Ansible privilege escalation problem with password

Time: 2019-10-01 17:31:28

Tags: linux ssh ansible ansible-2.x

TL;DR

This problem has been bothering me for over a week and I can't seem to figure it out. I am running ansible as user1, a user who has permission to become root, but ansible returns this error: Timeout (12s) waiting for privilege escalation prompt:. Using ansible's debug mode, export ANSIBLE_DEBUG=True, I noticed that ansible simply hangs when the privilege escalation prompt appears. So it seems the password I provided at the start is not being supplied.

My setup

My ansible.cfg is fully commented out. It is just the default config file.

The host is CentOS7 and has python 2.7

Running the command ansible --version

ansible 2.8.2
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/user1/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /bin/ansible
  python version = 2.7.5 (default, Jun 20 2019, 20:27:34) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]

The problem

I am trying to run my playbook using become, but I can't get past the "Gathering Facts" section. I want to become root via dzdo to execute the tasks in my playbook. However, if you look at the debug log, ansible seems to hang on the become password prompt. See the Ansible Debug below: >>>[dzdo via ansible, key=KEY_STRING] password:<<<; it sits on that line for 10 seconds and then reports that it is waiting for the privilege escalation prompt. But the prompt clearly did appear. So I decided to run the command that seemed to hang myself (you can see it for yourself in the Ansible Debug section below):

ssh -tt host1 '/bin/sh -c '"'"'dzdo -H -S -p "[dzdo via ansible, key=KEY_STRING] password:" -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-KEY_STRING ; /usr/bin/python /home/user1/.ansible/tmp/ansible-tmp-1569872806.13-188766343287198/AnsiballZ_command.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''

When I run this command I am prompted for the password, I supply the root password and SUCCESS! I get a huge json blob of facts about the host.

Example commands I ran that "failed to become" and returned the same error above (they should have run as root):

(Note: I added -vvvv to print debug statements to see what is going on behind the scenes; normally I would not add this option if everything worked. Also, I know that --become-user defaults to root. I am just adding it for clarity.)

  1. ansible host1 -kbK -m command -a "id" --user=user1 --become-user=root --become-method=dzdo
  2. ansible-playbook -kbK myplaybook.yml --tags="myTag" --user=user1 --become-user=root --become-method=dzdo

Any ideas why ansible does not seem to see, and therefore does not supply, the password I provided at the start? Also, just for testing purposes, when I am prompted for the passwords:

SSH password: 
BECOME password[defaults to SSH password]:

I tested the BECOME password both by simply leaving it blank (pressing Enter so it defaults to the SSH password) and by entering a wrong password (just mashing the keyboard; if the password were actually being used, it would notice that it is wrong).

Ansible Debug log

...everything above seems to be ok, I successfully see:
1. Successful ssh connection to the hosts with the given user1
2. Successful ssh connection to move the ansible file it will run and making the directory
3. Attempting the python interpreter discovery
4. Finding the PLATFORM
5. etc... until I get to the actual escalated privilege line below
<host1> ESTABLISH SSH CONNECTION FOR USER: user1
<host1> SSH: EXEC sshpass -d8 ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o 'User="user1"' -o ConnectTimeout=10 -o ControlPath=/home/user1/.ansible/cp/89ddddab56 -tt host1 '/bin/sh -c '"'"'dzdo -H -S  -p "[dzdo via ansible, key=KEY_STRING] password:" -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-KEY_STRING ; /usr/bin/python /home/user1/.ansible/tmp/ansible-tmp-1569872806.13-188766343287198/AnsiballZ_command.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
 22694 1569872807.55226: Initial state: awaiting_escalation: BECOME-SUCCESS-KEY_STRING
 22694 1569872807.58708: stderr chunk (state=1):
>>>OpenSSH_7.6p1 (CentrifyDC build 5.5.0-193) , OpenSSL 1.0.2n-fips  7 Dec 2017
<<<

 22694 1569872807.58831: stderr chunk (state=1):
>>>debug1: Reading configuration data /etc/centrifydc/ssh/ssh_config
debug1: /etc/centrifydc/ssh/ssh_config line 47: Applying options for *
<<<

 22694 1569872807.58942: stderr chunk (state=1):
>>>debug1: auto-mux: Trying existing master
debug2: fd 3 setting O_NONBLOCK
debug2: mux_client_hello_exchange: master version 4
debug3: mux_client_forwards: request forwardings: 0 local, 0 remote
debug3: mux_client_request_session: entering
debug3: mux_client_request_alive: entering
debug3: mux_client_request_alive: done pid = 22660
debug3: mux_client_request_session: session request sent
<<<

 22694 1569872807.59199: stderr chunk (state=1):
>>>debug1: mux_client_request_session: master session id: 2
<<<

 22694 1569872807.87886: stdout chunk (state=1):
>>>[dzdo via ansible, key=KEY_STRING] password:<<<

 22694 1569872819.89077: done running TaskExecutor() for host1/TASK: command [c81f66f6-8106-36fa-2522-0000000000a5]
 22694 1569872819.89146: sending task result for task c81f66f6-8106-36fa-2522-0000000000a5
 22694 1569872819.89287: done sending task result for task c81f66f6-8106-36fa-2522-0000000000a5
 22694 1569872819.89309: WORKER PROCESS EXITING
 22686 1569872819.89555: marking host1 as failed
 22686 1569872819.89601: marking host host1 failed, current state: HOST STATE: block=2, task=1, rescue=0, always=0, run_state=ITERATING_TASKS, fail_state=FAILED_NONE, pending_setup=False, tasks child state? (None), rescue child state? (None), always child state? (None), did rescue? False, did start at task? False
 22686 1569872819.89633: ^ failed state is now: HOST STATE: block=2, task=1, rescue=0, always=0, run_state=ITERATING_COMPLETE, fail_state=FAILED_TASKS, pending_setup=False, tasks child state? (None), rescue child state? (None), always child state? (None), did rescue? False, did start at task? False
 22686 1569872819.89658: getting the next task for host host1
 22686 1569872819.89680: host host1 is done iterating, returning
host1 | FAILED | rc=-1 >>
Timeout (12s) waiting for privilege escalation prompt:

...then the connection to host1 is closed.
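To make the log above easier to read, here is an added, simplified model of the handshake Ansible's ssh connection plugin performs when become needs a password. It is written for this page and is not Ansible's own code; KEY_STRING is the placeholder from the question, and the remote side is a constructed stand-in for dzdo. The plugin normally starts in awaiting_prompt, writes the become password when an output line starts with the prompt it passed via -p, and then waits in awaiting_escalation for the BECOME-SUCCESS marker. The debug line "Initial state: awaiting_escalation" in the log above means the plugin began in the state that only watches for the success marker, so the prompt that dzdo printed is never answered and the task ends in the timeout. The model reproduces both outcomes.

```python
"""Illustrative model of the become-prompt handshake in Ansible's ssh connection
plugin. Simplified reconstruction written for this page, not Ansible's own code;
the remote side below is a constructed stand-in for dzdo."""

# Placeholders taken from the question's log; real runs use a random per-task id.
KEY = "KEY_STRING"
PROMPT = "[dzdo via ansible, key=%s] password:" % KEY
SUCCESS = "BECOME-SUCCESS-%s" % KEY


def check_password_prompt(output, prompt):
    """True if any output line starts with the prompt string that was set via -p."""
    b_prompt = prompt.encode().strip()
    return any(line.strip().startswith(b_prompt) for line in output.splitlines())


def check_success(output, success):
    """True if the BECOME-SUCCESS marker echoed by the escalated shell is present."""
    return success.encode() in output


class BecomeSession:
    """Controller-side state while the remote shell is being escalated."""

    def __init__(self, expect_prompt):
        # With a password prompt to wait for, start in awaiting_prompt; otherwise the
        # plugin goes straight to awaiting_escalation and only looks for SUCCESS.
        self.state = "awaiting_prompt" if expect_prompt else "awaiting_escalation"
        self.sent_password = False
        self.events = []

    def feed_stdout(self, chunk):
        if self.state == "awaiting_prompt" and check_password_prompt(chunk, PROMPT):
            self.sent_password = True          # stands in for writing become_pass to stdin
            self.state = "awaiting_escalation"
            self.events.append("prompt seen, password sent")
        if self.state == "awaiting_escalation" and check_success(chunk, SUCCESS):
            self.state = "ready_to_send"
            self.events.append("success marker seen")
        return self.state


def run(expect_prompt, max_chunks=4):
    """Drive one escalation attempt against a constructed remote.

    The remote prints the -p prompt first and emits the SUCCESS marker only after
    a password has been written to it. max_chunks bounds the wait and plays the
    role of the 12 s timeout from the question.
    """
    session = BecomeSession(expect_prompt)
    pending = [PROMPT.encode()]              # first stdout chunk, as in the log
    answered = False
    for _ in range(max_chunks):
        if not pending:
            break                            # remote is silent: dzdo still waits for input
        session.feed_stdout(pending.pop(0))
        if session.sent_password and not answered:
            answered = True
            pending.append(SUCCESS.encode() + b"\n")
    if session.state == "ready_to_send":
        return "ok"
    return "Timeout waiting for privilege escalation prompt"


if __name__ == "__main__":
    print("expect_prompt=True :", run(True))    # ok
    print("expect_prompt=False:", run(False))   # Timeout waiting for privilege escalation prompt
```

Running the block with expect_prompt=True walks through both states and succeeds; with expect_prompt=False the prompt chunk is inspected only for the success marker, nothing is written back, the constructed remote stays silent, and the attempt ends in the same timeout the question reports.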

1 answer:

Answer 0: (score: 0)

What you are experiencing is the fact that the user needs to enter a password when sudo'ing.

This can be fixed in ansible.cfg, in your inventory, or directly in the playbook with the following configuration:

ansible_become_method: 'su'
ansible_become_exe: 'sudo -p "Password: " su -'

All credit for this technique goes to rahim-raddahi https://github.com/ansible/ansible/issues/12686#issuecomment-373326739