Using Cpanel with Ansible


Fayad
Jul 5, 2017, 6:54:11 PM
to Ansible Project, Fayad Nazim
Hi,

Let me explain our environment first:

We have about 500 cPanel servers which are either OpenVZ VEs or physical servers. We are now using Puppet to manage and carry out any common system administration tasks on the servers. Direct SSH root login is disabled on all these servers.

Requirement: We need to set up Ansible to replace Puppet.

What I've done:

Since direct SSH root login is disabled, I've created a new user on the client server and set up key-based authentication from the Ansible master server. I also gave sudo privileges to this user so that it has sufficient privileges to execute commands as the root user.

I tried a few Ansible ad hoc commands and they worked a few times, e.g.:

[ih_ansible_user@ansible /]$ ansible -m shell -a '/etc/init.d/exim status' test.cpanelserver.com
test.cpanelserver.com | SUCCESS | rc=0 >>
exim (pid 28919 22473 21885 19961 19960 18016 16832 10399 10059 6131 3856 3657 3501 3431 2083 2012) is running...

[ih_ansible_user@ansible /]$ ansible -m shell -a '/etc/init.d/mysql status' test.cpanelserver.com
test.cpanelserver.com | SUCCESS | rc=0 >>
 SUCCESS! MySQL running (13701)

[ih_ansible_user@ansible /]$ ansible -m shell -a 'df -h' test.cpanelserver.com
test.cpanelserver.com | SUCCESS | rc=0 >>
Filesystem      Size  Used Avail Use% Mounted on
/dev/simfs      2.0T  1.3T  598G  69% /

But after a few tries, I get the error:

[ih_ansible_user@ansible /]$ ansible -m shell -a '/etc/init.d/httpd status' test.cpanelserver.com
test.cpanelserver.com| FAILED! => {
    "changed": false,
    "failed": true,
    "module_stderr": "Shared connection to test.cpanelserver.com closed.\r\n",
    "module_stdout": "sudo: PERM_ROOT: setresuid(0, -1, -1): too many processes\r\n",
    "msg": "MODULE FAILURE",
    "rc": 1
}

I'm also getting a similar error when I execute the command from the client server as the ansible user:

ih_ansible_user@test [/root]# sudo httpd status
sudo: PERM_ROOT: setresuid(0, -1, -1): too many processes

Upon searching, I could see that the number of processes for users other than root is restricted in cpanel servers. The suggested fix is to disable shell fork bomb protection but it is not secure. Also I'm unable to increase the limit.

Currently I'm stuck at this point. Please let me know if this is the correct approach, like adding a new user for ansible etc.


Kai Stian Olstad
Jul 6, 2017, 1:01:20 PM
to ansible...@googlegroups.com
On 5 July 2017 07:12, Fayad wrote:
> Upon searching, I could see that the number of processes for users other
> than root is restricted in cpanel servers. The suggested fix is to disable
> shell fork bomb protection but it is not secure. Also I'm unable to
> increase the limit.
>
> Currently I'm stuck at this point. Please let me know if this is the
> correct approach, like adding a new user for ansible etc.

Is it not possible to lift this restriction on the user that runs Ansible?

There is work in progress to make Ansible use threads instead of forking;
this might help your case.


https://groups.google.com/forum/#!topic/ansible-devel/2-yqn3zuWg8

--
Kai Stian Olstad

Fayad
Jul 6, 2017, 5:07:28 PM
to ansible...@googlegroups.com
I tried increasing the limits but it won't take effect unless I disable shell fork bomb protection from the WHM interface. And it is not a good idea to disable it.



Fayad

Sent from my OnePlus One


Fayad
Jul 17, 2017, 9:15:18 AM
to ansible...@googlegroups.com
The issue was fixed by creating the ansible user on the client server with a UID less than 500, which is the range meant for system accounts; the limit is not applicable to these accounts.


Fayad

Sent from my OnePlus One

Fayad
Jul 27, 2017, 11:50:43 PM
to ansible...@googlegroups.com
Is it required to run ansible commands as the root user?

If running as another user, are there any privileges required to be given to this user?



Fayad

Sent from my OnePlus One

Kai Stian Olstad
Jul 28, 2017, 9:32:14 AM
to ansible...@googlegroups.com
On 28.07.2017 05:50, Fayad wrote:
> Is it required to run ansible commands as the root user?

No.


> If running as another user, is there any privileges required to be
> given
> for this user?

No.
But if a command or an action needs privileges the user doesn't have, it
will of course not work with Ansible either.

--
Kai Stian Olstad

Fayad
Jul 28, 2017, 11:12:33 AM
to ansible...@googlegroups.com
Thanks Kai.

I've added the following line in the /etc/sudoers file on the client server:

ansible_user    ALL=(root) NOPASSWD: ALL

Won't this provide enough privilege for the ansible user to execute commands as root?

Fayad

Kai Stian Olstad
Jul 28, 2017, 2:25:57 PM
to ansible...@googlegroups.com
On 28 July 2017 17:12, Fayad wrote:
> I've added the following line in the /etc/sudoers file on the client server:
>
> ansible_user ALL=(root) NOPASSWD: ALL
>
> Won't this provide enough privilege for the ansible user to execute
> commands as root?

Yes, it will, but you still have to tell Ansible to use become; it won't
magically use sudo unless you specify become: true or use the option -b
on the command line.

--
Kai Stian Olstad
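As an added example (not code from this thread or from the Ansible project), a preflight playbook that checks the three things the discussion settled on before real work runs on a cPanel host: the login user is a system account (UID below 500, so the per-user process limit does not hit sudo), the NOPASSWD sudoers entry works non-interactively, and become really escalates to root. It assumes an inventory group named cpanel; ansible_user_id and ansible_user_uid are standard gathered facts.

```yaml
# Added example, not from the thread. Assumes an inventory group "cpanel"
# and that become_method=sudo is configured as shown later in the thread.
- name: Preflight checks for a non-root Ansible login user on cPanel hosts
  hosts: cpanel
  gather_facts: true
  become: false   # run the first checks as the plain login user
  tasks:
    - name: Login user must be a system account (UID below 500)
      # cPanel's shell fork bomb protection caps processes for users with
      # UID >= 500; sudo then fails with "setresuid(0, -1, -1): too many processes".
      assert:
        that:
          - ansible_user_uid | int < 500
        fail_msg: >-
          {{ ansible_user_id }} has UID {{ ansible_user_uid }}; recreate it as a
          system account (useradd -r) so the per-user process limit does not apply

    - name: sudo must work without a password and without a TTY
      # A nonzero exit (password prompt, "too many processes") fails the task
      # and surfaces sudo's own error message.
      command: sudo -n -u root true
      changed_when: false

    - name: become must actually escalate to root
      command: id -u
      become: true
      changed_when: false
      register: root_id
      failed_when: root_id.stdout != "0"
```

Run it with ansible-playbook as the login user; a failure in the first task is the condition the thread describes, and a failure in the second points at the sudoers entry or a requiretty setting rather than at Ansible.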

Fayad
Aug 4, 2017, 2:49:45 AM
to ansible...@googlegroups.com
Hi,

Yes, I've already enabled it. Please see the below lines:

[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=False

Fayad

Fayad
Aug 15, 2017, 11:21:22 PM
to ansible...@googlegroups.com
Is this the correct method if root login is disabled?


Fayad

Sent from my OnePlus One