2014-11-14 22:14:08 +00:00
# (c) 2012, Michael DeHaan <michael.dehaan@gmail.com>
2015-09-06 13:00:39 +00:00
# Copyright 2015 Abhijit Menon-Sen <ams@2ndQuadrant.com>
2014-11-14 22:14:08 +00:00
#
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
#
2015-04-13 20:28:01 +00:00
from __future__ import ( absolute_import , division , print_function )
__metaclass__ = type
2014-11-14 22:14:08 +00:00
2016-06-30 23:39:30 +00:00
import errno
2015-06-23 16:12:38 +00:00
import fcntl
2017-02-01 15:39:40 +00:00
import hashlib
2014-11-14 22:14:08 +00:00
import os
2015-06-23 16:12:38 +00:00
import pty
2014-11-14 22:14:08 +00:00
import select
2015-06-23 16:12:38 +00:00
import subprocess
import time
2014-11-14 22:14:08 +00:00
from ansible import constants as C
2016-10-02 22:04:38 +00:00
from ansible . compat . six import PY3 , text_type , binary_type
2016-11-17 21:18:29 +00:00
from ansible . compat . six . moves import shlex_quote
2015-04-15 23:32:44 +00:00
from ansible . errors import AnsibleError , AnsibleConnectionFailure , AnsibleFileNotFound
2016-09-29 21:44:54 +00:00
from ansible . errors import AnsibleOptionsError
from ansible . module_utils . basic import BOOLEANS
2016-09-07 05:54:17 +00:00
from ansible . module_utils . _text import to_bytes , to_native , to_text
2016-11-28 02:52:31 +00:00
from ansible . plugins . connection import ConnectionBase , BUFSIZE
2015-09-03 18:36:58 +00:00
from ansible . utils . path import unfrackpath , makedirs_safe
2014-11-14 22:14:08 +00:00
2016-11-22 20:50:24 +00:00
boolean = C . mk_boolean
2016-09-29 21:44:54 +00:00
2015-11-11 15:10:14 +00:00
try :
from __main__ import display
except ImportError :
from ansible . utils . display import Display
display = Display ( )
2015-09-04 04:42:01 +00:00
SSHPASS_AVAILABLE = None
2015-12-17 17:43:36 +00:00
2015-11-11 15:10:14 +00:00
2014-11-14 22:14:08 +00:00
class Connection ( ConnectionBase ) :
''' ssh based connections '''
2015-09-04 04:42:01 +00:00
transport = ' ssh '
2015-07-20 19:40:08 +00:00
has_pipelining = True
2015-06-15 03:49:10 +00:00
become_methods = frozenset ( C . BECOME_METHODS ) . difference ( [ ' runas ' ] )
2015-04-27 05:28:25 +00:00
def __init__ ( self , * args , * * kwargs ) :
super ( Connection , self ) . __init__ ( * args , * * kwargs )
2015-04-15 23:32:44 +00:00
2015-07-21 16:12:22 +00:00
self . host = self . _play_context . remote_addr
2017-02-01 15:39:40 +00:00
self . port = self . _play_context . port
self . user = self . _play_context . remote_user
self . control_path = C . ANSIBLE_SSH_CONTROL_PATH
self . control_path_dir = C . ANSIBLE_SSH_CONTROL_PATH_DIR
2015-06-16 19:47:33 +00:00
2015-09-04 04:42:01 +00:00
# The connection is created by running ssh/scp/sftp from the exec_command,
# put_file, and fetch_file methods, so we don't need to do any connection
# management here.
2014-11-14 22:14:08 +00:00
2015-09-04 04:42:01 +00:00
def _connect ( self ) :
return self
Squashed commit of the following:
commit 9921bb9d2002e136c030ff337c14f8b7eab0fc72
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:19:44 2015 +0530
Document --ssh-extra-args command-line option
commit 8b25595e7b1cc3658803d0821fbf498c18ee608a
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 13:24:57 2015 +0530
Don't disable GSSAPI/Pubkey authentication when using --ask-pass
This commit is based on a bug report and PR by kolbyjack (#6846) which
was subsequently closed and rebased as #11690. The original problem was:
«The password on the delegated host is different from the one I
provided on the command line, so it had to use the pubkey, and the
main host doesn't have a pubkey on it yet, so it had to use the
password.»
(This commit is revised and included here because #11690 would conflict
with the changes in #11908 otherwise.)
Closes #11690
commit 119d0323892c65e8169ae57e42bbe8e3517551a3
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 11:16:42 2015 +0530
Be more explicit about why SSH arguments are added
This adds vvvvv log messages that spell out in detail where each SSH
command-line argument is obtained from.
Unfortunately, we can't be sure if, say, self._play_context.remote_user
is obtained from ANSIBLE_REMOTE_USER in the environment, remote_user in
ansible.cfg, -u on the command line, or an ansible_ssh_user setting in
the inventory or on a task or play. In some cases, e.g. timeout, we
can't even be sure if it was set by the user or just a default.
Nevertheless, on the theory that at five v's you can use all the hints
available, I've mentioned the possible sources in the log messages.
Note that this caveat applies only to the arguments that ssh.py adds by
itself. In the case of ssh_args and ssh_extra_args, we know where they
are from, and say so, though we can't say WHERE in the inventory they
may be set (e.g. in host_vars or group_vars etc.).
commit b605c285baf505f75f0b7d73cb76b00d4723d02e
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Tue Aug 11 15:19:43 2015 +0530
Add a FAQ entry about ansible_ssh_extra_args
commit 49f8edd035cd28dd1cf8945f44ec3d55212910bd
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:48:50 2015 +0530
Allow ansible_ssh_args to be set as an inventory variable
Before this change, ssh_args could be set only in the [ssh_connection]
section of ansible.cfg, and was applied to all hosts. Now it's possible
to set ansible_ssh_args as an inventory variable (directly, or through
group_vars or host_vars) to selectively override the global setting.
Note that the default ControlPath settings are applied only if ssh_args
is not set, and this is true of ansible_ssh_args as well. So if you want
to override ssh_args but continue to set ControlPath, you'll need to
repeat the appropriate options when setting ansible_ssh_args.
(If you only need to add options to the default ssh_args, you may be
able to use the ansible_ssh_extra_args inventory variable instead.)
commit 37c1a5b6794cee29a7809ad056a86365a2c0f886
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:42:30 2015 +0530
Allow overriding ansible_ssh_extra_args on the command-line
This patch makes it possible to do:
ansible somehost -m setup \
--ssh-extra-args '-o ProxyCommand="ssh -W %h:%p -q user@bouncer.example.com"'
This overrides the inventory setting, if any, of ansible_ssh_extra_args.
Based on a patch originally by @Richard2ndQuadrant.
commit b023ace8a8a7ce6800e29129a27ebe8bf6bd38e0
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:06:19 2015 +0530
Add an ansible_ssh_extra_args inventory variable
This can be used to configure a per-host or per-group ProxyCommand to
connect to hosts through a jumphost, e.g.:
inventory:
[gatewayed]
foo ansible_ssh_host=192.0.2.1
group_vars/gatewayed.yml:
ansible_ssh_extra_args: '-o ProxyCommand="ssh -W %h:%p -q bounceuser@gateway.example.com"'
Note that this variable is used in addition to any ssh_args configured
in the [ssh_connection] section of ansible.cfg (so you don't need to
repeat the ControlPath settings in ansible_ssh_extra_args).
2015-09-03 15:26:56 +00:00
2017-02-01 15:39:40 +00:00
@staticmethod
def _create_control_path ( host , port , user ) :
''' Make a hash for the controlpath based on con attributes '''
pstring = ' %s - %s - %s ' % ( host , port , user )
m = hashlib . sha1 ( )
m . update ( to_bytes ( pstring ) )
digest = m . hexdigest ( )
cpath = ' %(directory)s / ' + digest [ : 10 ]
return cpath
2015-09-28 17:34:02 +00:00
@staticmethod
def _sshpass_available ( ) :
global SSHPASS_AVAILABLE
Squashed commit of the following:
commit 9921bb9d2002e136c030ff337c14f8b7eab0fc72
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:19:44 2015 +0530
Document --ssh-extra-args command-line option
commit 8b25595e7b1cc3658803d0821fbf498c18ee608a
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 13:24:57 2015 +0530
Don't disable GSSAPI/Pubkey authentication when using --ask-pass
This commit is based on a bug report and PR by kolbyjack (#6846) which
was subsequently closed and rebased as #11690. The original problem was:
«The password on the delegated host is different from the one I
provided on the command line, so it had to use the pubkey, and the
main host doesn't have a pubkey on it yet, so it had to use the
password.»
(This commit is revised and included here because #11690 would conflict
with the changes in #11908 otherwise.)
Closes #11690
commit 119d0323892c65e8169ae57e42bbe8e3517551a3
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 11:16:42 2015 +0530
Be more explicit about why SSH arguments are added
This adds vvvvv log messages that spell out in detail where each SSH
command-line argument is obtained from.
Unfortunately, we can't be sure if, say, self._play_context.remote_user
is obtained from ANSIBLE_REMOTE_USER in the environment, remote_user in
ansible.cfg, -u on the command line, or an ansible_ssh_user setting in
the inventory or on a task or play. In some cases, e.g. timeout, we
can't even be sure if it was set by the user or just a default.
Nevertheless, on the theory that at five v's you can use all the hints
available, I've mentioned the possible sources in the log messages.
Note that this caveat applies only to the arguments that ssh.py adds by
itself. In the case of ssh_args and ssh_extra_args, we know where they
are from, and say so, though we can't say WHERE in the inventory they
may be set (e.g. in host_vars or group_vars etc.).
commit b605c285baf505f75f0b7d73cb76b00d4723d02e
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Tue Aug 11 15:19:43 2015 +0530
Add a FAQ entry about ansible_ssh_extra_args
commit 49f8edd035cd28dd1cf8945f44ec3d55212910bd
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:48:50 2015 +0530
Allow ansible_ssh_args to be set as an inventory variable
Before this change, ssh_args could be set only in the [ssh_connection]
section of ansible.cfg, and was applied to all hosts. Now it's possible
to set ansible_ssh_args as an inventory variable (directly, or through
group_vars or host_vars) to selectively override the global setting.
Note that the default ControlPath settings are applied only if ssh_args
is not set, and this is true of ansible_ssh_args as well. So if you want
to override ssh_args but continue to set ControlPath, you'll need to
repeat the appropriate options when setting ansible_ssh_args.
(If you only need to add options to the default ssh_args, you may be
able to use the ansible_ssh_extra_args inventory variable instead.)
commit 37c1a5b6794cee29a7809ad056a86365a2c0f886
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:42:30 2015 +0530
Allow overriding ansible_ssh_extra_args on the command-line
This patch makes it possible to do:
ansible somehost -m setup \
--ssh-extra-args '-o ProxyCommand="ssh -W %h:%p -q user@bouncer.example.com"'
This overrides the inventory setting, if any, of ansible_ssh_extra_args.
Based on a patch originally by @Richard2ndQuadrant.
commit b023ace8a8a7ce6800e29129a27ebe8bf6bd38e0
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:06:19 2015 +0530
Add an ansible_ssh_extra_args inventory variable
This can be used to configure a per-host or per-group ProxyCommand to
connect to hosts through a jumphost, e.g.:
inventory:
[gatewayed]
foo ansible_ssh_host=192.0.2.1
group_vars/gatewayed.yml:
ansible_ssh_extra_args: '-o ProxyCommand="ssh -W %h:%p -q bounceuser@gateway.example.com"'
Note that this variable is used in addition to any ssh_args configured
in the [ssh_connection] section of ansible.cfg (so you don't need to
repeat the ControlPath settings in ansible_ssh_extra_args).
