Merge 230e5f2a98 into 34f140c22f

Fixed sysctl to work on symlinks

SUMMARY
Fixes #111.
This issue reports a bug of sysctl that the module does not work properly when sysctl_file is a symlink.
I Fixed the bug by inserting os.path.realpath to get real path.
When sysctl_file is a real file, os.path.realpath return the original path as is.
ISSUE TYPE

Bugfix Pull Request

COMPONENT NAME
sysctl
ADDITIONAL INFORMATION


I have executed the script described in #111 and confirmed that it works properly.
But I need to add some tests.

satken@dockerhost1:~/ansible$ sudo docker run --rm -v ${PWD}:/work -w /work -e ANSIBLE_LIBRARY=/work/ansible.posix -e ANSIBLE_HOST_KEY_CHECKING=False satken2/ansible:3.3.0 ansible-playbook -i hosts main.yml

PLAY [test] ********************************************************************

TASK [Gathering Facts] *********************************************************
ok: [192.168.91.76]

TASK [test] ********************************************************************
ok: [192.168.91.76] => {
    "msg": "This is test"
}

TASK [command] *****************************************************************
changed: [192.168.91.76]

TASK [command] *****************************************************************
ok: [192.168.91.76]

TASK [debug] *******************************************************************
ok: [192.168.91.76] => {
    "sysctl_current_value.stdout": "kernel.randomize_va_space = 2"
}

TASK [copy] ********************************************************************
changed: [192.168.91.76]

TASK [file] ********************************************************************
changed: [192.168.91.76]

TASK [stat] ********************************************************************
ok: [192.168.91.76]

TASK [assert] ******************************************************************
ok: [192.168.91.76] => {
    "changed": false,
    "msg": "/tmp/ansible_sysctl_test_symlink.conf is correct symlink"
}

TASK [sysctl | enable randomized layout of virtual address space] **************
changed: [192.168.91.76]

TASK [stat] ********************************************************************
ok: [192.168.91.76]

TASK [assert] ******************************************************************
ok: [192.168.91.76] => {
    "changed": false,
    "msg": "/tmp/ansible_sysctl_test_symlink.conf is correct symlink"
}

PLAY RECAP *********************************************************************
192.168.91.76              : ok=12   changed=4    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Reviewed-by: quidame
Reviewed-by: Jill R

changelogs/fragments/206_fix_sysctl_to_work_on_symlinks.yml

@@ -0,0 +1,3 @@
+---
+bugfixes:
+- sysctl - fix sysctl to work properly on symlinks (https://github.com/ansible-collections/ansible.posix/issues/111).

changelogs/fragments/334_synchronize_using_become_pass.yml

@@ -0,0 +1,3 @@
+---
+minor_changes:
+- synchronize - elevating privileges now works even when `sudo` requires entering the `become_pass`

docs/ansible.posix.synchronize_module.rst

@@ -580,7 +580,7 @@ Notes
 
    - The user and permissions for the synchronize `dest` are those of the `remote_user` on the destination host or the `become_user` if `become=yes` is active.
    - In Ansible 2.0 a bug in the synchronize module made become occur on the "local host".  This was fixed in Ansible 2.0.1.
-   - Currently, synchronize is limited to elevating permissions via passwordless sudo.  This is because rsync itself is connecting to the remote machine and rsync doesn't give us a way to pass sudo credentials in.
+   - Currently, synchronize is limited to elevating permissions via sudo.  This now even works when password entry is required.
    - Currently there are only a few connection types which support synchronize (ssh, paramiko, local, and docker) because a sync strategy has been determined for those connection types.  Note that the connection for these must not need a password as rsync itself is making the connection and rsync does not provide us a way to pass a password to the connection.
    - Expect that dest=~/x will be ~<remote_user>/x even if using sudo.
    - Inspect the verbose output to validate the destination user/host/path are what was expected.

plugins/action/synchronize.py

@@ -391,10 +391,24 @@ class ActionModule(ActionBase):
                 # If no rsync_path is set, become was originally set, and dest is
                 # remote then add privilege escalation here.
                 if self._play_context.become_method == 'sudo':
-                    if self._play_context.become_user:
+                    
-                        rsync_path = 'sudo -u %s rsync' % self._play_context.become_user
+                    # if become is set, we can either rely on passwordless sudo or pass the password
+                    if self._play_context.become_pass is None:
+                        rsync_path = 'sudo '
                     else:
-                        rsync_path = 'sudo rsync'
+                        # pass the become password using the environment so that the synchronize module
+                        # can wrap ssh on the host with a shell script that injects the password into
+                        # stdin, allowing for `sudo -S` on the target machine to retrieve the password
+                        if hasattr(self._task, 'environment'):
+                            self._task.environment = []
+                        self._task.environment.append({'BECOME_PASS': self._play_context.become_pass})
+                        _tmp_args['_ssh_wrapper'] = True
+                        rsync_path = 'sudo -S '
+                    
+                    if self._play_context.become_user:
+                        rsync_path += '-u %s rsync' % self._play_context.become_user
+                    else:
+                        rsync_path += 'rsync'
                 # TODO: have to add in the rest of the become methods here
 
