mirror of
https://github.com/ansible-collections/ansible.posix.git
synced 2026-03-10 03:25:22 +01:00
Compare commits
8 commits
d390e7cf20
...
41c8802a8b
| Author | SHA1 | Date | |
|---|---|---|---|
|
41c8802a8b | ||
|
795d8e34e7 | ||
|
b615d61fae | ||
|
|
bda85b7453 | ||
|
ac82f575c6 | ||
|
|
a356bdd3c4 | ||
|
|
4f93234a8b | ||
|
230e5f2a98 |
7 changed files with 39 additions and 15 deletions
|
|
@ -178,8 +178,8 @@ stages:
|
||||||
targets:
|
targets:
|
||||||
- name: RHEL 9.3
|
- name: RHEL 9.3
|
||||||
test: rhel/9.3
|
test: rhel/9.3
|
||||||
- name: FreeBSD 13.2
|
- name: FreeBSD 13.3
|
||||||
test: freebsd/13.2
|
test: freebsd/13.3
|
||||||
- stage: Remote_2_16
|
- stage: Remote_2_16
|
||||||
displayName: Remote 2.16
|
displayName: Remote 2.16
|
||||||
dependsOn: []
|
dependsOn: []
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,3 @@
|
||||||
|
---
|
||||||
|
minor_changes:
|
||||||
|
- synchronize - elevating privileges now works even when `sudo` requires entering the `become_pass`
|
||||||
|
|
@ -580,7 +580,7 @@ Notes
|
||||||
|
|
||||||
- The user and permissions for the synchronize `dest` are those of the `remote_user` on the destination host or the `become_user` if `become=yes` is active.
|
- The user and permissions for the synchronize `dest` are those of the `remote_user` on the destination host or the `become_user` if `become=yes` is active.
|
||||||
- In Ansible 2.0 a bug in the synchronize module made become occur on the "local host". This was fixed in Ansible 2.0.1.
|
- In Ansible 2.0 a bug in the synchronize module made become occur on the "local host". This was fixed in Ansible 2.0.1.
|
||||||
- Currently, synchronize is limited to elevating permissions via passwordless sudo. This is because rsync itself is connecting to the remote machine and rsync doesn't give us a way to pass sudo credentials in.
|
- Currently, synchronize is limited to elevating permissions via sudo. This now even works when password entry is required.
|
||||||
- Currently there are only a few connection types which support synchronize (ssh, paramiko, local, and docker) because a sync strategy has been determined for those connection types. Note that the connection for these must not need a password as rsync itself is making the connection and rsync does not provide us a way to pass a password to the connection.
|
- Currently there are only a few connection types which support synchronize (ssh, paramiko, local, and docker) because a sync strategy has been determined for those connection types. Note that the connection for these must not need a password as rsync itself is making the connection and rsync does not provide us a way to pass a password to the connection.
|
||||||
- Expect that dest=~/x will be ~<remote_user>/x even if using sudo.
|
- Expect that dest=~/x will be ~<remote_user>/x even if using sudo.
|
||||||
- Inspect the verbose output to validate the destination user/host/path are what was expected.
|
- Inspect the verbose output to validate the destination user/host/path are what was expected.
|
||||||
|
|
|
||||||
|
|
@ -391,10 +391,24 @@ class ActionModule(ActionBase):
