          warn: false
+        - name: Remove previous fernet keys
+          shell: rm -rf /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys/*
+          args:
+            warn: false

-      - name: Persist fernet keys to repository
-        copy:
-          dest: "{{ keystone_base }}{{ item.key }}"
-          content: "{{ item.value.content }}"
-          mode: 0600
-        with_dict: "{{ fernet_keys }}"
-        no_log: true
+        - name: Persist fernet keys to repository
+          copy:
+            dest: "{{ keystone_base }}{{ item.key }}"
+            content: "{{ item.value.content }}"
+            mode: 0600
+          with_dict: "{{ fernet_keys }}"
+          no_log: "{{ hide_sensitive_logs | bool }}"

-      - name: Set permissions to match container's user
-        shell: chown --reference={{ keystone_base }}/etc/keystone/fernet-keys {{ keystone_base }}{{ item.key }}
-        with_dict: "{{ fernet_keys }}"
-        no_log: true
+        - name: Set permissions to match container's user
+          shell: chown --reference={{ keystone_base }}/etc/keystone/fernet-keys {{ keystone_base }}{{ item.key }}
+          with_dict: "{{ fernet_keys }}"
+          no_log: "{{ not ((ansible_verbosity | int) >= 2) | bool }}"

-      - name: Restart keystone container with docker
-        shell: docker restart keystone
-        when: not podman_enabled
+        - name: Restart keystone container with docker
+          shell: docker restart keystone
+          when: not podman_enabled

-      - name: Restart keystone container
-        service:
-          name: tripleo_keystone
-          state: restarted
-        when: podman_enabled
-    when:
-      - is_container | bool
+        - name: Restart keystone container
+          service:
+            name: tripleo_keystone
+            state: restarted
+          when: podman_enabled
+      when:
+        - is_container | bool

-  - name: Rotate fernet keys for keystone (no container)
-    block:
-      - name: Remove previous fernet keys
-        shell: rm -rf /etc/keystone/fernet-keys/*
-        args:
-          warn: false
+    - name: Rotate fernet keys for keystone (no container)
+      block:
+        - name: Remove previous fernet keys
+          shell: rm -rf /etc/keystone/fernet-keys/*
+          args:
+            warn: false

-      - name: Persist fernet keys to repository
-        copy:
-          dest: "{{ item.key }}"
-          content: "{{ item.value.content }}"
-          mode: 0600
-          owner: keystone
-          group: keystone
-        with_dict: "{{ fernet_keys }}"
-        no_log: true
+        - name: Persist fernet keys to repository
+          copy:
+            dest: "{{ item.key }}"
+            content: "{{ item.value.content }}"
+            mode: 0600
+            owner: keystone
+            group: keystone
+          with_dict: "{{ fernet_keys }}"
+          no_log: "{{ hide_sensitive_logs | bool }}"

-      - name: Reload apache
-        service:
-          name: httpd
-          state: reloaded
-    when:
-      - not (is_container | bool)
+        - name: Reload apache
+          service:
+            name: httpd
+            state: reloaded
+      when:
+        - not (is_container | bool)
--- a/tripleo_ansible/playbooks/rotate-passwords.yaml
+++ b/tripleo_ansible/playbooks/rotate-passwords.yaml
@ -23,13 +23,13 @@
  vars:
    container: overcloud
    password_list: []
-
+    hide_sensitive_logs: true
  tasks:
    - name: Rotate passwords in plan
      tripleo_passwords_rotate:
        container: "{{ container }}"
        password_list: "{{ password_list }}"
-      no_log: true
+      no_log: "{{ hide_sensitive_logs | bool }}"

  tags:
    - rotate-passwords
--- a/tripleo_ansible/roles/aide/defaults/main.yml
+++ b/tripleo_ansible/roles/aide/defaults/main.yml
@ -19,6 +19,7 @@

 # Packages installed on the local system. Allows user to define this list
 # otherwise it will inherit from the OS specific variable file(s).
+aide_debug: "{{ ((ansible_verbosity | int) >= 2) | bool }}"
 aide_system_packages: "{{ _aide_system_packages | default([]) }}"

