ansible 2.0.0, ansible.cfg, and changing the control_path

I have a long path name to my home directory and some fairly long hostnames, so I’m hitting the 108 character limit on the control_path.

As a test I changed control_path in the ansible.cfg:

control_path = /var/tmp/.ansible/cp/%%h-%%p-%%r

Things did not work until I manually created the .ansible/cp inside the /var/tmp/ directory.

Any reason Ansible doesn’t securely create the control_path?

My old control_path

control_path = %(directory)s/%%h-%%p-%%r

I do not recall making the (effectively) $HOME/.ansible/cp/ directory so what changes when moving it to /var/tmp?

Running ansible with “-vvvv” and taking that command and executing it by hand.

$ ssh -C -vvv -o ControlMaster=auto -o ControlPersist=600s -o ForwardAgent=yes -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 -o ControlPath=/var/tmp/.ansible/cp/%h-%p-%r verylonghostname.longsubdomain.real-time.com LANG=C LC_ALL=C LC_MESSAGES=C /usr/bin/python

debug3: muxserver_listen: temporary control path /var/tmp/.ansible/cp/verylonghostname.longsubdomain.real-time.com-22-ansible.e36VI5Uh9JoNL2x2
bind: No such file or directory
unix_listener: cannot bind to path: /var/tmp/.ansible/cp/verylonghostname.longsubdomain.real-time.com-22-ansible.e36VI5Uh9JoNL2x2

$ mkdir /var/tmp/.ansible

$ ssh -C -vvv -o ControlMaster=auto -o ControlPersist=600s -o ForwardAgent=yes -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 -o ControlPath=/var/tmp/.ansible/cp/%h-%p-%r verylonghostname.longsubdomain.real-time.com LANG=C LC_ALL=C LC_MESSAGES=C /usr/bin/python

debug3: muxserver_listen: temporary control path /var/tmp/.ansible/cp/verylonghostname.longsubdomain.real-time.com-22-ansible.e36VI5Uh9JoNL2x2
bind: No such file or directory
unix_listener: cannot bind to path: /var/tmp/.ansible/cp/verylonghostname.longsubdomain.real-time.com-22-ansible.e36VI5Uh9JoNL2x2

$ mkdir /var/tmp/.ansible/cp

$ ssh -C -vvv -o ControlMaster=auto -o ControlPersist=600s -o ForwardAgent=yes -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 -o ControlPath=/var/tmp/.ansible/cp/%h-%p-%r verylonghostname.longsubdomain.real-time.com LANG=C LC_ALL=C LC_MESSAGES=C /usr/bin/python

Now things work.

IIRC ansible only creates the last dir for control path /cp/ in this
case, other parts of ansible normally create the ~/.ansible for use of
temporary files. I'm not sure we want the controlpath code to create
the full tree above the controlpath dir.

Fully understand and appreciate the security ramifications related to the control_path and creating the directory path. Maybe just a doc change inside the ansible.cfg? Stating what you just posted?

I was thinking we can add the path expansion to the jsonfile plugin
itself, as it is the one 'knowingly' overloading the config item.

Fun and games. I’ve found that

control_path = %(directory)s/%%C

can be really helpful in such circumstances (%C is just a hash of %l%h%p%r, so should keep below the limit)

I’m not sure in what version of openssh %C became available (seems to be on Fedora 22 but not RHEL7.1, for example) but it’s great if you have it.

Nice find! Thanks!
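
An added example, not part of the thread and not Ansible's own code: a pre-flight check for the two problems discussed above, namely whether a ControlPath template still fits in the 108-byte socket path once ssh appends its temporary suffix, and creating the directory tree under a shared location such as /var/tmp with each component private to the current user. The function names are hypothetical, templates are in ssh form (%h, not the %%h escaping used in ansible.cfg), and the 40-character length for %C is an assumption (a hex SHA-1 digest).

```python
import os
import stat

SUN_PATH_MAX = 108    # the limit from the thread; the path needs room for a NUL
MUX_TMP_SUFFIX = 17   # ssh first binds "<path>.<16 random chars>" (debug3 line above)
PERCENT_C_LEN = 40    # assumption: %C expands to a 40-char hex SHA-1 digest


def expanded_len(template, host, port, user):
    """Length of the path ssh actually binds, temporary suffix included."""
    path = (template.replace("%h", host)
                    .replace("%p", str(port))
                    .replace("%r", user)
                    .replace("%C", "0" * PERCENT_C_LEN))
    return len(path) + MUX_TMP_SUFFIX


def fits(template, host, port, user):
    """True if the temporary control socket path stays under the limit."""
    return expanded_len(template, host, port, user) < SUN_PATH_MAX


def ensure_private_tree(base, *parts):
    """Create base/parts... one level at a time, each 0700 and owned by us.

    Every component below the shared base is checked with lstat, so a
    symlink or a directory created in advance by another user is rejected
    instead of being used to hold the control socket.
    """
    path = base
    for part in parts:
        path = os.path.join(path, part)
        try:
            os.mkdir(path, 0o700)
        except FileExistsError:
            pass  # already there: validate it below before trusting it
        st = os.lstat(path)
        if not stat.S_ISDIR(st.st_mode) or st.st_uid != os.getuid():
            raise RuntimeError(f"untrusted control path component: {path}")
        if st.st_mode & 0o077:
            os.chmod(path, 0o700)  # tighten a directory left group/world accessible
    return path


if __name__ == "__main__":
    host = "verylonghostname.longsubdomain.real-time.com"  # hostname from the thread
    print(expanded_len("/var/tmp/.ansible/cp/%h-%p-%r", host, 22, "ansible"))
    print(ensure_private_tree("/var/tmp", ".ansible", "cp"))
```

Even with %C the path can overflow when the directory prefix itself is long, so the length check is worth running against the real home directory.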