             # We cannot use privilege escalation on the machine running the

plugins/modules/synchronize.py

@@ -215,7 +215,7 @@ notes:
      delegate_to host when delegate_to is used).
    - The user and permissions for the synchronize `dest` are those of the `remote_user` on the destination host or the `become_user` if `become=yes` is active.
    - In Ansible 2.0 a bug in the synchronize module made become occur on the "local host".  This was fixed in Ansible 2.0.1.
-   - Currently, synchronize is limited to elevating permissions via passwordless sudo.  This is because rsync itself is connecting to the remote machine
+   - Currently, synchronize is limited to elevating permissions via sudo.  This now even works when password entry is required.
      and rsync doesn't give us a way to pass sudo credentials in.
    - Currently there are only a few connection types which support synchronize (ssh, paramiko, local, and docker) because a sync strategy has been
      determined for those connection types.  Note that the connection for these must not need a password as rsync itself is making the connection and
@@ -432,6 +432,7 @@ def main():
             _ssh_args=dict(type='str'),
             use_ssh_args=dict(type='bool', default=False),
             ssh_connection_multiplexing=dict(type='bool', default=False),
+            _ssh_wrapper=dict(type='bool', default=False),
             partial=dict(type='bool', default=False),
             verify_host=dict(type='bool', default=False),
             delay_updates=dict(type='bool', default=True),
@@ -474,6 +475,7 @@ def main():
     rsync_opts = module.params['rsync_opts']
     ssh_args = module.params['_ssh_args']
     ssh_connection_multiplexing = module.params['ssh_connection_multiplexing']
+    ssh_wrapper = module.params['_ssh_wrapper']
     verify_host = module.params['verify_host']
     link_dest = module.params['link_dest']
     delay_updates = module.params['delay_updates']
@@ -568,6 +570,13 @@ def main():
             ssh_cmd_str = ' '.join(shlex_quote(arg) for arg in ssh_cmd)
             if ssh_args:
                 ssh_cmd_str += ' %s' % ssh_args
+            # When `become: yes` is set but the account on the target requires a password for sudo, we have to supply
+            # it from the host side by wrapping the remote shell and inserting the password into stdin.
+            # In the ActionPlugin, the password is assigned to the BECOME_PASS environment variable, so we will not have
+            # to make it visible if anyone logs the command issued by ansible.
+            # Adapted from https://askubuntu.com/a/1263657
+            if ssh_wrapper:
+                ssh_cmd_str = '/bin/sh -c "{ echo $BECOME_PASS; cat - ; } | ' + ssh_cmd_str + ' $0 $* &"'
             cmd.append('--rsh=%s' % shlex_quote(ssh_cmd_str))
 
     if rsync_path:

plugins/modules/sysctl.py

@@ -366,7 +366,7 @@ class SysctlModule(object):
     # Completely rewrite the sysctl file
     def write_sysctl(self):
         # open a tmp file
-        fd, tmp_path = tempfile.mkstemp('.conf', '.ansible_m_sysctl_', os.path.dirname(self.sysctl_file))
+        fd, tmp_path = tempfile.mkstemp('.conf', '.ansible_m_sysctl_', os.path.dirname(os.path.realpath(self.sysctl_file)))
         f = open(tmp_path, "w")
         try:
             for l in self.fixed_lines:
@@ -377,7 +377,7 @@ class SysctlModule(object):
         f.close()
 
         # replace the real one
-        self.module.atomic_move(tmp_path, self.sysctl_file)
+        self.module.atomic_move(tmp_path, os.path.realpath(self.sysctl_file))
 
 
 # ==============================================================

tests/integration/targets/sysctl/tasks/main.yml

@@ -332,3 +332,37 @@
         that:
           - sysctl_invalid_set1 is failed
           - "'vm.mmap_rnd_bits' not in sysctl_invalid_conf_content.stdout"
+
+    # Test sysctl: sysctl_file is symlink
+    - name: Create link source
+      ansible.builtin.copy:
+        content: |
+          # Testing Ansible Sysctl module on symlink.
+        dest: /tmp/ansible_sysctl_test.conf
+        mode: "0644"
+
+    - name: Create symlink to the conf file
+      ansible.builtin.file:
+        src: /tmp/ansible_sysctl_test.conf
+        dest: /tmp/ansible_sysctl_test_symlink.conf
+        state: link
+
+    - name: Use sysctl module with symlink sysctl file
+      ansible.posix.sysctl:
+        name: 'kernel.randomize_va_space'
+        value: '1'
+        sysctl_file: /tmp/ansible_sysctl_test_symlink.conf
+        state: present
+        sysctl_set: false
+        reload: false
+
+    - name: Stat sysctl file
+      ansible.builtin.stat:
+        path: /tmp/ansible_sysctl_test_symlink.conf
+      register: stat_result
+
+    - name: Ensure the sysctl file remains a symlink
+      ansible.builtin.assert:
+        that:
+          - stat_result.stat.islnk is defined and stat_result.stat.islnk
+          - stat_result.stat.lnk_source == '/tmp/ansible_sysctl_test.conf'