Sudo issues... again


Makimoto Marakatti

Mar 20, 2014, 10:05:23 AM
to ansible...@googlegroups.com

Hi all

I had a few sudo issues in the past, and those got solved. Now after updating to the latest release (1.5.3) the problem has resurfaced again.
My master box has an ansible user, which connects through ssh certs and has sudo rights to root on each of the remote boxes.
I've got 62 boxes that are failing if I sudo to them with ansible. Those 62 are a mixture of rhel/centos 5.?/6.? 32/64. Nothing in common.
Examples below are shown using a single box.

So if I do not use sudo, it works:

$ ansible commando -om ping
commando
| success >> {"changed": false, "ping": "pong"}

Now with sudo:

$ ansible commando -sKom ping
sudo password:
commando
| FAILED => ssh connection closed waiting for sudo or su password prompt

and yet:

$ ssh commando
Last login: Thu Mar 20 12:02:12 2014 from ansible_master.passmark.net
[ansible@commando ~]$ sudo su -
[sudo] password for ansible:
[root@commando ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

I actually updated to dev as I was told that my previous sudo issues had been solved in the dev branch. Unfortunately no difference. (It got rid of the nagging "previous host file not found" message though.)

Any help to try to clear this issue for once and for all would be very welcome indeed.

Thanks

Matt Martz

Mar 20, 2014, 10:29:07 AM
to ansible...@googlegroups.com, Makimoto Marakatti
Makimoto,

Have you enabled 'pipelining = True' in your ansible.cfg file?

If so, this is potentially the cause.  Regardless, it would be nice to see the output of ansible -vvvv as that would help identify if pipelining is being used or not, or any other potential issues.

-- 
Matt Martz
ma...@sivel.net

Makimoto Marakatti

Mar 20, 2014, 10:34:06 AM
to ansible...@googlegroups.com, Makimoto Marakatti
Hi

Pipelining is most definitely on. The speed advantage is great. I tried disabling it to see, but the end result is the same.

with pipelining on:

$ ansible commando -sKom ping -vvvv                                                            
sudo password:
<commando> ESTABLISH CONNECTION FOR USER: ansible
<commando> REMOTE_MODULE ping
<commando> EXEC ['ssh', '-C', '-vvv', '-o', 'PasswordAuthentication=no', '-o', 'ControlMaster=auto', '-o', 'ControlPath=~/tmp/ansible-ssh-%h-%p-%r', '-o', 'Port=22', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'ConnectTimeout=30', 'commando', '/bin/sh -c \'sudo -k && sudo -H -S -p "[sudo via ansible, key=eitjzleioedwxwlkwhlcyyraqeqvqzxk] password: " -u root /bin/sh -c \'"\'"\'echo SUDO-SUCCESS-eitjzleioedwxwlkwhlcyyraqeqvqzxk; /usr/bin/python\'"\'"\'\'']
EXEC previous known host file not found for commando
commando
| FAILED => ssh connection closed waiting for sudo or su password prompt



without pipelining:

$ ansible commando -sKom ping -vvvvv
sudo password:
<commando> ESTABLISH CONNECTION FOR USER: ansible
<commando> REMOTE_MODULE ping
<commando> EXEC ['ssh', '-C', '-tt', '-vvv', '-o', 'PasswordAuthentication=no', '-o', 'ControlMaster=auto', '-o', 'ControlPath=~/tmp/ansible-ssh-%h-%p-%r', '-o', 'Port=22', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'ConnectTimeout=30', 'commando', "/bin/sh -c 'mkdir -p /tmp/ansible-tmp-1395325848.27-139028944178673 && chmod a+rx /tmp/ansible-tmp-1395325848.27-139028944178673 && echo /tmp/ansible-tmp-1395325848.27-139028944178673'"]
EXEC previous known host file not found for commando
commando
| FAILED => Authentication or permission failure.  In some cases, you may have been able to authenticate and did not have permissions on the remote directory. Consider changing the remote temp path in ansible.cfg to a path rooted in "/tmp". Failed command was: mkdir -p /tmp/ansible-tmp-1395325848.27-139028944178673 && chmod a+rx /tmp/ansible-tmp-1395325848.27-139028944178673 && echo /tmp/ansible-tmp-1395325848.27-139028944178673, exited with result 1: mkdir: cannot create directory `/tmp/ansible-tmp-1395325848.27-139028944178673': Permission denied

Makimoto Marakatti

Mar 20, 2014, 10:35:19 AM
to ansible...@googlegroups.com, Makimoto Marakatti
For the record I do have this on ansible.cfg:

remote_tmp     = /tmp

Makimoto Marakatti

Mar 20, 2014, 11:11:39 AM
to ansible...@googlegroups.com, Makimoto Marakatti
By the way, I forgot to mention that I tried giving passwordless sudo access to the 'ansible' user.
And it did not work. Got the same output.
Which leads me to think that sudo does not get called properly.
Just speculating though....

James Cammarata

Mar 20, 2014, 11:49:21 AM
to ansible...@googlegroups.com, Makimoto Marakatti
What was the last official release that worked for you? Also, are there any other ansible.cfg settings you've changed from their defaults?


Makimoto Marakatti

Mar 20, 2014, 12:25:44 PM
to ansible...@googlegroups.com, Makimoto Marakatti, jcamm...@ansible.com
Hi

Last working one was 1.5.1.
And yes, a few changes to the cfg. Here is the comments-stripped version:

[defaults]
hostfile       = /ansible/etc/hosts
library        = /usr/share/ansible
remote_tmp     = /tmp
pattern        = *
forks          = 5
poll_interval  = 15
sudo_user      = root
transport      = ssh
remote_port    = 22
connection     = ssh
timeout        = 30
log_path       = /ansible/log/ansible.log
ansible_managed = Maintained by Ansible. Please refer to {host} to make changes in {file}. Direct edits to this file WILL BE overwritten.
display_skipped_hosts   = True
error_on_undefined_vars = True
action_plugins     = /usr/share/ansible_plugins/action_plugins
callback_plugins   = /usr/share/ansible_plugins/callback_plugins
connection_plugins = /usr/share/ansible_plugins/connection_plugins
lookup_plugins     = /usr/share/ansible_plugins/lookup_plugins
vars_plugins       = /usr/share/ansible_plugins/vars_plugins
filter_plugins     = /usr/share/ansible_plugins/filter_plugins
[paramiko_connection]
[ssh_connection]
ssh_args   = -o PasswordAuthentication=no -o ControlMaster=auto -o ControlPath=~/tmp/ansible-ssh-%h-%p-%r
scp_if_ssh = True
[accelerate]

Normally pipelining is there also, but I just disabled it per advice on this thread.

James Cammarata

Mar 20, 2014, 1:58:45 PM
to Makimoto Marakatti, ansible...@googlegroups.com
I see you're setting the transport to ssh rather than smart. Since you're using EL 5/6, does the same issue occur if you set the transport to paramiko or smart?

Makimoto Marakatti

Mar 20, 2014, 2:30:50 PM
to ansible...@googlegroups.com, Makimoto Marakatti, jcamm...@ansible.com
That's a good point. I haven't tried that.
Will try tomorrow at work and report back.

thanks!

Makimoto Marakatti

Mar 21, 2014, 4:45:40 AM
to ansible...@googlegroups.com, Makimoto Marakatti, jcamm...@ansible.com
Same result unfortunately. :(
paramiko is a no go for me though, as I've got a number of boxes behind a jumpbox. And I use ssh config to get direct access to those.
I'll try to think out of the box and see what happens...

Makimoto Marakatti

Mar 21, 2014, 7:28:51 AM
to ansible...@googlegroups.com, Makimoto Marakatti, jcamm...@ansible.com
solved!

In the end it was something simple (isn't it always...).
On the client machines, /etc/sudoers had this fateful line:

Defaults    requiretty

That has been commented out. And no issues.
But I feel ambivalent about the security side of things. Is there no way for ansible to log in with a tty???
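The fix above (commenting out the global `Defaults requiretty`) switches the option off for every account on the box. The -vvvv output earlier in the thread shows why the option bites: without pipelining Ansible runs ssh with `-tt`, so sudo sees a terminal; with pipelining it does not, and `sudo -S` reads the password from the pipe, which `requiretty` refuses. What follows is an added example, not part of the thread and not Ansible's or sudo's own code: a POSIX sh/awk audit that takes sudoers text and reports whether `requiretty` is in effect for a given user, run against a constructed stock-style sudoers and against the same text with a narrower per-user override (`Defaults:ansible !requiretty`). Sudo evaluates user-specific Defaults after the generic ones, so the override wins regardless of where it sits in the file. The parser is deliberately simplified: it handles generic `Defaults` and `Defaults:user` lines only and ignores host, runas and command Defaults, aliases, `%group` specs and `#include` directives; the sample sudoers content and the user names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, not Ansible code): report whether sudo's
# "requiretty" option applies to a given user, from sudoers text passed on the
# command line. Simplified parser: only generic "Defaults" and per-user
# "Defaults:user" lines are evaluated; host/runas/command Defaults, aliases,
# %group specs and #include directives are ignored.

# requiretty_for USER SUDOERS_TEXT -> prints "yes" or "no"
requiretty_for() {
    printf '%s\n' "$2" | awk -v user="$1" '
        # drop comments and leading/trailing whitespace, skip blank lines
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }

        # generic line: Defaults opt[, opt ...]  (later lines override earlier)
        $1 == "Defaults" {
            n = split(substr($0, 9), opts, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                if (opts[i] == "requiretty")  generic = 1
                if (opts[i] == "!requiretty") generic = 0
            }
            next
        }

        # per-user line: Defaults:user1[,user2] opt[, opt ...]
        # sudo evaluates these after the generic ones, so they take precedence
        $1 ~ /^Defaults:/ {
            nu = split(substr($1, 10), users, ",")
            hit = 0
            for (j = 1; j <= nu; j++) if (users[j] == user) hit = 1
            if (!hit) next
            n = split(substr($0, length($1) + 1), opts, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                if (opts[i] == "requiretty")  { per_user = 1; user_set = 1 }
                if (opts[i] == "!requiretty") { per_user = 0; user_set = 1 }
            }
            next
        }

        END { print ((user_set ? per_user : generic) ? "yes" : "no") }
    '
}

# Constructed sample resembling a stock EL5/6 sudoers (not any real host's file).
SUDOERS_STOCK='
Defaults    requiretty
Defaults    env_reset
root    ALL=(ALL)       ALL
ansible ALL=(ALL)       NOPASSWD: ALL
'

# Narrower fix than commenting out the global line: keep requiretty for
# everyone else and exempt only the automation account.
SUDOERS_FIXED="$SUDOERS_STOCK"'
Defaults:ansible    !requiretty
'

for who in ansible root; do
    printf 'stock: requiretty for %-8s %s\n' "$who" "$(requiretty_for "$who" "$SUDOERS_STOCK")"
    printf 'fixed: requiretty for %-8s %s\n' "$who" "$(requiretty_for "$who" "$SUDOERS_FIXED")"
done
```

Run it on a copy of a host's sudoers (`requiretty_for ansible "$(sudo cat /etc/sudoers)"`) before and after the change to confirm that only the automation user is exempted; for the real file, `visudo -c` remains the authoritative syntax check.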