 # A hash of Aide rules
--- a/tripleo_ansible/roles/aide/tasks/aide_config.yml
+++ b/tripleo_ansible/roles/aide/tasks/aide_config.yml
@ -39,7 +39,7 @@
  command: >-
    /usr/sbin/aide --init --config {{ aide_conf_path }}
  changed_when: false
-  no_log: true
+  no_log: "{{ not (aide_debug | bool) }}"
  args:
    creates: "{{ aide_db_path }}"

--- a/tripleo_ansible/roles/aide/tasks/aide_upgrade.yml
+++ b/tripleo_ansible/roles/aide/tasks/aide_upgrade.yml
@ -24,7 +24,7 @@
  command: >-
    /usr/sbin/aide --init --config {{ aide_conf_path }}
  changed_when: false
-  no_log: true
+  no_log: "{{ not (aide_debug | bool) }}"

 - name: Check for tmp aide db
  stat:
--- a/tripleo_ansible/roles/backup_and_restore/defaults/main.yml
+++ b/tripleo_ansible/roles/backup_and_restore/defaults/main.yml
@ -16,6 +16,8 @@


 # All variables intended for modification should be placed in this file.
+tripleo_backup_and_restore_hide_sensitive_logs: "{{ hide_sensitive_logs | default(true) }}"
+tripleo_backup_and_restore_debug: "{{ ((ansible_verbosity | int) >= 2) | bool }}"

 # Set the container command line entry-point
 tripleo_container_cli: "{{ container_cli | default('podman') }}"
@ -26,7 +28,6 @@ tripleo_backup_and_restore_service_manager: true
 tripleo_backup_and_restore_mysql_container: mysql

 # All variables within this role should have a prefix of "tripleo_backup_and_restore"
-tripleo_backup_and_restore_debug: false
 # By default this should be the Undercloud node
 tripleo_backup_and_restore_nfs_server: 192.168.24.1
 tripleo_backup_and_restore_nfs_storage_folder: /ctl_plane_backups
--- a/tripleo_ansible/roles/backup_and_restore/tasks/db_backup.yml
+++ b/tripleo_ansible/roles/backup_and_restore/tasks/db_backup.yml
@ -20,7 +20,7 @@
    hiera -c '{{ tripleo_backup_and_restore_hiera_config_file }}' 'mysql::server::root_password'
  when: mysql_password is undefined
  register: mysql_password
-  no_log: "{{ not ((ansible_verbosity | int) >= 2) | bool }}"
+  no_log: "{{ tripleo_backup_and_restore_hide_sensitive_logs | bool }}"
  become: true
  tags:
    - bar_create_recover_image
@ -76,7 +76,7 @@
  when: mysql_password.stderr is defined
  tags:
    - bar_create_recover_image
-  no_log: "{{ not ((ansible_verbosity | int) >= 2) | bool }}"
+  no_log: "{{ tripleo_backup_and_restore_hide_sensitive_logs | bool }}"

 - name: MySQL BBDDs backup
  shell: |
@ -89,7 +89,7 @@
  when: mysql_password.stderr is defined
  tags:
    - bar_create_recover_image
-  no_log: "{{ not ((ansible_verbosity | int) >= 2) | bool }}"
+  no_log: "{{ tripleo_backup_and_restore_hide_sensitive_logs | bool }}"

 - name: Pause mysql.
  command: "{{ tripleo_container_cli }} pause {{ tripleo_backup_and_restore_mysql_container }}"
--- a/tripleo_ansible/roles/login_defs/defaults/main.yml
+++ b/tripleo_ansible/roles/login_defs/defaults/main.yml
@ -14,7 +14,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.