2015-09-03 15:26:56 +00:00
2015-09-28 17:34:02 +00:00
# We test once if sshpass is available, and remember the result. It
# would be nice to use distutils.spawn.find_executable for this, but
# distutils isn't always available; shutils.which() is Python3-only.
2014-11-14 22:14:08 +00:00
2015-09-28 17:34:02 +00:00
if SSHPASS_AVAILABLE is None :
try :
p = subprocess . Popen ( [ " sshpass " ] , stdin = subprocess . PIPE , stdout = subprocess . PIPE , stderr = subprocess . PIPE )
p . communicate ( )
SSHPASS_AVAILABLE = True
except OSError :
SSHPASS_AVAILABLE = False
return SSHPASS_AVAILABLE
@staticmethod
2016-10-02 21:55:55 +00:00
def _persistence_controls ( b_command ) :
2015-09-28 17:34:02 +00:00
'''
Takes a command array and scans it for ControlPersist and ControlPath
settings and returns two booleans indicating whether either was found .
This could be smarter , e . g . returning false if ControlPersist is ' no ' ,
but for now we do it simple way .
'''
controlpersist = False
controlpath = False
2016-10-02 21:55:55 +00:00
for b_arg in ( a . lower ( ) for a in b_command ) :
if b ' controlpersist ' in b_arg :
2015-09-28 17:34:02 +00:00
controlpersist = True
2016-10-02 21:55:55 +00:00
elif b ' controlpath ' in b_arg :
2015-09-28 17:34:02 +00:00
controlpath = True
return controlpersist , controlpath
2016-10-02 21:55:55 +00:00
def _add_args ( self , b_command , b_args , explanation ) :
2015-09-28 17:34:02 +00:00
"""
2016-10-02 21:55:55 +00:00
Adds arguments to the ssh command and displays a caller - supplied explanation of why .
: arg b_command : A list containing the command to add the new arguments to .
This list will be modified by this method .
: arg b_args : An iterable of new arguments to add . This iterable is used
more than once so it must be persistent ( ie : a list is okay but a
StringIO would not )
: arg explanation : A text string containing explaining why the arguments
were added . It will be displayed with a high enough verbosity .
. . note : : This function does its work via side - effect . The b_command list has the new arguments appended .
2015-09-28 17:34:02 +00:00
"""
2016-10-02 21:55:55 +00:00
display . vvvvv ( u ' SSH: %s : ( %s ) ' % ( explanation , ' )( ' . join ( to_text ( a ) for a in b_args ) ) , host = self . _play_context . remote_addr )
b_command + = b_args
2015-09-04 04:42:01 +00:00
def _build_command ( self , binary , * other_args ) :
'''
Takes a binary ( ssh , scp , sftp ) and optional extra arguments and returns
2015-09-06 13:00:39 +00:00
a command line as an array that can be passed to subprocess . Popen .
2015-09-04 04:42:01 +00:00
'''
2016-10-02 21:55:55 +00:00
b_command = [ ]
2015-09-04 04:42:01 +00:00
2016-10-02 21:55:55 +00:00
#
# First, the command to invoke
#
2015-09-04 04:42:01 +00:00
# If we want to use password authentication, we have to set up a pipe to
# write the password to sshpass.
if self . _play_context . password :
2015-09-28 15:28:30 +00:00
if not self . _sshpass_available ( ) :
2015-09-04 04:42:01 +00:00
raise AnsibleError ( " to use the ' ssh ' connection type with passwords, you must install the sshpass program " )
self . sshpass_pipe = os . pipe ( )
2016-10-02 21:55:55 +00:00
b_command + = [ b ' sshpass ' , b ' -d ' + to_bytes ( self . sshpass_pipe [ 0 ] , nonstring = ' simplerepr ' , errors = ' surrogate_or_strict ' ) ]
2015-09-04 04:42:01 +00:00
2017-02-01 22:20:22 +00:00
if binary == ' ssh ' :
b_command + = [ to_bytes ( self . _play_context . ssh_executable , errors = ' surrogate_or_strict ' ) ]
else :
b_command + = [ to_bytes ( binary , errors = ' surrogate_or_strict ' ) ]
2015-09-04 04:42:01 +00:00
2016-10-02 21:55:55 +00:00
#
# Next, additional arguments based on the configuration.
#
2015-09-04 04:42:01 +00:00
# sftp batch mode allows us to correctly catch failed transfers, but can
2016-05-13 17:39:04 +00:00
# be disabled if the client side doesn't support the option. However,
# sftp batch mode does not prompt for passwords so it must be disabled
# if not using controlpersist and using sshpass
2015-09-04 04:42:01 +00:00
if binary == ' sftp ' and C . DEFAULT_SFTP_BATCH_MODE :
2016-05-13 17:39:04 +00:00
if self . _play_context . password :
2016-10-02 21:55:55 +00:00
b_args = [ b ' -o ' , b ' BatchMode=no ' ]
self . _add_args ( b_command , b_args , u ' disable batch mode for sshpass ' )
b_command + = [ b ' -b ' , b ' - ' ]
2015-09-04 04:42:01 +00:00
2015-09-06 13:00:39 +00:00
if self . _play_context . verbosity > 3 :
2016-10-02 21:55:55 +00:00
b_command . append ( b ' -vvv ' )
2015-09-04 04:42:01 +00:00
2016-10-02 21:55:55 +00:00
#
2015-10-02 07:43:49 +00:00
# Next, we add [ssh_connection]ssh_args from ansible.cfg.
2016-10-02 21:55:55 +00:00
#
Squashed commit of the following:
commit 9921bb9d2002e136c030ff337c14f8b7eab0fc72
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:19:44 2015 +0530
Document --ssh-extra-args command-line option
commit 8b25595e7b1cc3658803d0821fbf498c18ee608a
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 13:24:57 2015 +0530
Don't disable GSSAPI/Pubkey authentication when using --ask-pass
This commit is based on a bug report and PR by kolbyjack (#6846) which
was subsequently closed and rebased as #11690. The original problem was:
«The password on the delegated host is different from the one I
provided on the command line, so it had to use the pubkey, and the
main host doesn't have a pubkey on it yet, so it had to use the
password.»
(This commit is revised and included here because #11690 would conflict
with the changes in #11908 otherwise.)
Closes #11690
commit 119d0323892c65e8169ae57e42bbe8e3517551a3
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 11:16:42 2015 +0530
Be more explicit about why SSH arguments are added
This adds vvvvv log messages that spell out in detail where each SSH
command-line argument is obtained from.
Unfortunately, we can't be sure if, say, self._play_context.remote_user
is obtained from ANSIBLE_REMOTE_USER in the environment, remote_user in
ansible.cfg, -u on the command line, or an ansible_ssh_user setting in
the inventory or on a task or play. In some cases, e.g. timeout, we
can't even be sure if it was set by the user or just a default.
Nevertheless, on the theory that at five v's you can use all the hints
available, I've mentioned the possible sources in the log messages.
Note that this caveat applies only to the arguments that ssh.py adds by
itself. In the case of ssh_args and ssh_extra_args, we know where they
are from, and say so, though we can't say WHERE in the inventory they
may be set (e.g. in host_vars or group_vars etc.).
commit b605c285baf505f75f0b7d73cb76b00d4723d02e
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Tue Aug 11 15:19:43 2015 +0530
Add a FAQ entry about ansible_ssh_extra_args
commit 49f8edd035cd28dd1cf8945f44ec3d55212910bd
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:48:50 2015 +0530
Allow ansible_ssh_args to be set as an inventory variable
Before this change, ssh_args could be set only in the [ssh_connection]
section of ansible.cfg, and was applied to all hosts. Now it's possible
to set ansible_ssh_args as an inventory variable (directly, or through
group_vars or host_vars) to selectively override the global setting.
Note that the default ControlPath settings are applied only if ssh_args
is not set, and this is true of ansible_ssh_args as well. So if you want
to override ssh_args but continue to set ControlPath, you'll need to
repeat the appropriate options when setting ansible_ssh_args.
(If you only need to add options to the default ssh_args, you may be
able to use the ansible_ssh_extra_args inventory variable instead.)
commit 37c1a5b6794cee29a7809ad056a86365a2c0f886
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:42:30 2015 +0530
Allow overriding ansible_ssh_extra_args on the command-line
This patch makes it possible to do:
ansible somehost -m setup \
--ssh-extra-args '-o ProxyCommand="ssh -W %h:%p -q user@bouncer.example.com"'
This overrides the inventory setting, if any, of ansible_ssh_extra_args.
Based on a patch originally by @Richard2ndQuadrant.
commit b023ace8a8a7ce6800e29129a27ebe8bf6bd38e0
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:06:19 2015 +0530
Add an ansible_ssh_extra_args inventory variable
This can be used to configure a per-host or per-group ProxyCommand to
connect to hosts through a jumphost, e.g.:
inventory:
[gatewayed]
foo ansible_ssh_host=192.0.2.1
group_vars/gatewayed.yml:
ansible_ssh_extra_args: '-o ProxyCommand="ssh -W %h:%p -q bounceuser@gateway.example.com"'
Note that this variable is used in addition to any ssh_args configured
in the [ssh_connection] section of ansible.cfg (so you don't need to
repeat the ControlPath settings in ansible_ssh_extra_args).
2015-09-03 15:26:56 +00:00
2015-10-02 07:25:48 +00:00
if self . _play_context . ssh_args :
2016-10-02 21:55:55 +00:00
b_args = [ to_bytes ( a , errors = ' surrogate_or_strict ' ) for a in
self . _split_ssh_args ( self . _play_context . ssh_args ) ]
self . _add_args ( b_command , b_args , u " ansible.cfg set ssh_args " )
Squashed commit of the following:
commit 9921bb9d2002e136c030ff337c14f8b7eab0fc72
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:19:44 2015 +0530
Document --ssh-extra-args command-line option
commit 8b25595e7b1cc3658803d0821fbf498c18ee608a
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 13:24:57 2015 +0530
Don't disable GSSAPI/Pubkey authentication when using --ask-pass
This commit is based on a bug report and PR by kolbyjack (#6846) which
was subsequently closed and rebased as #11690. The original problem was:
«The password on the delegated host is different from the one I
provided on the command line, so it had to use the pubkey, and the
main host doesn't have a pubkey on it yet, so it had to use the
password.»
(This commit is revised and included here because #11690 would conflict
with the changes in #11908 otherwise.)
Closes #11690
commit 119d0323892c65e8169ae57e42bbe8e3517551a3
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 11:16:42 2015 +0530
Be more explicit about why SSH arguments are added
This adds vvvvv log messages that spell out in detail where each SSH
command-line argument is obtained from.
Unfortunately, we can't be sure if, say, self._play_context.remote_user
is obtained from ANSIBLE_REMOTE_USER in the environment, remote_user in
ansible.cfg, -u on the command line, or an ansible_ssh_user setting in
the inventory or on a task or play. In some cases, e.g. timeout, we
can't even be sure if it was set by the user or just a default.
Nevertheless, on the theory that at five v's you can use all the hints
available, I've mentioned the possible sources in the log messages.
