2012-03-10 18:35:46 +00:00
|
|
|
# (c) 2012, Michael DeHaan <michael.dehaan@gmail.com>
|
|
|
|
|
#
|
|
|
|
|
# This file is part of Ansible
|
|
|
|
|
#
|
|
|
|
|
# Ansible is free software: you can redistribute it and/or modify
|
|
|
|
|
# it under the terms of the GNU General Public License as published by
|
|
|
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
# (at your option) any later version.
|
|
|
|
|
#
|
|
|
|
|
# Ansible is distributed in the hope that it will be useful,
|
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
|
#
|
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
|
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
################################################
|
|
|
|
|
|
2012-04-12 00:20:55 +00:00
|
|
|
import warnings
|
2012-03-29 02:51:16 +00:00
|
|
|
import traceback
|
2012-03-13 00:53:10 +00:00
|
|
|
import os
|
2012-03-29 02:51:16 +00:00
|
|
|
import time
|
2012-04-06 23:38:27 +00:00
|
|
|
import re
|
|
|
|
|
import shutil
|
|
|
|
|
import subprocess
|
More robust remote sudo.
The basic idea is sudo /bin/sh -c 'quoted_command'. We use Paramiko's low-level API to set a timeout, get a pseudo tty, execute sudo and the (shell quoted) command atomically, wait just until sudo is ready to accept the password before sending it down the pipe, and then return the command's stdout and stderr.
This should be faster, as there are no unneeded sleeps. There are no permissions issues reading the output. It will raise socket.timeout if the command takes too long. However, this is a per-read timeout, not a total execution timeout, so as long as the command is writing output and you are reading it, it will not time out.
Local and non-sudo commands remain unchanged, but should probably adopt a similar approach.
Since this is a significant change, it needs a lot of testing. Also, someone smarter than I should double-check the quoting and execution, since it is a security issue.
2012-04-23 20:32:08 +00:00
|
|
|
import pipes
|
|
|
|
|
|
2012-03-18 21:16:12 +00:00
|
|
|
from ansible import errors
|
More robust remote sudo.
The basic idea is sudo /bin/sh -c 'quoted_command'. We use Paramiko's low-level API to set a timeout, get a pseudo tty, execute sudo and the (shell quoted) command atomically, wait just until sudo is ready to accept the password before sending it down the pipe, and then return the command's stdout and stderr.
This should be faster, as there are no unneeded sleeps. There are no permissions issues reading the output. It will raise socket.timeout if the command takes too long. However, this is a per-read timeout, not a total execution timeout, so as long as the command is writing output and you are reading it, it will not time out.
Local and non-sudo commands remain unchanged, but should probably adopt a similar approach.
Since this is a significant change, it needs a lot of testing. Also, someone smarter than I should double-check the quoting and execution, since it is a security issue.
2012-04-23 20:32:08 +00:00
|
|
|
# prevent paramiko warning noise
|
|
|
|
|
# see http://stackoverflow.com/questions/3920502/
|
|
|
|
|
with warnings.catch_warnings():
|
|
|
|
|
warnings.simplefilter("ignore")
|
|
|
|
|
import paramiko
|
|
|
|
|
|
2012-03-18 21:16:12 +00:00
|
|
|
|
2012-03-10 18:35:46 +00:00
|
|
|
################################################
|
|
|
|
|
|
2012-04-23 01:48:42 +00:00
|
|
|
|
|
|
|
|
|
2012-03-10 18:35:46 +00:00
|
|
|
class Connection(object):
|
|
|
|
|
''' Handles abstract connections to remote hosts '''
|
|
|
|
|
|
2012-04-06 23:38:27 +00:00
|
|
|
_LOCALHOSTRE = re.compile(r"^(127.0.0.1|localhost|%s)$" % os.uname()[1])
|
|
|
|
|
|
2012-03-10 18:35:46 +00:00
|
|
|
def __init__(self, runner, transport):
|
|
|
|
|
self.runner = runner
|
|
|
|
|
self.transport = transport
|
|
|
|
|
|
2012-04-17 01:52:15 +00:00
|
|
|
def connect(self, host, port=None):
|
2012-03-10 18:35:46 +00:00
|
|
|
conn = None
|
2012-04-10 20:20:03 +00:00
|
|
|
if self.transport == 'local' and self._LOCALHOSTRE.search(host):
|
2012-04-17 01:52:15 +00:00
|
|
|
conn = LocalConnection(self.runner, host, None)
|
2012-04-06 23:38:27 +00:00
|
|
|
elif self.transport == 'paramiko':
|
2012-04-17 01:52:15 +00:00
|
|
|
conn = ParamikoConnection(self.runner, host, port)
|
2012-03-10 18:35:46 +00:00
|
|
|
if conn is None:
|
|
|
|
|
raise Exception("unsupported connection type")
|
|
|
|
|
return conn.connect()
