Using Cpanel with Ansible

Hi,

Let me explain our environment first:

We have about 500 cpanel servers which are either openvz VEs or physical servers. We are now using puppet to manage and carry out any common system administration tasks on the servers. Direct ssh root login is disabled on all these servers.

Requirement: We need to setup ansible to replace puppet.

What I’ve done:

Since direct ssh root login is disabled, I’ve created a new user in the client server and set up key based authentication from ansible master server. Also gave sudo privileges to this user so that the user has got sufficient privileges to execute commands as the root user.

I tried a few ansible adhoc commands and they worked for a few times, for eg:

[ih_ansible_user@ansible /]$ ansible -m shell -a '/etc/init.d/exim status' test.cpanelserver.com
test.cpanelserver.com | SUCCESS | rc=0 >>
exim (pid 28919 22473 21885 19961 19960 18016 16832 10399 10059 6131 3856 3657 3501 3431 2083 2012) is running...

[ih_ansible_user@ansible /]$ ansible -m shell -a '/etc/init.d/mysql status' test.cpanelserver.com
test.cpanelserver.com | SUCCESS | rc=0 >>
SUCCESS! MySQL running (13701)

[ih_ansible_user@ansible /]$ ansible -m shell -a 'df -h' test.cpanelserver.com
test.cpanelserver.com | SUCCESS | rc=0 >>
Filesystem Size Used Avail Use% Mounted on
/dev/simfs 2.0T 1.3T 598G 69% /

But after a few tries, I get the error:

[ih_ansible_user@ansible /]$ ansible -m shell -a '/etc/init.d/httpd status' test.cpanelserver.com
test.cpanelserver.com | FAILED! => {
"changed": false,
"failed": true,
"module_stderr": "Shared connection to test.cpanelserver.com closed.\r\n",
"module_stdout": "sudo: PERM_ROOT: setresuid(0, -1, -1): too many processes\r\n",
"msg": "MODULE FAILURE",
"rc": 1
}

I’m also getting a similar error when I execute the command from the client server as the ansible user:

ih_ansible_user@test [/root]# sudo httpd status
sudo: PERM_ROOT: setresuid(0, -1, -1): too many processes

Upon searching, I could see that the number of processes for users other than root is restricted in cpanel servers. The suggested fix is to disable shell fork bomb protection but it is not secure. Also I’m unable to increase the limit.

Currently I’m stuck at this point. Please let me know if this is the correct approach, like adding a new user for ansible etc.

Is it not possible to lift this restriction on the user that runs Ansible?

There is work in progress to make Ansible use threads instead of forking, this might help your case.

https://groups.google.com/forum/#!topic/ansible-devel/2-yqn3zuWg8

I tried increasing the limits but it won't take effect unless I disable shell fork bomb protection from the WHM interface. And it is not a good idea to disable it.

Fayad

The issue was fixed by creating the ansible user on the client server with a uid less than 500, which is the range meant for system accounts; the limit is not applicable to these accounts.

Fayad

Is it required to run ansible commands as the root user?

If running as another user, are there any privileges required to be given to this user?

Fayad

Is it required to run ansible commands as the root user?

No.

If running as another user, are there any privileges required to be given to this user?

No.
But if a command or an action needs privileges the user doesn't have, it will of course not work with Ansible either.

Thanks Kai.

I’ve added the following line in the /etc/sudoers file on the client server:

ansible_user ALL=(root) NOPASSWD: ALL

Won’t this provide enough privilege for the ansible user to execute commands as root?

Yes, it will, but you still have to tell ansible to use become; it won't magically use sudo unless you specify become: true or use the option -b on the command line.

Hi,

Yes, I’ve already enabled it. Please see the below lines:

[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=False

Is this the correct method if root login is disabled?

Fayad
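Pulling together the pieces that worked in this thread (an automation account in the system uid range, key-based login for it, the sudoers grant, and become enabled on the controller), here is an added example playbook that bootstraps such an account. It is not code from the original posts. The account name `ansible_user`, the host group `cpanel`, and the public-key placeholder are assumptions; the `ansible.posix.authorized_key` module requires the ansible.posix collection. Because root SSH is disabled, the first run needs some existing privileged path (for example an admin account with sudo, run with -K); after that the new account takes over.

```yaml
# Added example, not from the original thread: create a low-uid automation
# account on a cPanel host so sudo is not hit by the per-user process limit.
- name: Bootstrap automation account on cPanel hosts
  hosts: cpanel                       # assumed inventory group
  become: true                        # bootstrap itself runs as root via an existing path
  vars:
    automation_user: ansible_user     # name taken from the sudoers line in the thread
    automation_pubkey: "ssh-ed25519 AAAA...PLACEHOLDER controller"   # replace with the controller key
  tasks:
    - name: Create the account in the system uid range
      ansible.builtin.user:
        name: "{{ automation_user }}"
        system: true                  # allocates from SYS_UID_MIN..SYS_UID_MAX in login.defs
        shell: /bin/bash
        create_home: true
      register: acct

    # On some distributions the system range extends past 500, so verify the
    # allocated uid actually sits below the limit reported in the thread.
    - name: Fail early if the uid is not below 500
      ansible.builtin.assert:
        that:
          - acct.uid | int < 500
        fail_msg: "uid {{ acct.uid }} is still subject to the cPanel process limit; set uid explicitly"

    - name: Install the controller's public key
      ansible.posix.authorized_key:
        user: "{{ automation_user }}"
        key: "{{ automation_pubkey }}"

    # Same grant as in the thread, but as a drop-in file that visudo checks
    # before it is written, so a syntax error cannot lock out sudo.
    - name: Grant passwordless sudo with validation
      ansible.builtin.copy:
        dest: "/etc/sudoers.d/{{ automation_user }}"
        content: "{{ automation_user }} ALL=(root) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s
```

With the account in place, the `[privilege_escalation]` settings shown above (become=True, become_method=sudo, become_user=root) make every later play run through sudo as this user, and the process-limit failure from the earlier attempts no longer applies because the uid is in the system range.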