Merge 230e5f2a98 into 0847977d12

Warn only when zones were ignored in firewalld_info (#504 )
* warn only when zones were ignored * add changelog 504-firewalld_info-warning
2026-03-08 02:25:20 +01:00 · 2024-01-10 08:44:32 -06:00 · 2024-01-09 16:07:58 -06:00 · 2024-01-09 16:06:26 -06:00 · 2024-01-09 18:43:25 +00:00 · 2024-01-09 07:30:04 +01:00
9 changed files with 38 additions and 22 deletions
--- a/.azure-pipelines/azure-pipelines.yml
+++ b/.azure-pipelines/azure-pipelines.yml
@ -211,8 +211,6 @@ stages:
              test: rhel/9.1
            - name: FreeBSD 13.2
              test: freebsd/13.2
-            - name: FreeBSD 12.4
-              test: freebsd/12.4
  - stage: Remote_2_14
    displayName: Remote 2.14
    dependsOn: []
@ -227,8 +225,6 @@ stages:
              test: rhel/8.6
            - name: FreeBSD 13.2
              test: freebsd/13.2
-            - name: FreeBSD 12.4
-              test: freebsd/12.4

  ## Finally

--- a/changelogs/fragments/334_synchronize_using_become_pass.yml
+++ b/changelogs/fragments/334_synchronize_using_become_pass.yml
@ -0,0 +1,3 @@
+---
+minor_changes:
+- synchronize - elevating privileges now works even when `sudo` requires entering the `become_pass`
--- a/changelogs/fragments/504-firewalld_info-warning.yaml
+++ b/changelogs/fragments/504-firewalld_info-warning.yaml
@ -0,0 +1,2 @@
+minor_changes:
+  - firewalld_info - Only warn about ignored zones, when there are zones ignored.
--- a/docs/ansible.posix.synchronize_module.rst
+++ b/docs/ansible.posix.synchronize_module.rst
@ -580,7 +580,7 @@ Notes

   - The user and permissions for the synchronize `dest` are those of the `remote_user` on the destination host or the `become_user` if `become=yes` is active.
   - In Ansible 2.0 a bug in the synchronize module made become occur on the "local host".  This was fixed in Ansible 2.0.1.
-   - Currently, synchronize is limited to elevating permissions via passwordless sudo.  This is because rsync itself is connecting to the remote machine and rsync doesn't give us a way to pass sudo credentials in.
+   - Currently, synchronize is limited to elevating permissions via sudo.  This now even works when password entry is required.
   - Currently there are only a few connection types which support synchronize (ssh, paramiko, local, and docker) because a sync strategy has been determined for those connection types.  Note that the connection for these must not need a password as rsync itself is making the connection and rsync does not provide us a way to pass a password to the connection.
   - Expect that dest=~/x will be ~<remote_user>/x even if using sudo.
   - Inspect the verbose output to validate the destination user/host/path are what was expected.
--- a/plugins/action/synchronize.py
+++ b/plugins/action/synchronize.py
@ -390,10 +390,24 @@ class ActionModule(ActionBase):
                # If no rsync_path is set, become was originally set, and dest is
                # remote then add privilege escalation here.
                if self._play_context.become_method == 'sudo':
-                    if self._play_context.become_user:
-                        rsync_path = 'sudo -u %s rsync' % self._play_context.become_user
+                    
+                    # if become is set, we can either rely on passwordless sudo or pass the password
+                    if self._play_context.become_pass is None:
+                        rsync_path = 'sudo '
                    else:
-                        rsync_path = 'sudo rsync'
+                        # pass the become password using the environment so that the synchronize module
+                        # can wrap ssh on the host with a shell script that injects the password into
+                        # stdin, allowing for `sudo -S` on the target machine to retrieve the password
+                        if hasattr(self._task, 'environment'):
+                            self._task.environment = []
+                        self._task.environment.append({'BECOME_PASS': self._play_context.become_pass})
+                        _tmp_args['_ssh_wrapper'] = True
+                        rsync_path = 'sudo -S '
+                    
+                    if self._play_context.become_user:
+                        rsync_path += '-u %s rsync' % self._play_context.become_user
+                    else:
+                        rsync_path += 'rsync'
                # TODO: have to add in the rest of the become methods here

            # We cannot use privilege escalation on the machine running the
--- a/plugins/modules/firewalld_info.py
+++ b/plugins/modules/firewalld_info.py
@ -356,8 +356,9 @@ def main():
            specified_zones = module.params['zones']
            collect_zones = list(set(specified_zones) & set(all_zones))
            ignore_zones = list(set(specified_zones) - set(collect_zones))
-            warn.append(
-                'Please note: zone:(%s) have been ignored in the gathering process.' % ','.join(ignore_zones))
+            if ignore_zones:
+                warn.append(
+                    'Please note: zone:(%s) have been ignored in the gathering process.' % ','.join(ignore_zones))
        else:
            collect_zones = get_all_zones(client)

