Eliminate /bin/sh -c environment from any ssh command sending.

Tom Van de Velde

Aug 21, 2019, 3:04:08 AM
to Ansible Project
Hi,

I'm writing a module for Ansible, executing ssh commands on a remote secured shell.
Python is not installed and the installation is not possible.
But it seems that there is always an attempt to discover Python on the remote.

<system> Attempting python interpreter discovery
<system> ESTABLISH SSH CONNECTION FOR USER: padmin
<system> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="padmin"' -o ConnectTimeout=10 -o ControlPath=/home/user/.ansible/cp/7c17f9a5a6 system '/bin/sh -c '"'"'echo PLATFORM; uname; echo FOUND; command -v '"'"'"'"'"'"'"'"'/usr/bin/python'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.7'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.6'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.5'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python2.7'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python2.6'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'/usr/libexec/platform-python'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'/usr/bin/python3'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python'"'"'"'"'"'"'"'"'; echo ENDFOUND && sleep 0'"'"''
<system> (1, b'', b'rksh: /bin/sh: 0403-019 The operation is not allowed in a restricted shell.\n')
<system> Failed to connect to the host via ssh: rksh: /bin/sh: 0403-019 The operation is not allowed in a restricted shell.

The error is there because even /bin/sh -c is not allowed.

By using the raw module, the "/bin/sh -c" is not used, so this might be an option, but the output using raw is too complicated to be parsed in Ansible only, so I would like to create a separate module for that.

Any suggestions here?

Regards,
Tom Van de Velde

Stephen Maher

Aug 21, 2019, 5:02:40 AM
to ansible...@googlegroups.com
Hi Tom,

How are you connecting to the VIOS? Can you share a snippet of code? I'm looking at doing something similar for a storwize module for a platform refresh. My thoughts were to somehow use the connection module network_cli: ansible_connection=network_cli

Regards


Andrew Feller

Aug 21, 2019, 5:23:14 AM
to ansible...@googlegroups.com
It might be prudent to study the Ansible modules in source code if you know you need to go this route:


Specifically the network category as most network devices don’t allow SSH access or have Python installed.

HTH, Andy


Tom Van de Velde

Aug 22, 2019, 2:12:18 AM
to ansible...@googlegroups.com
Hi,

Currently this is very basic but working with raw and later parsing via yml template...

- name: RAW command
  raw: "ioscli lsrep"
  register: raw_library
  changed_when: false

- name: Parse raw output
  set_fact:
    library: "{{ raw_library.stdout | parse_cli('parsers/lsrep.yml') }}"

Regards,
Tom