|
||||||
# If no rsync_path is set, become was originally set, and dest is
|
# If no rsync_path is set, become was originally set, and dest is
|
||||||
# remote then add privilege escalation here.
|
# remote then add privilege escalation here.
|
||||||
if self._play_context.become_method == 'sudo':
|
if self._play_context.become_method == 'sudo':
|
||||||
if self._play_context.become_user:
|
|
||||||
rsync_path = 'sudo -u %s rsync' % self._play_context.become_user
|
# if become is set, we can either rely on passwordless sudo or pass the password
|
||||||
|
if self._play_context.become_pass is None:
|
||||||
|
rsync_path = 'sudo '
|
||||||
else:
|
else:
|
||||||
rsync_path = 'sudo rsync'
|
# pass the become password using the environment so that the synchronize module
|
||||||
|
# can wrap ssh on the host with a shell script that injects the password into
|
||||||
|
# stdin, allowing for `sudo -S` on the target machine to retrieve the password
|
||||||
|
if hasattr(self._task, 'environment'):
|
||||||
|
self._task.environment = []
|
||||||
|
self._task.environment.append({'BECOME_PASS': self._play_context.become_pass})
|
||||||
|
_tmp_args['_ssh_wrapper'] = True
|
||||||
|
rsync_path = 'sudo -S '
|
||||||
|
|
||||||
|
if self._play_context.become_user:
|
||||||
|
rsync_path += '-u %s rsync' % self._play_context.become_user
|
||||||
|
else:
|
||||||
|
rsync_path += 'rsync'
|
||||||
# TODO: have to add in the rest of the become methods here
|
# TODO: have to add in the rest of the become methods here
|
||||||
|
|
||||||
# We cannot use privilege escalation on the machine running the
|
# We cannot use privilege escalation on the machine running the
|
||||||
|
|
|
||||||
|
|
@ -215,7 +215,7 @@ notes:
|
||||||
delegate_to host when delegate_to is used).
|
delegate_to host when delegate_to is used).
|
||||||
- The user and permissions for the synchronize `dest` are those of the `remote_user` on the destination host or the `become_user` if `become=yes` is active.
|
- The user and permissions for the synchronize `dest` are those of the `remote_user` on the destination host or the `become_user` if `become=yes` is active.
|
||||||
- In Ansible 2.0 a bug in the synchronize module made become occur on the "local host". This was fixed in Ansible 2.0.1.
|
- In Ansible 2.0 a bug in the synchronize module made become occur on the "local host". This was fixed in Ansible 2.0.1.
|
||||||
- Currently, synchronize is limited to elevating permissions via passwordless sudo. This is because rsync itself is connecting to the remote machine
|
- Currently, synchronize is limited to elevating permissions via sudo. This now even works when password entry is required.
|
||||||
and rsync doesn't give us a way to pass sudo credentials in.
|
and rsync doesn't give us a way to pass sudo credentials in.
|
||||||
- Currently there are only a few connection types which support synchronize (ssh, paramiko, local, and docker) because a sync strategy has been
|
- Currently there are only a few connection types which support synchronize (ssh, paramiko, local, and docker) because a sync strategy has been
|
||||||
determined for those connection types. Note that the connection for these must not need a password as rsync itself is making the connection and
|
determined for those connection types. Note that the connection for these must not need a password as rsync itself is making the connection and
|
||||||
|
|
@ -432,6 +432,7 @@ def main():
|
||||||
_ssh_args=dict(type='str'),
|
_ssh_args=dict(type='str'),
|
||||||
use_ssh_args=dict(type='bool', default=False),
|
use_ssh_args=dict(type='bool', default=False),
|
||||||
ssh_connection_multiplexing=dict(type='bool', default=False),
|
ssh_connection_multiplexing=dict(type='bool', default=False),
|
||||||
|
_ssh_wrapper=dict(type='bool', default=False),
|
||||||
partial=dict(type='bool', default=False),
|
partial=dict(type='bool', default=False),
|
||||||
verify_host=dict(type='bool', default=False),
|
verify_host=dict(type='bool', default=False),
|
||||||
delay_updates=dict(type='bool', default=True),
|
delay_updates=dict(type='bool', default=True),
|
||||||
|
|
@ -474,6 +475,7 @@ def main():
|
||||||
rsync_opts = module.params['rsync_opts']
|
rsync_opts = module.params['rsync_opts']
|
||||||
ssh_args = module.params['_ssh_args']
|
ssh_args = module.params['_ssh_args']
|
||||||
ssh_connection_multiplexing = module.params['ssh_connection_multiplexing']
|
ssh_connection_multiplexing = module.params['ssh_connection_multiplexing']
|
||||||
|
ssh_wrapper = module.params['_ssh_wrapper']
|
||||||
verify_host = module.params['verify_host']
|
verify_host = module.params['verify_host']
|
||||||
link_dest = module.params['link_dest']
|
link_dest = module.params['link_dest']
|
||||||
delay_updates = module.params['delay_updates']
|
delay_updates = module.params['delay_updates']
|
||||||
|
|
@ -568,6 +570,13 @@ def main():
|
||||||
ssh_cmd_str = ' '.join(shlex_quote(arg) for arg in ssh_cmd)
|
ssh_cmd_str = ' '.join(shlex_quote(arg) for arg in ssh_cmd)
|
||||||
if ssh_args:
|
if ssh_args:
