search

rundeck-plugins / ansible-plugin

Ansible Integration for Rundeck
MIT License
331 stars 100 forks source link

Resource issues with privilege escalation #146

Open tanji opened 7 years ago

tanji commented 7 years ago

After upgrade, rundeck cannot collect new nodes from the ansible inventory. There are issues with the temporary directory that is created during facts collection, which for some reason has ownership root and results in the following errors:

ERROR ExceptionCatchingResourceModelSource: [ResourceModelSource: 1.source (com.batix.rundeck.plugins.AnsibleResourceModelSourceFactory), project: coinigy] 
com.dtolabs.rundeck.core.resources.ResourceModelSourceException: Error deleting temporary directory.
        at com.batix.rundeck.plugins.AnsibleResourceModelSource.getNodes(AnsibleResourceModelSource.java:409)

Caused by: java.nio.file.AccessDeniedException: /tmp/rundeck/ansible-hosts4096853159631196382/data/es-2
        at sun.nio.fs.UnixException.translateToIOException(UnixException.java:84)
        at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
        at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
        at sun.nio.fs.UnixFileSystemProvider.implDelete(UnixFileSystemProvider.java:244)
        at sun.nio.fs.AbstractFileSystemProvider.delete(AbstractFileSystemProvider.java:103)
        at java.nio.file.Files.delete(Files.java:1126)
        at com.batix.rundeck.plugins.AnsibleResourceModelSource$1.visitFile(AnsibleResourceModelSource.java:398)
        at com.batix.rundeck.plugins.AnsibleResourceModelSource$1.visitFile(AnsibleResourceModelSource.java:395)
        at java.nio.file.Files.walkFileTree(Files.java:2670)
        at java.nio.file.Files.walkFileTree(Files.java:2742)
        at com.batix.rundeck.plugins.AnsibleResourceModelSource.getNodes(AnsibleResourceModelSource.java:395)
        ... 64 more
WARN  LoggingResourceModelSourceCache: [ResourceModelSource: 1.source (com.batix.rundeck.plugins.AnsibleResourceModelSourceFactory), project: coinigy] Returning cached model data

Examination of the temp dir reveals the following:

root@admin:/var/rundeck# ls -l /tmp/rundeck/ansible-hosts984220448956862214/
total 8
drwxr-xr-x 2 root    root    4096 Sep 10 10:40 data
-rw-rw-r-- 1 rundeck rundeck   52 Sep 10 10:40 host-tpl.j2
tanji commented 7 years ago

OK, it seems this issue is due to privilege escalation turned on, because Ansible will effectively run as root and the files won't be readable. So maybe that should be fixed by some workaround or be documented otherwise (if not the case)>

DerekTBrown commented 7 years ago

This is pretty well documented within Rundeck core- processes should not be run in sudo.

tanji commented 7 years ago

That has nothing to do with Rundeck, but with Ansible. If Ansible is run as root (e.g. privilege escalation turned on in /etc/ansible.conf) it will cause those files to be written as root.

DerekTBrown commented 7 years ago

@tanji @frozenice would disabling privilege escalation in the process arguments be worthwhile?

linuxmail commented 6 years ago

hi,

I'm new to Rundeck and Ansible and tested it on Friday with the same issues. Ansible is only allowed to work via Sudo. Su - and root login isn't an option because of CDE env / PCI DSS. A workaround or solution idea would be nice :-)

tanji commented 6 years ago

@linuxmail make sure you have the following setup in ansible.cfg:

[privilege_escalation]
become=False
become_method=sudo
become_user=root
become_ask_pass=False
linuxmail commented 6 years ago

hi @tanji

than it works for getting the nodes inventory, but fails with getting root. We need "sudo su -" before executing anything:

...
"module_stdout": "sudo: a password is required\r\n", 
"msg": "MODULE FAILURE"
...

My working ansible.cfg has a configuration like this:

[privilege_escalation]
become = True
become_exe = "sudo su -"
become_method = su

but then it fails with filling the nodes inventory.

cu denny

tanji commented 6 years ago

It will not work with such a configuration, because su always prompts for a password. Please look at "ansible-become-password-option" in rundeck ansible plugin

linuxmail commented 6 years ago

Hi @tanji

nope, it works because of "become_exe". It executes "sudo su -" what is allowed in sudo with nopasswd.

cu denny

mcassaniti commented 6 years ago

@DerekTBrown @frozenice @tanji Perhaps modifying the gather-facts.yml playbook to run the second step with become: false would resolve the issue? Thoughts?

frozenice commented 6 years ago

It might. I don't know if anything depends on being root when gathering the facts, but I guess it should work.

devopstales commented 5 years ago

Any update on dis? Because neither @tanji 's nor @linuxmail 's solution din not work.