-K, --ask-sudo-pass deprecated but --become isn't functioning properly?

This is related to #11808

Making the move from -K to --become and running into many problems.

Since the first day of running the git devel branch I haven’t had this many problems, so I feel like the problems are “personal problems” :) Given no one else is posting this type of problem here or opening similar issues on GitHub, I again feel like this is a “personal problem”.

Many of my roles are like this:

roles:

  - { role: bootstrap, sudo: yes }

Side note, shouldn’t this be something like:

  - { role: bootstrap, become: yes }

or

  - { role: bootstrap, become_method: sudo }

Many roles that work with -K fail with --become, like a simple hostname setup? It just hangs.

Guessing my debugging skills aren’t very good.

roles:

  - { role: bootstrap, become: yes }

Seems to resolve a lot of my problems.

responses inline

This is related to #11808

Making the move from -K to --become and running into many problems.

-K is --sudo-ask-pass, which is equivalent to --become-ask-pass, not --become
-s is --sudo which is equivalent to --become (and -S --su)

roles:
  - { role: bootstrap, sudo: yes }

Side note, shouldn't this be something like:

  - { role: bootstrap, become: yes }

or

  - { role: bootstrap, become_method: sudo }

setting the method does not imply become=true, it just sets the
default for when become=true

Many roles that work with -K fail with --become, like a simple hostname
setup? It just hangs.

it hangs because you are not providing a password, which -K prompts
for but --become does not as per my first reply above.

I used to invoke ansible like this:

$ ansible-playbook -i blah-inventory -K -k blah-playbook.yml

and now I invoke it like this:

$ ansible-playbook -i blah-inventory --ask-become-pass --become -i blah-inventory

Correct?

If that is the correct invocation then I’m back to the template module hanging (as documented in https://github.com/ansible/ansible/issues/11808). Another example. Different role using template module.

  - name: apticron.conf
    template: >
      src={{ ansible_lsb.codename }}/apticron.conf.j2
      dest=/etc/apticron/apticron.conf
      owner=root
      group=root
      mode=0644
    tags: apticron

ansible-playbook -i ~/projects/ansible.git/playbooks/vagrant-inventory ~/projects/ansible.git/playbooks/vagrant.yml --ask-become-pass --become -vvvv
Using ~/projects/ansible.git/playbooks/ansible.cfg as config file
SUDO password:

TASK [apticron : apticron.conf] *************************************************
<10.X.X.193> ESTABLISH SSH CONNECTION FOR USER: ansible
<10.X.X.193> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=600s -o ControlPath="/tmp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 10.X.X.193 mkdir -p "$HOME/.ansible/tmp/ansible-tmp-1438366902.71-207412673011801" && chmod a+rx "$HOME/.ansible/tmp/ansible-tmp-1438366902.71-207412673011801" && echo "$HOME/.ansible/tmp/ansible-tmp-1438366902.71-207412673011801"
<10.X.X.193> ESTABLISH SSH CONNECTION FOR USER: ansible
<10.X.X.193> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=600s -o ControlPath="/tmp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 10.X.X.193 /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=tcskruuzdkrswczrlhqwlrptvdtiikjs] password: " -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-tcskruuzdkrswczrlhqwlrptvdtiikjs; rc=flag; [ -r /etc/apticron/apticron.conf ] || rc=2; [ -f /etc/apticron/apticron.conf ] || rc=1; [ -d /etc/apticron/apticron.conf ] && rc=3; python -V 2>/dev/null || rc=4; [ x"$rc" != "xflag" ] && echo "${rc} "/etc/apticron/apticron.conf && exit 0; (python -c '"'"'"'"'"'"'"'"'import hashlib; BLOCKSIZE = 65536; hasher = hashlib.sha1();
afile = open("'"'"'"'"'"'"'"'"'/etc/apticron/apticron.conf'"'"'"'"'"'"'"'"'", "rb")
buf = afile.read(BLOCKSIZE)
while len(buf) > 0:
hasher.update(buf)
buf = afile.read(BLOCKSIZE)
afile.close()
print(hasher.hexdigest())'"'"'"'"'"'"'"'"' 2>/dev/null) || (python -c '"'"'"'"'"'"'"'"'import sha; BLOCKSIZE = 65536; hasher = sha.sha();
afile = open("'"'"'"'"'"'"'"'"'/etc/apticron/apticron.conf'"'"'"'"'"'"'"'"'", "rb")
buf = afile.read(BLOCKSIZE)
while len(buf) > 0:
hasher.update(buf)
buf = afile.read(BLOCKSIZE)
afile.close()
print(hasher.hexdigest())'"'"'"'"'"'"'"'"' 2>/dev/null) || (echo '"'"'"'"'"'"'"'"'0 '"'"'"'"'"'"'"'"'/etc/apticron/apticron.conf)'"'"''

HANGS

On the remote side the “sudo -H -S -p [sudo via ansible, key=tcskruuzdkrswczrlhqwlrptvdtiikjs] password:” is waiting on a read.

$ sudo strace -p 6283
[sudo] password for ansible:
Process 6283 attached
read(0,

On the control host the "ssh -C -tt -vvv -o ControlMaster=auto " is … don’t know what this is telling me. Little GoogleFu tells me we are waiting on a BSD system call to return but I have no idea what system API is being called.

$ sudo dtruss -p 14453
Password:
SYSCALL(args) = return

More (personal?) issues?

ANSIBLE_KEEP_REMOTE_FILES=1 and setup works as expected.

% ANSIBLE_KEEP_REMOTE_FILES=1 ansible-playbook -i ~/projects/ansible.git/playbooks/vagrant-inventory ~/projects/ansible.git/playbooks/vagrant.yml -vvvv
Using ~/projects/ansible.git/playbooks/ansible.cfg as config file
1 plays in ~/projects/ansible.git/playbooks/vagrant.yml
Loaded callback default of type stdout, v2.0

PLAY ****************************************************************************

TASK [setup] ********************************************************************
<10.X.X.193> ESTABLISH SSH CONNECTION FOR USER: ansible
<10.X.X.193> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=600s -o ControlPath="/tmp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 10.X.X.193 mkdir -p "$HOME/.ansible/tmp/ansible-tmp-1438373803.07-183638808056090" && chmod a+rx "$HOME/.ansible/tmp/ansible-tmp-1438373803.07-183638808056090" && echo "$HOME/.ansible/tmp/ansible-tmp-1438373803.07-183638808056090"
<10.X.X.193> ESTABLISH SSH CONNECTION FOR USER: ansible
<10.X.X.193> PUT /var/folders/d_/bm7rvz154jb_2djkqybb503h0000gp/T/tmpIuLWJX TO /home/ansible/.ansible/tmp/ansible-tmp-1438373803.07-183638808056090/setup
<10.X.X.193> ESTABLISH SSH CONNECTION FOR USER: ansible
<10.X.X.193> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=600s -o ControlPath="/tmp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 10.X.X.193 LANG=C LC_MESSAGES=C LC_CTYPE=C /usr/bin/python /home/ansible/.ansible/tmp/ansible-tmp-1438373803.07-183638808056090/setup
ok: [testing]

ANSIBLE_KEEP_REMOTE_FILES=1 with --become and --ask-become-pass and setup hangs

% ANSIBLE_KEEP_REMOTE_FILES=1 ansible-playbook -i ~/projects/ansible.git/playbooks/vagrant-inventory ~/projects/ansible.git/playbooks/vagrant.yml --ask-become-pass --become -vvvv
Using ~/projects/ansible.git/playbooks/ansible.cfg as config file
SUDO password:

plays in ~/projects/ansible.git/playbooks/vagrant.yml
Loaded callback default of type stdout, v2.0

PLAY ****************************************************************************
TASK [setup] ********************************************************************
<10.X.X.193> ESTABLISH SSH CONNECTION FOR USER: ansible
<10.X.X.193> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=600s -o ControlPath="/tmp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 10.X.X.193 mkdir -p "$HOME/.ansible/tmp/ansible-tmp-1438374066.58-129658387415852" && chmod a+rx "$HOME/.ansible/tmp/ansible-tmp-1438374066.58-129658387415852" && echo "$HOME/.ansible/tmp/ansible-tmp-1438374066.58-129658387415852"
<10.X.X.193> ESTABLISH SSH CONNECTION FOR USER: ansible
<10.X.X.193> PUT /var/folders/d_/bm7rvz154jb_2djkqybb503h0000gp/T/tmpfcw1XC TO /home/ansible/.ansible/tmp/ansible-tmp-1438374066.58-129658387415852/setup
<10.X.X.193> ESTABLISH SSH CONNECTION FOR USER: ansible
<10.X.X.193> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=600s -o ControlPath="/tmp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 10.X.X.193 /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=avmjfmpzrimdtudrpdcayejzjmvgahpj] password: " -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-avmjfmpzrimdtudrpdcayejzjmvgahpj; LANG=C LC_MESSAGES=C LC_CTYPE=C /usr/bin/python /home/ansible/.ansible/tmp/ansible-tmp-1438374066.58-129658387415852/setup'"'"''

Breaking down the play.

$ ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/tmp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 10.X.X.193 /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=benehbanetqnytmmkklumnbvsiyukasg] password: " -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-benehbanetqnytmmkklumnbvsiyukasg; LANG=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/ansible/.ansible/tmp/ansible-tmp-1438377089.9-208037963158211/hostname'"'"''
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: auto-mux: Trying existing master
debug2: fd 3 setting O_NONBLOCK
debug2: mux_client_hello_exchange: master version 4
debug3: mux_client_forwards: request forwardings: 0 local, 0 remote
debug3: mux_client_request_session: entering
debug3: mux_client_request_alive: entering
debug3: mux_client_request_alive: done pid = 1474
debug3: mux_client_request_session: session request sent
debug1: mux_client_request_session: master session id: 12
usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user]
[command]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] [VAR=value] [-i|-s] []
usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file …
debug3: mux_client_read_packet: read header failed: Broken pipe

Odd, improper invocation of sudo? Break down of the sudo commands.

$ /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=benehbanetqnytmmkklumnbvsiyukasg] password: " -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-benehbanetqnytmmkklumnbvsiyukasg; LANG=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/ansible/.ansible/tmp/ansible-tmp-1438377089.9-208037963158211/hostname'"'"''

[sudo via ansible, key=benehbanetqnytmmkklumnbvsiyukasg] password:

BECOME-SUCCESS-benehbanetqnytmmkklumnbvsiyukasg
{"changed": false, "name": "tester", "ansible_facts": {"ansible_hostname": "tester"}}

That seems to work.

Test the ssh command.

$ ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/tmp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 10.X.X.193

OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: auto-mux: Trying existing master
debug2: fd 3 setting O_NONBLOCK
debug2: mux_client_hello_exchange: master version 4
debug3: mux_client_forwards: request forwardings: 0 local, 0 remote
debug3: mux_client_request_session: entering
debug3: mux_client_request_alive: entering
debug3: mux_client_request_alive: done pid = 1474
debug3: mux_client_request_session: session request sent
debug1: mux_client_request_session: master session id: 12
Last login: Fri Jul 31 16:33:09 2015 from 172.X.X.100
ansible@tester:~$

That seems to work.

Test the first sudo command, /bin/sh -c 'sudo -k'

$ ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/tmp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 10.X.X.193 /bin/sh -c 'sudo -k'
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: auto-mux: Trying existing master
debug2: fd 3 setting O_NONBLOCK
debug2: mux_client_hello_exchange: master version 4
debug3: mux_client_forwards: request forwardings: 0 local, 0 remote
debug3: mux_client_request_session: entering
debug3: mux_client_request_alive: entering
debug3: mux_client_request_alive: done pid = 1474
debug3: mux_client_request_session: session request sent
debug1: mux_client_request_session: master session id: 12
usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user]
[command]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] [VAR=value] [-i|-s] []
usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file …
debug3: mux_client_read_packet: read header failed: Broken pipe
debug2: Received exit status from master 1

Not expected! Just over to the target system.

$ /bin/sh -c 'sudo -k'
$ echo $?
0

So something about executing /bin/sh -c 'sudo -k' via ssh is breaking things?

Is it the sudo -k?

$ ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/tmp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 10.X.X.193 /bin/sh -c 'sudo -h'

usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user]
[command]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] [VAR=value] [-i|-s] []
usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
prompt] [-u user] file …

Nope.

Is it the /bin/sh -c?

ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/tmp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 10.X.X.193 sudo -h

Options:
-A, --askpass use a helper program for password prompting
-b, --background run command in the background
-C, --close-from=num close all file descriptors >= num
-E, --preserve-env preserve user environment when running command
-e, --edit edit files instead of running a command
-g, --group=group run command as the specified group name or ID
-H, --set-home set HOME variable to target user's home dir
-h, --help display help message and exit

Yes!

What is ssh treating differently between /bin/sh -c 'sudo -k' vs sudo -k ?

I was able to get the ssh and sudo commands to work properly from the control host like this

$ ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/tmp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 10.X.X.193 '/bin/sh -c "sudo -k && sudo -H -S -p "[sudo via ansible, key=oyhepruyffgwmikqvhscueppmxdhrrrs] password: " -u root /bin/sh -c "/usr/bin/python /home/ansible/.ansible/tmp/ansible-tmp-1438379820.92-121855719831019/hostname""'

At least under Ubuntu 14.04 you need to quote the whole command passed via ssh.

I’ll post this to the issue as well.
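
An added example, not part of the original posts: ssh joins the arguments of the remote command with single spaces and the remote login shell parses that string a second time, so `/bin/sh -c 'sudo -k'` typed on the control host arrives as `/bin/sh -c sudo -k`, and the inner shell runs `sudo` with no arguments, which prints the usage text seen above. `ssh_like` and `fakesudo` are constructed stand-ins for ssh and sudo so the script runs locally without a remote host.

```shell
#!/bin/sh
# Added illustration: ssh_like and fakesudo are constructed stand-ins,
# not Ansible or OpenSSH code.

# ssh sends the remote command as ONE string: its arguments joined with
# single spaces. The remote login shell then parses that string again.
ssh_like() {
    sh -c "$*"
}

# Stand-in for sudo that reports how many arguments it received.
stubdir=$(mktemp -d)
trap 'rm -rf "$stubdir"' EXIT
cat > "$stubdir/fakesudo" <<'EOF'
#!/bin/sh
echo "fakesudo argc=$# args=$*"
EOF
chmod +x "$stubdir/fakesudo"
PATH="$stubdir:$PATH"
export PATH

# As typed in the thread: the local shell strips the single quotes, so the
# remote side parses "/bin/sh -c fakesudo -k". The script given to sh -c is
# just "fakesudo"; "-k" becomes $0 of the inner shell and is never passed on.
unquoted() {
    ssh_like /bin/sh -c 'fakesudo -k'
}

# Whole remote command passed as a single quoted word: the inner quotes
# survive the local shell and are interpreted by the remote one.
quoted() {
    ssh_like "/bin/sh -c 'fakesudo -k'"
}

echo "unquoted: $(unquoted)"
echo "quoted:   $(quoted)"
```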