rundeck: using sudo


Diogène Mutombo

Sep 2, 2024, 6:13:34 AM
to rundeck-discuss
Hello,

I want to run a script as sudo.
[attached screenshot: sudo_rundeck.png]
I want the password to be set when prompt, so
I have set this in my project configuration:

project.ssh-authentication=privateKey
project.sudo-command-enabled=true
project.sudo-password-option=option.sudo

The job option is defined:
[attached screenshot: option_job.png]

It is not working. Is there a way to do it?

Best regards,

rac...@rundeck.com

Sep 2, 2024, 10:46:26 AM
to rundeck-discuss

Hi!

Please add the following config:

sudo-command-enabled=true
sudo-command-pattern=^sudo$
sudo-password-option=option.mypassword
sudo-prompt-pattern=^[sudo] password for .+\: .*

Based on this answer.

I’ve tested this with the following job:

```yaml
- defaultTab: nodes
  description: ''
  executionEnabled: true
  id: 06c06c14-3836-4d5c-871f-ed162ca5c0b6
  loglevel: DEBUG
  name: HelloSUDOWorld
  nodeFilterEditable: false
  nodefilters:
    dispatch:
      excludePrecedence: true
      keepgoing: false
      rankOrder: ascending
      successOnEmptyNodeFilter: false
      threadcount: '1'
    filter: 'name: node00 '
  nodesSelectedByDefault: true
  options:
  - name: mypassword
    secure: true
    storagePath: keys/sudopasswd
    valueExposed: true
  plugins:
    ExecutionLifecycle: {}
  scheduleEnabled: true
  sequence:
    commands:
    - exec: sudo cat /etc/shadow
    keepgoing: false
    strategy: node-first
  uuid: 06c06c14-3836-4d5c-871f-ed162ca5c0b6
```

My SSH node entry, if you need an example:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project>
  <node name="node00" description="Ubuntu" tags="" hostname="192.168.56.10" osArch="amd64" osFamily="unix" osName="Linux" osVersion="5.14.0-284.30.1.el9_2.x86_64" username="vagrant" />
</project>
```

Hope it helps!

Diogène Mutombo

Sep 2, 2024, 10:53:55 AM
to rundeck-discuss
Hello,
Thanks for your answer.

sudo-command-enabled=true
sudo-command-pattern=^sudo$
sudo-password-option=option.mypassword
sudo-prompt-pattern=^[sudo] password for .+\: .*

Are these to be added at project level?

Best regards,

rac...@rundeck.com

Sep 2, 2024, 10:57:32 AM
to rundeck-discuss

Hi,

> Are these to be added at project level?

That’s correct. Greetings.

Diogène Mutombo

Sep 4, 2024, 9:25:06 AM
to rundeck-discuss

Hello,
I have tested and it is not working:

sudo: un terminal est requis pour lire le mot de passe; utilisez soit l'option -S pour lire depuis l'entrée standard ou configurez un outil askpass de demande de mot de passe
sudo: il est nécessaire de saisir un mot de passe
Failed: Unknown: Remote command failed with exit status 1

```yaml
- defaultTab: nodes
  description: ''
  executionEnabled: true
  id: 7e4dd622-84b4-4796-88e6-78f4497cfeb1
  loglevel: INFO
  name: HelloSUDOWorld
  nodeFilterEditable: false
  nodefilters:
    dispatch:
      excludePrecedence: true
      keepgoing: false
      rankOrder: ascending
      successOnEmptyNodeFilter: false
      threadcount: '1'
    filter: 'name: a69sv01'
  nodesSelectedByDefault: true
  options:
  - name: sudo
    secure: true
    storagePath: keys/project/TEST/sudo
    valueExposed: true
  plugins:
    ExecutionLifecycle: null
  scheduleEnabled: true
  sequence:
    commands:
    - exec: whoami
    - fileExtension: .sh
      interpreterArgsQuoted: false
      script: |-
        #! /bin/bash

        echo "test sudo"
        cat /etc/passwd
      scriptInterpreter: sudo bash
    keepgoing: false
    strategy: node-first
  uuid: 7e4dd622-84b4-4796-88e6-78f4497cfeb1

```

Project level config

project.sudo-command-enabled=true
project.sudo-command-pattern=^sudo$
project.sudo-password-option=option.sudo
project.sudo-prompt-pattern=^[sudo] password for .+\: .*

rac...@rundeck.com

Sep 4, 2024, 10:06:39 AM
to rundeck-discuss

Hi,

It seems that you’re facing this. You probably need to change the sudo-prompt-pattern value depending on your target OS (probably using ^.*password.* according to this), this thread would help you. According to your target OS, use the right pattern in sudo-command-pattern and sudo-prompt-pattern which is well explained here.

Regards.
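Added example (not from the thread and not Rundeck code) showing why the prompt pattern depends on the target's locale: it applies the sudo-prompt-pattern values mentioned in this thread to constructed English and French sudo prompts. It assumes Rundeck's check behaves like a full-string Java regex match, approximated here with Python's re.fullmatch.

```python
import re

# Constructed sample prompts: an English sudo prompt and a French-locale one
# (the original poster's node answers in French). sudo prints a trailing space.
PROMPTS = {
    "en": "[sudo] password for vagrant: ",
    "fr": "[sudo] Mot de passe de testuser : ",
}

# Patterns quoted in the thread, plus an escaped variant of the default.
# Caveat: in a regex, "[sudo]" is a character class matching ONE of s/u/d/o,
# so the unescaped form cannot match a prompt that starts with "[sudo]".
PATTERNS = {
    "thread-default": r"^[sudo] password for .+\: .*",
    "escaped-default": r"^\[sudo\] password for .+: .*",
    "generic-en": r"^.*password.*",
    "generic-fr": r"^.*passe.*",
}


def prompt_matches(pattern: str, prompt: str) -> bool:
    """Full-string match, assumed to approximate Rundeck's Java-side check."""
    return re.fullmatch(pattern, prompt) is not None


def matrix() -> dict:
    """Return {pattern_name: {locale: matched}} for every pattern/prompt pair."""
    return {
        name: {loc: prompt_matches(pat, text) for loc, text in PROMPTS.items()}
        for name, pat in PATTERNS.items()
    }


if __name__ == "__main__":
    for name, row in matrix().items():
        cells = "  ".join(f"{loc}={'match' if ok else 'NO'}" for loc, ok in row.items())
        print(f"{name:16} {cells}")
```

A pattern that never matches leaves Rundeck waiting for a prompt it will not recognise, so run the target's own sudo prompt through this check before changing project.sudo-prompt-pattern.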

Diogène Mutombo

Sep 4, 2024, 10:41:24 AM
to rundeck-discuss
It seems to be OK for the sudo patterns, thanks.
I have another problem: the execution gets stuck here

[sshj-ssh] executing command sudo bash /tmp/30-944-a69sv-ns01-dispatch-script.tmp.sh 192.168.3.50
[net.schmizz.sshj.connection.channel.direct.SessionChannel] Sending channel request for `shell`
[net.schmizz.concurrent.Promise] Awaiting <<chan#0 / chanreq for shell>>
[net.schmizz.sshj.connection.channel.direct.SessionChannel] Received window adjustment for 2097152 bytes
[net.schmizz.sshj.connection.channel.Window$Remote] Increasing by 2097152 up to 2097152
[net.schmizz.concurrent.Promise] Setting <<chan#0 / chanreq for shell>> to `SOME`
private context 'option.sudoPassword' was null
[sshj-ssh]  executing command sudo bash /tmp/30-944-a69sv-ns01-dispatch-script.tmp.sh 192.168.3.50
[net.schmizz.sshj.connection.channel.direct.SessionChannel] Sending channel request for `shell`
[net.schmizz.concurrent.Promise] Awaiting <<chan#0 / chanreq for shell>>
[net.schmizz.sshj.connection.channel.direct.SessionChannel] Received window adjustment for 2097152 bytes
[net.schmizz.sshj.connection.channel.Window$Remote] Increasing by 2097152 up to 2097152
[net.schmizz.concurrent.Promise] Setting <<chan#0 / chanreq for shell>> to `SOME`
private context 'option.sudoPassword' was null

My job option name is sudo, so why is it calling for 'option.sudoPassword'?
I have also tried changing the job option name to sudoPassword, no luck, it still gets stuck.

Best regards,

rac...@rundeck.com

Sep 4, 2024, 1:03:09 PM
to rundeck-discuss

Hi,

Could you share your remote node entry and project configuration? The sudo-password-option parameter must override that default option name. Please double-check your remote node entry/project config.

Ok, some things to consider:

  1. SSHJ is the “new” default SSH node executor but right now has some problems with sudo (like this).
  2. If you want to stay with SSHJ you must configure the user’s sudoers entry with NOPASSWD (it works on my end).
  3. Another good workaround is to switch the default node executor to JSCH; the sudo config works well there. The problem with this node executor is that it doesn’t support ECDSA keys. So you need to re-admit “old” JSCH-supported keys on remote nodes, as in this answer.

Regards.

Diogène Mutombo

Sep 7, 2024, 12:23:48 PM
to rundeck-discuss
Hello,

Here is the project configuration:

project.name=EXPLOITATION
project.ssh-authentication=privateKey
project.sudo-command-enabled=true
project.sudo-command-pattern=^sudo.*
project.sudo-password-option=option.sudoPassword
project.sudo-prompt-pattern=^.*passe.*
resources.source.1.type=local
resources.source.2.config.ansible-gather-facts=true
resources.source.2.config.ansible-ignore-errors=true
resources.source.2.config.ansible-inventory=/opt/rundeck/ansible/inventaire/
resources.source.2.config.ansible-ssh-auth-type=privateKey
resources.source.2.config.ansible-ssh-keypath=/opt/rundeck/.ssh/id_rsa
resources.source.2.config.ansible-ssh-user=testuser
resources.source.2.type=com.batix.rundeck.plugins.AnsibleResourceModelSourceFactory
service.FileCopier.default.provider=sshj-scp
service.NodeExecutor.default.provider=sshj-ssh

I am using an Ansible inventory:
[NODE1]
a69sv-ns01 ansible_host=192.168.30.150
[attached screenshot: node.png]

Best regards,

rac...@rundeck.com

Sep 9, 2024, 8:16:36 AM
to rundeck-discuss
Hi,

In that case, the best approach is to use the Ansible privilege escalation config on the Ansible Model Source.

Regards.

Diogène Mutombo

Sep 9, 2024, 11:58:38 AM
to rundeck-discuss
In this case I don't use a playbook; it is a simple shell script that I need to execute on a remote node, but the node inventory is an Ansible model.

Best regards,

rac...@rundeck.com

Sep 9, 2024, 12:07:40 PM
to rundeck-discuss
Yes, but if you look at the Ansible model source, you can see the Privilege Escalation section. You can dispatch command/script steps using the Ansible model source.

Basically, you can delegate the sudo stuff to the ansible config/model source. Could you test this?

Regards.