Sudo issues... again

Hi all

I had a few sudo issues in the past, and those got solved. Now after updating to the latest release (1.5.3) the problem has resurfaced again.
My master box has an ansible user, which connects through ssh certs and has sudo rights to root on each of the remote boxes.
I’ve got 62 boxes that are failing if I sudo to them with ansible. Those 62 are a mixture of rhel/centos 5.?/6.? 32/64. Nothing in common.
Examples below are shown using a single box.

So if I do not use sudo, it works:

```
$ ansible commando -om ping
commando | success >> {"changed": false, "ping": "pong"}
```

Now with sudo:

```
$ ansible commando -sKom ping
sudo password:
commando | FAILED => ssh connection closed waiting for sudo or su password prompt
```

and yet:

```
$ ssh commando
Last login: Thu Mar 20 12:02:12 2014 from ansible_master.passmark.net
[ansible@commando ~]$ sudo su -
[sudo] password for ansible:
[root@commando ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
```

I actually updated to dev as I was told that my previous sudo issues had been solved in the dev branch. Unfortunately no difference. (It got rid of the nagging “previous host file not found” message though.)

Any help to try to clear this issue for once and for all would be very welcome indeed.

Thanks

Makimoto,

Have you enabled ‘pipelining = True’ in your ansible.cfg file?

If so, this is potentially the cause. Regardless, it would be nice to see the output of ansible -vvvv as that would help identify if pipelining is being used or not, or any other potential issues.

Hi

Pipelining is most definitely on. The speed advantage is great. I tried disabling it to see, but the end result is the same.

With pipelining on:

```
$ ansible commando -sKom ping -vvvv
sudo password:
ESTABLISH CONNECTION FOR USER: ansible
REMOTE_MODULE ping
EXEC ['ssh', '-C', '-vvv', '-o', 'PasswordAuthentication=no', '-o', 'ControlMaster=auto', '-o', 'ControlPath=~/tmp/ansible-ssh-%h-%p-%r', '-o', 'Port=22', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'ConnectTimeout=30', 'commando', '/bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=eitjzleioedwxwlkwhlcyyraqeqvqzxk] password: " -u root /bin/sh -c '"'"'echo SUDO-SUCCESS-eitjzleioedwxwlkwhlcyyraqeqvqzxk; /usr/bin/python'"'"''']
EXEC previous known host file not found for commando
commando | FAILED => ssh connection closed waiting for sudo or su password prompt
```

Without pipelining:

```
$ ansible commando -sKom ping -vvvvv
sudo password:
<commando> ESTABLISH CONNECTION FOR USER: ansible
<commando> REMOTE_MODULE ping
<commando> EXEC ['ssh', '-C', '-tt', '-vvv', '-o', 'PasswordAuthentication=no', '-o', 'ControlMaster=auto', '-o', 'ControlPath=~/tmp/ansible-ssh-%h-%p-%r', '-o', 'Port=22', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'ConnectTimeout=30', 'commando', "/bin/sh -c 'mkdir -p /tmp/ansible-tmp-1395325848.27-139028944178673 && chmod a+rx /tmp/ansible-tmp-1395325848.27-139028944178673 && echo /tmp/ansible-tmp-1395325848.27-139028944178673'"]
EXEC previous known host file not found for commando
commando | FAILED => Authentication or permission failure. In some cases, you may have been able to authenticate and did not have permissions on the remote directory. Consider changing the remote temp path in ansible.cfg to a path rooted in "/tmp". Failed command was: mkdir -p /tmp/ansible-tmp-1395325848.27-139028944178673 && chmod a+rx /tmp/ansible-tmp-1395325848.27-139028944178673 && echo /tmp/ansible-tmp-1395325848.27-139028944178673, exited with result 1: mkdir: cannot create directory `/tmp/ansible-tmp-1395325848.27-139028944178673': Permission denied
```

For the record I do have this in ansible.cfg:

```
remote_tmp = /tmp
```

By the way, I forgot to mention that I tried giving passwordless sudo access to the ‘ansible’ user.
And it did not work. Got the same output.
Which leads me to think that sudo does not get called properly.
Just speculating though…

What was the last official release that worked for you? Also, are there any other ansible.cfg settings you’ve changed from their defaults?

Hi

Last working one was 1.5.1.
And yes, a few changes to the cfg. Here is the comments-stripped version:

```
[defaults]
hostfile = /ansible/etc/hosts
library = /usr/share/ansible
remote_tmp = /tmp
pattern = *
forks = 5
poll_interval = 15
sudo_user = root
transport = ssh
remote_port = 22
connection = ssh
timeout = 30
log_path = /ansible/log/ansible.log
ansible_managed = Mantained by Ansible. Please refer to {host} to make changes in {file}. Direct edits to this file WILL BE overwritten.
display_skipped_hosts = True
error_on_undefined_vars = True
action_plugins = /usr/share/ansible_plugins/action_plugins
callback_plugins = /usr/share/ansible_plugins/callback_plugins
connection_plugins = /usr/share/ansible_plugins/connection_plugins
lookup_plugins = /usr/share/ansible_plugins/lookup_plugins
vars_plugins = /usr/share/ansible_plugins/vars_plugins
filter_plugins = /usr/share/ansible_plugins/filter_plugins
[paramiko_connection]
[ssh_connection]
ssh_args = -o PasswordAuthentication=no -o ControlMaster=auto -o ControlPath=~/tmp/ansible-ssh-%h-%p-%r
scp_if_ssh = True
[accelerate]
```

Normally pipelining is there also, but I just disabled it per advice on this thread.

I see you’re setting the transport to ssh rather than smart. When you’re using EL 5/6, does the same issue occur if you set the transport to paramiko or smart?

That’s a good point. Haven’t tried.
Will try tomorrow at work and report back.

thanks!

Same result unfortunately. :frowning:
paramiko is a no go for me though, as I’ve got a number of boxes behind a jumpbox. And I use ssh config to get direct access to those.
I’ll try to think out of the box and see what happens…

Solved!

At the end it was something simple (isn’t it always…)
On the client machines, /etc/sudoers had this fateful line:

```
Defaults requiretty
```

That has been commented out. And no issues.
But I feel ambivalent about the security side of things. Is there no way for ansible to log with a tty???
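Rather than commenting out `Defaults requiretty` for every account, sudoers can exempt only the automation user with `Defaults:ansible !requiretty`, so interactive users keep the tty requirement. The script below is an added example, not code from this thread or from the Ansible project: it parses the Defaults lines of a sudoers file and reports whether requiretty still applies to a given user, using two constructed sudoers files (file names and contents are assumptions) to compare the blanket removal with the per-user exemption.

```shell
set -e

# requiretty_applies FILE USER -> prints "yes" or "no".
# Global "Defaults" lines and per-user "Defaults:user" lines are tracked
# separately, because sudo applies per-user Defaults after the global ones
# regardless of their position in the file. #include directives are ignored.
requiretty_applies() {
    file="$1"; user="$2"
    awk -v u="$user" '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
        NF == 0 { next }
        $1 == "Defaults" { scan(); if (v != "") g = v }   # global setting
        $1 ~ /^Defaults:/ {                               # per-user setting
            n = split(substr($1, 10), users, ",")
            for (k = 1; k <= n; k++)
                if (users[k] == u) { scan(); if (v != "") p = v }
        }
        # scan() sets v to yes/no if this line mentions (!)requiretty
        function scan(   i, opt) {
            v = ""
            for (i = 2; i <= NF; i++) {
                opt = $i; sub(/,$/, "", opt)              # allow "requiretty,"
                if (opt == "requiretty") v = "yes"
                else if (opt == "!requiretty") v = "no"
            }
        }
        END { r = (p != "") ? p : g; if (r == "") r = "no"; print r }
    ' "$file"
}

# Constructed sample sudoers files (assumed names, not from any real host).
tmp=$(mktemp -d)
cat > "$tmp/sudoers.global" <<'EOF'
Defaults    requiretty
Defaults    env_reset, secure_path="/sbin:/bin:/usr/sbin:/usr/bin"
ansible     ALL=(root) ALL
EOF
cat > "$tmp/sudoers.scoped" <<'EOF'
Defaults    requiretty
# Exempt only the automation account; interactive users keep requiretty.
Defaults:ansible    !requiretty
ansible     ALL=(root) ALL
EOF

for u in ansible alice; do
    printf '%s: global=%s scoped=%s\n' "$u" \
        "$(requiretty_applies "$tmp/sudoers.global" "$u")" \
        "$(requiretty_applies "$tmp/sudoers.scoped" "$u")"
done
```

Validate any real edit with `visudo -c -f FILE` before installing it; the checker above only reads the one file it is given.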