|
||||||
ssh_cmd_str += ' %s' % ssh_args
|
ssh_cmd_str += ' %s' % ssh_args
|
||||||
|
# When `become: yes` is set but the account on the target requires a password for sudo, we have to supply
|
||||||
|
# it from the host side by wrapping the remote shell and inserting the password into stdin.
|
||||||
|
# In the ActionPlugin, the password is assigned to the BECOME_PASS environment variable, so we will not have
|
||||||
|
# to make it visible if anyone logs the command issued by ansible.
|
||||||
|
# Adapted from https://askubuntu.com/a/1263657
|
||||||
|
if ssh_wrapper:
|
||||||
|
ssh_cmd_str = '/bin/sh -c "{ echo $BECOME_PASS; cat - ; } | ' + ssh_cmd_str + ' $0 $* &"'
|
||||||
cmd.append('--rsh=%s' % shlex_quote(ssh_cmd_str))
|
cmd.append('--rsh=%s' % shlex_quote(ssh_cmd_str))
|
||||||
|
|
||||||
if rsync_path:
|
if rsync_path:
|
||||||
|
|
|
||||||
|
|
@ -5,7 +5,7 @@
|
||||||
- name: Attempt to add mapping without 'seuser'
|
- name: Attempt to add mapping without 'seuser'
|
||||||
register: selogin_error
|
register: selogin_error
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
community.general.system.selogin:
|
community.general.selogin:
|
||||||
login: seuser
|
login: seuser
|
||||||
- name: Verify failure
|
- name: Verify failure
|
||||||
ansible.builtin.assert:
|
ansible.builtin.assert:
|
||||||
|
|
@ -19,7 +19,7 @@
|
||||||
- false
|
- false
|
||||||
- true
|
- true
|
||||||
- false
|
- false
|
||||||
community.general.system.selogin:
|
community.general.selogin:
|
||||||
login: seuser
|
login: seuser
|
||||||
seuser: staff_u
|
seuser: staff_u
|
||||||
- name: New mapping- verify functionality and check_mode
|
- name: New mapping- verify functionality and check_mode
|
||||||
|
|
@ -37,7 +37,7 @@
|
||||||
- false
|
- false
|
||||||
- true
|
- true
|
||||||
- false
|
- false
|
||||||
community.general.system.selogin:
|
community.general.selogin:
|
||||||
login: seuser
|
login: seuser
|
||||||
seuser: user_u
|
seuser: user_u
|
||||||
- name: Changed mapping- verify functionality and check_mode
|
- name: Changed mapping- verify functionality and check_mode
|
||||||
|
|
@ -55,7 +55,7 @@
|
||||||
- false
|
- false
|
||||||
- true
|
- true
|
||||||
- false
|
- false
|
||||||
community.general.system.selogin:
|
community.general.selogin:
|
||||||
login: seuser
|
login: seuser
|
||||||
state: absent
|
state: absent
|
||||||
- name: Delete mapping- verify functionality and check_mode
|
- name: Delete mapping- verify functionality and check_mode
|
||||||
|
|
|
||||||
|
|
@ -64,8 +64,7 @@ if sys.version_info >= (3,) and sys.version_info < (3, 4, 4):
|
||||||
# newline that our naive format() added
|
# newline that our naive format() added
|
||||||
data_as_list[-1] = data_as_list[-1][:-1]
|
data_as_list[-1] = data_as_list[-1][:-1]
|
||||||
|
|
||||||
for line in data_as_list:
|
yield from data_as_list
|
||||||
yield line
|
|
||||||
|
|
||||||
def mock_open(mock=None, read_data=''):
|
def mock_open(mock=None, read_data=''):
|
||||||
"""
|
"""
|
||||||
|
|
@ -93,8 +92,7 @@ if sys.version_info >= (3,) and sys.version_info < (3, 4, 4):
|
||||||
if handle.readline.return_value is not None:
|
if handle.readline.return_value is not None:
|
||||||
while True:
|
while True:
|
||||||
yield handle.readline.return_value
|
yield handle.readline.return_value
|
||||||
for line in _data:
|
yield from _data
|
||||||
yield line
|
|
||||||
|
|
||||||
global file_spec
|
global file_spec
|
||||||
if file_spec is None:
|
if file_spec is None:
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue