Merge 230e5f2a98 into fd78e3e6da

Merge pull request #546 from felixfontein/ci
Add basic ansible-lint config to fix CI; add ansible-core 2.17 to CI SUMMARY ansible-lint makes the nightly CI fail (https://dev.azure.com/ansible/ansible.posix/_build/results?buildId=114105&view=logs&j=2671e6a6-f41a-533c-2720-8ffdcf8ab96f&t=5b604a49-baaa-558f-6ab2-4a2ff646af4f) due to two rules: meta-runtime[unsupported-version]: it doesn't like that the collection supports ansible-core versions that are EOL. This rule simply doesn't make any sense, and it should be disabled by default IMO. fqcn[deep]: this rule produces false positives for files in tests/unit/plugins/action/fixtures/. Also adds sanity ignore file for ansible-core 2.18 (the version used by the current devel branch). ISSUE TYPE Bugfix Pull Request Test Pull Request COMPONENT NAME ansible-lint in CI Reviewed-by: Adam Miller <admiller@redhat.com>
2026-03-09 19:15:19 +01:00 · 2024-06-07 23:13:49 +01:00 · 2024-06-07 15:42:58 +00:00 · 2024-06-07 11:38:13 +02:00 · 2024-06-07 07:12:06 +02:00 · 2024-06-07 07:03:56 +02:00
7 changed files with 86 additions and 7 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@ -0,0 +1,10 @@
+---
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-FileCopyrightText: 2024, Ansible Project
+
+skip_list:
+  - meta-runtime[unsupported-version]  # Tis rule doesn't make any sense
+  - fqcn[deep]  # This rule produces false positives for files in tests/unit/plugins/action/fixtures/
+exclude_paths:
+  - changelogs/
--- a/.azure-pipelines/azure-pipelines.yml
+++ b/.azure-pipelines/azure-pipelines.yml
@ -57,6 +57,21 @@ stages:
              test: units
            - name: Lint
              test: lint
+  - stage: Sanity_2_17
+    displayName: Ansible 2.17 sanity
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          nameFormat: "{0}"
+          testFormat: 2.17/{0}
+          targets:
+            - name: Sanity
+              test: sanity
+            - name: Units
+              test: units
+            - name: Lint
+              test: lint
  - stage: Sanity_2_16
    displayName: Ansible 2.16 sanity
    dependsOn: []
@ -70,8 +85,6 @@ stages:
              test: sanity
            - name: Units
              test: units
-            - name: Lint
-              test: lint
  - stage: Sanity_2_15
    displayName: Ansible 2.15 sanity
    dependsOn: []
@ -113,6 +126,20 @@ stages:
              test: ubuntu2004
            - name: Ubuntu 22.04
              test: ubuntu2204
+  - stage: Docker_2_17
+    displayName: Docker 2.17
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          testFormat: 2.17/linux/{0}/1
+          targets:
+            - name: Fedora 39
+              test: fedora39
+            - name: Ubuntu 20.04
+              test: ubuntu2004
+            - name: Ubuntu 22.04
+              test: ubuntu2204
  - stage: Docker_2_16
    displayName: Docker 2.16
    dependsOn: []
@ -180,6 +207,18 @@ stages:
              test: rhel/9.3
            - name: FreeBSD 13.3
              test: freebsd/13.3
+  - stage: Remote_2_17
+    displayName: Remote 2.17
+    dependsOn: []
+    jobs:
+      - template: templates/matrix.yml
+        parameters:
+          testFormat: 2.17/{0}/1
+          targets:
+            - name: RHEL 9.3
+              test: rhel/9.3
+            - name: FreeBSD 13.3
+              test: freebsd/13.3
  - stage: Remote_2_16
    displayName: Remote 2.16
    dependsOn: []
@ -240,6 +279,9 @@ stages:
      - Sanity_2_16
      - Remote_2_16
      - Docker_2_16
+      - Sanity_2_17
+      - Remote_2_17
+      - Docker_2_17
      - Sanity_devel
      - Remote_devel
      - Docker_devel
--- a/changelogs/fragments/334_synchronize_using_become_pass.yml
+++ b/changelogs/fragments/334_synchronize_using_become_pass.yml
@ -0,0 +1,3 @@
+---
+minor_changes:
+- synchronize - elevating privileges now works even when `sudo` requires entering the `become_pass`
--- a/docs/ansible.posix.synchronize_module.rst
+++ b/docs/ansible.posix.synchronize_module.rst
@ -580,7 +580,7 @@ Notes

   - The user and permissions for the synchronize `dest` are those of the `remote_user` on the destination host or the `become_user` if `become=yes` is active.
   - In Ansible 2.0 a bug in the synchronize module made become occur on the "local host".  This was fixed in Ansible 2.0.1.
-   - Currently, synchronize is limited to elevating permissions via passwordless sudo.  This is because rsync itself is connecting to the remote machine and rsync doesn't give us a way to pass sudo credentials in.
+   - Currently, synchronize is limited to elevating permissions via sudo.  This now even works when password entry is required.
   - Currently there are only a few connection types which support synchronize (ssh, paramiko, local, and docker) because a sync strategy has been determined for those connection types.  Note that the connection for these must not need a password as rsync itself is making the connection and rsync does not provide us a way to pass a password to the connection.
   - Expect that dest=~/x will be ~<remote_user>/x even if using sudo.
   - Inspect the verbose output to validate the destination user/host/path are what was expected.
--- a/plugins/action/synchronize.py
+++ b/plugins/action/synchronize.py
@ -391,10 +391,24 @@ class ActionModule(ActionBase):
                # If no rsync_path is set, become was originally set, and dest is
                # remote then add privilege escalation here.
                if self._play_context.become_method == 'sudo':
-                    if self._play_context.become_user:
-                        rsync_path = 'sudo -u %s rsync' % self._play_context.become_user
+                    
+                    # if become is set, we can either rely on passwordless sudo or pass the password
+                    if self._play_context.become_pass is None:
+                        rsync_path = 'sudo '
                    else:
-                        rsync_path = 'sudo rsync'
+                        # pass the become password using the environment so that the synchronize module
+                        # can wrap ssh on the host with a shell script that injects the password into
+                        # stdin, allowing for `sudo -S` on the target machine to retrieve the password
+                        if hasattr(self._task, 'environment'):
+                            self._task.environment = []
+                        self._task.environment.append({'BECOME_PASS': self._play_context.become_pass})
+                        _tmp_args['_ssh_wrapper'] = True
+                        rsync_path = 'sudo -S '
+                    
+                    if self._play_context.become_user:
+                        rsync_path += '-u %s rsync' % self._play_context.become_user
+                    else:
+                        rsync_path += 'rsync'
                # TODO: have to add in the rest of the become methods here