Note that this caveat applies only to the arguments that ssh.py adds by
itself. In the case of ssh_args and ssh_extra_args, we know where they
are from, and say so, though we can't say WHERE in the inventory they
may be set (e.g. in host_vars or group_vars etc.).
commit b605c285baf505f75f0b7d73cb76b00d4723d02e
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Tue Aug 11 15:19:43 2015 +0530
Add a FAQ entry about ansible_ssh_extra_args
commit 49f8edd035cd28dd1cf8945f44ec3d55212910bd
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:48:50 2015 +0530
Allow ansible_ssh_args to be set as an inventory variable
Before this change, ssh_args could be set only in the [ssh_connection]
section of ansible.cfg, and was applied to all hosts. Now it's possible
to set ansible_ssh_args as an inventory variable (directly, or through
group_vars or host_vars) to selectively override the global setting.
Note that the default ControlPath settings are applied only if ssh_args
is not set, and this is true of ansible_ssh_args as well. So if you want
to override ssh_args but continue to set ControlPath, you'll need to
repeat the appropriate options when setting ansible_ssh_args.
(If you only need to add options to the default ssh_args, you may be
able to use the ansible_ssh_extra_args inventory variable instead.)
commit 37c1a5b6794cee29a7809ad056a86365a2c0f886
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:42:30 2015 +0530
Allow overriding ansible_ssh_extra_args on the command-line
This patch makes it possible to do:
ansible somehost -m setup \
--ssh-extra-args '-o ProxyCommand="ssh -W %h:%p -q user@bouncer.example.com"'
This overrides the inventory setting, if any, of ansible_ssh_extra_args.
Based on a patch originally by @Richard2ndQuadrant.
commit b023ace8a8a7ce6800e29129a27ebe8bf6bd38e0
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:06:19 2015 +0530
Add an ansible_ssh_extra_args inventory variable
This can be used to configure a per-host or per-group ProxyCommand to
connect to hosts through a jumphost, e.g.:
inventory:
[gatewayed]
foo ansible_ssh_host=192.0.2.1
group_vars/gatewayed.yml:
ansible_ssh_extra_args: '-o ProxyCommand="ssh -W %h:%p -q bounceuser@gateway.example.com"'
Note that this variable is used in addition to any ssh_args configured
in the [ssh_connection] section of ansible.cfg (so you don't need to
repeat the ControlPath settings in ansible_ssh_extra_args).
2015-09-03 15:26:56 +00:00
2015-09-04 04:42:01 +00:00
# Now we add various arguments controlled by configuration file settings
# (e.g. host_key_checking) or inventory variables (ansible_ssh_port) or
# a combination thereof.
2015-09-03 18:36:58 +00:00
2014-11-14 22:14:08 +00:00
if not C . HOST_KEY_CHECKING :
2016-10-02 21:55:55 +00:00
b_args = ( b " -o " , b " StrictHostKeyChecking=no " )
self . _add_args ( b_command , b_args , u " ANSIBLE_HOST_KEY_CHECKING/host_key_checking disabled " )
2014-11-14 22:14:08 +00:00
2015-07-21 16:12:22 +00:00
if self . _play_context . port is not None :
2016-10-02 21:55:55 +00:00
b_args = ( b " -o " , b " Port= " + to_bytes ( self . _play_context . port , nonstring = ' simplerepr ' , errors = ' surrogate_or_strict ' ) )
self . _add_args ( b_command , b_args , u " ANSIBLE_REMOTE_PORT/remote_port/ansible_port set " )
Squashed commit of the following:
commit 9921bb9d2002e136c030ff337c14f8b7eab0fc72
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:19:44 2015 +0530
Document --ssh-extra-args command-line option
commit 8b25595e7b1cc3658803d0821fbf498c18ee608a
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 13:24:57 2015 +0530
Don't disable GSSAPI/Pubkey authentication when using --ask-pass
This commit is based on a bug report and PR by kolbyjack (#6846) which
was subsequently closed and rebased as #11690. The original problem was:
«The password on the delegated host is different from the one I
provided on the command line, so it had to use the pubkey, and the
main host doesn't have a pubkey on it yet, so it had to use the
password.»
(This commit is revised and included here because #11690 would conflict
with the changes in #11908 otherwise.)
Closes #11690
commit 119d0323892c65e8169ae57e42bbe8e3517551a3
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 11:16:42 2015 +0530
Be more explicit about why SSH arguments are added
This adds vvvvv log messages that spell out in detail where each SSH
command-line argument is obtained from.
Unfortunately, we can't be sure if, say, self._play_context.remote_user
is obtained from ANSIBLE_REMOTE_USER in the environment, remote_user in
ansible.cfg, -u on the command line, or an ansible_ssh_user setting in
the inventory or on a task or play. In some cases, e.g. timeout, we
can't even be sure if it was set by the user or just a default.
Nevertheless, on the theory that at five v's you can use all the hints
available, I've mentioned the possible sources in the log messages.
Note that this caveat applies only to the arguments that ssh.py adds by
itself. In the case of ssh_args and ssh_extra_args, we know where they
are from, and say so, though we can't say WHERE in the inventory they
may be set (e.g. in host_vars or group_vars etc.).
commit b605c285baf505f75f0b7d73cb76b00d4723d02e
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Tue Aug 11 15:19:43 2015 +0530
Add a FAQ entry about ansible_ssh_extra_args
commit 49f8edd035cd28dd1cf8945f44ec3d55212910bd
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:48:50 2015 +0530
Allow ansible_ssh_args to be set as an inventory variable
Before this change, ssh_args could be set only in the [ssh_connection]
section of ansible.cfg, and was applied to all hosts. Now it's possible
to set ansible_ssh_args as an inventory variable (directly, or through
group_vars or host_vars) to selectively override the global setting.
Note that the default ControlPath settings are applied only if ssh_args
is not set, and this is true of ansible_ssh_args as well. So if you want
to override ssh_args but continue to set ControlPath, you'll need to
repeat the appropriate options when setting ansible_ssh_args.
(If you only need to add options to the default ssh_args, you may be
able to use the ansible_ssh_extra_args inventory variable instead.)
commit 37c1a5b6794cee29a7809ad056a86365a2c0f886
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:42:30 2015 +0530
Allow overriding ansible_ssh_extra_args on the command-line
This patch makes it possible to do:
ansible somehost -m setup \
--ssh-extra-args '-o ProxyCommand="ssh -W %h:%p -q user@bouncer.example.com"'
This overrides the inventory setting, if any, of ansible_ssh_extra_args.
Based on a patch originally by @Richard2ndQuadrant.
commit b023ace8a8a7ce6800e29129a27ebe8bf6bd38e0
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:06:19 2015 +0530
Add an ansible_ssh_extra_args inventory variable
This can be used to configure a per-host or per-group ProxyCommand to
connect to hosts through a jumphost, e.g.:
inventory:
[gatewayed]
foo ansible_ssh_host=192.0.2.1
group_vars/gatewayed.yml:
ansible_ssh_extra_args: '-o ProxyCommand="ssh -W %h:%p -q bounceuser@gateway.example.com"'
Note that this variable is used in addition to any ssh_args configured
in the [ssh_connection] section of ansible.cfg (so you don't need to
repeat the ControlPath settings in ansible_ssh_extra_args).
2015-09-03 15:26:56 +00:00
key = self . _play_context . private_key_file
if key :
2016-10-02 21:55:55 +00:00
b_args = ( b " -o " , b ' IdentityFile= " ' + to_bytes ( os . path . expanduser ( key ) , errors = ' surrogate_or_strict ' ) + b ' " ' )
self . _add_args ( b_command , b_args , u " ANSIBLE_PRIVATE_KEY_FILE/private_key_file/ansible_ssh_private_key_file set " )
Squashed commit of the following:
commit 9921bb9d2002e136c030ff337c14f8b7eab0fc72
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:19:44 2015 +0530
Document --ssh-extra-args command-line option
commit 8b25595e7b1cc3658803d0821fbf498c18ee608a
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 13:24:57 2015 +0530
Don't disable GSSAPI/Pubkey authentication when using --ask-pass
This commit is based on a bug report and PR by kolbyjack (#6846) which
was subsequently closed and rebased as #11690. The original problem was:
«The password on the delegated host is different from the one I
provided on the command line, so it had to use the pubkey, and the
main host doesn't have a pubkey on it yet, so it had to use the
password.»
(This commit is revised and included here because #11690 would conflict
with the changes in #11908 otherwise.)
Closes #11690
commit 119d0323892c65e8169ae57e42bbe8e3517551a3
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 11:16:42 2015 +0530
Be more explicit about why SSH arguments are added
This adds vvvvv log messages that spell out in detail where each SSH
command-line argument is obtained from.
Unfortunately, we can't be sure if, say, self._play_context.remote_user
is obtained from ANSIBLE_REMOTE_USER in the environment, remote_user in
ansible.cfg, -u on the command line, or an ansible_ssh_user setting in
the inventory or on a task or play. In some cases, e.g. timeout, we
can't even be sure if it was set by the user or just a default.
Nevertheless, on the theory that at five v's you can use all the hints
available, I've mentioned the possible sources in the log messages.
Note that this caveat applies only to the arguments that ssh.py adds by
itself. In the case of ssh_args and ssh_extra_args, we know where they
are from, and say so, though we can't say WHERE in the inventory they
may be set (e.g. in host_vars or group_vars etc.).
commit b605c285baf505f75f0b7d73cb76b00d4723d02e
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Tue Aug 11 15:19:43 2015 +0530
Add a FAQ entry about ansible_ssh_extra_args
commit 49f8edd035cd28dd1cf8945f44ec3d55212910bd
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:48:50 2015 +0530
Allow ansible_ssh_args to be set as an inventory variable
Before this change, ssh_args could be set only in the [ssh_connection]
section of ansible.cfg, and was applied to all hosts. Now it's possible
to set ansible_ssh_args as an inventory variable (directly, or through
group_vars or host_vars) to selectively override the global setting.
Note that the default ControlPath settings are applied only if ssh_args
is not set, and this is true of ansible_ssh_args as well. So if you want
to override ssh_args but continue to set ControlPath, you'll need to
repeat the appropriate options when setting ansible_ssh_args.
(If you only need to add options to the default ssh_args, you may be
able to use the ansible_ssh_extra_args inventory variable instead.)
commit 37c1a5b6794cee29a7809ad056a86365a2c0f886
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:42:30 2015 +0530
Allow overriding ansible_ssh_extra_args on the command-line
This patch makes it possible to do:
ansible somehost -m setup \
--ssh-extra-args '-o ProxyCommand="ssh -W %h:%p -q user@bouncer.example.com"'
This overrides the inventory setting, if any, of ansible_ssh_extra_args.
Based on a patch originally by @Richard2ndQuadrant.
commit b023ace8a8a7ce6800e29129a27ebe8bf6bd38e0
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:06:19 2015 +0530
Add an ansible_ssh_extra_args inventory variable
This can be used to configure a per-host or per-group ProxyCommand to
connect to hosts through a jumphost, e.g.:
inventory:
[gatewayed]
foo ansible_ssh_host=192.0.2.1
group_vars/gatewayed.yml:
ansible_ssh_extra_args: '-o ProxyCommand="ssh -W %h:%p -q bounceuser@gateway.example.com"'
Note that this variable is used in addition to any ssh_args configured
in the [ssh_connection] section of ansible.cfg (so you don't need to
repeat the ControlPath settings in ansible_ssh_extra_args).