|
|
|
|
|
|
|
|
|
|
################################################
|
|
|
|
|
# want to implement another connection type?
|
|
|
|
|
# follow duck-typing of ParamikoConnection
|
|
|
|
|
# you may wish to read config files in __init__
|
|
|
|
|
# if you have any. Paramiko does not need any.
|
|
|
|
|
|
|
|
|
|
class ParamikoConnection(object):
|
|
|
|
|
''' SSH based connections with Paramiko '''
|
|
|
|
|
|
2012-04-17 01:52:15 +00:00
|
|
|
def __init__(self, runner, host, port=None):
|
2012-03-10 18:35:46 +00:00
|
|
|
self.ssh = None
|
|
|
|
|
self.runner = runner
|
|
|
|
|
self.host = host
|
2012-04-17 01:52:15 +00:00
|
|
|
self.port = port
|
|
|
|
|
if port is None:
|
|
|
|
|
self.port = self.runner.remote_port
|
2012-03-10 18:35:46 +00:00
|
|
|
|
2012-03-29 02:51:16 +00:00
|
|
|
def _get_conn(self):
|
2012-04-23 06:32:57 +00:00
|
|
|
credentials = {}
|
2012-04-23 01:48:42 +00:00
|
|
|
user = self.runner.remote_user
|
|
|
|
|
keypair = None
|
|
|
|
|
|
|
|
|
|
# Read file ~/.ssh/config, get data hostname, keyfile, port, etc
|
|
|
|
|
# This overrides the ansible defined username,hostname and port
|
|
|
|
|
try:
|
|
|
|
|
ssh_config = paramiko.SSHConfig()
|
|
|
|
|
config_file = ('~/.ssh/config')
|
2012-04-23 06:32:57 +00:00
|
|
|
if os.path.exists(os.path.expanduser(config_file)):
|
|
|
|
|
ssh_config.parse(open(os.path.expanduser(config_file)))
|
|
|
|
|
credentials = ssh_config.lookup(self.host)
|
|
|
|
|
|
2012-04-23 01:48:42 +00:00
|
|
|
except IOError,e:
|
|
|
|
|
raise errors.AnsibleConnectionFailed(str(e))
|
|
|
|
|
|
2012-04-23 06:32:57 +00:00
|
|
|
if 'hostname' in credentials:
|
|
|
|
|
self.host = credentials['hostname']
|
|
|
|
|
if 'port' in credentials:
|
2012-04-24 04:38:24 +00:00
|
|
|
self.port = int(credentials['port'])
|
2012-04-23 01:48:42 +00:00
|
|
|
if 'user' in credentials:
|
|
|
|
|
user = credentials['user']
|
|
|
|
|
if 'identityfile' in credentials:
|
|
|
|
|
keypair = credentials['identityfile']
|
|
|
|
|
|
2012-03-29 02:51:16 +00:00
|
|
|
ssh = paramiko.SSHClient()
|
|
|
|
|
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
|
2012-03-29 00:58:34 +00:00
|
|
|
|
2012-03-10 18:35:46 +00:00
|
|
|
try:
|
2012-03-29 02:51:16 +00:00
|
|
|
ssh.connect(
|
2012-04-17 01:52:15 +00:00
|
|
|
self.host,
|
2012-04-23 01:48:42 +00:00
|
|
|
username=user,
|
2012-04-17 01:52:15 +00:00
|
|
|
allow_agent=True,
|
|
|
|
|
look_for_keys=True,
|
|
|
|
|
password=self.runner.remote_pass,
|
2012-04-23 01:48:42 +00:00
|
|
|
key_filename=keypair,
|
2012-04-17 01:52:15 +00:00
|
|
|
timeout=self.runner.timeout,
|
|
|
|
|
port=self.port
|
2012-03-10 18:35:46 +00:00
|
|
|
)
|
|
|
|
|
except Exception, e:
|
2012-03-28 21:09:11 +00:00
|
|
|
if str(e).find("PID check failed") != -1:
|
2012-03-29 00:32:04 +00:00
|
