10 comments

[ 4.7 ms ] story [ 33.2 ms ] thread
There is some interesting discussion in this LWN subscriber link (https://lwn.net/SubscriberLink/711791/5109edb099f55603/). I'm not sure about posting subscriber-only links, but this was pasted in a well-trafficked IRC channel on Freenode, and LWN seems to want these links spread far and wide as long as it isn't used to subvert their subscription model.
If someone was moving away from Ansible, what would be the best option(s) to consider?
What's the motivation for moving away from Ansible? Just wondering. Puppet and Chef are enormous and brittle in my experience. I've moved previously from Puppet to Chef, and then from Chef to Ansible. I tried Saltstack but it felt similar to Puppet and Chef. Ansible can be slow, but the complexity overhead is minimal comparatively.
You may also consider CFEngine. Each solution has its forces and weaknesses, what will you be using it for ?
I was asking just out of curiosity. I'm not really an Ansible user, but I was looking forward to learn it as part of my own devops education stuff.
Ideally, I would prefer a similar software written in a C syntax style script language like JavaScript/NodeJS or PHP, or Lua.
Odd. I reported this very same form of vulnerability to the Ansible team in the 1.5.4 series in 2014, where the code basically eval'd the "facts" discovered from a system under management.

There was this "safe_eval" function which filtered input in a way quite inconsistent with its name. The Ansible team was responsive and pleasant to work with.

https://groups.google.com/forum/#!topic/ansible-project/MUQx...

But I suspect lots of remote control and monitoring software products might have security bugs like this where they assume that the returned information from systems under management are trustworthy.

Edit to add: Here's the patch made to safe_eval. I had suggested using literal_eval instead but I think they didn't want to require Python 2.6+. https://github.com/ansible/ansible/commit/998793fd0ab55705d5...