2015-09-03 15:26:56 +00:00
if not self . _play_context . password :
2015-09-28 17:34:02 +00:00
self . _add_args (
2016-10-02 21:55:55 +00:00
b_command , (
b " -o " , b " KbdInteractiveAuthentication=no " ,
b " -o " , b " PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey " ,
b " -o " , b " PasswordAuthentication=no "
) ,
u " ansible_password/ansible_ssh_pass not set "
Squashed commit of the following:
commit 9921bb9d2002e136c030ff337c14f8b7eab0fc72
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:19:44 2015 +0530
Document --ssh-extra-args command-line option
commit 8b25595e7b1cc3658803d0821fbf498c18ee608a
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 13:24:57 2015 +0530
Don't disable GSSAPI/Pubkey authentication when using --ask-pass
This commit is based on a bug report and PR by kolbyjack (#6846) which
was subsequently closed and rebased as #11690. The original problem was:
«The password on the delegated host is different from the one I
provided on the command line, so it had to use the pubkey, and the
main host doesn't have a pubkey on it yet, so it had to use the
password.»
(This commit is revised and included here because #11690 would conflict
with the changes in #11908 otherwise.)
Closes #11690
commit 119d0323892c65e8169ae57e42bbe8e3517551a3
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 11:16:42 2015 +0530
Be more explicit about why SSH arguments are added
This adds vvvvv log messages that spell out in detail where each SSH
command-line argument is obtained from.
Unfortunately, we can't be sure if, say, self._play_context.remote_user
is obtained from ANSIBLE_REMOTE_USER in the environment, remote_user in
ansible.cfg, -u on the command line, or an ansible_ssh_user setting in
the inventory or on a task or play. In some cases, e.g. timeout, we
can't even be sure if it was set by the user or just a default.
Nevertheless, on the theory that at five v's you can use all the hints
available, I've mentioned the possible sources in the log messages.
Note that this caveat applies only to the arguments that ssh.py adds by
itself. In the case of ssh_args and ssh_extra_args, we know where they
are from, and say so, though we can't say WHERE in the inventory they
may be set (e.g. in host_vars or group_vars etc.).
commit b605c285baf505f75f0b7d73cb76b00d4723d02e
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Tue Aug 11 15:19:43 2015 +0530
Add a FAQ entry about ansible_ssh_extra_args
commit 49f8edd035cd28dd1cf8945f44ec3d55212910bd
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:48:50 2015 +0530
Allow ansible_ssh_args to be set as an inventory variable
Before this change, ssh_args could be set only in the [ssh_connection]
section of ansible.cfg, and was applied to all hosts. Now it's possible
to set ansible_ssh_args as an inventory variable (directly, or through
group_vars or host_vars) to selectively override the global setting.
Note that the default ControlPath settings are applied only if ssh_args
is not set, and this is true of ansible_ssh_args as well. So if you want
to override ssh_args but continue to set ControlPath, you'll need to
repeat the appropriate options when setting ansible_ssh_args.
(If you only need to add options to the default ssh_args, you may be
able to use the ansible_ssh_extra_args inventory variable instead.)
commit 37c1a5b6794cee29a7809ad056a86365a2c0f886
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:42:30 2015 +0530
Allow overriding ansible_ssh_extra_args on the command-line
This patch makes it possible to do:
ansible somehost -m setup \
--ssh-extra-args '-o ProxyCommand="ssh -W %h:%p -q user@bouncer.example.com"'
This overrides the inventory setting, if any, of ansible_ssh_extra_args.
Based on a patch originally by @Richard2ndQuadrant.
commit b023ace8a8a7ce6800e29129a27ebe8bf6bd38e0
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:06:19 2015 +0530
Add an ansible_ssh_extra_args inventory variable
This can be used to configure a per-host or per-group ProxyCommand to
connect to hosts through a jumphost, e.g.:
inventory:
[gatewayed]
foo ansible_ssh_host=192.0.2.1
group_vars/gatewayed.yml:
ansible_ssh_extra_args: '-o ProxyCommand="ssh -W %h:%p -q bounceuser@gateway.example.com"'
Note that this variable is used in addition to any ssh_args configured
in the [ssh_connection] section of ansible.cfg (so you don't need to
repeat the ControlPath settings in ansible_ssh_extra_args).
2015-09-03 15:26:56 +00:00
)
user = self . _play_context . remote_user
2015-10-24 03:15:45 +00:00
if user :
2016-10-02 21:55:55 +00:00
self . _add_args ( b_command ,
( b " -o " , b " User= " + to_bytes ( self . _play_context . remote_user , errors = ' surrogate_or_strict ' ) ) ,
2017-01-29 07:28:53 +00:00
u " ANSIBLE_REMOTE_USER/remote_user/ansible_user/user/-u set "
)
Squashed commit of the following:
commit 9921bb9d2002e136c030ff337c14f8b7eab0fc72
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:19:44 2015 +0530
Document --ssh-extra-args command-line option
commit 8b25595e7b1cc3658803d0821fbf498c18ee608a
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 13:24:57 2015 +0530
Don't disable GSSAPI/Pubkey authentication when using --ask-pass
This commit is based on a bug report and PR by kolbyjack (#6846) which
was subsequently closed and rebased as #11690. The original problem was:
«The password on the delegated host is different from the one I
provided on the command line, so it had to use the pubkey, and the
main host doesn't have a pubkey on it yet, so it had to use the
password.»
(This commit is revised and included here because #11690 would conflict
with the changes in #11908 otherwise.)
Closes #11690
commit 119d0323892c65e8169ae57e42bbe8e3517551a3
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 11:16:42 2015 +0530
Be more explicit about why SSH arguments are added
This adds vvvvv log messages that spell out in detail where each SSH
command-line argument is obtained from.
Unfortunately, we can't be sure if, say, self._play_context.remote_user
is obtained from ANSIBLE_REMOTE_USER in the environment, remote_user in
ansible.cfg, -u on the command line, or an ansible_ssh_user setting in
the inventory or on a task or play. In some cases, e.g. timeout, we
can't even be sure if it was set by the user or just a default.
Nevertheless, on the theory that at five v's you can use all the hints
available, I've mentioned the possible sources in the log messages.
Note that this caveat applies only to the arguments that ssh.py adds by
itself. In the case of ssh_args and ssh_extra_args, we know where they
are from, and say so, though we can't say WHERE in the inventory they
may be set (e.g. in host_vars or group_vars etc.).
commit b605c285baf505f75f0b7d73cb76b00d4723d02e
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Tue Aug 11 15:19:43 2015 +0530
Add a FAQ entry about ansible_ssh_extra_args
commit 49f8edd035cd28dd1cf8945f44ec3d55212910bd
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:48:50 2015 +0530
Allow ansible_ssh_args to be set as an inventory variable
Before this change, ssh_args could be set only in the [ssh_connection]
section of ansible.cfg, and was applied to all hosts. Now it's possible
to set ansible_ssh_args as an inventory variable (directly, or through
group_vars or host_vars) to selectively override the global setting.
Note that the default ControlPath settings are applied only if ssh_args
is not set, and this is true of ansible_ssh_args as well. So if you want
to override ssh_args but continue to set ControlPath, you'll need to
repeat the appropriate options when setting ansible_ssh_args.
(If you only need to add options to the default ssh_args, you may be
able to use the ansible_ssh_extra_args inventory variable instead.)
commit 37c1a5b6794cee29a7809ad056a86365a2c0f886
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:42:30 2015 +0530
Allow overriding ansible_ssh_extra_args on the command-line
This patch makes it possible to do:
ansible somehost -m setup \
--ssh-extra-args '-o ProxyCommand="ssh -W %h:%p -q user@bouncer.example.com"'
This overrides the inventory setting, if any, of ansible_ssh_extra_args.
Based on a patch originally by @Richard2ndQuadrant.
commit b023ace8a8a7ce6800e29129a27ebe8bf6bd38e0
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:06:19 2015 +0530
Add an ansible_ssh_extra_args inventory variable
This can be used to configure a per-host or per-group ProxyCommand to
connect to hosts through a jumphost, e.g.:
inventory:
[gatewayed]
foo ansible_ssh_host=192.0.2.1
group_vars/gatewayed.yml:
ansible_ssh_extra_args: '-o ProxyCommand="ssh -W %h:%p -q bounceuser@gateway.example.com"'
Note that this variable is used in addition to any ssh_args configured
in the [ssh_connection] section of ansible.cfg (so you don't need to
repeat the ControlPath settings in ansible_ssh_extra_args).
2015-09-03 15:26:56 +00:00
2016-10-02 21:55:55 +00:00
self . _add_args ( b_command ,
( b " -o " , b " ConnectTimeout= " + to_bytes ( self . _play_context . timeout , errors = ' surrogate_or_strict ' , nonstring = ' simplerepr ' ) ) ,
u " ANSIBLE_TIMEOUT/timeout set "
Squashed commit of the following:
commit 9921bb9d2002e136c030ff337c14f8b7eab0fc72
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:19:44 2015 +0530
Document --ssh-extra-args command-line option
commit 8b25595e7b1cc3658803d0821fbf498c18ee608a
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 13:24:57 2015 +0530
Don't disable GSSAPI/Pubkey authentication when using --ask-pass
This commit is based on a bug report and PR by kolbyjack (#6846) which
was subsequently closed and rebased as #11690. The original problem was:
«The password on the delegated host is different from the one I
provided on the command line, so it had to use the pubkey, and the
main host doesn't have a pubkey on it yet, so it had to use the
password.»
(This commit is revised and included here because #11690 would conflict
with the changes in #11908 otherwise.)
Closes #11690
commit 119d0323892c65e8169ae57e42bbe8e3517551a3
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Thu Aug 13 11:16:42 2015 +0530
Be more explicit about why SSH arguments are added
This adds vvvvv log messages that spell out in detail where each SSH
command-line argument is obtained from.
Unfortunately, we can't be sure if, say, self._play_context.remote_user
is obtained from ANSIBLE_REMOTE_USER in the environment, remote_user in
ansible.cfg, -u on the command line, or an ansible_ssh_user setting in
the inventory or on a task or play. In some cases, e.g. timeout, we
can't even be sure if it was set by the user or just a default.
Nevertheless, on the theory that at five v's you can use all the hints
available, I've mentioned the possible sources in the log messages.
Note that this caveat applies only to the arguments that ssh.py adds by
itself. In the case of ssh_args and ssh_extra_args, we know where they
are from, and say so, though we can't say WHERE in the inventory they
may be set (e.g. in host_vars or group_vars etc.).
commit b605c285baf505f75f0b7d73cb76b00d4723d02e
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Tue Aug 11 15:19:43 2015 +0530
Add a FAQ entry about ansible_ssh_extra_args
commit 49f8edd035cd28dd1cf8945f44ec3d55212910bd
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 20:48:50 2015 +0530
Allow ansible_ssh_args to be set as an inventory variable
Before this change, ssh_args could be set only in the [ssh_connection]
section of ansible.cfg, and was applied to all hosts. Now it's possible
to set ansible_ssh_args as an inventory variable (directly, or through
group_vars or host_vars) to selectively override the global setting.
Note that the default ControlPath settings are applied only if ssh_args
is not set, and this is true of ansible_ssh_args as well. So if you want
to override ssh_args but continue to set ControlPath, you'll need to
repeat the appropriate options when setting ansible_ssh_args.
