Ansible in a non-standard Linux environment.

I’ve been reviewing Ansible and have really liked what I’ve seen. I’m working in a company that has a rather non-standard Linux environment though. To use Ansible I need to address a few rough spots and unfortunately I am limited in what I can change about how the target servers are set up and managed. After reviewing 0.4 and digging around the list I had some questions I was hoping to get some feedback on.

  • Is there a way to suppress the autosyncing of modules? We have a deployment management system that makes code available on all servers and would like Ansible to get the module files from a path that is local to the target machine. There is considerable concern that the auditors will take issue with the software circumventing this system and copying files to servers.

No way to not auto-sync when using SSH, but you may want to take a look at ansible-pull or use playbooks in local mode if that’s a problem. Both are pretty good solutions.

  • Does anyone have experience using Powerbroker[1] with Ansible? We cannot use sudo or root. All work is to be done with your personal account or a Powerbroker account. It looks like I could write a connector that handles how PB works. The only problem I see is that Sudo params are hard coded in the scripts. I suppose we could write our own bin scripts, but that seems like a lot for a little bit.

Haven’t heard about PB until now. “Sudo params are hard coded in the scripts” … hmm, well, you could subclass the SSH connection and override that handling…

  • When I was trying something out on my demo, I tried to remote to some servers with my personal credentials, but no home directory. (This is the case for most of our servers.) On all those machines I got errors that Ansible could not create /home/tappnel/.ansible/tmp. Is there some way to override where the temp files are created or is this a bug?

It’s not really a bug, it just assumes if you are logging in as someone, you can put files in their home directory.

The ANSIBLE_REMOTE_TMP environment variable can be set to anything and is probably what you want.

Thanks for the feedback.

> No way to not auto-sync when using SSH, but you may want to take a look at ansible-pull or use playbooks in local mode if that's a problem. Both are pretty good solutions.

I figured as much. As I thought more about the "Ansible way" such a feature doesn't make sense. A stated goal is that nothing needs to be on the target servers. What I'm asking for is essentially that, even if it's sitting on some replicated network drive that they are all mounting.

I will look in to the pull and local play book options.

> Haven't heard about PB until now. "Sudo params are hard coded in the scripts" … hmm, well, you could subclass the SSH connection and override that handling...

I hadn't heard of PB either until I got here. The explanation I got was that sudo doesn't provide the level of fine grain control and auditability that a financial services company is required to have.

I figured I would have to create our own connection module. I was referring to params like --sudo-user in bin/ansible and adding ones required for using my connection like --pb-group.

> The ANSIBLE_REMOTE_TMP environment variable can be set to anything and is probably what you want.

Yes it does.

How does one contribute to the docs? I saw info on how to contribute to the code, but not the docs. I'd be willing to write things up that are missing from the docs such as these environment variables.

<tim/>

It’s pretty simple.

Send a pull request to github.com/ansible/ansible.github.com, editing only the “rst” subdirectory (restructured text format). Don’t include any files that are the result of “make docs” in your pull request, just the rst edits (so use git commit vs git commit -a, basically).

–Michael

* Timothy Appnel <tappnel at gmail.com> [2012/06/08 11:10]:

> > Haven't heard about PB until now. "Sudo params are hard coded
> > in the scripts" … hmm, well, you could subclass the SSH
> > connection and override that handling...
>
> I hadn't heard of PB either until I got here. The explanation I
> got was that sudo doesn't provide the level of fine grain control
> and auditability that a financial services company is required to
> have.
>
> I figured I would have to create our own connection module. I was
> referring to params like --sudo-user in bin/ansible and adding
> ones required for using my connection like --pb-group.

We're in a similar situation -- we use Centrify to integrate our
*nix machines into our active directory, and Centrify provides a
tool called dzdo. dzdo is identical to sudo, except that permissions
are based on Group Policies that come from the AD, instead of
/etc/sudoers. This allows for centralized control and blah blah
blah, but the gist of it is that we would either need to subclass
the relevant modules to override the name of the command, or add a
--sudo-command option to the scripts (and a sudo_command key for
playbooks) to make use of the sudo feature. In either case, changes
would need to be made to the modules themselves, since 'sudo' is
hard-coded into them, and would need to be made into a variable to
be overridden in a subclass.

I imagine this is a fairly uncommon situation, but I could probably
provide a patch if this is something that would be considered for
inclusion.

Basically I think we might want to allow plugin style loading of modules in something like lib/ansible/runner/connections/plugins, but additional ones can be supplied inheriting from the ones in core.

That way the code behind the dzdo/powerthingy tools could remain very minimal without having to fork too much of the existing module.

We could probably also tweak the existing SSH module as needed to make that easier.

(It does seem that the idea of using a different sudo mechanism is disjoint from being a connection option, but I don’t think that level of over-abstraction is going to be important immediately.)

So, sure, sounds interesting.

> We could probably also tweak the existing SSH module as needed to make that easier.

Looking at the code, the else block could call a method like exec_privledged_command in the connection that by default is the sudo code currently there. In my case and Darren's we could subclass the ParamikoConnection class and override that one method to handle the proprietary sudo call as needed.

Questions still remain as to the use of the term sudo in API and the bin/ansible commandline. Adding new options is a bigger issue to me than saying sudo_user is the "power builder user".

I'm not sure what plugin style loading buys that isn't handled by the current connection extensibility mechanism.

<tim/>

For a client (a bank) ansible is working on AIX 6.1 systems but we have to use powerbroker (command pbrun). (no ssh-keys are allowed, only ssh login with a personal user is allowed and root is allowed via powerbroker rules)
My idea was to use ansible to install Websphere fixpacks on AIX using pbrun.

In general, ansible works as it should on AIX after installing a good python with some dependencies, but once pbrun is needed stuff tends to become complicated.

ansible example command which works :

shell: chdir=${websphere_path} pbrun su root gunzip file.tar.gz
shell: chdir=${websphere_path} pbrun su root tar xvf file.tar

ansible example commands which don’t work:

shell: chdir=${websphere_path} pbrun su root gzip -dc ${websphere_path}/file.tar.gz | tar xf -
or
shell: chdir=${websphere_path} pbrun su root gunzip ${websphere_path}/file.tar.gz && tar xf file.tar

When using pbrun it seems it is not possible to use a sequence of commands. It’s like pbrun/ansible can handle the first command but then drops out of the pbrun environment.

I also see this when using a $var set in a user environment.
like …

user WAS7 has in its ~/.profile
websphere_path="/opt/WebSphere"

If using ansible like

shell: pbrun su WAS7 cd ${websphere_path}

it won’t work.

  • the cd is just an example … I know chdir is built in … other var examples could be $JVM_HEAP_SIZE_MAX || $HEAP_DUMP_DIR …

It would be very appreciated if a powerbroker module would exist that works like sudo. Is somebody working on this? Dag, I know you also have AIX systems?

Thx in advance for any feedback.
Blokkie

Right, there is no ‘drop into a shell and keep firing things at it’ here, if that’s what pbrun is.

There is of course sudo replacement support in ansible.cfg where you can specify a utility that is sudo compatible to use instead – which I’m not sure if that works with powerbroker or not.

Hi,

It’s not doing a “drop into a shell”, it’s more like the shell module in ansible neglects the common operands, swallows them?
Maybe you interpret my example as if powerbroker is spawning a new shell?
After doing some further investigation I don’t even think it’s powerbroker specific.

Let me recap with another example

Wrong outcome without powerbroker

Expected result: list the files, gunzip the file and pipe it to untar, list the files again (on AIX there is no GNU tar, so tar xvzf is a no go :( )

[user@server ansible]$ ansible -i hosts oar-test -m shell -a 'ls -l /tmp/workplace/ && gzip -dc /tmp/workplace/file.tar.gz | tar xf - && ls -l /tmp/workplace/ ' -u user -k -v
SSH password:
server | success | rc=0 >>
total 8
-rw-r--r-- 1 tbetfer midwas 136 Jul 17 15:05 file.tar.gz
total 8
-rw-r--r-- 1 tbetfer midwas 136 Jul 17 15:05 file.tar.gz

Result: list is done OK, untar or unzip is NOK, list is OK again

Wrong outcome with powerbroker
Expected result: list the files, use powerbroker to become root and execute gunzip on the file and pipe it to tar to untar it, list the files again (on AIX there is no GNU tar, so tar xvzf is a no go :( )

[user@server ansible]$ ansible -i hosts oar-test -m shell -a 'pbrun su root ls -l /tmp/workplace/ && gzip -dc /tmp/workplace/file.tar.gz | tar xf - && ls -l /tmp/workplace/ ' -u user -k -v
SSH password:
server | success | rc=0 >>
total 8
-rw-r--r-- 1 tbetfer midwas 136 Jul 17 15:05 file.tar.gz
total 8
-rw-r--r-- 1 tbetfer midwas 136 Jul 17 15:05 file.tar.gzstty: tcgetattr: A specified file does not support the ioctl system call.

Result: first list is OK, untar or unzip NOK because file is not found, second list NOK and not even executed

Please note that in both situations ansible returns rc=0 which is IMO wrong.

For additional info, because I’m not sure if it’s the shell module alone, I tried with the command module and here is the result

Wrong outcome of command without powerbroker

[user@server ansible]$ ansible -i hosts oar-test -m command -a 'ls -l /tmp/workplace/ && gzip -dc /tmp/workplace/file.tar.gz | tar xf - && ls -l /tmp/workplace/ ' -u user -k -v
SSH password:
server | FAILED | rc=2 >>
-rw-r--r-- 1 user group 136 Jul 17 15:05 /tmp/workplace/file.tar.gz

/tmp/workplace/:
total 8
-rw-r--r-- 1 user group 136 Jul 17 15:05 file.tar.gz

/tmp/workplace/:
total 8
-rw-r--r-- 1 user group 136 Jul 17 15:05 file.tar.gz&& not found
gzip not found
-dc not found

tar not found
xf not found
- not found
&& not found
ls not found
-l not found

Wrong outcome of command with powerbroker

[user@server ansible]$ ansible -i hosts oar-test -m command -a 'pbrun su root ls -l /tmp/workplace/ && gzip -dc /tmp/workplace/file.tar.gz | tar xf - && ls -l /tmp/workplace/ ' -u user -k -v
SSH password:
server | success | rc=0 >>
total 8
-rw-r--r-- 1 user group 136 Jul 17 15:05 file.tar.gz
total 8
-rw-r--r-- 1 user group 136 Jul 17 15:05 file.tar.gzstty: tcgetattr: A specified file does not support the ioctl system call.

Kind regards

Your problem is the current directory of that process, which is not /tmp/, so the tar xf - command doesn't extract it in /tmp.

Serge

Yep, the shell module takes a chdir= for that purpose.
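What the "wrong outcome" runs above show is not specific to PowerBroker. The login shell on the target parses `&&` and `|` before `pbrun` is ever started, so only the first simple command (`ls`) runs elevated; `gzip | tar` then runs as the login user in that user's current directory, which is the point Serge makes about the cwd (and with the command module, which uses no shell at all, `&&`, `|` and the rest are passed to `ls` as literal filenames, which is exactly the "not found" output). The script below is an added example, not code from the thread or from Ansible. It models the problem with a constructed stand-in for `pbrun su root` that only records what it was asked to run elevated, and contrasts it with handing the whole pipeline to pbrun as a single `sh -c` argument with the `cd` inside it. Whether a given PowerBroker policy permits `pbrun su root sh -c ...` is assumed here, not verified.

```shell
#!/bin/sh
# Added example (not from the thread): why
#   pbrun su root ls -l DIR && gzip -dc DIR/file.tar.gz | tar xf -
# does not do what it looks like. The remote shell splits the line at '&&'
# and '|' first, so only 'ls' reaches pbrun; 'gzip | tar' then run as the
# login user in the login user's current directory (normally $HOME).
# 'pbrun' below is a constructed stand-in: it logs what it was asked to run
# elevated and then runs it as the current user.
set -u

WORK=$(mktemp -d)
LOG="$WORK/elevated.log"
HOMEDIR="$WORK/home"        # stands in for the login user's $HOME
TARGET="$WORK/workplace"    # stands in for /tmp/workplace

# Stand-in for "pbrun su root CMD ARG...": record CMD ARG..., then run it.
pbrun() {
    shift 2                 # drop "su root"
    printf '%s\n' "$*" >>"$LOG"
    "$@"
}

# Constructed fixture: TARGET holds an archive containing one file.
make_fixture() {
    rm -rf "$HOMEDIR" "$TARGET"
    mkdir -p "$HOMEDIR" "$TARGET" "$WORK/src"
    echo payload >"$WORK/src/hello.txt"
    (cd "$WORK/src" && tar cf - hello.txt | gzip >"$TARGET/file.tar.gz")
    : >"$LOG"
}

# The form used in the thread. Only 'ls' is elevated, and 'tar xf -'
# extracts into the current directory (HOMEDIR), not into TARGET.
wrong_form() {
    make_fixture
    (cd "$HOMEDIR" &&
        pbrun su root ls -l "$TARGET" >/dev/null && gzip -dc "$TARGET/file.tar.gz" | tar xf -)
}

# The fix: hand pbrun the whole pipeline as ONE argument via 'sh -c' and
# change directory inside it (the shell module's chdir= does that cd for you).
right_form() {
    make_fixture
    (cd "$HOMEDIR" &&
        pbrun su root sh -c "cd '$TARGET' && gzip -dc file.tar.gz | tar xf -")
}

elevated_commands() { cat "$LOG"; }             # what actually ran under pbrun
extracted_into()    { [ -f "$1/hello.txt" ]; }  # did hello.txt land in $1?

wrong_form
echo "wrong form, elevated: $(elevated_commands)"
extracted_into "$HOMEDIR" && echo "wrong form: extracted into HOMEDIR, not TARGET"
right_form
echo "right form, elevated: $(elevated_commands)"
extracted_into "$TARGET" && echo "right form: extracted into TARGET"
```

The same applies to `$websphere_path` from a user's `~/.profile`: the variable is expanded by the login user's shell before pbrun runs, so it is empty unless the command is wrapped so that the target user's shell expands it (for example inside the `sh -c` string, with the `$` escaped so the outer shell leaves it alone). Note also that the `rc=0` Blokkie reports is the exit status of the last command in the pipeline, which is why the failure of the middle step is invisible.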

Was a module for powerbroker ever created for Ansible? Just wondering since it would be nice to have it.

There is support for specifying a different path to sudo in ansible.cfg for sudo replacements.

Hi Michael,

Replacing pbrun in for sudo via the ansible.cfg file didn’t work.

Has anyone actually gotten Ansible to work with Powerbroker? It seems to be hit and miss with mixed results.

Mel ,

I don’t think a module is created and actually it’s not really needed.

I got everything working with the command or shell module with the correct "" escape tokens when executing commands in the powerbroker shell.

Do you have an example of how you escaped everything out? Thank you!

Changing sudo_exe/sudo_flags doesn’t work for powerbroker since ansible expects sudo compatibility (e.g. the -k flag) which pbrun doesn’t provide. So ‘out of the box’ the best you can do is limit yourself to the shell module, which is what blokkie’s doing.
I would think the best solution would be to allow the possibility to tweak the whole sudocmd in ansible.cfg.

In the meantime, my poor man’s solution is that I made a tiny script called sudo that ignores -k and triggers pbrun instead…
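The "tiny script called sudo" approach above can be written as a sudo-compatible front-end. The following is an added example, not the poster's script and not Ansible code. It assumes that Ansible 1.x (make_sudo_cmd in lib/ansible/utils/__init__.py) runs the sudo replacement as roughly `sudo -k && sudo -H -S -p 'PROMPT' -u USER /bin/sh -c 'CMD'`; check the flags against the version you run. It also assumes that `pbrun su USER COMMAND...` is what your PowerBroker policy permits, since the thread's working commands have that shape. The `fake_pbrun` function is a constructed stand-in used only for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from Ansible): a sudo-compatible
# front-end for pbrun. Ansible 1.x builds a command line of roughly
#   sudo -k && sudo -H -S -p 'PROMPT' -u USER /bin/sh -c 'CMD'
# (assumption: verify against make_sudo_cmd in the version you run). The shim
# accepts those flags, treats a bare "sudo -k" as a no-op, and hands USER plus
# the command to pbrun. That "pbrun su USER CMD..." is allowed is a PowerBroker
# policy question and is assumed here.
set -u

# Elevation tool to call. The demo (and tests) point this at a stand-in.
: "${PBRUN:=pbrun}"

# sudo_shim [-k] [-H] [-S] [-n] [-p PROMPT] [-u USER] [--] COMMAND [ARG...]
sudo_shim() {
    user=root
    while [ $# -gt 0 ]; do
        case $1 in
            -k) [ $# -eq 1 ] && return 0    # bare "sudo -k": nothing to reset
                shift ;;
            -H|-S|-n) shift ;;              # accepted; meaningless for pbrun
            -p) [ $# -ge 2 ] || return 2    # prompt text: ignored
                shift 2 ;;
            -u) [ $# -ge 2 ] || return 2
                user=$2; shift 2 ;;
            --) shift; break ;;
            -*) printf 'sudo_shim: unsupported flag %s\n' "$1" >&2; return 2 ;;
            *)  break ;;
        esac
    done
    [ $# -gt 0 ] || { echo 'sudo_shim: no command given' >&2; return 2; }
    # argv is passed through untouched, so "/bin/sh -c 'CMD'" from Ansible
    # reaches pbrun as the three arguments sh, -c, CMD.
    "$PBRUN" su "$user" "$@"
}

# Constructed stand-in for pbrun used by the demo: prints its argv instead
# of elevating, so you can see exactly what the shim would hand to pbrun.
fake_pbrun() { printf '%s\n' "$*"; }

# Demo
PBRUN=fake_pbrun
sudo_shim -k && echo 'sudo -k: swallowed'
sudo_shim -H -S -p '[sudo via ansible, key=x] password: ' -u root /bin/sh -c 'id -un'
```

To deploy it, install the function body as an executable script (with `"$@"` as its arguments) and point `sudo_exe` in ansible.cfg at it rather than shadowing the real `sudo` on PATH, so the change is visible in config instead of hidden in a user's PATH. Two caveats a reviewer would raise: the shim drops `-S` and `-p`, so if pbrun itself prompts for a password Ansible will never see the prompt string it is waiting for and the task hangs; and because everything Ansible runs passes through this file, it must be root-owned and not writable by the login user, otherwise it is a privilege-escalation path of its own.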

I’m interested to see patches that would allow further tweaking of the sudo pattern, however I should point out we already do have some configurability in ansible.cfg


# what flags to pass to sudo
#sudo_flags = -H

However, we don't have a way to remove the -k

see [https://github.com/ansible/ansible/blob/devel/lib/ansible/utils/__init__.py#L852](https://github.com/ansible/ansible/blob/devel/lib/ansible/utils/__init__.py#L852)

This seems to imply adding a base_sudo_flags type variable that defaults to what is in __init__.py, as we need to preserve compatibility for those who have set sudo_flags, we can't simply just update the default.

Make sense?