-tripleo_login_defs_debug: false
+tripleo_login_defs_debug: "{{ (ansible_verbosity | int) >= 2 | bool }}"

 # The maximum number of days a password may be used
 tripleo_login_defs_password_max_days: 60
--- a/tripleo_ansible/roles/tripleo_cellv2/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_cellv2/defaults/main.yml
@ -17,7 +17,7 @@

 # All variables intended for modification should be placed in this file.

-tripleo_cellv2_debug: false
+tripleo_cellv2_debug: "{{ (ansible_verbosity | int) >= 2 | bool }}"
 tripleo_cellv2_cell_name: ""
 # containercli can be tropped when we fully switched to podman
 tripleo_cellv2_containercli: "docker"
--- a/tripleo_ansible/roles/tripleo_ceph_run_ansible/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_ceph_run_ansible/defaults/main.yml
@ -0,0 +1,20 @@
+---
+# Copyright 2020 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+
+# All variables intended for modification should be placed in this file.
+tripleo_ceph_run_ansible_hide_sensitive_logs: "{{ hide_sensitive_logs | default(true) }}"
+tripleo_ceph_run_ansible_debug: "{{ ((ansible_verbosity | int) >= 2) | bool }}"
--- a/tripleo_ansible/roles/tripleo_ceph_run_ansible/tasks/main.yml
+++ b/tripleo_ansible/roles/tripleo_ceph_run_ansible/tasks/main.yml
@ -119,7 +119,7 @@
  shell: "{{ item }}"
  # We want the output chunked into bits to prevent
  # overflowing Zaqar message size
-  no_log: true
+  no_log: "{{ not (tripleo_ceph_run_ansible_debug | bool) }}"
  failed_when: false
  register: outputs
  tags: run_ceph_ansible
@ -129,7 +129,7 @@
 - name: search output of ceph-ansible run(s) non-zero return codes
  set_fact:
    ceph_ansible_std_out_err: "{{ item.stdout_lines | default([]) | union(item.stderr_lines | default([])) }}"
-  no_log: true
+  no_log: "{{ tripleo_ceph_run_ansible_hide_sensitive_logs | bool }}"
  when:
    - item.rc is defined
    - item.rc != 0
--- a/tripleo_ansible/roles/tripleo_container_image_prepare/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_container_image_prepare/defaults/main.yml
@ -18,7 +18,7 @@
 # All variables intended for modification should be placed in this file.

 # All variables within this role should have a prefix of "tripleo_container_image_prepare"
-tripleo_container_image_prepare_debug: false
+tripleo_container_image_prepare_debug: "{{ (ansible_verbosity | int) >= 2 | bool }}"
 tripleo_container_image_prepare_content: {}
 tripleo_container_image_prepare_roles: []
 tripleo_container_image_prepare_log_file: /var/log/tripleo-container-image-prepare.log
--- a/tripleo_ansible/roles/tripleo_container_image_prepare/tasks/main.yml
+++ b/tripleo_ansible/roles/tripleo_container_image_prepare/tasks/main.yml
@ -57,7 +57,7 @@
        {% if (tripleo_container_image_prepare_debug | bool) %}
        --debug
        {% endif %}
-      no_log: "{{ not (tripleo_container_image_prepare_debug | bool) }}"
+      no_log: "{{ not tripleo_container_image_prepare_debug | bool }}"
      when:
        - (tripleo_container_image_prepare_content | dict2items | length) > 0
        - (tripleo_container_image_prepare_roles | length) > 0
--- a/tripleo_ansible/roles/tripleo_container_manage/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_container_manage/defaults/main.yml
@ -16,6 +16,8 @@


 # All variables intended for modification should place placed in this file.
+tripleo_container_manage_hide_sensitive_logs: "{{ hide_sensitive_logs | default(true) }}"
+tripleo_container_manage_debug: "{{ ((ansible_verbosity | int) >= 2) | bool }}"

 # All variables within this role should have a prefix of "tripleo_container_manage"
 tripleo_container_manage_check_puppet_config: false
@ -25,7 +27,6 @@ tripleo_container_manage_config: "/var/lib/tripleo-config/"
 tripleo_container_manage_config_id: tripleo
 tripleo_container_manage_config_overrides: {}
 tripleo_container_manage_config_patterns: '*.json'
-tripleo_container_manage_debug: false
 # Some containers where Puppet is run, can take up to 10 minutes to finish
 # in slow environments.
 tripleo_container_manage_create_retries: 120
--- a/tripleo_ansible/roles/tripleo_container_manage/tasks/delete_orphan.yml
+++ b/tripleo_ansible/roles/tripleo_container_manage/tasks/delete_orphan.yml
@ -17,7 +17,7 @@
 - name: Gather podman infos
  podman_container_info: {}
  register: podman_containers
-  no_log: "{{ not tripleo_container_manage_debug }}"
+  no_log: "{{ not (tripleo_container_manage_debug | bool) }}"
  when:
    - tripleo_container_manage_cli == 'podman'