--- a/plugins/modules/mount.py
+++ b/plugins/modules/mount.py
@ -831,7 +831,7 @@ def main():
        # handle mount on boot.  To avoid mount option conflicts, if 'noauto'
        # specified in 'opts',  mount module will ignore 'boot'.
        opts = args['opts'].split(',')
-        if 'noauto' in opts:
+        if module.params['boot'] and 'noauto' in opts:
            args['warnings'].append("Ignore the 'boot' due to 'opts' contains 'noauto'.")
        elif not module.params['boot']:
            args['boot'] = 'no'
--- a/plugins/modules/synchronize.py
+++ b/plugins/modules/synchronize.py
@ -215,7 +215,7 @@ notes:
     delegate_to host when delegate_to is used).
   - The user and permissions for the synchronize `dest` are those of the `remote_user` on the destination host or the `become_user` if `become=yes` is active.
   - In Ansible 2.0 a bug in the synchronize module made become occur on the "local host".  This was fixed in Ansible 2.0.1.
-   - Currently, synchronize is limited to elevating permissions via passwordless sudo.  This is because rsync itself is connecting to the remote machine
+   - Currently, synchronize is limited to elevating permissions via sudo.  This now even works when password entry is required.
     and rsync doesn't give us a way to pass sudo credentials in.
   - Currently there are only a few connection types which support synchronize (ssh, paramiko, local, and docker) because a sync strategy has been
     determined for those connection types.  Note that the connection for these must not need a password as rsync itself is making the connection and
@ -432,6 +432,7 @@ def main():
            _ssh_args=dict(type='str'),
            use_ssh_args=dict(type='bool', default=False),
            ssh_connection_multiplexing=dict(type='bool', default=False),
+            _ssh_wrapper=dict(type='bool', default=False),
            partial=dict(type='bool', default=False),
            verify_host=dict(type='bool', default=False),
            delay_updates=dict(type='bool', default=True),
@ -474,6 +475,7 @@ def main():
    rsync_opts = module.params['rsync_opts']
    ssh_args = module.params['_ssh_args']
    ssh_connection_multiplexing = module.params['ssh_connection_multiplexing']
+    ssh_wrapper = module.params['_ssh_wrapper']
    verify_host = module.params['verify_host']
    link_dest = module.params['link_dest']
    delay_updates = module.params['delay_updates']
@ -568,6 +570,13 @@ def main():
            ssh_cmd_str = ' '.join(shlex_quote(arg) for arg in ssh_cmd)
            if ssh_args:
                ssh_cmd_str += ' %s' % ssh_args
+            # When `become: yes` is set but the account on the target requires a password for sudo, we have to supply
+            # it from the host side by wrapping the remote shell and inserting the password into stdin.
+            # In the ActionPlugin, the password is assigned to the BECOME_PASS environment variable, so we will not have
+            # to make it visible if anyone logs the command issued by ansible.
+            # Adapted from https://askubuntu.com/a/1263657
+            if ssh_wrapper:
+                ssh_cmd_str = '/bin/sh -c "{ echo $BECOME_PASS; cat - ; } | ' + ssh_cmd_str + ' $0 $* &"'
            cmd.append('--rsh=%s' % shlex_quote(ssh_cmd_str))

    if rsync_path:
--- a/tests/utils/shippable/shippable.sh
+++ b/tests/utils/shippable/shippable.sh
@ -62,16 +62,7 @@ else
    retry pip install "https://github.com/ansible/ansible/archive/stable-${ansible_version}.tar.gz" --disable-pip-version-check
 fi

-if [ "${SHIPPABLE_BUILD_ID:-}" ]; then
-    export ANSIBLE_COLLECTIONS_PATHS="${HOME}/.ansible"
-    SHIPPABLE_RESULT_DIR="$(pwd)/shippable"
-    TEST_DIR="${ANSIBLE_COLLECTIONS_PATHS}/ansible_collections/ansible/posix"
-    mkdir -p "${TEST_DIR}"
-    cp -aT "${SHIPPABLE_BUILD_DIR}" "${TEST_DIR}"
-    cd "${TEST_DIR}"
-else
-    export ANSIBLE_COLLECTIONS_PATHS="${PWD}/../../../"
-fi
+export ANSIBLE_COLLECTIONS_PATHS="${PWD}/../../../"

 # START: HACK install dependencies
 if [ "${ansible_version}" == "2.9" ] || [ "${ansible_version}" == "2.10" ]; then
Author	SHA1	Message	Date
Mark Asbach	f08770dd5c	Merge `230e5f2a98` into `0847977d12`	2024-01-10 08:44:32 -06:00
Michael	0847977d12	Warn only when zones were ignored in firewalld_info (#504 ) * warn only when zones were ignored * add changelog 504-firewalld_info-warning	2024-01-09 16:07:58 -06:00
Christer Warén	2a1fb334ee	mount: edit boot parameters warning condition (#523 ) the CI failures are unrelated and shouldn't even be showing up ... I'm going to sort that out separately but that doesn't need to prevent this merge, all relevant CI tests passed	2024-01-09 16:06:26 -06:00
softwarefactory-project-zuul[bot]	af870d0b83	Merge pull request #524 from felixfontein/fix-ci Fix CI issues SUMMARY Sanity tests fail; remove problematic Shippable-specific parts of shippable.sh script. FreeBSD 12.4 have apparently been removed also from older versions of ansible-test. ISSUE TYPE Test Pull Request COMPONENT NAME CI	2024-01-09 18:43:25 +00:00
Felix Fontein	8e900e5218	Support for FreeBSD 12.4 was removed.	2024-01-09 07:30:04 +01:00
Felix Fontein	45d8819b7c	Remove Shippable leftovers.	2024-01-09 07:25:45 +01:00
Mark Asbach	230e5f2a98	allowing `synchronize` to elevate permissions when `sudo` requires password entry - implements #334	2022-03-13 00:29:22 +01:00