Hi guys,
I have two different versions of ansible in my systems. One of them is ansible 1.2 and the other one is 1.4.1. (I’m trying to update the systems from 1.2 to 1.4)
I’m using a private key and certificates in order to get ansible sudo commands running without passwords.
When I run the same command in both installations, the system whose ansible version is 1.4 doesn’t work. The command hangs.
The ansible command I’m running is: ansible XXX.XXX.XXX.XXX -vvv -s -m shell -a "uptime"
Command with ansible 1.2
<XXX.XXX.XXX.XXX> ESTABLISH CONNECTION FOR USER: myuser
<XXX.XXX.XXX.XXX> EXEC ['ssh', '-tt', '-q', '-o', 'StrictHostKeyChecking=no', '-o', 'PasswordAuthentication=no', '-o', 'StrictHostKeyChecking=no', '-o', 'Port=22', '-o', 'IdentityFile=mycert.pem', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PasswordAuthentication=no', '-o', 'ConnectTimeout=10', 'XXX.XXX.XXX.XXX', "/bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-1387539732.06-150122069933302 && chmod a+rx $HOME/.ansible/tmp/ansible-1387539732.06-150122069933302 && echo $HOME/.ansible/tmp/ansible-1387539732.06-150122069933302'"]
<XXX.XXX.XXX.XXX> REMOTE_MODULE command uptime #USE_SHELL
<XXX.XXX.XXX.XXX> PUT /tmp/tmpf1tkYz TO /home/myuser/.ansible/tmp/ansible-1387539732.06-150122069933302/command
<XXX.XXX.XXX.XXX> EXEC ['ssh', '-tt', '-q', '-o', 'StrictHostKeyChecking=no', '-o', 'PasswordAuthentication=no', '-o', 'StrictHostKeyChecking=no', '-o', 'Port=22', '-o', 'IdentityFile=mycert.pem', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PasswordAuthentication=no', '-o', 'ConnectTimeout=10', 'XXX.XXX.XXX.XXX', '/bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=gfgeicunrdbbmktjrauegdbvbdjdazhc] password: " -u root /bin/sh -c '"'"'/usr/bin/python /home/myuser/.ansible/tmp/ansible-1387539732.06-150122069933302/command; rm -rf /home/myuser/.ansible/tmp/ansible-1387539732.06-150122069933302/ >/dev/null 2>&1'"'"''']
XXX.XXX.XXX.XXX | success | rc=0 >>
12:42:12 up 25 min, 4 users, load average: 0.00, 0.02, 0.07
The same command with ansible 1.4.1:
<XXX.XXX.XXX.XXX> ESTABLISH CONNECTION FOR USER: myuser
<XXX.XXX.XXX.XXX> EXEC ['ssh', '-tt', '-vvv', '-o', 'StrictHostKeyChecking=no', '-o', 'PasswordAuthentication=no', '-o', 'StrictHostKeyChecking=no', '-o', 'Port=22', '-o', 'IdentityFile=mycert.pem', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'ConnectTimeout=10', 'XXX.XXX.XXX.XXX', "/bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-1387539725.72-214926055344642 && chmod a+rx $HOME/.ansible/tmp/ansible-1387539725.72-214926055344642 && echo $HOME/.ansible/tmp/ansible-1387539725.72-214926055344642'"]
<XXX.XXX.XXX.XXX> REMOTE_MODULE command uptime #USE_SHELL
<XXX.XXX.XXX.XXX> PUT /tmp/tmp6B6Ewf TO /home/myuser/.ansible/tmp/ansible-1387539725.72-214926055344642/command
<XXX.XXX.XXX.XXX> EXEC ['ssh', '-tt', '-vvv', '-o', 'StrictHostKeyChecking=no', '-o', 'PasswordAuthentication=no', '-o', 'StrictHostKeyChecking=no', '-o', 'Port=22', '-o', 'IdentityFile=mycert.pem', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'ConnectTimeout=10', 'XXX.XXX.XXX.XXX', '/bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=pgsdnkquhwjufslqsipwaonzwmgwahog] password: " -u root /bin/sh -c '"'"'echo SUDO-SUCCESS-pgsdnkquhwjufslqsipwaonzwmgwahog; /usr/bin/python /home/myuser/.ansible/tmp/ansible-1387539725.72-214926055344642/command; rm -rf /home/myuser/.ansible/tmp/ansible-1387539725.72-214926055344642/ >/dev/null 2>&1'"'"''']
Command hangs
Looking in both logs I’ve found that the commands are different:
'/bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=gfgeicunrdbbmktjrauegdbvbdjdazhc] password: " -u root /bin/sh -c '"'"'/usr/bin/python /home/myuser/.ansible/tmp/ansible-1387539732.06-150122069933302/command; rm -rf /home/myuser/.ansible/tmp/ansible-1387539732.06-150122069933302/ >/dev/null 2>&1'"'"'''
'/bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=pgsdnkquhwjufslqsipwaonzwmgwahog] password: " -u root /bin/sh -c '"'"'echo SUDO-SUCCESS-pgsdnkquhwjufslqsipwaonzwmgwahog; /usr/bin/python /home/myuser/.ansible/tmp/ansible-1387539725.72-214926055344642/command; rm -rf /home/myuser/.ansible/tmp/ansible-1387539725.72-214926055344642/ >/dev/null 2>&1'"'"'''
How can I solve this issue?
I think maybe this is an issue in the make_sudo_cmd (https://github.com/ansible/ansible/commit/ea2ec6237aa97e6c434ccf4af124f0632747ef06) or maybe I should change something in my configuration.
My ansible configuration is:
# config file for ansible -- http://ansible.github.com
# nearly all parameters can be overridden in ansible-playbook or with command line flags
# ansible will read ~/.ansible.cfg or /etc/ansible/ansible.cfg, whichever it finds first
[defaults]
# location of inventory file, eliminates need to specify -i
hostfile = /etc/ansible/hosts
host_key_checking = False
# location of ansible library, eliminates need to specify --module-path
library = /path/to/my/library
# default module name used in /usr/bin/ansible when -m is not specified
module_name = command
# home directory where temp files are stored on remote systems. Should
# almost always contain $HOME or be a directory writeable by all users
remote_tmp = $HOME/.ansible/tmp
# the default pattern for ansible-playbooks ("hosts:")
pattern = *
# the default number of forks (parallelism) to be used. Usually you
# can crank this up.
forks=1
# the timeout used by various connection types. Usually this corresponds
# to an SSH timeout
# A bug in ansible leads to failures when this option is active.
# Keep it commented until ansible devs fix it.
# timeout=5
# when using --poll or "poll:" in an ansible playbook, and not specifying
# an explicit poll interval, use this interval
poll_interval=15
# when specifying --sudo to /usr/bin/ansible or "sudo:" in a playbook,
# and not specifying "--sudo-user" or "sudo_user" respectively, sudo
# to this user account
sudo_user=root
# the following forces ansible to always ask for the sudo password (instead of having
# to add -K to the commandline). Or you can use the environment variable (ANSIBLE_ASK_SUDO_PASS)
ask_sudo_pass=False
# the following forces ansible to always ask for the ssh-password (-k)
# can also be set by the environment variable ANSIBLE_ASK_PASS
#ask_pass=True
# connection to use when -c <connection_type> is not specified
transport=ssh
# remote SSH port to be used when --port or "port:" or an equivalent inventory
# variable is not specified.
remote_port=22
# if set, always run /usr/bin/ansible commands as this user, and assume this value
# if "user:" is not set in a playbook. If not set, use the current Unix user
# as the default
remote_user=myuser
# the default sudo executable. If a sudo alternative with a sudo-compatible interface
# is used, specify its executable name as the default
sudo_exe=sudo
# the default flags passed to sudo
# sudo_flags=-H
# how to handle hash defined in several places
# hash can be merged, or replaced
# if you use replace, and have multiple hashes named 'x', the last defined
# will override the previously defined one
# if you use merge here, hash will cumulate their keys, but keys will still
# override each other
# replace is the default value, and is how ansible always handled hash variables