--- a/tripleo_ansible/roles/tripleo_container_manage/tasks/podman/create.yml
+++ b/tripleo_ansible/roles/tripleo_container_manage/tasks/podman/create.yml
@ -27,7 +27,7 @@
      config_id=tripleo_container_manage_config_id, clean_orphans=False) }}

 - name: "Async container create/run"
-  no_log: "{{ not tripleo_container_manage_debug }}"
+  no_log: "{{ tripleo_container_manage_hide_sensitive_logs | bool }}"
  async: "{{ (not ansible_check_mode | bool) | ternary('600', omit) }}"
  poll: "{{ (not ansible_check_mode | bool) | ternary('0', omit) }}"
  register: create_async_results
@ -84,7 +84,7 @@
    volumes_from: "{{ lookup('dict', container_data).value.volumes_from | default([]) }}"

 - name: "Check podman create status"
-  no_log: "{{ not tripleo_container_manage_debug }}"
+  no_log: "{{ not (tripleo_container_manage_debug | bool) }}"
  async_status:
    jid: "{{ create_async_result_item.ansible_job_id }}"
  loop: "{{ create_async_results.results }}"
--- a/tripleo_ansible/roles/tripleo_container_manage/tasks/podman/exec.yml
+++ b/tripleo_ansible/roles/tripleo_container_manage/tasks/podman/exec.yml
@ -22,7 +22,7 @@
  when: not ansible_check_mode|bool

 - name: "Async container exec"
-  no_log: "{{ not tripleo_container_manage_debug }}"
+  no_log: "{{ not (tripleo_container_manage_debug | bool) }}"
  command:
    argv: "{{ lookup('dict', container_exec_data).value | container_exec_cmd(cli=tripleo_container_manage_cli) }}"
  async: "{{ (not ansible_check_mode | bool) | ternary('60', omit) }}"
@ -34,7 +34,7 @@
  when: not ansible_check_mode|bool

 - name: "Check podman exec status"
-  no_log: "{{ not tripleo_container_manage_debug }}"
+  no_log: "{{ not (tripleo_container_manage_debug | bool) }}"
  async_status:
    jid: "{{ exec_async_result_item.ansible_job_id }}"
  loop: "{{ exec_async_results.results }}"
--- a/tripleo_ansible/roles/tripleo_container_manage/tasks/podman/get_commands_exec.yml
+++ b/tripleo_ansible/roles/tripleo_container_manage/tasks/podman/get_commands_exec.yml
@ -15,7 +15,7 @@
 # under the License.

 - name: "Create a list of podman exec commands that are run"
-  no_log: "{{ not tripleo_container_manage_debug }}"
+  no_log: "{{ not (tripleo_container_manage_debug | bool) }}"
  set_fact:
    containers_commands: >-
      {{ (containers_commands | default([])) + ([lookup('dict', container_exec_data).value |
--- a/tripleo_ansible/roles/tripleo_container_manage/tasks/podman/start_order.yml
+++ b/tripleo_ansible/roles/tripleo_container_manage/tasks/podman/start_order.yml
@ -17,7 +17,7 @@
 - name: Gather podman infos
  podman_container_info: {}
  register: podman_containers
-  no_log: "{{ not tripleo_container_manage_debug }}"
+  no_log: "{{ tripleo_container_manage_hide_sensitive_logs | bool }}"
  when:
    - tripleo_container_manage_cli == 'podman'

--- a/tripleo_ansible/roles/tripleo_hosts_entries/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_hosts_entries/defaults/main.yml
@ -18,7 +18,7 @@
 # All variables intended for modification should be placed in this file.

