ansible / ansible

Ansible is a radically simple IT automation platform that makes your applications and systems easier to deploy and maintain. Automate everything from code deployment to network configuration to cloud management, in a language that approaches plain English, using SSH, with no agents to install on remote systems. https://docs.ansible.com.
https://www.ansible.com/
GNU General Public License v3.0

gather_facts/setup fails with encrypted sudo password #57061

Open SadFaceSmith opened 5 years ago

SadFaceSmith commented 5 years ago
SUMMARY

When gather_facts is enabled in a playbook that has a vaulted sudo password, the gather_facts task fails. Ad hoc setup module commands with -K and -k work (but not with the playbook below, even when all vault/become sections are commented out).

ISSUE TYPE
COMPONENT NAME

gather_facts setup ansible vault

ANSIBLE VERSION
ansible-playbook 2.7.10
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible-playbook
  python version = 2.7.5 (default, Sep 12 2018, 05:31:16) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]
CONFIGURATION
DEFAULT_BECOME(/etc/ansible/ansible.cfg) = True
DEFAULT_BECOME_ASK_PASS(/etc/ansible/ansible.cfg) = False
DEFAULT_BECOME_METHOD(/etc/ansible/ansible.cfg) = sudo
DEFAULT_BECOME_USER(/etc/ansible/ansible.cfg) = root
DEFAULT_HOST_LIST(/etc/ansible/ansible.cfg) = [u'/etc/ansible/sat_inventory']
DEFAULT_LOG_PATH(/etc/ansible/ansible.cfg) = /var/log/ansible.log
DEFAULT_PRIVATE_KEY_FILE(/etc/ansible/ansible.cfg) = /home/users/svc_ansible/.ssh/id_rsa
DEFAULT_REMOTE_USER(/etc/ansible/ansible.cfg) = svc_ansible
DEFAULT_ROLES_PATH(/etc/ansible/ansible.cfg) = [u'/etc/ansible/roles', u'/usr/share/ansible/roles']
DEFAULT_VAULT_PASSWORD_FILE(/etc/ansible/ansible.cfg) = /etc/ansible/vaultpass
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
INVENTORY_ENABLED(/etc/ansible/ansible.cfg) = [u'foreman', u'ini', u'host_list', u'yaml', u'']
PARAMIKO_HOST_KEY_AUTO_ADD(/etc/ansible/ansible.cfg) = True
OS / ENVIRONMENT

Control host: RHEL 7.6 Target System: RHEL 7.6

STEPS TO REPRODUCE

Create a playbook with a vaulted ansible_become_pass and gather_facts: True

---
- name: Config
  hosts: all
  become: yes
  gather_facts: True
  vars:
    ansible_become_password: !vault |
      $ANSIBLE_VAULT;1.2;AES256;
      < encrypted string blob >
  tasks:
    - name: include_vars
      include_vars: /etc/ansible/ansiblesudo.yml
    - import_role:
        name: network
    - import_role:
        name: sat_register7
    - import_role:
        name: sshkey
    - import_role:
        name: ldap
    - import_role:
        name: firewalld
    - import_role:
        name: ntp
    - import_role:
        name: config_files

EXPECTED RESULTS

gather_facts runs and populates host vars. Then the roles are imported and run.

ACTUAL RESULTS

The inventory is parsed and the Ansible SSH login is performed, but sudo fails with 'incorrect sudo password'.

/var/log/secure on the target system shows "incorrect password attempt" (authentication failure)

When gather_facts is set to False, roles that require sudo run w/o issue.

Manual ssh and sudo -i to the target host work. Attachment: ansible_error.txt
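The thread never pins down why the vaulted value is rejected while the plaintext one works, so the first thing to check on the control host is what the vaulted become password actually decrypts to, including characters that are invisible in YAML such as a trailing newline. The following is an added example, not Ansible's code and not something the reporter posted: it reimplements the documented Vault AES256 envelope (PBKDF2-HMAC-SHA256 key derivation, AES-256-CTR, PKCS7 padding, HMAC-SHA256 over the ciphertext, hex wrapped at 80 columns, 1.1 or 1.2 header) so that a value can be round-tripped and inspected offline. It assumes the third-party `cryptography` package is installed; `decrypts_with` and `check_become_pass` are hypothetical helper names, and the vault password and plaintext in the `__main__` block are constructed sample values.

```python
"""Round-trip and inspect an Ansible Vault AES256 value (added example).

Not Ansible's own code. It reproduces the documented Vault envelope:
header line "$ANSIBLE_VAULT;1.1;AES256" (or ";1.2;AES256;<vault id>"),
then hex of ("salt-hex\\nhmac-hex\\nciphertext-hex"), wrapped at 80 columns.
Keys come from PBKDF2-HMAC-SHA256 (10000 rounds, 32-byte salt, 80 bytes out):
AES-256 key | HMAC-SHA256 key | 16-byte CTR nonce. Plaintext is PKCS7-padded.
Requires the third-party `cryptography` package for AES-CTR (assumption).
"""
import binascii
import hashlib
import hmac
import os

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

HEADER = "$ANSIBLE_VAULT"


def _derive(secret: bytes, salt: bytes):
    """Return (aes_key, hmac_key, nonce) the way the Vault AES256 cipher does."""
    material = hashlib.pbkdf2_hmac("sha256", secret, salt, 10000, dklen=80)
    return material[:32], material[32:64], material[64:80]


def vault_encrypt(plaintext: bytes, secret: bytes, vault_id=None) -> str:
    """Produce a Vault envelope; passing a vault_id selects the 1.2 header form."""
    salt = os.urandom(32)
    aes_key, hmac_key, nonce = _derive(secret, salt)
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(aes_key), modes.CTR(nonce)).encryptor()
    ciphertext = enc.update(padded) + enc.finalize()
    mac = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    inner = b"\n".join(binascii.hexlify(part) for part in (salt, mac, ciphertext))
    outer = binascii.hexlify(inner).decode("ascii")
    header = f"{HEADER};1.2;AES256;{vault_id}" if vault_id else f"{HEADER};1.1;AES256"
    body = "\n".join(outer[i:i + 80] for i in range(0, len(outer), 80))
    return f"{header}\n{body}\n"


def vault_decrypt(envelope: str, secret: bytes) -> bytes:
    """Verify the HMAC and decrypt; raises ValueError on a bad header or MAC."""
    lines = envelope.strip().splitlines()
    fields = lines[0].split(";")
    if len(fields) < 3 or fields[0] != HEADER or fields[2] != "AES256":
        raise ValueError(f"unsupported vault header: {lines[0]!r}")
    if fields[1] not in ("1.1", "1.2"):
        raise ValueError(f"unsupported vault format version: {fields[1]!r}")
    # ansible-vault writes a vault-id label after the cipher in 1.2 headers;
    # this example's own check insists on it so a truncated header is noticed.
    if fields[1] == "1.2" and (len(fields) < 4 or not fields[3].strip()):
        raise ValueError("format 1.2 header without a vault id label")
    inner = binascii.unhexlify("".join(lines[1:]).strip())
    salt, mac, ciphertext = (binascii.unhexlify(part) for part in inner.split(b"\n"))
    aes_key, hmac_key, nonce = _derive(secret, salt)
    expected = hmac.new(hmac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        raise ValueError("HMAC mismatch: wrong vault password or altered blob")
    dec = Cipher(algorithms.AES(aes_key), modes.CTR(nonce)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def decrypts_with(envelope: str, secret: bytes) -> bool:
    """Hypothetical helper: True if the envelope authenticates under this vault password."""
    try:
        vault_decrypt(envelope, secret)
        return True
    except ValueError:
        return False


def check_become_pass(plaintext: bytes) -> list:
    """Hypothetical helper: flag invisible characters sudo would treat as part of the password."""
    findings = []
    if plaintext.endswith((b"\n", b"\r")):
        findings.append("trailing newline")
    core = plaintext.rstrip(b"\r\n")
    if core != core.strip():
        findings.append("leading or trailing whitespace")
    if not core:
        findings.append("empty password")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not credentials from the issue.
    vault_secret = b"example-vault-password"
    blob = vault_encrypt(b"s3cret-sudo-pw\n", vault_secret, vault_id="prod")
    print(blob)
    recovered = vault_decrypt(blob, vault_secret)
    print("findings:", check_become_pass(recovered))
```

To inspect a real value, paste the `!vault` block body (header line included) into `vault_decrypt` together with the contents of the vault password file and run `check_become_pass` on the result; a finding such as "trailing newline" means the string that reaches sudo is not the one that works at an interactive prompt.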

ansibot commented 5 years ago

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.


ansibot commented 5 years ago

cc @davidobrien1985

myroslavrys commented 5 years ago

Having the same issue. With an encrypted ansible_become_pass I receive the error: fatal: [node1]: FAILED! => {"msg": "Incorrect sudo password"}

Everything works with plaintext ansible_become_pass.

acolden commented 5 years ago

I have the same as @Smithe2413 but my vaulted passwords are in group_vars/*/vault.yml files.

Rolling back to 2.8.6 as it works fine.

jwrn3 commented 5 years ago

> I have the same as @Smithe2413 but my vaulted passwords are in group_vars/*/vault.yml files.
>
> Rolling back to 2.8.6 as it works fine.

I have found the same and reverted to 2.8.6 to fix the issue. The vaulted password is stored individually in host_vars/$hostname.yaml. Example of a failing playbook:

---
- hosts: "{{ host | default('all') }}"
  remote_user: root
  become: true
  tasks:
    - name: Checking for ping
      ping:

ansibot commented 4 years ago

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.

