Terminate playbook execution if a vulnerable Ansible version is used
ypid committed Feb 8, 2017
1 parent ccb6198 commit cce66a4
Showing 2 changed files with 36 additions and 0 deletions.
20 changes: 20 additions & 0 deletions CHANGES.rst
@@ -162,6 +162,26 @@ Fixed
Ansible 2.1. This is a non-backwards compatible change and it breaks
compatibility with Ansible 2.0. [anzil]

Security
~~~~~~~~

- Terminate playbook execution as soon as possible if a vulnerable Ansible version is used.
The minimum Ansible version without known vulnerabilities is Ansible 2.1.4.
The check is run as part of the :file:`common.yml` playbook file in a
separate playbook which has ``gather_facts`` explicitly turned of and the
task being delegated to the Ansible controller to avoid possible connection
attempts to remote hosts before the check had the opportunity to terminate
a vulnerable Ansible instance.
This playbook is run with no limitation on remote hosts meaning it will also
run the check even if the current Ansible run is limited to a host which is
not even managed by DebOps.
This check became necessary because some distributions only provide Ansible
versions with known vulnerabilities and some users are unaware.
Note that you will need `stable-2.1 <https://github.com/ansible/ansible/tree/stable-2.1>`_
because some required fixes for advanced templating features which DebOps
uses have not made it into v2.1.4 (broke while fixing the CVEs).
Refer to `Ansible Security`_ for details. [ypid_]


`debops-playbooks v0.2.9`_ - 2016-07-07
---------------------------------------
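Review bot: the stated minimum, "Ansible 2.1.4", does not match what the companion check in playbooks/common.yml enforces, which also rejects the whole 2.2.0 series and requires 2.2.1 there; say "2.1.4 on the 2.1 series or 2.2.1 on the 2.2 series" so the changelog and the assertion message agree. Typo in the gather_facts sentence: "turned of" should read "turned off". "some users are unaware" is vague; state what they are unaware of (that the Ansible their distribution packages is vulnerable). Also make sure the `Ansible Security`_ link target is defined alongside the other reST targets in CHANGES.rst, otherwise the reference renders broken.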
16 changes: 16 additions & 0 deletions playbooks/common.yml
@@ -1,5 +1,21 @@
---

- name: Check for basic requirements
hosts: [ 'all' ]
gather_facts: False
become: False

tasks:

- name: Check for Ansible version without known vulnerabilities
assert:
that:
- 'ansible_version.full | version_compare("2.1.4.0", ">=")'
- '((ansible_version.minor == 2) and (ansible_version.full | version_compare("2.2.1.0", ">="))) or (ansible_version.minor != 2)'
msg: 'VULNERABLE Ansible version DETECTED, please update Ansible to the stable-2.1 branch (> v2.1.4) or a newer Ansible release (>= v2.2.1)! Check the debops-playbook changelog for details. Exiting.'
run_once: True
delegate_to: 'localhost'

- include: service/core.yml

- name: Common configuration for all hosts
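Review bot: the threshold and the failure message disagree: `ansible_version.full | version_compare("2.1.4.0", ">=")` accepts v2.1.4.0 itself, while `msg` tells the user to move to the stable-2.1 branch "(> v2.1.4)". The changelog entry in this same commit says the v2.1.4 tag is not enough for DebOps, so either raise the threshold or reword the message so it does not promise something the assertion does not enforce. Two smaller points: put `'ansible_version is defined'` as the first condition, otherwise an Ansible without that variable dies with a template error instead of the intended message; and since the play targets `hosts: [ 'all' ]`, Ansible skips it ("no hosts matched") when the inventory is empty, so the check is bypassed in exactly that case even though the changelog says it runs regardless of the host selection. A comment that `ansible_version.minor == 2` is meant as "the 2.2.x series" (the condition never looks at `ansible_version.major`) would help the next reader.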