(If you only need to add options to the default ssh_args, you may be
able to use the ansible_ssh_extra_args inventory variable instead.)
commit 37c1a5b6794cee29a7809ad056a86365a2c0f886
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:42:30 2015 +0530
Allow overriding ansible_ssh_extra_args on the command-line
This patch makes it possible to do:
ansible somehost -m setup \
--ssh-extra-args '-o ProxyCommand="ssh -W %h:%p -q user@bouncer.example.com"'
This overrides the inventory setting, if any, of ansible_ssh_extra_args.
Based on a patch originally by @Richard2ndQuadrant.
commit b023ace8a8a7ce6800e29129a27ebe8bf6bd38e0
Author: Abhijit Menon-Sen <ams@2ndQuadrant.com>
Date: Mon Aug 10 19:06:19 2015 +0530
Add an ansible_ssh_extra_args inventory variable
This can be used to configure a per-host or per-group ProxyCommand to
connect to hosts through a jumphost, e.g.:
inventory:
[gatewayed]
foo ansible_ssh_host=192.0.2.1
group_vars/gatewayed.yml:
ansible_ssh_extra_args: '-o ProxyCommand="ssh -W %h:%p -q bounceuser@gateway.example.com"'
Note that this variable is used in addition to any ssh_args configured
in the [ssh_connection] section of ansible.cfg (so you don't need to
repeat the ControlPath settings in ansible_ssh_extra_args).
2015-09-03 15:26:56 +00:00
)
2015-10-02 07:25:48 +00:00
# Add in any common or binary-specific arguments from the PlayContext
# (i.e. inventory or task settings or overrides on the command line).
Rework additional ssh argument handling
Now we have the following ways to set additional arguments:
1. [ssh_connection]ssh_args in ansible.cfg: global setting, prepended to
every command line for ssh/scp/sftp. Overrides default ControlPersist
settings.
2. ansible_ssh_common_args inventory variable. Appended to every command
line for ssh/scp/sftp. Used in addition to ssh_args, if set above, or
the default settings.
3. ansible_{sftp,scp,ssh}_extra_args inventory variables. Appended to
every command line for the relevant binary only. Used in addition to
#1 and #2, if set above, or the default settings.
3. Using the --ssh-common-args or --{sftp,scp,ssh}-extra-args command
line options (which are overriden by #2 and #3 above).
This preserves backwards compatibility (for ssh_args in ansible.cfg),
but also permits global settings (e.g. ProxyCommand via _common_args) or
ssh-specific options (e.g. -R via ssh_extra_args).
Fixes #12576
2015-10-02 06:27:47 +00:00
2016-10-02 21:55:55 +00:00
for opt in ( u ' ssh_common_args ' , u ' {0} _extra_args ' . format ( binary ) ) :
2015-10-02 14:34:01 +00:00
attr = getattr ( self . _play_context , opt , None )
if attr is not None :
2016-10-02 21:55:55 +00:00
b_args = [ to_bytes ( a , errors = ' surrogate_or_strict ' ) for a in self . _split_ssh_args ( attr ) ]
self . _add_args ( b_command , b_args , u " PlayContext set %s " % opt )
2015-04-15 23:32:44 +00:00
2015-10-02 07:25:48 +00:00
# Check if ControlPersist is enabled and add a ControlPath if one hasn't
2015-09-28 15:41:56 +00:00
# already been set.
2014-11-14 22:14:08 +00:00
2016-10-02 21:55:55 +00:00
controlpersist , controlpath = self . _persistence_controls ( b_command )
2015-06-19 20:30:20 +00:00
2015-09-28 15:41:56 +00:00
if controlpersist :
2015-09-04 04:42:01 +00:00
self . _persistent = True
2014-11-14 22:14:08 +00:00
2015-09-28 15:41:56 +00:00
if not controlpath :
2017-02-01 15:39:40 +00:00
cpdir = unfrackpath ( self . control_path_dir )
2016-10-02 21:55:55 +00:00
b_cpdir = to_bytes ( cpdir , errors = ' surrogate_or_strict ' )
2015-09-28 15:41:56 +00:00
# The directory must exist and be writable.
2016-08-25 17:57:55 +00:00
makedirs_safe ( b_cpdir , 0o700 )
if not os . access ( b_cpdir , os . W_OK ) :
2016-09-07 05:54:17 +00:00
raise AnsibleError ( " Cannot write to ControlPath %s " % to_native ( cpdir ) )
2015-09-28 15:41:56 +00:00
2017-02-01 15:39:40 +00:00
if not self . control_path :
self . control_path = self . _create_control_path (
self . host ,
self . port ,
self . user
)
b_args = ( b " -o " , b " ControlPath= " + to_bytes ( self . control_path % dict ( directory = cpdir ) , errors = ' surrogate_or_strict ' ) )
2016-10-02 21:55:55 +00:00
self . _add_args ( b_command , b_args , u " found only ControlPersist; added ControlPath " )
2015-06-18 03:23:36 +00:00
2016-10-02 21:55:55 +00:00
# Finally, we add any caller-supplied extras.
2015-09-04 04:42:01 +00:00
if other_args :
2016-10-02 21:55:55 +00:00
b_command + = [ to_bytes ( a ) for a in other_args ]
2015-09-02 04:39:32 +00:00
2016-10-02 21:55:55 +00:00
return b_command
2015-06-18 03:23:36 +00:00
2015-12-03 16:01:05 +00:00
def _send_initial_data ( self , fh , in_data ) :
2015-09-28 17:34:02 +00:00
'''
Writes initial data to the stdin filehandle of the subprocess and closes
it . ( The handle must be closed ; otherwise , for example , " sftp -b - " will
just hang forever waiting for more commands . )
'''
2015-09-04 04:42:01 +00:00
2015-11-11 15:10:14 +00:00
display . debug ( ' Sending initial data ' )
2015-09-04 04:42:01 +00:00
2015-09-28 17:34:02 +00:00
try :
2016-08-25 17:57:55 +00:00
fh . write ( to_bytes ( in_data ) )
2015-09-28 17:34:02 +00:00
fh . close ( )
except ( OSError , IOError ) :
2017-01-30 16:16:13 +00:00
raise AnsibleConnectionFailure ( ' SSH Error: data could not be sent to remote host " %s " . Make sure this host can be reached over ssh ' % self . host )
2015-09-04 04:42:01 +00:00
2015-11-11 15:10:14 +00:00
display . debug ( ' Sent initial data ( %d bytes) ' % len ( in_data ) )
2014-11-14 22:14:08 +00:00
2015-09-28 17:34:02 +00:00
# Used by _run() to kill processes on failures
@staticmethod
def _terminate_process ( p ) :
""" Terminate a process, ignoring errors """
try :
p . terminate ( )
except ( OSError , IOError ) :
pass
2014-11-14 22:14:08 +00:00
2015-09-28 17:34:02 +00:00
# This is separate from _run() because we need to do the same thing for stdout
# and stderr.
2016-08-25 17:57:55 +00:00
def _examine_output ( self , source , state , b_chunk , sudoable ) :
2015-09-28 17:34:02 +00:00
'''
Takes a string , extracts complete lines from it , tests to see if they
are a prompt , error message , etc . , and sets appropriate flags in self .
Prompt and success lines are removed .
2014-11-14 22:14:08 +00:00
2015-09-28 17:34:02 +00:00
Returns the processed ( i . e . possibly - edited ) output and the unprocessed
remainder ( to be processed with the next chunk ) as strings .
'''
2015-06-15 02:35:53 +00:00
2015-09-28 17:34:02 +00:00
output = [ ]
2016-08-25 17:57:55 +00:00
for b_line in b_chunk . splitlines ( True ) :
2016-09-07 05:54:17 +00:00
display_line = to_text ( b_line ) . rstrip ( ' \r \n ' )
2015-09-28 17:34:02 +00:00
suppress_output = False
2014-11-14 22:14:08 +00:00
2016-08-25 17:57:55 +00:00
#display.debug("Examining line (source=%s, state=%s): '%s'" % (source, state, display_line))
if self . _play_context . prompt and self . check_password_prompt ( b_line ) :
display . debug ( " become_prompt: (source= %s , state= %s ): ' %s ' " % ( source , state , display_line ) )
2015-09-28 17:34:02 +00:00
self . _flags [ ' become_prompt ' ] = True
suppress_output = True
2016-08-25 17:57:55 +00:00
elif self . _play_context . success_key and self . check_become_success ( b_line ) :
display . debug ( " become_success: (source= %s , state= %s ): ' %s ' " % ( source , state , display_line ) )
2015-09-28 17:34:02 +00:00
self . _flags [ ' become_success ' ] = True
suppress_output = True
2016-08-25 17:57:55 +00:00
elif sudoable and self . check_incorrect_password ( b_line ) :
display . debug ( " become_error: (source= %s , state= %s ): ' %s ' " % ( source , state , display_line ) )
2015-09-28 17:34:02 +00:00
self . _flags [ ' become_error ' ] = True
2016-08-25 17:57:55 +00:00
elif sudoable and self . check_missing_password ( b_line ) :
display . debug ( " become_nopasswd_error: (source= %s , state= %s ): ' %s ' " % ( source , state , display_line ) )
2015-09-28 17:34:02 +00:00
self . _flags [ ' become_nopasswd_error ' ] = True
2015-09-04 04:42:01 +00:00
2015-09-28 17:34:02 +00:00
if not suppress_output :
2016-08-25 17:57:55 +00:00
output . append ( b_line )
2015-09-04 04:42:01 +00:00
2015-09-28 17:34:02 +00:00
# The chunk we read was most likely a series of complete lines, but just
# in case the last line was incomplete (and not a prompt, which we would
# have removed from the output), we retain it to be processed with the
# next chunk.
2015-09-04 04:42:01 +00:00
2016-08-25 17:57:55 +00:00
remainder = b ' '
if output and not output [ - 1 ] . endswith ( b ' \n ' ) :
2015-09-28 17:34:02 +00:00
remainder = output [ - 1 ]
output = output [ : - 1 ]
2015-09-04 04:42:01 +00:00
2016-08-25 17:57:55 +00:00
return b ' ' . join ( output ) , remainder
2015-09-04 04:42:01 +00:00
2016-09-29 21:44:54 +00:00
def _run ( self , cmd , in_data , sudoable = True , checkrc = True ) :
2015-09-04 04:42:01 +00:00
'''
Starts the command and communicates with it until it ends .
'''
2016-11-17 21:18:29 +00:00
display_cmd = list ( map ( shlex_quote , map ( to_text , cmd ) ) )
2016-01-05 03:23:12 +00:00
display . vvv ( u ' SSH: EXEC {0} ' . format ( u ' ' . join ( display_cmd ) ) , host = self . host )
2015-09-04 04:42:01 +00:00
2015-12-03 16:01:05 +00:00
# Start the given command. If we don't need to pipeline data, we can try
# to use a pseudo-tty (ssh will have been invoked with -tt). If we are
# pipelining data, or can't create a pty, we fall back to using plain
# old pipes.
2015-09-04 04:42:01 +00:00
2015-12-03 16:01:05 +00:00
p = None
2016-01-05 03:23:12 +00:00
if isinstance ( cmd , ( text_type , binary_type ) ) :
cmd = to_bytes ( cmd )
else :
2016-03-09 19:17:10 +00:00
cmd = list ( map ( to_bytes , cmd ) )
2016-01-05 03:23:12 +00:00
2015-12-03 16:01:05 +00:00
if not in_data :
try :
# Make sure stdin is a proper pty to avoid tcgetattr errors
master , slave = pty . openpty ( )
2016-10-02 22:04:38 +00:00
if PY3 and self . _play_context . password :
p = subprocess . Popen ( cmd , stdin = slave , stdout = subprocess . PIPE , stderr = subprocess . PIPE , pass_fds = self . sshpass_pipe )
else :
p = subprocess . Popen ( cmd , stdin = slave , stdout = subprocess . PIPE , stderr = subprocess . PIPE )
2016-08-25 17:57:55 +00:00
stdin = os . fdopen ( master , ' wb ' , 0 )
2015-12-03 16:01:05 +00:00
os . close ( slave )
except ( OSError , IOError ) :
p = None
if not p :
2016-10-02 22:04:38 +00:00
if PY3 and self . _play_context . password :
p = subprocess . Popen ( cmd , stdin = subprocess . PIPE , stdout = subprocess . PIPE , stderr = subprocess . PIPE , pass_fds = self . sshpass_pipe )
else :
p = subprocess . Popen ( cmd , stdin = subprocess . PIPE , stdout = subprocess . PIPE , stderr = subprocess . PIPE )
2015-12-03 16:01:05 +00:00
stdin = p . stdin
2015-09-04 04:42:01 +00:00
2015-09-06 13:00:39 +00:00
# If we are using SSH password authentication, write the password into
# the pipe we opened in _build_command.
2015-09-04 04:42:01 +00:00
if self . _play_context . password :
os . close ( self . sshpass_pipe [ 0 ] )
2016-06-30 23:39:30 +00:00
try :
2016-08-25 17:57:55 +00:00
os . write ( self . sshpass_pipe [ 1 ] , to_bytes ( self . _play_context . password ) + b ' \n ' )
2016-06-30 23:39:30 +00:00
except OSError as e :
# Ignore broken pipe errors if the sshpass process has exited.
if e . errno != errno . EPIPE or p . poll ( ) is None :
raise
2015-09-04 04:42:01 +00:00
os . close ( self . sshpass_pipe [ 1 ] )
#
2016-10-02 21:55:55 +00:00
# SSH state machine
#
2015-09-06 13:00:39 +00:00
# Now we read and accumulate output from the running process until it
# exits. Depending on the circumstances, we may also need to write an
# escalation password and/or pipelined input to the process.
states = [
' awaiting_prompt ' , ' awaiting_escalation ' , ' ready_to_send ' , ' awaiting_exit '
]
# Are we requesting privilege escalation? Right now, we may be invoked
# to execute sftp/scp with sudoable=True, but we can request escalation
# only when using ssh. Otherwise we can send initial data straightaway.
state = states . index ( ' ready_to_send ' )
2016-01-05 03:23:12 +00:00
if b ' ssh ' in cmd :
2015-09-06 13:00:39 +00:00
if self . _play_context . prompt :
# We're requesting escalation with a password, so we have to
# wait for a password prompt.
state = states . index ( ' awaiting_prompt ' )
2016-08-25 17:57:55 +00:00
display . debug ( u ' Initial state: %s : %s ' % ( states [ state ] , self . _play_context . prompt ) )
2015-11-24 17:00:37 +00:00
elif self . _play_context . become and self . _play_context . success_key :
2015-09-06 13:00:39 +00:00
# We're requesting escalation without a password, so we have to
# detect success/failure before sending any initial data.
state = states . index ( ' awaiting_escalation ' )
2016-08-25 17:57:55 +00:00
display . debug ( u ' Initial state: %s : %s ' % ( states [ state ] , self . _play_context . success_key ) )
2015-09-06 13:00:39 +00:00
# We store accumulated stdout and stderr output from the process here,
# but strip any privilege escalation prompt/confirmation lines first.
# Output is accumulated into tmp_*, complete lines are extracted into
# an array, then checked and removed or copied to stdout or stderr. We
# set any flags based on examining the output in self._flags.
2015-09-04 04:42:01 +00:00
2016-08-25 17:57:55 +00:00
b_stdout = b_stderr = b ' '
b_tmp_stdout = b_tmp_stderr = b ' '
2015-09-04 13:30:31 +00:00
2015-09-06 13:00:39 +00:00
self . _flags = dict (
become_prompt = False , become_success = False ,
become_error = False , become_nopasswd_error = False
)
2015-09-04 13:30:31 +00:00
2015-11-13 03:48:20 +00:00
# select timeout should be longer than the connect timeout, otherwise
# they will race each other when we can't connect, and the connect
# timeout usually fails
timeout = 2 + self . _play_context . timeout
2015-09-06 13:00:39 +00:00
rpipes = [ p . stdout , p . stderr ]
for fd in rpipes :
fcntl . fcntl ( fd , fcntl . F_SETFL , fcntl . fcntl ( fd , fcntl . F_GETFL ) | os . O_NONBLOCK )
2015-09-04 13:30:31 +00:00
2015-09-23 14:39:50 +00:00
# If we can send initial data without waiting for anything, we do so
# before we call select.
if states [ state ] == ' ready_to_send ' and in_data :
2015-12-03 16:01:05 +00:00
self . _send_initial_data ( stdin , in_data )
2015-09-23 14:39:50 +00:00
state + = 1
2015-09-06 13:00:39 +00:00
while True :
Clarify select() handling for ssh connections
This change is motivated by an ssh oddity: when ControlPersist is
enabled, the first (i.e. master) connection goes into the background; we
see EOF on its stdout and the process exits, but we never see EOF on its
stderr. So if we ran a command like this:
ANSIBLE_SSH_PIPELINING=1 ansible -T 30 -vvv somehost -u someuser -m command -a whoami
We would first do select([stdout,stderr], timeout) and read the command
module output, then select([stdout,stderr], timeout) again and read EOF
on stdout, then select([stderr], timeout) AGAIN (though the process has
exited), and select() would wait for the full timeout before returning
rfd=[], and then we would exit. The use of a very short timeout in the
code masked the underlying problem (that we don't see EOF on stderr).
It's always preferable to call select() with a long timeout so that the
process doesn't use any CPU until one of the events it's interested in
happens (and then select will return independent of elapsed time).
(A long timeout value means "if nothing happens, sleep for up to <x>";
omitting the timeout value means "if nothing happens, sleep forever";
specifying a zero timeout means "don't sleep at all", i.e. poll for
events and return immediately.)
This commit uses a long timeout, but explicitly detects the condition
where we've seen EOF on stdout and the process has exited, but we have
not seen EOF on stderr. If and only if that happens, it reruns select()
with a short timeout (in practice it could just exit at that point, but
I chose to be extra cautious). As a result, we end up calling select()
far less often, and use less CPU while waiting, but don't sleep for a
long time waiting for something that will never happen.
Note that we don't omit the timeout to select() altogether because if
we're waiting for an escalation prompt, we DO want to give up with an
error after some time. We also don't set exceptfds, because we're not
actually acting on any notifications of exceptional conditions.
2015-09-24 03:27:35 +00:00
rfd , wfd , efd = select . select ( rpipes , [ ] , [ ] , timeout )
2015-06-18 03:23:36 +00:00
2015-09-06 13:00:39 +00:00
# We pay attention to timeouts only while negotiating a prompt.
2015-09-04 04:42:01 +00:00
2015-09-06 13:00:39 +00:00
if not rfd :
if state < = states . index ( ' awaiting_escalation ' ) :
2015-11-13 14:40:08 +00:00
# If the process has already exited, then it's not really a
# timeout; we'll let the normal error handling deal with it.
if p . poll ( ) is not None :
break
2015-09-06 13:00:39 +00:00
self . _terminate_process ( p )
2016-09-07 05:54:17 +00:00
raise AnsibleError ( ' Timeout ( %d s) waiting for privilege escalation prompt: %s ' % ( timeout , to_native ( b_stdout ) ) )
2015-09-04 04:42:01 +00:00
2015-09-06 13:00:39 +00:00
# Read whatever output is available on stdout and stderr, and stop
# listening to the pipe if it's been closed.
2015-09-04 04:42:01 +00:00
2015-09-23 17:02:15 +00:00
if p . stdout in rfd :
2016-08-25 17:57:55 +00:00
b_chunk = p . stdout . read ( )
if b_chunk == b ' ' :
2015-09-06 13:00:39 +00:00
rpipes . remove ( p . stdout )
2016-10-27 19:36:56 +00:00
# When ssh has ControlMaster (+ControlPath/Persist) enabled, the
# first connection goes into the background and we never see EOF
# on stderr. If we see EOF on stdout, lower the select timeout
# to reduce the time wasted selecting on stderr if we observe
# that the process has not yet existed after this EOF. Otherwise
# we may spend a long timeout period waiting for an EOF that is
# not going to arrive until the persisted connection closes.
timeout = 1
2016-08-25 17:57:55 +00:00
b_tmp_stdout + = b_chunk
2016-09-07 05:54:17 +00:00
display . debug ( " stdout chunk (state= %s ): \n >>> %s <<< \n " % ( state , to_text ( b_chunk ) ) )
2015-09-04 04:42:01 +00:00
2015-09-23 17:02:15 +00:00
if p . stderr in rfd :
2016-08-25 17:57:55 +00:00
b_chunk = p . stderr . read ( )
if b_chunk == b ' ' :
2015-09-06 13:00:39 +00:00
rpipes . remove ( p . stderr )
2016-08-25 17:57:55 +00:00
b_tmp_stderr + = b_chunk
2016-09-07 05:54:17 +00:00
display . debug ( " stderr chunk (state= %s ): \n >>> %s <<< \n " % ( state , to_text ( b_chunk ) ) )
2015-09-06 13:00:39 +00:00
# We examine the output line-by-line until we have negotiated any
# privilege escalation prompt and subsequent success/error message.
# Afterwards, we can accumulate output without looking at it.
if state < states . index ( ' ready_to_send ' ) :
2016-08-25 17:57:55 +00:00
if b_tmp_stdout :
b_output , b_unprocessed = self . _examine_output ( ' stdout ' , states [ state ] , b_tmp_stdout , sudoable )
b_stdout + = b_output
b_tmp_stdout = b_unprocessed
if b_tmp_stderr :
b_output , b_unprocessed = self . _examine_output ( ' stderr ' , states [ state ] , b_tmp_stderr , sudoable )
b_stderr + = b_output
b_tmp_stderr = b_unprocessed
2015-09-06 13:00:39 +00:00
else :
2016-08-25 17:57:55 +00:00
b_stdout + = b_tmp_stdout
b_stderr + = b_tmp_stderr
b_tmp_stdout = b_tmp_stderr = b ' '
