How to temporarily disable logging to nornir.log

[DarkSplash]

Hi, I have been using Nornir to transfer files via SCP to switches, and all has been going well except for one caveat. During the SCP command on the switches, it asks for a password which when passed, shows up in the nornir.log file as plaintext. For obvious security reasons, I would like to turn off the logging function when I pass the password to the switch, but still keep logging functional otherwise.

Currently, my SCP code looks like this:

print("\nBeginning SCP transfer...")
command = f"copy scp://{username}@192.168.0.10//tftpboot/{filename} flash:/{filename}"
output = filter.run(netmiko_send_command, command_string=command, expect_string=r'Destination filename')
output2 = filter.run(netmiko_send_command, command_string="", expect_string=r"Password")
output3 = filter.run(netmiko_send_command, command_string=password, expect_string=r"copied", max_loops=maxLoopsEstimate(filesize), cmd_verify=False)

The above code works perfectly fine, and I have tried adding filter.config.logging.enabled = False to this function and have confirmed that the variable is updating, but it doesn't seem to affect logging output whatsoever. I am initializing my Nornir object using a YAML config file, and have seen that the configuration preference is “configuration file” -> “env variable” -> “code”, but don't see any glaring issues that would stop me from updating this variable on the fly during code execution.

Ideally, my code would look something like this when working:

print("\nBeginning SCP transfer...")
command = f"copy scp://{username}@192.168.0.10//tftpboot/{filename} flash:/{filename}"
output = filter.run(netmiko_send_command, command_string=command, expect_string=r'Destination filename')
output2 = filter.run(netmiko_send_command, command_string="", expect_string=r"Password")

filter.config.logging.enabled = False
output3 = filter.run(netmiko_send_command, command_string=password, expect_string=r"copied", 
filter.config.logging.enabled = True

max_loops=maxLoopsEstimate(filesize), cmd_verify=False)

Is there some way to turn off logging for a few tasks and then resume logging after a certain point in Nornir without reinitializing a new Nornir object?

[dmfigol]

@DarkSplash there is a way by turning off a specific logger that emits a message. Could you show the log message you want to suppress (obviously remove sensitive information yourself)?
generally it would look like this:

logger = logging.getLogger("<logger name, probably netmiko>")
logger.disabled = True
# your task
logger.disabled = False

However, it might worth having a discussion and ask underling library maintainers to remove sensitive information from logs by default? Not sure.

[DarkSplash]

That did the trick! The logger name ended up being "nornir.core".

Working code:

print("\nBeginning SCP transfer...")
command = f"copy scp://{username}@192.168.0.10//tftpboot/{filename} flash:/{filename}"
output = filter.run(netmiko_send_command, command_string=command, expect_string=r'Destination filename')
output2 = filter.run(netmiko_send_command, command_string="", expect_string=r"Password")
    
nornirLogger = logging.getLogger("nornir.core")
nornirLogger.disabled = True
output3 = filter.run(netmiko_send_command, command_string=password, expect_string=r"copied", max_loops=maxLoopsEstimate(filesize), cmd_verify=False)
nornirLogger.disabled = False

[ktbyers]

Isn't the issue due to Nornir logging the arguments in the Nornir .run() call? So whatever Netmiko, NAPALM, Scrapli does here would not be relevant (i.e. the logging would have happened before then)?

Another workaround is to make a custom Nornir task and not pass any arguments with sensitive information so that nr.run() logging of arguments would not be relevant. You can always bind information to the Nornir host object and access it inside the Nornir custom task. In other words, you should be able to avoid needing to pass sensitive information like passwords via argument calls (that get logged).

[DarkSplash]

Yep that's pretty much what's happening, I'm passing the password as an argument within the nornir .run() call, which always gets logged within nornir.log. I don't really see this as an issue as you said, as if I managed to do this with some other Nornir connection task, this plaintext credential problem would still be an issue.

Hadn't even thought of grabbing Nornir data like that within a custom task, so will definitely keep that in mind for the future.