rundeck-plugins / ansible-plugin

Ansible Integration for Rundeck
MIT License

Rundeck/Ansible privilege escalation doesn't work #353

Open Iohannes-Nerevar opened 4 months ago

Iohannes-Nerevar commented 4 months ago

Hi,

I'm trying to use a dedicated user to run playbooks requesting escalation of privilege via Rundeck. The user on the remote server (rundeck) is in sudoers. And yet it doesn't work.

I generate the nodes via the Ansible inventory. No problem there. I configure my node source as follows: (screenshot attached: Capture d’écran du 2024-03-01 16-25-48)

On the Default Node Executor side, like this (all other values are empty): (screenshot attached: Capture d’écran du 2024-03-01 16-26-24)

The job fails: FAILED! => {"msg": "Missing sudo password"}

If I add my user on the remote server to /etc/sudoers with the line "rundeck ALL=(ALL) NOPASSWD:ALL", it works. But this is not a solution I am considering, for security reasons.

In the service.log I find this just before running the job:

/usr/lib/python3.10/getpass.py:91: GetPassWarning: Can not control echo on the terminal.
passwd = fallback_getpass(prompt, stream)
Warning: Password input may be echoed.
SSH password:
Warning: Password input may be echoed.
BECOME password[defaults to SSH password]:

PLAY [all] *********************************************************************

TASK [Ensure tmpdir data directory] ********************************************
changed: [SERVER -> localhost]

TASK [Template the gathered facts] *********************************************
changed: [SERVER -> localhost]

PLAY RECAP *********************************************************************
SERVER                 : ok=2    changed=2    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

And when executing the job:

ERROR node.NodeStepPluginAdapter - Error executing node step.
com.dtolabs.rundeck.core.execution.workflow.steps.node.NodeStepException: ERROR: Ansible execution returned with non zero code.
    at com.rundeck.plugins.ansible.plugin.AnsiblePlaybookWorflowNodeStep.executeNodeStep(AnsiblePlaybookWorflowNodeStep.java:95) ~[?:?]
    at com.dtolabs.rundeck.core.execution.workflow.steps.node.NodeStepPluginAdapter.executeNodeStep(NodeStepPluginAdapter.java:169) ~[rundeck-core-5.1.1-20240305.jar!/:?]
    at com.dtolabs.rundeck.core.execution.ExecutionServiceImpl.executeNodeStep(ExecutionServiceImpl.java:207) ~[rundeck-core-5.1.1-20240305.jar!/:?]
    at com.dtolabs.rundeck.core.execution.dispatch.SequentialNodeDispatcher.dispatch(SequentialNodeDispatcher.java:130) ~[rundeck-core-5.1.1-20240305.jar!/:?]
    at com.dtolabs.rundeck.core.execution.dispatch.SequentialNodeDispatcher.dispatch(SequentialNodeDispatcher.java:61) ~[rundeck-core-5.1.1-20240305.jar!/:?]
    at com.dtolabs.rundeck.core.execution.ExecutionServiceImpl.dispatchToNodesWith(ExecutionServiceImpl.java:263) ~[rundeck-core-5.1.1-20240305.jar!/:?]
    at com.dtolabs.rundeck.core.execution.ExecutionServiceImpl.dispatchToNodes(ExecutionServiceImpl.java:234) ~[rundeck-core-5.1.1-20240305.jar!/:?]
    at com.dtolabs.rundeck.core.execution.workflow.steps.NodeDispatchStepExecutor.executeWorkflowStep(NodeDispatchStepExecutor.java:66) ~[rundeck-core-5.1.1-20240305.jar!/:?]
    at com.dtolabs.rundeck.core.execution.ExecutionServiceImpl.executeStep(ExecutionServiceImpl.java:111) ~[rundeck-core-5.1.1-20240305.jar!/:?]
    at com.dtolabs.rundeck.core.execution.workflow.BaseWorkflowExecutor.executeWFItem(BaseWorkflowExecutor.java:285) ~[rundeck-core-5.1.1-20240305.jar!/:?]
    at com.dtolabs.rundeck.core.execution.workflow.BaseWorkflowExecutor.executeWorkflowStep(BaseWorkflowExecutor.java:681) ~[rundeck-core-5.1.1-20240305.jar!/:?]
    at com.dtolabs.rundeck.core.execution.workflow.engine.StepCallable.apply(StepCallable.java:71) ~[rundeck-core-5.1.1-20240305.jar!/:?]
    at com.dtolabs.rundeck.core.execution.workflow.engine.StepOperation.apply(StepOperation.java:76) ~[rundeck-core-5.1.1-20240305.jar!/:?]
    at com.dtolabs.rundeck.core.execution.workflow.engine.StepOperation.apply(StepOperation.java:32) ~[rundeck-core-5.1.1-20240305.jar!/:?]
    at com.dtolabs.rundeck.core.rules.WorkflowEngineOperationsProcessor.lambda$beginOperation$1(WorkflowEngineOperationsProcessor.java:323) ~[rundeck-core-5.1.1-20240305.jar!/:?]
    at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:131) [guava-32.0.1-jre.jar!/:?]
    at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:75) [guava-32.0.1-jre.jar!/:?]
    at com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:82) [guava-32.0.1-jre.jar!/:?]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
    at java.lang.Thread.run(Thread.java:829) [?:?]
[2024-03-05T11:46:56,700] ERROR services.ExecutionUtilService - Execution failed: 191 in project Ansible: [Workflow result: , step failures: {1=Dispatch failed on 1 nodes: [SERVER: AnsibleNonZero: ERROR: Ansible execution returned with non zero code. + {dataContext=MultiDataContextImpl(map={}, base=null)} ]}, Node failures: {SERVER=[AnsibleNonZero: ERROR: Ansible execution returned with non zero code. + {dataContext=MultiDataContextImpl(map={}, base=null)} ]}, status: failed]
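The GetPassWarning lines in the service.log above are worth decoding, because they explain how a password can silently end up empty. When a process that prompts with getpass has no controlling terminal (a service with stdin attached to a pipe), Python drops to getpass.fallback_getpass, which warns "Can not control echo on the terminal.", prints "Warning: Password input may be echoed." and then reads exactly one line from stdin per prompt. Whatever the caller wrote on stdin at that moment is the password; a blank line or an exhausted stdin yields an empty string, and an empty become password is what sudo later reports as "Missing sudo password". The following script is an added simulation of that prompt sequence, written for this discussion; it is not code from the rundeck-plugins/ansible-plugin project or from Ansible. It calls fallback_getpass directly so it behaves identically with or without a terminal, and the rule that an empty BECOME answer falls back to the SSH password is an assumption modelled on the prompt text "BECOME password[defaults to SSH password]", not taken from either project's source.

```python
"""Simulate a non-interactive caller feeding SSH and BECOME passwords to a
process that prompts for them with getpass (added example, not project code).

When getpass cannot control the terminal it uses getpass.fallback_getpass,
which is the function named in the service.log traceback:
  1. warns GetPassWarning("Can not control echo on the terminal.")
  2. prints "Warning: Password input may be echoed." to stderr
  3. writes the prompt to stderr and reads ONE line from sys.stdin
"""
import getpass
import io
import sys
import warnings

SSH_PROMPT = "SSH password: "
BECOME_PROMPT = "BECOME password[defaults to SSH password]: "


def _read_line_or_empty(prompt: str) -> str:
    """fallback_getpass raises EOFError once stdin is exhausted; treat that as
    'no password supplied' so the caller sees an empty string instead."""
    try:
        return getpass.fallback_getpass(prompt)
    except EOFError:
        return ""


def prompt_passwords(stdin_text: str):
    """Answer the SSH and BECOME prompts from a constructed stdin buffer, the
    way a job runner that writes the secrets into the child's pipe would.

    Returns (ssh_password, become_password, warning_count, stderr_output).
    """
    fake_stdin = io.StringIO(stdin_text)   # constructed stdin content
    fake_stderr = io.StringIO()            # captures prompts and warnings
    saved_stdin, saved_stderr = sys.stdin, sys.stderr
    sys.stdin, sys.stderr = fake_stdin, fake_stderr
    try:
        with warnings.catch_warnings(record=True) as caught:
            warnings.simplefilter("always")
            ssh_pw = _read_line_or_empty(SSH_PROMPT)
            become_pw = _read_line_or_empty(BECOME_PROMPT)
    finally:
        sys.stdin, sys.stderr = saved_stdin, saved_stderr

    # Assumption: an empty BECOME answer reuses the SSH password, as the
    # prompt wording "[defaults to SSH password]" suggests.
    if not become_pw:
        become_pw = ssh_pw

    n_warnings = sum(
        1 for w in caught if issubclass(w.category, getpass.GetPassWarning)
    )
    return ssh_pw, become_pw, n_warnings, fake_stderr.getvalue()


def become_status(become_pw: str) -> str:
    """What privilege escalation will see: an empty become password is the
    condition that later surfaces as 'Missing sudo password'."""
    return "ok" if become_pw else "Missing sudo password"


if __name__ == "__main__":
    # Constructed scenarios; the secrets here are placeholders, not real ones.
    for label, stdin in [
        ("both supplied", "ssh-placeholder\nbecome-placeholder\n"),
        ("blank BECOME line", "ssh-placeholder\n\n"),
        ("nothing written to stdin", ""),
    ]:
        ssh_pw, become_pw, n_warn, err = prompt_passwords(stdin)
        print(f"{label}: warnings={n_warn} become={become_status(become_pw)}")
        print("  stderr seen by the service log:")
        for line in err.splitlines():
            print("   ", line)
```

Run it and compare the captured stderr with the service.log lines above: the two GetPassWarning emissions and the two prompts appear in the same order. The third scenario, where nothing reaches stdin, is the one that ends in "Missing sudo password" while the play itself still starts, which matches the symptom reported here.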