mitogen-hq / mitogen

Distributed self-replicating programs in Python
https://mitogen.networkgenomics.com/
BSD 3-Clause "New" or "Revised" License

sudo password required when using shell module #466

Open lconnell opened 5 years ago

lconnell commented 5 years ago

I am running Mitogen 0.2.3. It works very well except today I ran a playbook that executes the shell module and it ends up failing asking for a sudo password which should not be required. The same playbook works fine without Mitogen.

{"msg": "error occurred on host myhost: sudo password is required"

Controller

ansible 2.4.2.0
  config file = /Users/lconne203/Dev/git/ansible/plays/ansible_pss_snap_play/ansible.cfg
  configured module search path = [u'/Users/lconne203/Dev/git/ansible/plays/ansible_pss_snap_play/.library/ansible_iptables_raw_module']
  ansible python module location = /usr/local/lib/python2.7/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 2.7.15 (default, Oct  2 2018, 11:47:18) [GCC 4.2.1 Compatible Apple LLVM 10.0.0 (clang-1000.11.45.2)]

Target

Python 2.7.5

Dump

ANSIBLE_PIPELINING(/Users/lconne203/Dev/git/ansible/plays/ansible_pss_snap_play/ansible.cfg) = True
DEFAULT_CALLBACK_WHITELIST(/Users/lconne203/Dev/git/ansible/plays/ansible_pss_snap_play/ansible.cfg) = ['skippy', 'actionable', 'dense']
DEFAULT_FORKS(/Users/lconne203/Dev/git/ansible/plays/ansible_pss_snap_play/ansible.cfg) = 20
DEFAULT_GATHERING(/Users/lconne203/Dev/git/ansible/plays/ansible_pss_snap_play/ansible.cfg) = smart
DEFAULT_HOST_LIST(/Users/lconne203/Dev/git/ansible/plays/ansible_pss_snap_play/ansible.cfg) = [u'/Users/lconne203/Dev/git/ansible/plays/ansi
DEFAULT_JINJA2_EXTENSIONS(/Users/lconne203/Dev/git/ansible/plays/ansible_pss_snap_play/ansible.cfg) = jinja2.ext.do
DEFAULT_MODULE_NAME(/Users/lconne203/Dev/git/ansible/plays/ansible_pss_snap_play/ansible.cfg) = shell
DEFAULT_MODULE_PATH(/Users/lconne203/Dev/git/ansible/plays/ansible_pss_snap_play/ansible.cfg) = [u'/Users/lconne203/Dev/git/ansible/plays/an
DEFAULT_REMOTE_USER(/Users/lconne203/Dev/git/ansible/plays/ansible_pss_snap_play/ansible.cfg) = ansible
DEFAULT_ROLES_PATH(/Users/lconne203/Dev/git/ansible/plays/ansible_pss_snap_play/ansible.cfg) = [u'/Users/lconne203/Dev/git/ansible/plays/ans
DEFAULT_STDOUT_CALLBACK(/Users/lconne203/Dev/git/ansible/plays/ansible_pss_snap_play/ansible.cfg) = skippy
DEFAULT_STRATEGY(/Users/lconne203/Dev/git/ansible/plays/ansible_pss_snap_play/ansible.cfg) = mitogen_linear
DEFAULT_STRATEGY_PLUGIN_PATH(/Users/lconne203/Dev/git/ansible/plays/ansible_pss_snap_play/ansible.cfg) = [u'/app/mitogen-0.2.3/ansible_mitog
DEFAULT_TIMEOUT(/Users/lconne203/Dev/git/ansible/plays/ansible_pss_snap_play/ansible.cfg) = 300
HOST_KEY_CHECKING(/Users/lconne203/Dev/git/ansible/plays/ansible_pss_snap_play/ansible.cfg) = False
MERGE_MULTIPLE_CLI_TAGS(/Users/lconne203/Dev/git/ansible/plays/ansible_pss_snap_play/ansible.cg) = True

lconnell commented 5 years ago

So I just figured out that it only happens if the code is nested under a "block". It works fine if I take the shell commands and move them outside of the "block".

- name: Set cluster name - THIS WORKS
  shell: /usr/bin/docker exec rabbitmq rabbitmqctl set_cluster_name {{ rabbitmq_cluster_name }}

- block:
  - name: Set cluster name - THIS DOES NOT
    shell: /usr/bin/docker exec rabbitmq rabbitmqctl set_cluster_name {{ rabbitmq_cluster_name }}

dw commented 5 years ago

Very curious.. high level syntax details should not be leaking down into the connection layer, but Mitogen has some nasty hacks in some places to make things work, so it's definitely possible.

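Please confirm:

  • Does the run otherwise typically need a sudo password to succeed?
  • Where is the become:true being set? Commandline/role/etc.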

Thanks for reporting

dw commented 5 years ago

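If any of the following variables are set, can you please indicate where they are being set (maybe even in ansible.cfg or inventory):

  • become_user
  • become_pass / ansible_become_password
  • ansible_python_interpreter
  • become_exe
  • sudo_args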

Thanks

lconnell commented 5 years ago

On Fri, Jan 18, 2019 at 5:02 PM dw notifications@github.com wrote:

Very curious.. high level syntax details should not be leaking down into the connection layer, but Mitogen has some nasty hacks in some places to make things work, so it's definitely possible.

Please confirm:

  • Does the run otherwise typically need a sudo password to succeed?
  • Where is the become:true being set? Commandline/role/etc.

Thanks for reporting

lconnell commented 5 years ago

None of the variables you provided are set. Defaults are used.

On Fri, Jan 18, 2019 at 5:06 PM dw notifications@github.com wrote:

If any of the following variables are set, can you please indicate where they are being set (maybe even in ansible.cfg or inventory):

  • become_user
  • become_pass / ansible_become_password
  • ansible_python_interpreter
  • become_exe
  • sudo_args

Thanks

dw commented 5 years ago

Can you please provide ansible-playbook -vvv output snippets for both your runs (the example that works, and the example that does not). I am hoping it might reveal a parameter difference, or some output produced by sudo that is somehow confusing the library.

The interesting lines look like this:

[pid 22043] 12:07:40.919705 D mitogen.ctx.ssh.localhost: mitogen.sudo: sudo command line: ['sudo', '-u', u'root', '-H', '--', u'/usr/bin/python', '-c', u'import codecs,os,sys;_=codecs.decode;exec(_(_("eNqFkDFrwzAQhef4V3g7iYhYTp3FIGjJUDqUginN0IZgR3Ir6khCdqKmv74XpxA7Hbrdx3t373gFWwnbzpx2itDIszAgXccItfWfhObRBGe5d3PCWco5vXDBhuRRTc+8bWyrSDEEP4TVEAICBrZHjG/KDlN3sRAxyNIHbSAujexF9aW2+66sGtXLyb71SaVN4o7dhzWAf06ubFPRLx6Ub7U1r/nNuo9V5qA9MtwV9y8c1mK8dvYgNmQssDFOgex0Z9+VyeUu3KpG6iafz9NFRoFGeCN43SmSMnh8eH7inL8ZwOytlVgxjZZiQ04lS+uUwWrBV0BnXpWSpFm24JTBt3Z4qXbi4lsxCBWceq/db8Cyn89dXrnDf+6/X6ajL38AKNOr3w==".encode(),"base64"),"zip"))']
[pid 22043] 12:07:40.922871 D mitogen.ctx.ssh.localhost: mitogen: hybrid_tty_create_child() pid=22213 stdio=18, tty=17, cmd: sudo -u root -H -- /usr/bin/python -c "import codecs,os,sys;_=codecs.decode;exec(_(_(\"eNqFkDFrwzAQhef4V3g7iYhYTp3FIGjJUDqUginN0IZgR3Ir6khCdqKmv74XpxA7Hbrdx3t373gFWwnbzpx2itDIszAgXccItfWfhObRBGe5d3PCWco5vXDBhuRRTc+8bWyrSDEEP4TVEAICBrZHjG/KDlN3sRAxyNIHbSAujexF9aW2+66sGtXLyb71SaVN4o7dhzWAf06ubFPRLx6Ub7U1r/nNuo9V5qA9MtwV9y8c1mK8dvYgNmQssDFOgex0Z9+VyeUu3KpG6iafz9NFRoFGeCN43SmSMnh8eH7inL8ZwOytlVgxjZZiQ04lS+uUwWrBV0BnXpWSpFm24JTBt3Z4qXbi4lsxCBWceq/db8Cyn89dXrnDf+6/X6ajL38AKNOr3w==\".encode(),\"base64\"),\"zip\"))"
[pid 22043] 12:07:40.923133 D mitogen.ctx.ssh.localhost: mitogen: mitogen.sudo.Stream(u'local.22213').connect(): stdin=18, stdout=19, diag=17
[pid 22043] 12:07:40.927054 D mitogen.ctx.ssh.localhost: mitogen.sudo: mitogen.sudo.Stream(u'local.22213'): received '[sudo] password for dmw: '
[pid 22043] 12:07:40.927364 D mitogen.ctx.ssh.localhost: mitogen: mitogen.sudo.Stream(u'local.22213').on_disconnect()
[pid 22043] 12:07:40.927551 D mitogen.ctx.ssh.localhost: mitogen: mitogen.parent.DiagLogStream(fd=17, u'local.22213').on_disconnect()
[pid 22043] 12:07:40.927712 D mitogen.ctx.ssh.localhost: mitogen: mitogen.sudo.Stream(u'local.22213'): child process still alive, sending SIGTERM

Thanks again
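
One way to make the comparison requested above, as an added example that is not part of the thread or of Mitogen's code: it reads the `mitogen.sudo` debug lines in the format quoted here and reports the logging context, the sudo argv and whether a password prompt was received. The sample lines, host names and the helper names `summarize` and `argv_diff` are constructed for illustration.

```python
import ast
import re

# The two mitogen.sudo debug lines quoted in this thread.
CMDLINE_RE = re.compile(r"D (\S+): mitogen\.sudo: sudo command line: (\[.*\])\s*$")
PROMPT_RE = re.compile(r"mitogen\.sudo: .*: received (['\"].*['\"])\s*$")


def summarize(log_text):
    """Return (logging context, sudo argv with payload elided, prompt seen?)."""
    context, argv, prompted = None, None, False
    for line in log_text.splitlines():
        m = CMDLINE_RE.search(line)
        if m:
            context = m.group(1)
            # The logged value is a Python list repr; u'' prefixes parse on Python 3.
            argv = ast.literal_eval(m.group(2))
            # Elide what follows "-c": the bootstrap payload differs on every run.
            if "-c" in argv:
                argv = argv[: argv.index("-c") + 1] + ["<bootstrap>"]
            continue
        m = PROMPT_RE.search(line)
        if m and "password" in ast.literal_eval(m.group(1)).lower():
            prompted = True
    return context, argv, prompted


def argv_diff(a, b):
    """Arguments present in only one command line (order and repeats ignored)."""
    return sorted(set(a) ^ set(b))


# Constructed sample lines in the thread's log format (payloads shortened).
RUN_A = """\
[pid 100] 12:00:00.000001 D mitogen.ctx.ssh.hostA: mitogen.sudo: sudo command line: ['sudo', '-u', u'root', '-H', '--', u'/usr/bin/python', '-c', u'import codecs']
[pid 100] 12:00:00.000002 D mitogen.ctx.ssh.hostA: mitogen.sudo: mitogen.sudo.Stream(u'local.1'): received '[sudo] password for user1: '
"""
RUN_B = """\
[pid 200] 12:00:00.000001 D mitogen.ctx.ssh.hostB: mitogen.sudo: sudo command line: ['sudo', '-u', u'root', '-H', u'/usr/bin/python', '-c', u'import codecs']
"""

if __name__ == "__main__":
    a, b = summarize(RUN_A), summarize(RUN_B)
    print("run A:", a)
    print("run B:", b)
    print("argv differences:", argv_diff(a[1], b[1]))
```
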

lconnell commented 5 years ago

Here you go.

[pid 86544] 18:25:47.173603 D mitogen.ctx.ssh.localhost: mitogen.sudo: sudo command line: ['sudo', '-u', u'root', '-H', '/usr/bin/python', '-c', u'import codecs,os,sys;_=codecs.decode;exec(_(_("eNqFkcFLwzAYxc/rX9FbEpZ1yXQKhYKyg3gQoYg76JC0TTXYJSFJV+df77dOWDsPHgLfj/eS98iX03VmfGKVlZhEjnYDUnUMUBv3iUkaTWCuWrvAjHLGyIlzOiQHKj9y2RgvcT4EN4T1EDoACPR7iG9EgNRtnGUxqoTrlEax0FUvyi9ZtkEUjezleevdvFB6bvfhw2gEPSdntmnWX9xJ55XRL+nFpo+VeqccMLrN754Z2mTja0cPYIPHAh3jFOGtCuZd6rQpjdZywS5uvBbWiaJQYdZ6KXzgYsbg7GXTmC45yElptiUoiZYhXV7xJUEkgsjOqSAxp+jh/umRMfaqEVQtTQUbIdEqe8OHnVTGSg2bQK5AJHFSVJgvri85oehbWXipttnJt6aoK9BhTbX9DVj18/Hrz9zdf+6/Lfmo5Q/8c70U".encode(),"base64"),"zip"))']
[pid 86544] 18:25:47.176762 D mitogen.ctx.ssh.localhost: mitogen: hybrid_tty_create_child() pid=5816 stdio=67, tty=66, cmd: sudo -u root -H /usr/bin/python -c "import codecs,os,sys;_=codecs.decode;exec(_(_(\"eNqFkcFLwzAYxc/rX9FbEpZ1yXQKhYKyg3gQoYg76JC0TTXYJSFJV+df77dOWDsPHgLfj/eS98iX03VmfGKVlZhEjnYDUnUMUBv3iUkaTWCuWrvAjHLGyIlzOiQHKj9y2RgvcT4EN4T1EDoACPR7iG9EgNRtnGUxqoTrlEax0FUvyi9ZtkEUjezleevdvFB6bvfhw2gEPSdntmnWX9xJ55XRL+nFpo+VeqccMLrN754Z2mTja0cPYIPHAh3jFOGtCuZd6rQpjdZywS5uvBbWiaJQYdZ6KXzgYsbg7GXTmC45yElptiUoiZYhXV7xJUEkgsjOqSAxp+jh/umRMfaqEVQtTQUbIdEqe8OHnVTGSg2bQK5AJHFSVJgvri85oehbWXipttnJt6aoK9BhTbX9DVj18/Hrz9zdf+6/Lfmo5Q/8c70U\".encode(),\"base64\"),\"zip\"))"
[pid 86544] 18:25:47.177748 D mitogen.ctx.ssh.localhost: mitogen: mitogen.sudo.Stream(u'local.5816').connect(): child process stdin/stdout=67
[pid 86544] 18:25:47.218292 D mitogen.ctx.ssh.localhost: mitogen.sudo: mitogen.sudo.Stream(u'local.5816'): received '\nWe trust you have received the usual lecture from the local System\nAdministrator. It usually boils down to these three things:\n\n    #1) Respect the privacy of others.\n    #2) Think before you type.\n    #3) With great power comes great responsibility.\n\n[sudo] password for lconne203: '
[pid 86544] 18:25:47.219409 D mitogen.ctx.ssh.localhost: mitogen: mitogen.sudo.Stream(u'local.5816'): child process still alive, sending SIGTERM
[pid 86582] 18:25:47.221503 D mitogen: mitogen.core.Stream(u'unix_listener.86544').on_disconnect()
[pid 86544] 18:25:47.222382 D mitogen: mitogen.core.Stream(u'unix_client.86582').on_disconnect()
[pid 86582] 18:25:47.222574 D mitogen: Waker(Broker(0x10c2b7650) rfd=44, wfd=45).on_disconnect()
fatal: [localhost]: FAILED! => {
    "msg": "error occurred on host localhost: sudo password is required"

This is without Mitogen on the same play

task path: /Users/lconne203/Dev/git/ansible/plays/ansible_pss_snap_play/roles/ansible_adr_rabbitmq_role/tasks/cluster.yml:13
Using module file /Users/lconne203/Dev/git/ansible/plays/ansible_pss_snap_play/.venv/lib/python2.7/site-packages/ansible/modules/commands/command.py
<localhost> ESTABLISH SSH CONNECTION FOR USER: ansible
<localhost> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=300 -o ControlPath=/Users/lconne203/.ansible/cp/05c5f8b286 localhost '/bin/sh -c '"'"'sudo -H -S -n -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-rzmoupkjjpjpduryygrcavblvhouuzje; /usr/bin/python'"'"'"'"'"'"'"'"' && sleep 0'"'"''
Escalation succeeded
<localhost> (0, '\n{"changed": true, "end": "2019-01-23 17:20:10.605098", "stdout": "Setting cluster name to snap ...", "cmd": "/usr/bin/docker exec rabbitmq rabbitmqctl set_cluster_name snap", "rc": 0, "start": "2019-01-23 17:20:09.486514", "stderr": "", "delta": "0:00:01.118584", "invocation": {"module_args": {"warn": true, "executable": null, "_uses_shell": true, "_raw_params": "/usr/bin/docker exec rabbitmq rabbitmqctl set_cluster_name snap", "removes": null, "argv": null, "creates": null, "chdir": null, "stdin": null}}}\n', '') 
changed: [localhost -> localhost] => { 
    "changed": true, 
    "cmd": "/usr/bin/docker exec rabbitmq rabbitmqctl set_cluster_name snap", 
    "delta": "0:00:01.118584", 
    "end": "2019-01-23 17:20:10.605098", 
    "invocation": {
        "module_args": {
            "_raw_params": "/usr/bin/docker exec rabbitmq rabbitmqctl set_cluster_name snap", 
            "_uses_shell": true, 
            "argv": null, 
            "chdir": null, 
            "creates": null, 
            "executable": null, 
            "removes": null, 
            "stdin": null, 
            "warn": true 
        }    
    },   
    "rc": 0, 
    "start": "2019-01-23 17:20:09.486514", 
    "stderr": "",  
    "stderr_lines": [],  
    "stdout": "Setting cluster name to snap ...", 
    "stdout_lines": [
        "Setting cluster name to snap ..." 

dw commented 5 years ago

Hi Lee,

Sorry, I'm going braindead :) From looking at your log, it is the local machine (localhost) where sudo is running. Is that correct? In your comment you mention a placeholder myhost, which suggests maybe a remote machine.

If the sudo invocation was indeed running on the wrong machine, this is a manifestation of a major bug that was present in 0.2.3. Would it be possible to re-test using the current master and report if the problem persists?

Also, just to be clear, you said with vanilla Ansible it does not ask for a password, but you did not say whether you have configured a become password in vanilla Ansible. If you indeed have a password configured, it should appear in the output of the mitogen_get_stack action. If the password is missing from this output, it indicates the extension failed to extract the password from Ansible correctly, rather than failed to supply it to sudo correctly.

edit: note the mitogen_get_stack action was not available in 0.2.3, only current master

lconnell commented 5 years ago

My apologies. I replaced my hostnames during sanitation. I am executing the playbook against a remote host. I will try running this again tomorrow with the latest code and send you an update. Sudo doesn't require a password for the user; it shouldn't be asking for one, and it's not set in the playbook either.

Thanks for looking into this.

On Sun, Jan 27, 2019 at 11:31 AM dw notifications@github.com wrote:

Hi Lee,

Sorry, I'm going braindead :) From looking at your log, it is the local machine (localhost) where sudo is running. Is that correct? In your comment you mention a placeholder myhost, which suggests maybe a remote machine.

If the sudo invocation was indeed running on the wrong machine, this is a manifestation of a major bug that was present in 0.2.3. Would it be possible to re-test using the current master and report if the problem persists?

Also, just to be clear, you said with vanilla Ansible it does not ask for a password, but you did not say whether you have configured a become password in vanilla Ansible. If you indeed have a password configured, it should appear in the output of the mitogen_get_stack action https://mitogen.readthedocs.io/en/latest/ansible.html#the-mitogen-get-stack-action. If the password is missing from this output, it indicates the extension failed to extract the password from Ansible correctly, rather than failed to supply it to sudo correctly.

lconnell commented 5 years ago

@dw This works fine now when running against dev version. :)

FR-Solution commented 6 months ago

[WARNING]: Unhandled error in Python interpreter discovery for host swarm-hbf-01.dl.wb.ru: error occurred on host swarm-hbf-01.dl.wb.ru: sudo password is required
fatal: [swarm-hbf-01.dl.wb.ru]: FAILED! => msg: 'error occurred on host swarm-hbf-01.dl.wb.ru: sudo password is required'

I have a similar problem on versions 0.3.7 and 0.3.5.

ansible --version

/usr/lib/python3/dist-packages/paramiko/transport.py:237: CryptographyDeprecationWarning: Blowfish has been deprecated
  "class": algorithms.Blowfish,
ansible 2.10.8
  config file = /home/dk/workspace/wb/swarm/swarmops/ansible/ansible.cfg
  configured module search path = ['/home/dk/workspace/wb/swarm/swarmops/ansible/library']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0]