2015-09-04 04:42:01 +00:00
2015-09-06 13:00:39 +00:00
# If we see a privilege escalation prompt, we send the password.
2015-11-25 15:37:17 +00:00
# (If we're expecting a prompt but the escalation succeeds, we
# didn't need the password and can carry on regardless.)
if states [ state ] == ' awaiting_prompt ' :
if self . _flags [ ' become_prompt ' ] :
display . debug ( ' Sending become_pass in response to prompt ' )
2016-08-25 17:57:55 +00:00
stdin . write ( to_bytes ( self . _play_context . become_pass ) + b ' \n ' )
2015-11-25 15:37:17 +00:00
self . _flags [ ' become_prompt ' ] = False
state + = 1
elif self . _flags [ ' become_success ' ] :
state + = 1
2015-09-06 13:00:39 +00:00
# We've requested escalation (with or without a password), now we
# wait for an error message or a successful escalation.
if states [ state ] == ' awaiting_escalation ' :
if self . _flags [ ' become_success ' ] :
2015-11-11 15:10:14 +00:00
display . debug ( ' Escalation succeeded ' )
2015-09-06 13:00:39 +00:00
self . _flags [ ' become_success ' ] = False
state + = 1
elif self . _flags [ ' become_error ' ] :
2015-11-11 15:10:14 +00:00
display . debug ( ' Escalation failed ' )
2015-09-06 13:00:39 +00:00
self . _terminate_process ( p )
self . _flags [ ' become_error ' ] = False
raise AnsibleError ( ' Incorrect %s password ' % self . _play_context . become_method )
elif self . _flags [ ' become_nopasswd_error ' ] :
2015-11-11 15:10:14 +00:00
display . debug ( ' Escalation requires password ' )
2015-09-06 13:00:39 +00:00
self . _terminate_process ( p )
self . _flags [ ' become_nopasswd_error ' ] = False
2015-09-04 04:42:01 +00:00
raise AnsibleError ( ' Missing %s password ' % self . _play_context . become_method )
2015-09-06 13:00:39 +00:00
elif self . _flags [ ' become_prompt ' ] :
# This shouldn't happen, because we should see the "Sorry,
# try again" message first.
2015-11-11 15:10:14 +00:00
display . debug ( ' Escalation prompt repeated ' )
2015-09-06 13:00:39 +00:00
self . _terminate_process ( p )
self . _flags [ ' become_prompt ' ] = False
raise AnsibleError ( ' Incorrect %s password ' % self . _play_context . become_method )
# Once we're sure that the privilege escalation prompt, if any, has
# been dealt with, we can send any initial data and start waiting
2015-09-23 14:39:50 +00:00
# for output.
2015-09-06 13:00:39 +00:00
if states [ state ] == ' ready_to_send ' :
if in_data :
2015-12-03 16:01:05 +00:00
self . _send_initial_data ( stdin , in_data )
2015-09-06 13:00:39 +00:00
state + = 1
Clarify select() handling for ssh connections
This change is motivated by an ssh oddity: when ControlPersist is
enabled, the first (i.e. master) connection goes into the background; we
see EOF on its stdout and the process exits, but we never see EOF on its
stderr. So if we ran a command like this:
ANSIBLE_SSH_PIPELINING=1 ansible -T 30 -vvv somehost -u someuser -m command -a whoami
We would first do select([stdout,stderr], timeout) and read the command
module output, then select([stdout,stderr], timeout) again and read EOF
on stdout, then select([stderr], timeout) AGAIN (though the process has
exited), and select() would wait for the full timeout before returning
rfd=[], and then we would exit. The use of a very short timeout in the
code masked the underlying problem (that we don't see EOF on stderr).
It's always preferable to call select() with a long timeout so that the
process doesn't use any CPU until one of the events it's interested in
happens (and then select will return independent of elapsed time).
(A long timeout value means "if nothing happens, sleep for up to <x>";
omitting the timeout value means "if nothing happens, sleep forever";
specifying a zero timeout means "don't sleep at all", i.e. poll for
events and return immediately.)
This commit uses a long timeout, but explicitly detects the condition
where we've seen EOF on stdout and the process has exited, but we have
not seen EOF on stderr. If and only if that happens, it reruns select()
with a short timeout (in practice it could just exit at that point, but
I chose to be extra cautious). As a result, we end up calling select()
far less often, and use less CPU while waiting, but don't sleep for a
long time waiting for something that will never happen.
Note that we don't omit the timeout to select() altogether because if
we're waiting for an escalation prompt, we DO want to give up with an
error after some time. We also don't set exceptfds, because we're not
actually acting on any notifications of exceptional conditions.
2015-09-24 03:27:35 +00:00
# Now we're awaiting_exit: has the child process exited? If it has,
# and we've read all available output from it, we're done.
2015-09-06 13:00:39 +00:00
Clarify select() handling for ssh connections
This change is motivated by an ssh oddity: when ControlPersist is
enabled, the first (i.e. master) connection goes into the background; we
see EOF on its stdout and the process exits, but we never see EOF on its
stderr. So if we ran a command like this:
ANSIBLE_SSH_PIPELINING=1 ansible -T 30 -vvv somehost -u someuser -m command -a whoami
We would first do select([stdout,stderr], timeout) and read the command
module output, then select([stdout,stderr], timeout) again and read EOF
on stdout, then select([stderr], timeout) AGAIN (though the process has
exited), and select() would wait for the full timeout before returning
rfd=[], and then we would exit. The use of a very short timeout in the
code masked the underlying problem (that we don't see EOF on stderr).
It's always preferable to call select() with a long timeout so that the
process doesn't use any CPU until one of the events it's interested in
happens (and then select will return independent of elapsed time).
(A long timeout value means "if nothing happens, sleep for up to <x>";
omitting the timeout value means "if nothing happens, sleep forever";
specifying a zero timeout means "don't sleep at all", i.e. poll for
events and return immediately.)
This commit uses a long timeout, but explicitly detects the condition
where we've seen EOF on stdout and the process has exited, but we have
not seen EOF on stderr. If and only if that happens, it reruns select()
with a short timeout (in practice it could just exit at that point, but
I chose to be extra cautious). As a result, we end up calling select()
far less often, and use less CPU while waiting, but don't sleep for a
long time waiting for something that will never happen.
Note that we don't omit the timeout to select() altogether because if
we're waiting for an escalation prompt, we DO want to give up with an
error after some time. We also don't set exceptfds, because we're not
actually acting on any notifications of exceptional conditions.
2015-09-24 03:27:35 +00:00
if p . poll ( ) is not None :
if not rpipes or not rfd :
break
2016-10-27 19:36:56 +00:00
# We should not see further writes to the stdout/stderr file
# descriptors after the process has closed, set the select
# timeout to gather any last writes we may have missed.
timeout = 0
continue
Clarify select() handling for ssh connections
This change is motivated by an ssh oddity: when ControlPersist is
enabled, the first (i.e. master) connection goes into the background; we
see EOF on its stdout and the process exits, but we never see EOF on its
stderr. So if we ran a command like this:
ANSIBLE_SSH_PIPELINING=1 ansible -T 30 -vvv somehost -u someuser -m command -a whoami
We would first do select([stdout,stderr], timeout) and read the command
module output, then select([stdout,stderr], timeout) again and read EOF
on stdout, then select([stderr], timeout) AGAIN (though the process has
exited), and select() would wait for the full timeout before returning
rfd=[], and then we would exit. The use of a very short timeout in the
code masked the underlying problem (that we don't see EOF on stderr).
It's always preferable to call select() with a long timeout so that the
process doesn't use any CPU until one of the events it's interested in
happens (and then select will return independent of elapsed time).
(A long timeout value means "if nothing happens, sleep for up to <x>";
omitting the timeout value means "if nothing happens, sleep forever";
specifying a zero timeout means "don't sleep at all", i.e. poll for
events and return immediately.)
This commit uses a long timeout, but explicitly detects the condition
where we've seen EOF on stdout and the process has exited, but we have
not seen EOF on stderr. If and only if that happens, it reruns select()
with a short timeout (in practice it could just exit at that point, but
I chose to be extra cautious). As a result, we end up calling select()
far less often, and use less CPU while waiting, but don't sleep for a
long time waiting for something that will never happen.
Note that we don't omit the timeout to select() altogether because if
we're waiting for an escalation prompt, we DO want to give up with an
error after some time. We also don't set exceptfds, because we're not
actually acting on any notifications of exceptional conditions.
2015-09-24 03:27:35 +00:00
# If the process has not yet exited, but we've already read EOF from
# its stdout and stderr (and thus removed both from rpipes), we can
# just wait for it to exit.
elif not rpipes :
2015-09-04 04:42:01 +00:00
p . wait ( )
break
2015-04-15 23:32:44 +00:00
Clarify select() handling for ssh connections
This change is motivated by an ssh oddity: when ControlPersist is
enabled, the first (i.e. master) connection goes into the background; we
see EOF on its stdout and the process exits, but we never see EOF on its
stderr. So if we ran a command like this:
ANSIBLE_SSH_PIPELINING=1 ansible -T 30 -vvv somehost -u someuser -m command -a whoami
We would first do select([stdout,stderr], timeout) and read the command
module output, then select([stdout,stderr], timeout) again and read EOF
on stdout, then select([stderr], timeout) AGAIN (though the process has
exited), and select() would wait for the full timeout before returning
rfd=[], and then we would exit. The use of a very short timeout in the
code masked the underlying problem (that we don't see EOF on stderr).
It's always preferable to call select() with a long timeout so that the
process doesn't use any CPU until one of the events it's interested in
happens (and then select will return independent of elapsed time).
(A long timeout value means "if nothing happens, sleep for up to <x>";
omitting the timeout value means "if nothing happens, sleep forever";
specifying a zero timeout means "don't sleep at all", i.e. poll for
events and return immediately.)
This commit uses a long timeout, but explicitly detects the condition
where we've seen EOF on stdout and the process has exited, but we have
not seen EOF on stderr. If and only if that happens, it reruns select()
with a short timeout (in practice it could just exit at that point, but
I chose to be extra cautious). As a result, we end up calling select()
far less often, and use less CPU while waiting, but don't sleep for a
long time waiting for something that will never happen.
Note that we don't omit the timeout to select() altogether because if
we're waiting for an escalation prompt, we DO want to give up with an
error after some time. We also don't set exceptfds, because we're not
actually acting on any notifications of exceptional conditions.
2015-09-24 03:27:35 +00:00
# Otherwise there may still be outstanding data to read.
2015-09-04 04:42:01 +00:00
# close stdin after process is terminated and stdout/stderr are read
# completely (see also issue #848)
stdin . close ( )
2015-06-18 03:23:36 +00:00
2014-11-14 22:14:08 +00:00
if C . HOST_KEY_CHECKING :
2016-01-05 03:23:12 +00:00
if cmd [ 0 ] == b " sshpass " and p . returncode == 6 :
2014-11-14 22:14:08 +00:00
raise AnsibleError ( ' Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this. Please add this host \' s fingerprint to your known_hosts file to manage this host. ' )
2016-08-25 17:57:55 +00:00
controlpersisterror = b ' Bad configuration option: ControlPersist ' in b_stderr or b ' unknown configuration option: ControlPersist ' in b_stderr
2014-11-14 22:14:08 +00:00
if p . returncode != 0 and controlpersisterror :
raise AnsibleError ( ' using -c ssh on certain older ssh versions may not support ControlPersist, set ANSIBLE_SSH_ARGS= " " (or ssh_args in [ssh_connection] section of the config file) before running again ' )
2015-09-06 13:00:39 +00:00
2016-09-29 21:44:54 +00:00
if p . returncode == 255 and in_data and checkrc :
2017-01-30 16:16:13 +00:00
raise AnsibleConnectionFailure ( ' SSH Error: data could not be sent to remote host " %s " . Make sure this host can be reached over ssh ' % self . host )
2014-11-14 22:14:08 +00:00
2016-08-25 17:57:55 +00:00
return ( p . returncode , b_stdout , b_stderr )
2015-09-06 13:00:39 +00:00
2015-09-28 17:34:02 +00:00
def _exec_command ( self , cmd , in_data = None , sudoable = True ) :
''' run a command on the remote host '''
2015-09-23 14:39:50 +00:00
2015-09-28 17:34:02 +00:00
super ( Connection , self ) . exec_command ( cmd , in_data = in_data , sudoable = sudoable )
2015-09-23 14:39:50 +00:00
2016-01-06 23:18:22 +00:00
display . vvv ( u " ESTABLISH SSH CONNECTION FOR USER: {0} " . format ( self . _play_context . remote_user ) , host = self . _play_context . remote_addr )
2015-09-23 14:39:50 +00:00
2016-09-07 21:13:11 +00:00
2015-12-03 16:01:05 +00:00
# we can only use tty when we are not pipelining the modules. piping
# data into /usr/bin/python inside a tty automatically invokes the
# python interactive-mode but the modules are not compatible with the
# interactive-mode ("unexpected indent" mainly because of empty lines)
2016-04-12 03:19:12 +00:00
if not in_data and sudoable :
2017-02-01 22:20:22 +00:00
args = ( ' ssh ' , ' -tt ' , self . host , cmd )
2015-12-03 16:01:05 +00:00
else :
2017-02-01 22:20:22 +00:00
args = ( ' ssh ' , self . host , cmd )
2015-09-06 13:00:39 +00:00
2016-04-12 03:19:12 +00:00
cmd = self . _build_command ( * args )
2015-12-03 16:01:05 +00:00
( returncode , stdout , stderr ) = self . _run ( cmd , in_data , sudoable = sudoable )
2015-09-06 13:00:39 +00:00
2015-09-28 17:34:02 +00:00
return ( returncode , stdout , stderr )
2015-09-06 13:00:39 +00:00
2016-10-21 13:59:56 +00:00
def _file_transport_command ( self , in_path , out_path , sftp_action ) :
# scp and sftp require square brackets for IPv6 addresses, but
# accept them for hostnames and IPv4 addresses too.
host = ' [ %s ] ' % self . host
2016-11-28 02:52:31 +00:00
# Transfer methods to try
methods = [ ]
# Use the transfer_method option if set, otherwise use scp_if_ssh
ssh_transfer_method = self . _play_context . ssh_transfer_method
if ssh_transfer_method is not None :
if not ( ssh_transfer_method in ( ' smart ' , ' sftp ' , ' scp ' , ' piped ' ) ) :
raise AnsibleOptionsError ( ' transfer_method needs to be one of [smart|sftp|scp|piped] ' )
if ssh_transfer_method == ' smart ' :
methods = [ ' sftp ' , ' scp ' , ' piped ' ]
else :
methods = [ ssh_transfer_method ]
else :
# since this can be a non-bool now, we need to handle it correctly
scp_if_ssh = C . DEFAULT_SCP_IF_SSH
if not isinstance ( scp_if_ssh , bool ) :
scp_if_ssh = scp_if_ssh . lower ( )
if scp_if_ssh in BOOLEANS :
scp_if_ssh = boolean ( scp_if_ssh )
elif scp_if_ssh != ' smart ' :
raise AnsibleOptionsError ( ' scp_if_ssh needs to be one of [smart|True|False] ' )
if scp_if_ssh == ' smart ' :
methods = [ ' sftp ' , ' scp ' , ' piped ' ]
elif scp_if_ssh == True :
methods = [ ' scp ' ]
else :
methods = [ ' sftp ' ]
2016-10-21 13:59:56 +00:00
success = False
res = None
for method in methods :
2016-11-28 02:52:31 +00:00
returncode = stdout = stderr = None
2016-10-21 13:59:56 +00:00
if method == ' sftp ' :
cmd = self . _build_command ( ' sftp ' , to_bytes ( host ) )
2016-11-17 21:18:29 +00:00
in_data = u " {0} {1} {2} \n " . format ( sftp_action , shlex_quote ( in_path ) , shlex_quote ( out_path ) )
2016-11-28 02:52:31 +00:00
in_data = to_bytes ( in_data , nonstring = ' passthru ' )
( returncode , stdout , stderr ) = self . _run ( cmd , in_data , checkrc = False )
2016-10-21 13:59:56 +00:00
elif method == ' scp ' :
2016-11-26 22:55:38 +00:00
if sftp_action == ' get ' :
2016-12-01 04:10:49 +00:00
cmd = self . _build_command ( ' scp ' , u ' {0} : {1} ' . format ( host , shlex_quote ( in_path ) ) , out_path )
2016-11-26 22:55:38 +00:00
else :
cmd = self . _build_command ( ' scp ' , in_path , u ' {0} : {1} ' . format ( host , shlex_quote ( out_path ) ) )
2016-10-21 13:59:56 +00:00
in_data = None
2016-11-28 02:52:31 +00:00
( returncode , stdout , stderr ) = self . _run ( cmd , in_data , checkrc = False )
elif method == ' piped ' :
if sftp_action == ' get ' :
# we pass sudoable=False to disable pty allocation, which
# would end up mixing stdout/stderr and screwing with newlines
( returncode , stdout , stderr ) = self . _exec_command ( ' dd if= %s bs= %s ' % ( in_path , BUFSIZE ) , sudoable = False )
out_file = open ( to_bytes ( out_path , errors = ' surrogate_or_strict ' ) , ' wb+ ' )
out_file . write ( stdout )
out_file . close ( )
else :
in_data = open ( to_bytes ( in_path , errors = ' surrogate_or_strict ' ) , ' rb ' ) . read ( )
in_data = to_bytes ( in_data , nonstring = ' passthru ' )
( returncode , stdout , stderr ) = self . _exec_command ( ' dd of= %s bs= %s ' % ( out_path , BUFSIZE ) , in_data = in_data )
2016-10-21 13:59:56 +00:00
# Check the return code and rollover to next method if failed
if returncode == 0 :
success = True
break
else :
# If not in smart mode, the data will be printed by the raise below
2016-11-28 02:52:31 +00:00
if len ( methods ) > 1 :
2016-10-21 13:59:56 +00:00
display . warning ( msg = ' %s transfer mechanism failed on %s . Use ANSIBLE_DEBUG=1 to see detailed information ' % ( method , host ) )
display . debug ( msg = ' %s ' % to_native ( stdout ) )
display . debug ( msg = ' %s ' % to_native ( stderr ) )
res = ( returncode , stdout , stderr )
if not success :
2017-01-19 03:20:46 +00:00
raise AnsibleError ( " failed to transfer file {0} to {1} : \n {2} \n {3} " \
. format ( to_native ( in_path ) , to_native ( out_path ) , to_native ( res [ 1 ] ) , to_native ( res [ 2 ] ) ) )
2016-10-21 13:59:56 +00:00
2015-09-28 17:34:02 +00:00
#
# Main public methods
#
def exec_command ( self , * args , * * kwargs ) :
"""
Wrapper around _exec_command to retry in the case of an ssh failure
2015-09-06 13:00:39 +00:00
2015-09-28 17:34:02 +00:00
Will retry if :
* an exception is caught
* ssh returns 255
Will not retry if
* remaining_tries is < 2
* retries limit reached
"""
2015-09-06 13:00:39 +00:00
2015-09-28 17:34:02 +00:00
remaining_tries = int ( C . ANSIBLE_SSH_RETRIES ) + 1
cmd_summary = " %s ... " % args [ 0 ]
2016-03-09 19:17:10 +00:00
for attempt in range ( remaining_tries ) :
2015-09-28 17:34:02 +00:00
try :
return_tuple = self . _exec_command ( * args , * * kwargs )
# 0 = success
# 1-254 = remote command return code
# 255 = failure from the ssh command itself
2016-03-08 19:49:18 +00:00
if return_tuple [ 0 ] != 255 :
2015-09-28 17:34:02 +00:00
break
else :
2016-09-29 21:19:17 +00:00
raise AnsibleConnectionFailure ( " Failed to connect to the host via ssh: %s " % to_native ( return_tuple [ 2 ] ) )
2015-09-28 17:34:02 +00:00
except ( AnsibleConnectionFailure , Exception ) as e :
if attempt == remaining_tries - 1 :
2016-01-05 03:23:12 +00:00
raise
2015-09-28 17:34:02 +00:00
else :
pause = 2 * * attempt - 1
if pause > 30 :
pause = 30
2015-09-06 13:00:39 +00:00
2015-09-28 17:34:02 +00:00
if isinstance ( e , AnsibleConnectionFailure ) :
msg = " ssh_retry: attempt: %d , ssh return code is 255. cmd ( %s ), pausing for %d seconds " % ( attempt , cmd_summary , pause )
else :
msg = " ssh_retry: attempt: %d , caught exception( %s ) from cmd ( %s ), pausing for %d seconds " % ( attempt , e , cmd_summary , pause )
2015-09-06 13:00:39 +00:00
2016-03-26 00:22:48 +00:00
display . vv ( msg , host = self . host )
2015-09-06 13:00:39 +00:00
2015-09-28 17:34:02 +00:00
time . sleep ( pause )
continue
2015-06-04 18:27:18 +00:00
2015-09-28 17:34:02 +00:00
return return_tuple
2014-11-14 22:14:08 +00:00
2015-09-28 17:34:02 +00:00
def put_file ( self , in_path , out_path ) :
''' transfer a file from local to remote '''
2015-09-28 15:28:30 +00:00
2015-09-28 17:34:02 +00:00
super ( Connection , self ) . put_file ( in_path , out_path )
2015-09-28 15:28:30 +00:00
2016-01-06 23:18:22 +00:00
display . vvv ( u " PUT {0} TO {1} " . format ( in_path , out_path ) , host = self . host )
2016-09-07 05:54:17 +00:00
if not os . path . exists ( to_bytes ( in_path , errors = ' surrogate_or_strict ' ) ) :
raise AnsibleFileNotFound ( " file or module does not exist: {0} " . format ( to_native ( in_path ) ) )
2015-09-28 15:28:30 +00:00
2016-10-21 13:59:56 +00:00
self . _file_transport_command ( in_path , out_path , ' put ' )
2015-09-28 15:41:56 +00:00
2015-09-28 17:34:02 +00:00
def fetch_file ( self , in_path , out_path ) :
''' fetch a file from remote to local '''
2015-09-28 15:41:56 +00:00
2015-09-28 17:34:02 +00:00
super ( Connection , self ) . fetch_file ( in_path , out_path )
2015-09-06 13:00:39 +00:00
2016-01-06 23:18:22 +00:00
display . vvv ( u " FETCH {0} TO {1} " . format ( in_path , out_path ) , host = self . host )
2016-10-21 13:59:56 +00:00
self . _file_transport_command ( in_path , out_path , ' get ' )
2015-09-28 17:34:02 +00:00
def close ( self ) :
# If we have a persistent ssh connection (ControlPersist), we can ask it
# to stop listening. Otherwise, there's nothing to do here.
# TODO: reenable once winrm issues are fixed
# temporarily disabled as we are forced to currently close connections after every task because of winrm
# if self._connected and self._persistent:
2016-09-07 21:13:11 +00:00
# ssh_executable = self._play_context.ssh_executable
2017-02-01 22:20:22 +00:00
# cmd = self._build_command('ssh', '-O', 'stop', self.host)
2016-01-05 03:23:12 +00:00
#
# cmd = map(to_bytes, cmd)
2015-09-28 17:34:02 +00:00
# p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
# stdout, stderr = p.communicate()
self . _connected = False