            # We cannot use privilege escalation on the machine running the
--- a/plugins/modules/synchronize.py
+++ b/plugins/modules/synchronize.py
@ -215,7 +215,7 @@ notes:
     delegate_to host when delegate_to is used).
   - The user and permissions for the synchronize `dest` are those of the `remote_user` on the destination host or the `become_user` if `become=yes` is active.
   - In Ansible 2.0 a bug in the synchronize module made become occur on the "local host".  This was fixed in Ansible 2.0.1.
-   - Currently, synchronize is limited to elevating permissions via passwordless sudo.  This is because rsync itself is connecting to the remote machine
+   - Currently, synchronize is limited to elevating permissions via sudo.  This now even works when password entry is required.
     and rsync doesn't give us a way to pass sudo credentials in.
   - Currently there are only a few connection types which support synchronize (ssh, paramiko, local, and docker) because a sync strategy has been
     determined for those connection types.  Note that the connection for these must not need a password as rsync itself is making the connection and
@ -432,6 +432,7 @@ def main():
            _ssh_args=dict(type='str'),
            use_ssh_args=dict(type='bool', default=False),
            ssh_connection_multiplexing=dict(type='bool', default=False),
+            _ssh_wrapper=dict(type='bool', default=False),
            partial=dict(type='bool', default=False),
            verify_host=dict(type='bool', default=False),
            delay_updates=dict(type='bool', default=True),
@ -474,6 +475,7 @@ def main():
    rsync_opts = module.params['rsync_opts']
    ssh_args = module.params['_ssh_args']
    ssh_connection_multiplexing = module.params['ssh_connection_multiplexing']
+    ssh_wrapper = module.params['_ssh_wrapper']
    verify_host = module.params['verify_host']
    link_dest = module.params['link_dest']
    delay_updates = module.params['delay_updates']
@ -568,6 +570,13 @@ def main():
            ssh_cmd_str = ' '.join(shlex_quote(arg) for arg in ssh_cmd)
            if ssh_args:
                ssh_cmd_str += ' %s' % ssh_args
+            # When `become: yes` is set but the account on the target requires a password for sudo, we have to supply
+            # it from the host side by wrapping the remote shell and inserting the password into stdin.
+            # In the ActionPlugin, the password is assigned to the BECOME_PASS environment variable, so we will not have
+            # to make it visible if anyone logs the command issued by ansible.
+            # Adapted from https://askubuntu.com/a/1263657
+            if ssh_wrapper:
+                ssh_cmd_str = '/bin/sh -c "{ echo $BECOME_PASS; cat - ; } | ' + ssh_cmd_str + ' $0 $* &"'
            cmd.append('--rsh=%s' % shlex_quote(ssh_cmd_str))

    if rsync_path:
--- a/tests/sanity/ignore-2.18.txt
+++ b/tests/sanity/ignore-2.18.txt
@ -0,0 +1 @@
+tests/utils/shippable/timing.py shebang
Author	SHA1	Message	Date
Mark Asbach	a29d8e29c0	Merge `230e5f2a98` into `fd78e3e6da`	2024-06-07 23:13:49 +01:00
softwarefactory-project-zuul[bot]	fd78e3e6da	Merge pull request #546 from felixfontein/ci Add basic ansible-lint config to fix CI; add ansible-core 2.17 to CI SUMMARY ansible-lint makes the nightly CI fail (https://dev.azure.com/ansible/ansible.posix/_build/results?buildId=114105&view=logs&j=2671e6a6-f41a-533c-2720-8ffdcf8ab96f&t=5b604a49-baaa-558f-6ab2-4a2ff646af4f) due to two rules: meta-runtime[unsupported-version]: it doesn't like that the collection supports ansible-core versions that are EOL. This rule simply doesn't make any sense, and it should be disabled by default IMO. fqcn[deep]: this rule produces false positives for files in tests/unit/plugins/action/fixtures/. Also adds sanity ignore file for ansible-core 2.18 (the version used by the current devel branch). ISSUE TYPE Bugfix Pull Request Test Pull Request COMPONENT NAME ansible-lint in CI Reviewed-by: Adam Miller <admiller@redhat.com>	2024-06-07 15:42:58 +00:00
Felix Fontein	11f29eba6f	Add ansible-core 2.17 to CI.	2024-06-07 11:38:13 +02:00
Felix Fontein	a615b84bf7	Add sanity ignore file for ansible-core devel 2.18.	2024-06-07 07:12:06 +02:00
Felix Fontein	9ccc24edf2	Add basic ansible-lint config.	2024-06-07 07:03:56 +02:00
Mark Asbach	230e5f2a98	allowing `synchronize` to elevate permissions when `sudo` requires password entry - implements #334	2022-03-13 00:29:22 +01:00