 # All variables within this role should have a prefix of "tripleo_hosts_entries"
-tripleo_hosts_entries_debug: false
+tripleo_hosts_entries_debug: "{{ (ansible_verbosity | int) >= 2 | bool }}"
 tripleo_hosts_entries_hosts_path: /etc/hosts
 tripleo_hosts_entries_undercloud_hosts_entries: ""
 tripleo_hosts_entries_extra_hosts_entries: ""
--- a/tripleo_ansible/roles/tripleo_nova_image_cache/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_nova_image_cache/defaults/main.yml
@ -18,7 +18,7 @@
 # All variables intended for modification should place placed in this file.

 # All variables within this role should have a prefix of "tripleo_nova_image_cache"
-tripleo_nova_image_cache_debug: false
+tripleo_nova_image_cache_debug: "{{ (ansible_verbosity | int) >= 2 | bool }}"
 tripleo_nova_image_cache_images: []
 tripleo_nova_image_cache_use_proxy: false
 tripleo_nova_image_cache_proxy_hostname: "{{ ansible_play_batch[0] }}"
--- a/tripleo_ansible/roles/tripleo_nvdimm/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_nvdimm/defaults/main.yml
@ -18,4 +18,4 @@
 # All variables intended for modification should be placed in this file.

 # All variables within this role should have a prefix of "tripleo_tripleo_nvdimm"
-tripleo_tripleo_nvdimm_debug: false
+tripleo_tripleo_nvdimm_debug: "{{ (ansible_verbosity | int) >= 2 | bool }}"
--- a/tripleo_ansible/roles/tripleo_ovs_dpdk/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_ovs_dpdk/defaults/main.yml
@ -18,7 +18,7 @@
 # All variables intended for modification should place placed in this file.

 # All variables within this role should have a prefix of "tripleo_ovs_dpdk"
-tripleo_ovs_dpdk_debug: false
+tripleo_ovs_dpdk_debug: "{{ (ansible_verbosity | int) >= 2 | bool }}"
 tripleo_ovs_dpdk_pmd_core_list: ""
 tripleo_ovs_dpdk_lcore_list: ""
 tripleo_ovs_dpdk_memory_channels: 4
--- a/tripleo_ansible/roles/tripleo_packages/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_packages/defaults/main.yml
@ -60,7 +60,7 @@ tripleo_packages_fast_forward_custom_repo_script_content: |
 tripleo_packages_upgrade_leapp_enabled: true

 # Print debugging output when running Leapp
-tripleo_packages_upgrade_leapp_debug: true
+tripleo_packages_upgrade_leapp_debug: "{{ (ansible_verbosity | int) >= 2 | bool }}"

 # Skip RHSM when running Leapp in development/testing.
 tripleo_packages_upgrade_leapp_devel_skip_rhsm: false
--- a/tripleo_ansible/roles/tripleo_podman/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_podman/defaults/main.yml
@ -16,6 +16,8 @@


 # All variables intended for modification should be placed in this file.
+tripleo_podman_hide_sensitive_logs: "{{ hide_sensitive_logs | default(true) }}"
+tripleo_podman_debug: "{{ ((ansible_verbosity | int) >= 2) | bool }}"

 tripleo_container_registry_insecure_registries: []
 tripleo_container_registry_login: false
@ -23,7 +25,6 @@ tripleo_container_registry_logins: {}
 tripleo_podman_packages: "{{ _tripleo_podman_packages | default([]) }}"
 tripleo_podman_purge_packages: "{{ _tripleo_podman_purge_packages | default([]) }}"
 tripleo_podman_tls_verify: true
-tripleo_podman_debug: false
 tripleo_podman_unqualified_search_registries:
  - registry.redhat.io
  - registry.access.redhat.com
--- a/tripleo_ansible/roles/tripleo_podman/tasks/tripleo_podman_login.yml
+++ b/tripleo_ansible/roles/tripleo_podman/tasks/tripleo_podman_login.yml
@ -26,6 +26,6 @@
    REGISTRY_USERNAME: "{{ lookup('dict', item.value).key }}"
    REGISTRY_PASSWORD: "{{ lookup('dict', item.value).value }}"
    REGISTRY: "{{ item.key }}"
-  no_log: "{{ not tripleo_podman_debug|bool }}"
+  no_log: "{{ tripleo_podman_hide_sensitive_logs | bool }}"
  loop: "{{ query('dict', tripleo_container_registry_logins) }}"
  register: registry_login_podman
--- a/tripleo_ansible/roles/tripleo_puppet_cache/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_puppet_cache/defaults/main.yml
@ -16,8 +16,11 @@


