ansible / ansible-modules-core

Ansible modules - these modules ship with ansible

copy module doesn't work when using sudo with sudo password #893

Closed moralloki closed 9 years ago

moralloki commented 9 years ago

Upgrading from v1.8.2 to v1.8.4, the following error occurs when using the copy module and sudo:

```
fatal: [hostname] => ssh connection closed waiting for sudo or su password prompt
```

This only happens when running in a playbook. An ad hoc copy command doesn't exhibit this behavior.

bcoca commented 9 years ago

I just tested with a simple playbook and it worked normally, do you have a minimal test case that can reproduce it?

```
- hosts: test1
  gather_facts: False
  tasks:
    - copy:  src=test.txt  dest=/tmp/test.txt
      sudo: true
```

moralloki commented 9 years ago

Tested with the following playbook:

```
- hosts: testhost
  gather_facts: False
  tasks:
    - copy:  src=test.txt  dest=/tmp/test.txt
      sudo: true
```

Under ansible v1.8.2 it runs without error. After upgrading to v1.8.4 I get the fatal error mentioned above (with and without test.txt on the remote host).

Output with -vvv:

```
PLAY [testhost] ************************************************

TASK: [copy src=test.txt  dest=/tmp/test.txt] *********************************
<testhost>
<testhost> ConnectTimeout=10 'sudo -k && sudo -H -S -p "[sudo via ansible, key=wzhfxuhysegzwsommrcvxylqzdzapcwq] password: " -u root /bin/sh -c '"'"'echo SUDO-SUCCESS-wzhfxuhysegzwsommrcvxylqzdzapcwq; rc=flag; [ -r '"'"'"'"'"'"'"'"'/tmp/test.txt'"'"'"'"'"'"'"'"' ] || rc=2; [ -f '"'"'"'"'"'"'"'"'/tmp/test.txt'"'"'"'"'"'"'"'"' ] || rc=1; [ -d '"'"'"'"'"'"'"'"'/tmp/test.txt'"'"'"'"'"'"'"'"' ] && rc=3; python -V 2>/dev/null || rc=4; [ x"$rc" != "xflag" ] && echo "${rc}"'"'"'"'"'"'"'"'"'  /tmp/test.txt'"'"'"'"'"'"'"'"' && exit 0; (python -c '"'"'"'"'"'"'"'"'import hashlib; BLOCKSIZE = 65536; hasher = hashlib.sha1();
afile = open("/tmp/test.txt", "rb")
buf = afile.read(BLOCKSIZE)
while len(buf) > 0:
hasher.update(buf)
buf = afile.read(BLOCKSIZE)
afile.close()
print(hasher.hexdigest())'"'"'"'"'"'"'"'"' 2>/dev/null) || (python -c '"'"'"'"'"'"'"'"'import sha; BLOCKSIZE = 65536; hasher = sha.sha();
afile = open("/tmp/test.txt", "rb")
buf = afile.read(BLOCKSIZE)
while len(buf) > 0:
hasher.update(buf)
buf = afile.read(BLOCKSIZE)
afile.close()
print(hasher.hexdigest())'"'"'"'"'"'"'"'"' 2>/dev/null) || (echo '"'"'"'"'"'"'"'"'0  /tmp/test.txt'"'"'"'"'"'"'"'"')'"'"'' PasswordAuthentication=no KbdInteractiveAuthentication=no ControlPath=/home/user/.ansible/cp/ansible-ssh-%h-%p-%r PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey ControlMaster=auto ControlPersist=60s
fatal: [testhost] => ssh connection closed waiting for sudo or su password prompt
```

moralloki commented 9 years ago

I should also mention that this is using the ansible package provided by Fedora 20.

abadger commented 9 years ago

How is your /etc/sudoers setup for this user? If it requires a password for that user to sudo then you need to use ansible-playbook -K (aka --ask-sudo-pass) in order to use this playbook.

I have just tested on Fedora 21 and this is working there:

/etc/sudoers:

```
[...]
#includedir /etc/sudoers.d
badger  ALL=NOPASSWD:ALL
```

```
ansible-playbook sudo.yml -c ssh

PLAY [localhost] **************************************************************

TASK: [copy src=test.txt  dest=/tmp/test.txt] *********************************
ok: [localhost]

PLAY RECAP ********************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=0
[pts/8@roan /srv/ansible/ansible-friday]$ rpm -q ansible                                        *[devel]  (07:46:06)
ansible-1.8.4-1.fc21.noarch
[pts/8@roan /srv/ansible/ansible-friday]$ ansible --version                                     *[devel]  (07:46:10)
ansible 1.8.4
  configured module search path = None
```

moralloki commented 9 years ago

My apologies, I never showed how I was running the command. Here's the command used to generate the verbose output from the last run:

```
$ ansible-playbook t2.yml -K -vvv
sudo password: ***
```

We're not able to use the NOPASSWD option for sudoers in our environment.

abadger commented 9 years ago

Okay, it's wise to not use NOPASSWD :-) That configuration works for me as well though:

```
$ sudo whoami
[sudo] password for badger: ^C
$ ansible-playbook sudo.yml -c ssh -K
sudo password: ****

PLAY [localhost] **************************************************************

TASK: [copy src=test.txt dest=/tmp/test.txt] *********************************
ok: [localhost]

PLAY RECAP ********************************************************************
localhost : ok=1 changed=0 unreachable=0 failed=0
```

Probably best to take this to the ansible-project mailing list at this point since it's likely a configuration issue with sudo. More people will have more ideas as to what might be wrong. I'll paste the mailing list information below.

The only other thing I can think to check is that the user you're using to ssh to the remote box has permission to sudo on the remote box. If they don't have permission to sudo you could get this error message as well.

# Cannot Reproduce

Hi! Thanks very much for your submission to Ansible. It sincerely means a lot to us.

Testing this on the version you have specified, we cannot reproduce this problem. As such, we are most likely going to close this ticket.

Should you disagree with this conclusion, you may also wish to join our mailing lists, which are very active:

- https://groups.google.com/forum/#!forum/ansible-project - for user questions, tips, and tricks
- https://groups.google.com/forum/#!forum/ansible-devel - for strategy, future planning, and questions about writing code

Thank you once again for this and your interest in Ansible!

moralloki commented 9 years ago

thanks for your help

matazar commented 9 years ago

I'm also running into this problem, which seems to affect the fetch modules as well. These are the results of the playbook @moralloki has above, first with ansible 1.8.4, followed by 1.8.2.

```
[mathewm:~/ansible]  ansible --version
ansible 1.8.4
  configured module search path = None
[mathewm:~/ansible]  ansible-playbook -K -i dev copy.yml
sudo password:

PLAY [ferra.sandbox.local] ****************************************************

TASK: [copy src=test.txt  dest=/tmp/test.txt] *********************************
fatal: [ferra.sandbox.local] => ssh connection closed waiting for sudo or su password prompt

FATAL: all hosts have already failed -- aborting

PLAY RECAP ********************************************************************
           to retry, use: --limit @/home/mathewm/copy.retry

ferra.sandbox.local        : ok=0    changed=0    unreachable=1    failed=0
```

After uninstalling 1.8.4 and reinstalling 1.8.2:

```
[mathewm:~/ansible]  ansible --version
ansible 1.8.2
  configured module search path = None
[mathewm:~/ansible]  ansible-playbook -K -i dev copy.yml
sudo password:

PLAY [ferra.sandbox.local] ****************************************************

TASK: [copy src=test.txt  dest=/tmp/test.txt] *********************************
changed: [ferra.sandbox.local]

PLAY RECAP ********************************************************************
ferra.sandbox.local        : ok=1    changed=1    unreachable=0    failed=0
```

Ansible is being run on OpenSUSE 13.1. The host ferra.sandbox.local is FreeBSD 10.1
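
Added example, not part of the thread and not Ansible's code: a simplified model of the handshake implied by the `-vvv` command line above, where the remote side prints either the keyed prompt or the `SUDO-SUCCESS-<key>` marker, and the reported error corresponds to the stream closing before either appears. The function names and the chunk sequences are assumptions constructed for illustration.

```python
import re

# Simplified model of the handshake implied by the -vvv log; not Ansible's code.
# parse_handshake() and classify() are hypothetical names.
PROMPT_RE = re.compile(r"\[sudo via ansible, key=([a-z]+)\] password: ")

# Abbreviated from the logged command line in the thread ("..." marks the cut).
LOGGED = ('sudo -k && sudo -H -S -p "[sudo via ansible, '
          'key=wzhfxuhysegzwsommrcvxylqzdzapcwq] password: " -u root /bin/sh -c '
          "'echo SUDO-SUCCESS-wzhfxuhysegzwsommrcvxylqzdzapcwq; ...'")


def parse_handshake(cmdline):
    """Return (prompt, success_marker) taken from a logged sudo command line."""
    m = PROMPT_RE.search(cmdline)
    if m is None:
        raise ValueError("no '[sudo via ansible, key=...]' prompt found")
    marker = "SUDO-SUCCESS-" + m.group(1)
    if marker not in cmdline:
        raise ValueError("prompt key and SUDO-SUCCESS marker do not match")
    return m.group(0), marker


def classify(chunks, prompt, marker):
    """Consume remote output chunk by chunk; an empty chunk models EOF.

    Returns (state, output_seen_so_far).
    """
    seen = ""
    for chunk in chunks:
        if chunk == "":
            # Stream ended before prompt or marker: the case reported as
            # "ssh connection closed waiting for sudo or su password prompt".
            return "closed", seen
        seen += chunk
        if marker in seen:
            return "no-password-needed", seen   # sudo ran without asking
        if seen.endswith(prompt):
            return "send-password", seen        # write the -K password now
    return "still-waiting", seen


if __name__ == "__main__":
    prompt, marker = parse_handshake(LOGGED)
    # Constructed chunk sequences, not captured traffic.
    print(classify([prompt[:10], prompt[10:]], prompt, marker))
    print(classify([marker + "\n"], prompt, marker))
    print(classify(["unrelated remote output\n", ""], prompt, marker))
```

In the `closed` case the second element of the result is whatever the remote side sent instead of the prompt, which is the first thing to inspect.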