|
|
raise errors.AnsibleError("paramiko version issue, please upgrade paramiko on the machine running ansible")
|
2012-03-29 02:51:16 +00:00
|
|
|
else:
|
2012-03-28 21:09:11 +00:00
|
|
|
raise errors.AnsibleConnectionFailed(str(e))
|
2012-03-29 00:58:34 +00:00
|
|
|
|
2012-03-29 02:51:16 +00:00
|
|
|
return ssh
|
|
|
|
|
|
|
|
|
|
def connect(self):
|
|
|
|
|
''' connect to the remote host '''
|
|
|
|
|
|
|
|
|
|
self.ssh = self._get_conn()
|
2012-03-10 18:35:46 +00:00
|
|
|
return self
|
|
|
|
|
|
More robust remote sudo.
The basic idea is sudo /bin/sh -c 'quoted_command'. We use Paramiko's low-level API to set a timeout, get a pseudo tty, execute sudo and the (shell quoted) command atomically, wait just until sudo is ready to accept the password before sending it down the pipe, and then return the command's stdout and stderr.
This should be faster, as there are no unneeded sleeps. There are no permissions issues reading the output. It will raise socket.timeout if the command takes too long. However, this is a per-read timeout, not a total execution timeout, so as long as the command is writing output and you are reading it, it will not time out.
Local and non-sudo commands remain unchanged, but should probably adopt a similar approach.
Since this is a significant change, it needs a lot of testing. Also, someone smarter than I should double-check the quoting and execution, since it is a security issue.
2012-04-23 20:32:08 +00:00
|
|
|
def exec_command(self, cmd, tmp_path, sudoable=False): # pylint: disable-msg=W0613
|
2012-03-10 18:35:46 +00:00
|
|
|
''' run a command on the remote host '''
|
2012-03-29 03:30:31 +00:00
|
|
|
if not self.runner.sudo or not sudoable:
|
2012-03-29 02:51:16 +00:00
|
|
|
stdin, stdout, stderr = self.ssh.exec_command(cmd)
|
|
|
|
|
return (stdin, stdout, stderr)
|
|
|
|
|
else:
|
More robust remote sudo.
The basic idea is sudo /bin/sh -c 'quoted_command'. We use Paramiko's low-level API to set a timeout, get a pseudo tty, execute sudo and the (shell quoted) command atomically, wait just until sudo is ready to accept the password before sending it down the pipe, and then return the command's stdout and stderr.
This should be faster, as there are no unneeded sleeps. There are no permissions issues reading the output. It will raise socket.timeout if the command takes too long. However, this is a per-read timeout, not a total execution timeout, so as long as the command is writing output and you are reading it, it will not time out.
Local and non-sudo commands remain unchanged, but should probably adopt a similar approach.
Since this is a significant change, it needs a lot of testing. Also, someone smarter than I should double-check the quoting and execution, since it is a security issue.