 # All variables intended for modification should be placed in this file.
+tripleo_puppet_hide_sensitive_logs: "{{ hide_sensitive_logs | default(true) }}"
+tripleo_puppet_debug: "{{ ((ansible_verbosity | int) >= 2) | bool }}"

 # All variables within this role should have a prefix of "tripleo_puppet_cache"
+tripleo_puppet_cache_debug: "{{ ((ansible_verbosity | int) >= 2) | bool }}"
 tripleo_puppet_cache_base_dir: /var/lib/container-puppet/puppetlabs
 tripleo_puppet_cache_config: |
    facts : {
--- a/tripleo_ansible/roles/tripleo_puppet_cache/tasks/main.yml
+++ b/tripleo_ansible/roles/tripleo_puppet_cache/tasks/main.yml
@ -82,7 +82,7 @@
  shell: facter --config "{{ tripleo_puppet_cache_base_dir }}/facter.conf"
  retries: 5
  delay: 5
-  no_log: true
+  no_log: "{{ tripleo_puppet_hide_sensitive_logs | bool }}"
  failed_when: false
  register: _facter_cache_run

--- a/tripleo_ansible/roles/tripleo_redhat_enforce/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_redhat_enforce/defaults/main.yml
@ -18,7 +18,7 @@
 # All variables intended for modification should be placed in this file.

 # All variables within this role should have a prefix of "tripleo_redhat_enforce"
-tripleo_redhat_enforce_debug: false
+tripleo_redhat_enforce_debug: "{{ (ansible_verbosity | int) >= 2 | bool }}"
 tripleo_redhat_enforce: false
 tripleo_redhat_enforce_osp: ''
 tripleo_redhat_enforce_os: ''
--- a/tripleo_ansible/roles/tripleo_systemd_wrapper/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_systemd_wrapper/defaults/main.yml
@ -18,5 +18,5 @@
 # All variables intended for modification should be placed in this file.

 # All variables within this role should have a prefix of "tripleo_systemd_wrapper"
-tripleo_systemd_wrapper_debug: false
+tripleo_systemd_wrapper_debug: "{{ (ansible_verbosity | int) >= 2 | bool }}"
 tripleo_systemd_wrapper_container_cli: podman
--- a/tripleo_ansible/roles/tripleo_transfer/defaults/main.yml
+++ b/tripleo_ansible/roles/tripleo_transfer/defaults/main.yml
@ -23,7 +23,7 @@
 #   * `tripleo_transfer_src_dir` -- directory on the source host to transfer from
 #   * `tripleo_transfer_dest_host` -- the inventory name of the destination host
 #   * `tripleo_transfer_dest_dir` -- directory on the destination host to transfer to
-
+tripleo_transfer_debug: "{{ ((ansible_verbosity | int) >= 2) | bool }}"
 tripleo_transfer_storage_root_dir: /var/lib/mistral/tripleo-transfer
 tripleo_transfer_storage_root_become: false
 tripleo_transfer_src_become: true
--- a/tripleo_ansible/roles/tripleo_transfer/tasks/main.yml
+++ b/tripleo_ansible/roles/tripleo_transfer/tasks/main.yml
@ -44,7 +44,7 @@

 # Using the "archive" module lists lists all tarred files in module
 # output, if there's too many files, it can crash ansible even with
-# "no_log: true".
+# "no_log: "{{ not tripleo_transfer_debug | bool }}"".
 - name: create the archive
  shell: |-
    set -euo pipefail