ansible now supports su as an alternative to sudo


James Tanner

Jan 21, 2014, 1:03:22 PM
to ansible...@googlegroups.com
Thanks to Paul for this one!

Basic usage is similar to sudo …

- hosts: el6.lab.net
  gather_facts: False
  su: yes
  su_user: root
  tasks:
    - shell: whoami

or pass as command line parameters …

ansible-playbook --su --su-user=root --ask-su-pass -i inventory site.yml

Begin forwarded message:

From: Paul Durivage <notifi...@github.com>
Subject: [ansible] Add su support (#5694)
Date: January 20, 2014 at 8:28:44 PM EST
To: ansible/ansible <ans...@noreply.github.com>

Continuing from PR #5325. This reverts the revert, and is therefore known as revertception. The su bug is resolved -- looks like I missed it when resolving the rebase/merge conflicts. :( Also, I had missed that there was now an additional paramiko lib, "paramiko_alt.py", so I've gone ahead and fixed that as well.


You can merge this Pull Request by running

  git pull https://github.com/angstwad/ansible add-su-support-revert

Or view, comment on, or merge it at:

  https://github.com/ansible/ansible/pull/5694

Commit Summary

  • Resolve su bug in paramiko libs
  • Revert "Revert "Merge pull request #5325 from angstwad/add-su-support""



Brian Coca

Jan 21, 2014, 1:13:40 PM
to ansible...@googlegroups.com
just curious, can sudo and su be used simultaneously?


--
Brian Coca
Stultorum infinitus est numerus
0110000101110010011001010110111000100111011101000010000001111001011011110111010100100000011100110110110101100001011100100111010000100001
Pedo mellon a minno

Serge van Ginderachter

Jan 21, 2014, 1:15:56 PM
to ansible...@googlegroups.com

On 21 January 2014 19:13, Brian Coca <bria...@gmail.com> wrote:
> just curious, can sudo and su be used simultaneously?

Is that suception?

ad...@brainfood.com

Jan 23, 2014, 8:38:12 PM
to ansible...@googlegroups.com
This doesn't work with the git module. If I use sudo: true and sudo_user: {{ item.owner }}, then the git module does the correct thing. However, if I do su: true and su_user: {{ item.owner }}, then the git module continues to run as root (I am connecting remotely as root for my playbook).

I haven't tested this on other modules.

James Tanner

Jan 23, 2014, 10:36:54 PM
to ansible...@googlegroups.com

Please show the -vvvv output from ansible-playbook and file a bug on github.

Matt Martz

Jan 24, 2014, 10:46:12 AM
to ansible...@googlegroups.com, James Tanner
I'm looking at this as well, and believe that I may have identified and fixed the issue.  I'm going to talk it over with Paul (angstwad) for validation and testing.  
-- 
Matt Martz
ma...@sivel.net

Adam Heath

Jan 24, 2014, 12:24:23 PM
to ansible...@googlegroups.com
The following playbook doesn't do what I think it should. The su on the
task stays as root.

I was asked to file a bug; I could still do so. But if you think you
have a handle on it, then it might just be better to paste this here.

cmd: ansible-playbook -i hosts.txt su-for-task-broken.yml -vvvv

== hosts.txt
localhost ansible_ssh_pass=xxxxxxxx current_user=adam
== su-for-task-broken.yml
- hosts: localhost
  remote_user: root
  tasks:
    # Same command run twice: once via sudo, once via su.
    - name: sudo test
      sudo: true
      sudo_user: "{{ current_user }}"
      shell: whoami
      register: sudo_test_result

    - name: su test
      su: true
      su_user: "{{ current_user }}"
      shell: whoami
      register: su_test_result

    - name: debug
      debug: var=sudo_test_result

    - name: debug su
      debug: var=su_test_result

    - name: sudo test check
      fail: msg="sudo didn't change to the correct user"
      when: sudo_test_result.stdout != current_user

    # Compare the su result, not the sudo result, or this check can never fail.
    - name: su test check
      fail: msg="su didn't change to the correct user"
      when: su_test_result.stdout != current_user
==

Matt Martz

Jan 24, 2014, 12:37:09 PM
to ansible...@googlegroups.com, Adam Heath
Adam,

See the pull request that was just submitted: https://github.com/ansible/ansible/pull/5751

That should resolve your issue.  If you are up to testing it, please do so and let us know if it resolves your issue. 
-- 
Matt Martz
ma...@sivel.net

Paul Durivage

Jan 24, 2014, 12:42:25 PM
to ansible...@googlegroups.com
Hi Adam,

Thanks for reporting this.  I submitted a PR this morning based on your issue.

Adam Heath

Jan 24, 2014, 12:46:15 PM
to Matt Martz, ansible...@googlegroups.com
Yup, see it, installed it, tried it, commented.

George Simpson

Apr 29, 2014, 9:52:09 PM
to ansible...@googlegroups.com
Thanks for this feature, I absolutely need it.  I do seem to have an issue using it.

I am using ansible 1.6 (devel eb090ad4a2) on RHEL 6.  When I use su with the copy module I get a permission denied error. 
I use a remote user to login to the server then su to another account. This is required in my environment. The remote user has no home directory so I have remote_tmp set in my ansible.cfg to /tmp/.ansible/tmp. It appears that the su user doesn't have permission to .ansible/tmp created by the remote user. I saw this issue that is similar, but I could not find anything specifically for su.
Should I file a bug for this?

ansible command line:  ansible-playbook upgrade.yml -i hosts.yml -u remoteuser -k -S -R a_user --ask-su-pass

Output:
fatal: hostname] => failed to parse:
SUDO-SUCCESS-ulnzuflbdcdwddmombacdjeerhjdfgoy
{"msg": "Could not replace file: /tmp/.ansible/tmp/ansible-tmp-1398820873.22-273887835083885/source to /opt/local-data/apphome/caches/remove_me.txt: [Errno 13] Permission denied: '/tmp/.ansible/tmp/ansible-tmp-1398820873.22-273887835083885/source'", "failed": true}
Exception OSError: (2, 'No such file or directory', '/opt/local-data/apphome/caches/.ansible_tmpzRLO88remove_me.txt') in <bound method _TemporaryFileWrapper.__del__ of <closed file '<fdopen>', mode 'w+b' at 0x7fd090bbbdb0>> ignored
fatal: [vsin3u544.svr.us.jpmchase.net] => failed to parse:
SUDO-SUCCESS-ulnzuflbdcdwddmombacdjeerhjdfgoy
{"msg": "Could not replace file: /tmp/.ansible/tmp/ansible-tmp-1398820873.22-273887835083885/source to /opt/adtools-local-data/jira8/jira_home/caches/remove_me.txt: [Errno 13] Permission denied: '/tmp/.ansible/tmp/ansible-tmp-1398820873.22-273887835083885/source'", "failed": true}
Exception OSError: (2, 'No such file or directory', '/opt/adtools-local-data/jira8/jira_home/caches/.ansible_tmpzRLO88remove_me.txt') in <bound method _TemporaryFileWrapper.__del__ of <closed file '<fdopen>', mode 'w+b' at 0x7fd090bbbdb0>> ignored
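A diagnostic playbook, added here as an example and not part of the thread or of Ansible itself, that checks before any copy or template task whether the su target account can traverse the remote_tmp directory the login user created. It uses the 1.x su syntax from this thread; `remote_tmp_dir` and `target_user` are variable names assumed for the example, and the check covers only the persistent parent directory, not the per-task ansible-tmp-* subdirectory.

```yaml
# Added example: probe remote_tmp reachability for the su target before
# copy/template run under su. Assumes ansible 1.x su syntax and that
# remote_tmp in ansible.cfg is /tmp/.ansible/tmp (as in the report above).
- hosts: all
  remote_user: remoteuser
  vars:
    remote_tmp_dir: /tmp/.ansible/tmp   # must match remote_tmp in ansible.cfg
    target_user: a_user                 # the account you su to
  tasks:
    - name: record owner and mode of remote_tmp as the login user
      stat: path={{ remote_tmp_dir }}
      register: tmp_stat

    - name: show what the su target will have to traverse
      debug: msg="{{ remote_tmp_dir }} uid={{ tmp_stat.stat.uid }} mode={{ tmp_stat.stat.mode }}"

    # shell with su works (see the earlier fix in this thread); the probe runs
    # as target_user and reports whether the directory is searchable for it.
    - name: probe the directory as the su target user
      shell: test -x "{{ remote_tmp_dir }}" && echo ok || echo denied
      su: yes
      su_user: "{{ target_user }}"
      register: su_probe

    - name: stop before copy/template can fail with Errno 13
      fail: msg="{{ target_user }} cannot traverse {{ remote_tmp_dir }} (uid {{ tmp_stat.stat.uid }}, mode {{ tmp_stat.stat.mode }})"
      when: su_probe.stdout != "ok"
```

Run it with the same -u, -k, -S and -R options as the failing upgrade.yml so the probe reflects the real login/su pair.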

Paul Durivage

May 1, 2014, 9:56:44 AM
to ansible...@googlegroups.com
Hi George,

Since I'm responsible for this feature, its edge cases, and bugs :( I'll see what I can do to replicate your issue.  I may or may not be able to get to it before the weekend but I'll follow up.

I thought I tested for this scenario but I may have missed it.



George Simpson

May 1, 2014, 5:11:39 PM
to ansible...@googlegroups.com
Thanks for any help you can give.  Let me know if you need any more info.  I also see it happening in the template module:

{"msg": "Could not replace file: /tmp/.ansible/tmp/ansible-tmp-1398978322.77-92955034866020/source to /opt/adtools-local-data/jira8/atlassian-jira-6.2.3-standalone/conf/server.xml: [Errno 13] Permission denied: '/tmp/.ansible/tmp/ansible-tmp-1398978322.77-92955034866020/source'", "failed": true}
Exception OSError: (2, 'No such file or directory', '/opt/adtools-local-data/jira8/atlassian-jira-6.2.3-standalone/conf/.ansible_tmpf2zuKKserver.xml') in <bound method _TemporaryFileWrapper.__del__ of <closed file '<fdopen>', mode 'w+b' at 0x7f5225a3ad20>> ignored

Michael DeHaan

May 1, 2014, 5:17:24 PM
to ansible...@googlegroups.com
This seems to be a reply to a post back on January 24th on commit that's already merged in. 

I'm thinking this may be due to Google clearing out some spam backlog that wasn't spam.

Should be ignorable, yes?

Let me know if not and this was posted today.

Thanks!


George Simpson

May 2, 2014, 9:21:58 AM
to ansible...@googlegroups.com
Hi Michael,
I posted about a problem using copy and template module with su on Apr 29th with ansible 1.6.
I probably posted it wrong, I don't get out much.
Should I have replied to the last message in the thread instead of the first?  I also wondered if it was ok to leave all the original quote in or if I should trim it down.  My apologies for making you teach me how to use Google Groups.

George Simpson

May 9, 2014, 5:09:02 PM
to ansible...@googlegroups.com
Hi Paul,
Anything I can do to help with this?  I am starting a sprint next week and will be feeling the pain if I can't use ansible to support our work.  I am happy to try and find the issue in source, not so happy to try and edit Python code.  I didn't want to duplicate work if you were already looking at it.
Thanks again for your help!


George Simpson

May 21, 2014, 1:17:38 AM
to ansible...@googlegroups.com
I have a workaround for this.  Posted the details in ansible developer list since it involves code changes.