2012-04-23 20:32:08 +00:00
|
|
|
# Rather than detect if sudo wants a password this time, -k makes
|
|
|
|
|
# sudo always ask for a password if one is required. The "--"
|
|
|
|
|
# tells sudo that this is the end of sudo options and the command
|
|
|
|
|
# follows. Passing a quoted compound command to sudo (or sudo -s)
|
|
|
|
|
# directly doesn't work, so we shellquote it with pipes.quote()
|
|
|
|
|
# and pass the quoted string to the user's shell.
|
|
|
|
|
sudocmd = 'sudo -k -- "$SHELL" -c ' + pipes.quote(cmd)
|
|
|
|
|
bufsize = 4096 # Could make this a Runner param if needed
|
|
|
|
|
timeout_secs = self.runner.timeout # Reusing runner's TCP connect timeout as command progress timeout
|
|
|
|
|
chan = self.ssh.get_transport().open_session()
|
|
|
|
|
chan.settimeout(timeout_secs)
|
|
|
|
|
chan.get_pty() # Many sudo setups require a terminal
|
|
|
|
|
#print "exec_command: " + sudocmd
|
|
|
|
|
chan.exec_command(sudocmd)
|
2012-04-13 23:06:11 +00:00
|
|
|
if self.runner.sudo_pass:
|
More robust remote sudo.
The basic idea is sudo /bin/sh -c 'quoted_command'. We use Paramiko's low-level API to set a timeout, get a pseudo tty, execute sudo and the (shell quoted) command atomically, wait just until sudo is ready to accept the password before sending it down the pipe, and then return the command's stdout and stderr.
This should be faster, as there are no unneeded sleeps. There are no permissions issues reading the output. It will raise socket.timeout if the command takes too long. However, this is a per-read timeout, not a total execution timeout, so as long as the command is writing output and you are reading it, it will not time out.
Local and non-sudo commands remain unchanged, but should probably adopt a similar approach.
Since this is a significant change, it needs a lot of testing. Also, someone smarter than I should double-check the quoting and execution, since it is a security issue.
2012-04-23 20:32:08 +00:00
|
|
|
while not chan.recv_ready():
|
|
|
|
|
time.sleep(0.25)
|
|
|
|
|
sudo_output = chan.recv(bufsize) # Pull prompt, catch errors, eat sudo output
|
|
|
|
|
#print "exec_command: " + sudo_output
|
|
|
|
|
#print "exec_command: sending password"
|
|
|
|
|
chan.sendall(self.runner.sudo_pass + '\n')
|
|
|
|
|
|
|
|
|
|
stdin = chan.makefile('wb', bufsize)
|
|
|
|
|
stdout = chan.makefile('rb', bufsize)
|
|
|
|
|
stderr = chan.makefile_stderr('rb', bufsize)
|
|
|
|
|
return stdin, stdout, stderr
|
2012-03-10 18:35:46 +00:00
|
|
|
|
|
|
|
|
def put_file(self, in_path, out_path):
|
|
|
|
|
''' transfer a file from local to remote '''
|
2012-03-13 00:53:10 +00:00
|
|
|
if not os.path.exists(in_path):
|
2012-03-18 21:16:12 +00:00
|
|
|
raise errors.AnsibleFileNotFound("file or module does not exist: %s" % in_path)
|
2012-03-10 18:35:46 +00:00
|
|
|
sftp = self.ssh.open_sftp()
|
2012-03-13 00:53:10 +00:00
|
|
|
try:
|
|
|
|
|
sftp.put(in_path, out_path)
|
|
|
|
|
except IOError:
|
2012-03-29 02:51:16 +00:00
|
|
|
traceback.print_exc()
|
2012-03-23 15:59:08 +00:00
|
|
|
raise errors.AnsibleError("failed to transfer file to %s" % out_path)
|
2012-03-10 18:35:46 +00:00
|
|
|
sftp.close()
|
|
|
|
|
|
2012-04-11 03:19:23 +00:00
|
|
|
def fetch_file(self, in_path, out_path):
|
|
|
|
|
sftp = self.ssh.open_sftp()
|
|
|
|
|
try:
|
|
|
|
|
sftp.get(in_path, out_path)
|
|
|
|
|
except IOError:
|
|
|
|
|
traceback.print_exc()
|
|
|
|
|
raise errors.AnsibleError("failed to transfer file from %s" % in_path)
|
|
|
|
|
sftp.close()
|
|
|
|
|
|
2012-03-10 18:35:46 +00:00
|
|
|
def close(self):
|
|
|
|
|
''' terminate the connection '''
|
|
|
|
|
|
|
|
|
|
self.ssh.close()
|
|
|
|
|
|
|
|
|
|
############################################
|
|
|
|
|
# add other connection types here
|
|
|
|
|
|
2012-04-06 23:38:27 +00:00
|
|
|
class LocalConnection(object):
|
|
|
|
|
''' Local based connections '''
|
|
|
|
|
|
|
|
|
|
def __init__(self, runner, host):
|
|
|
|
|
self.runner = runner
|
|
|
|
|
self.host = host
|
|
|
|
|
|
2012-04-17 01:52:15 +00:00
|
|
|
def connect(self, port=None):
|
2012-04-06 23:38:27 +00:00
|
|
|
''' connect to the local host; nothing to do here '''
|
|
|
|
|
|
|
|
|
|
return self
|
|
|
|
|
|
|
|
|
|
def exec_command(self, cmd, tmp_path, sudoable=False):
|
|
|
|
|
''' run a command on the local host '''
|
|
|
|
|
if self.runner.sudo and sudoable:
|
|
|
|
|
cmd = "sudo -s %s" % cmd
|
2012-04-13 23:06:11 +00:00
|
|
|
if self.runner.sudo_pass:
|
|
|
|
|
# NOTE: if someone wants to add sudo w/ password to the local connection type, they are welcome
|
|
|
|
|
# to do so. The primary usage of the local connection is for crontab and kickstart usage however
|
|
|
|
|
# so this doesn't seem to be a huge priority
|
|
|
|
|
raise errors.AnsibleError("sudo with password is presently only supported on the paramiko (SSH) connection type")
|
|
|
|
|
|
2012-04-06 23:38:27 +00:00
|
|
|
p = subprocess.Popen(cmd, shell=True, stdin=None,
|
|
|
|
|
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
|
|
|
stdout, stderr = p.communicate()
|
|
|
|
|
return ("", stdout, stderr)
|
|
|
|
|
|
|
|
|
|
def put_file(self, in_path, out_path):
|
|
|
|
|
''' transfer a file from local to local '''
|
|
|
|
|
if not os.path.exists(in_path):
|
|
|
|
|
raise errors.AnsibleFileNotFound("file or module does not exist: %s" % in_path)
|
|
|
|
|
try:
|
|
|
|
|
shutil.copyfile(in_path, out_path)
|
|
|
|
|
except shutil.Error:
|
|
|
|
|
traceback.print_exc()
|
|
|
|
|
raise errors.AnsibleError("failed to copy: %s and %s are the same" % (in_path, out_path))
|
|
|
|
|
except IOError:
|
|
|
|
|
traceback.print_exc()
|
|
|
|
|
raise errors.AnsibleError("failed to transfer file to %s" % out_path)
|
|
|
|
|
|
2012-04-11 03:19:23 +00:00
|
|
|
def fetch_file(self, in_path, out_path):
|
|
|
|
|
''' fetch a file from local to local -- for copatibility '''
|
|
|
|
|
self.put_file(in_path, out_path)
|
|
|
|
|
|
2012-04-06 23:38:27 +00:00
|
|
|
def close(self):
|
|
|
|
|
''' terminate the connection; nothing to do here '''
|
|
|
|
|
|
|
|
|
|
pass
|
