sudo password required when using shell module #466
Comments
|
So I just figured out that it only happens if the code is nested under a "block". It works fine if I take the shell commands and move them outside of the "block". |
|
Very curious.. high level syntax details should not be leaking down into the connection layer, but Mitogen has some nasty hacks in some places to make things work, so it's definitely possible. Please confirm:
Thanks for reporting |
|
If any of the following variables are set, can you please indicate where they are being set (maybe even in ansible.cfg or inventory):
Thanks |
|
* The run does work fine without modifications if Mitogen is removed as the
connection manager. It does not fail asking for a sudo password.
* become: true is set at the play level
…On Fri, Jan 18, 2019 at 5:02 PM dw ***@***.***> wrote:
Very curious.. high level syntax details should not be leaking down into
the connection layer, but Mitogen has some nasty hacks in some places to
make things work, so it's definitely possible.
Please confirm:
- Does the run otherwise typically need a sudo password to succeed?
- Where is the become:true being set? Commandline/role/etc.
Thanks for reporting
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#466 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AADsnTXKvkL0Upc3ZNQvFd2ITNr0CLpZks5vEkRYgaJpZM4aGyHq>
.
|
|
- hosts: myhosts
gather_facts: yes
become: true
roles:
- { role: ../roles/ansible }
None of the variables you provided are set. Defaults are used.
…On Fri, Jan 18, 2019 at 5:06 PM dw ***@***.***> wrote:
If any of the following variables are set, can you please indicate where
they are being set (maybe even in ansible.cfg or inventory):
- become_user
- become_pass / ansible_become_password
- ansible_python_interpreter
- become_exe
- sudo_args
Thanks
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#466 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AADsne9BiFHtQ-WH3yoqBgk7W5kimqjrks5vEkVKgaJpZM4aGyHq>
.
|
|
Can you please provide The interesting lines look like this: |
|
Here you go. This is without Mitogen on the same play |
|
Hi Lee, Sorry, I'm going braindead :) From looking at your log, it is the local machine ( If the sudo invocation was indeed running on the wrong machine, this is a manifestation of a major bug that was present in 0.2.3. Would it be possible to re-test using the current master and report if the problem persists? Also, just to be clear, you said with vanilla Ansible it does not ask for a password, but you did not say whether you have configured a become password in vanilla Ansible. If you indeed have a password configured, it should appear in the output of the mitogen_get_stack action. If the password is missing from this output, it indicates the extension failed to extract the password from Ansible correctly, rather than failed to supply it to sudo correctly. edit: note the mitogen_get_stack action was not available in 0.2.3, only current master |
|
My apologies. I replaced my hostnames during sanitation. I am executing the
playbook against a remote host. I will try running this again tomorrow with
the latest code and send you an update. Sudo doesn't require a password for
the user, it shouldn't be asking for one and it's not set in the playbook
either.
Thanks for looking into this.
…On Sun, Jan 27, 2019 at 11:31 AM dw ***@***.***> wrote:
Hi Lee,
Sorry, I'm going braindead :) From looking at your log, it is the local
machine (localhost) where sudo is running. Is that correct? In your
comment you mention a placeholder myhost, which suggests maybe a remote
machine.
If the sudo invocation was indeed running on the wrong machine, this is a
manifestation of a major bug that was present in 0.2.3. Would it be
possible to re-test using the current master and report if the problem
persists?
Also, just to be clear, you said with vanilla Ansible it does not ask for
a password, but you did not say whether you have configured a become
password in vanilla Ansible. If you indeed have a password configured, it
should appear in the output of the mitogen_get_stack action
<https://mitogen.readthedocs.io/en/latest/ansible.html#the-mitogen-get-stack-action>.
If the password is missing from this output, it indicates the extension
failed to extract the password from Ansible correctly, rather than failed
to supply it to sudo correctly.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#466 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AADsneHrTlXK4i8f5nYvJhRSQvv2iRMDks5vHdREgaJpZM4aGyHq>
.
|
|
@dw This works fine now when running against dev version. :) |
|
[WARNING]: Unhandled error in Python interpreter discovery for host swarm-hbf-01.dl.wb.ru: error occurred on host swarm-hbf-01.dl.wb.ru: sudo password is required I have a similar problem on versions 0.3.7 and 0.3.5. ansible --version /usr/lib/python3/dist-packages/paramiko/transport.py:237: CryptographyDeprecationWarning: Blowfish has been deprecated |
|
Happening with: ansible-core = "^2.17.5"
ansible-lint = { version = "^24.9.2", markers = "platform_system != 'Windows'" }
passlib = "^1.7.4"
jmespath = "^1.0.1"
mitogen = "^0.3.15"Snippet to reproduce: - name: Check sudo
block:
- name: Make sure we have a sudo ticket on localhost
command: whoami
become: true
register: sudo_ticket
timeout: 1
delegate_to: localhost
changed_when: false
- name: Make sure we have sudo ticket on remote
command: whoami
become: true
become_user: root
register: sudo_ticket_remote
changed_when: false
- name: Assert that `sudo` succeeded on both hosts
no_log: true
assert:
that:
- "sudo_ticket_remote.stdout == 'root'"
- "sudo_ticket.stdout == 'root'"
when: ansible_facts.env.USER != 'root'From the same shell, |
|
@savchenko to clarify
|
|
@moreati ,
I shall note that the task succeeds if I touch Yubikey / trigger U2F and type |
cross ref #999 |
I am running Mitogen 0.2.3. It works very well except today I ran a playbook that executes the shell module and it ends up failing asking for a sudo password which should not be required. The same playbook works fine without Mitogen.
{"msg": "error occurred on host myhost: sudo password is required"Controller
Target
Dump
The text was updated successfully, but these errors were encountered: