Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ansible_user with backslash does not work when used in task #20381

Closed
sreber84 opened this issue Jan 18, 2017 · 2 comments
Closed

ansible_user with backslash does not work when used in task #20381

sreber84 opened this issue Jan 18, 2017 · 2 comments
Assignees
@jimi-c
Labels
affects_2.2 This issue/PR affects Ansible v2.2 bug This issue/PR relates to a bug. c:plugins/connection/ssh
Milestone
2.3.0

Comments

@sreber84
Copy link

ISSUE TYPE
  • Bug Report
COMPONENT NAME

ansible core

ANSIBLE VERSION
ansible 2.2.0.0
CONFIGURATION
[foo@ansible ansible]$ cat hosts
[test]
client.example.com
[foo@ansible ansible]$ cat group_vars/all 
---
ansible_user: 'dom\user'
[foo@ansible ansible]$ pwd
/home/foo/ansible
[foo@ansible ansible]$ ANSIBLE_KEEP_REMOTE_FILES=1 ansible -vvvv -i hosts test -m command -a "/usr/bin/id -g {{ ansible_ssh_user }}"
OS / ENVIRONMENT
[foo@ansible ansible]$ uname -a
Linux ansible.example.com 3.10.0-514.2.2.el7.x86_64 #1 SMP Wed Nov 16 13:15:13 EST 2016 x86_64 x86_64 x86_64 GNU/Linux

Red Hat Enterprise Linux 7.3

SUMMARY

When running a playbook with ansible_user set to something like dom\user the use of {{ansible_user}} in any task is failing.

If ansible_user is defined like the following example ansible_user: 'dom\user' the ssh connectivity is working but running id -g {{ansible_user}} will fail due to the escaping of the \

[foo@ansible ansible]$ ANSIBLE_KEEP_REMOTE_FILES=1 ansible -vvvv -i hosts test -m command -a "/usr/bin/id -g {{ ansible_ssh_user }}"
Using /home/foo/ansible/ansible.cfg as config file
Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/__init__.pyc
Using module file /usr/lib/python2.7/site-packages/ansible/modules/core/commands/command.py
<client.example.com> ESTABLISH SSH CONNECTION FOR USER: dom\user
<client.example.com> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/home/foo/ansible/.ssh/ansible_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User=dom\user' -o ConnectTimeout=10 -o ControlPath=/home/foo/.ansible/cp/ansible-ssh-%h-%p-%r client.example.com '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1484727796.64-66600825524502 `" && echo ansible-tmp-1484727796.64-66600825524502="` echo $HOME/.ansible/tmp/ansible-tmp-1484727796.64-66600825524502 `" ) && sleep 0'"'"''
<client.example.com> PUT /tmp/tmp4Eo9IT TO /home/domuser/.ansible/tmp/ansible-tmp-1484727796.64-66600825524502/command.py
<client.example.com> SSH: EXEC sftp -b - -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/home/foo/ansible/.ssh/ansible_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User=dom\user' -o ConnectTimeout=10 -o ControlPath=/home/foo/.ansible/cp/ansible-ssh-%h-%p-%r '[client.example.com]'
<client.example.com> ESTABLISH SSH CONNECTION FOR USER: dom\user
<client.example.com> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/home/foo/ansible/.ssh/ansible_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User=dom\user' -o ConnectTimeout=10 -o ControlPath=/home/foo/.ansible/cp/ansible-ssh-%h-%p-%r client.example.com '/bin/sh -c '"'"'chmod u+x /home/domuser/.ansible/tmp/ansible-tmp-1484727796.64-66600825524502/ /home/domuser/.ansible/tmp/ansible-tmp-1484727796.64-66600825524502/command.py && sleep 0'"'"''
<client.example.com> ESTABLISH SSH CONNECTION FOR USER: dom\user
<client.example.com> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/home/foo/ansible/.ssh/ansible_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User=dom\user' -o ConnectTimeout=10 -o ControlPath=/home/foo/.ansible/cp/ansible-ssh-%h-%p-%r -tt client.example.com '/bin/sh -c '"'"'/usr/bin/python /home/domuser/.ansible/tmp/ansible-tmp-1484727796.64-66600825524502/command.py && sleep 0'"'"''
client.example.com | FAILED | rc=1 >>
/usr/bin/id: domuser: no such user

On the client we have:

[root@client ansible-tmp-1484727796.64-66600825524502]# grep -i dom command.py 
    ANSIBALLZ_PARAMS = '{"ANSIBLE_MODULE_ARGS": {"_ansible_version": "2.2.0.0", "_ansible_selinux_special_fs": ["fuse", "nfs", "vboxsf", "ramfs"], "_ansible_no_log": false, "_ansible_module_name": "command", "_raw_params": "/usr/bin/id -g dom\\\\user", "_ansible_verbosity": 4, "_ansible_syslog_facility": "LOG_USER", "_ansible_diff": false, "_ansible_debug": false, "_ansible_check_mode": false}}'

Note the /usr/bin/id -g dom\\\\user

No matter how I set the variable it either fails to login via ssh or then when running id -g. The only way it's working is, when the variable in the task is escaped:

[foo@ansible ansible]$ ANSIBLE_KEEP_REMOTE_FILES=1 ansible -vvvv -i hosts test -m command -a "/usr/bin/id -g \"{{ ansible_ssh_user }}\""
Using /home/foo/ansible/ansible.cfg as config file
Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/__init__.pyc
Using module file /usr/lib/python2.7/site-packages/ansible/modules/core/commands/command.py
<client.example.com> ESTABLISH SSH CONNECTION FOR USER: dom\user
<client.example.com> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/home/foo/ansible/.ssh/ansible_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User=dom\user' -o ConnectTimeout=10 -o ControlPath=/home/foo/.ansible/cp/ansible-ssh-%h-%p-%r client.example.com '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1484728799.45-96838385015641 `" && echo ansible-tmp-1484728799.45-96838385015641="` echo $HOME/.ansible/tmp/ansible-tmp-1484728799.45-96838385015641 `" ) && sleep 0'"'"''
<client.example.com> PUT /tmp/tmpTG3ulC TO /home/domuser/.ansible/tmp/ansible-tmp-1484728799.45-96838385015641/command.py
<client.example.com> SSH: EXEC sftp -b - -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/home/foo/ansible/.ssh/ansible_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User=dom\user' -o ConnectTimeout=10 -o ControlPath=/home/foo/.ansible/cp/ansible-ssh-%h-%p-%r '[client.example.com]'
<client.example.com> ESTABLISH SSH CONNECTION FOR USER: dom\user
<client.example.com> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/home/foo/ansible/.ssh/ansible_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User=dom\user' -o ConnectTimeout=10 -o ControlPath=/home/foo/.ansible/cp/ansible-ssh-%h-%p-%r client.example.com '/bin/sh -c '"'"'chmod u+x /home/domuser/.ansible/tmp/ansible-tmp-1484728799.45-96838385015641/ /home/domuser/.ansible/tmp/ansible-tmp-1484728799.45-96838385015641/command.py && sleep 0'"'"''
<client.example.com> ESTABLISH SSH CONNECTION FOR USER: dom\user
<client.example.com> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/home/foo/ansible/.ssh/ansible_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User=dom\user' -o ConnectTimeout=10 -o ControlPath=/home/foo/.ansible/cp/ansible-ssh-%h-%p-%r -tt client.example.com '/bin/sh -c '"'"'/usr/bin/python /home/domuser/.ansible/tmp/ansible-tmp-1484728799.45-96838385015641/command.py && sleep 0'"'"''
client.example.com | SUCCESS | rc=0 >>
1000

The command.py in this case looks like the below example:

[root@client ansible-tmp-1484728799.45-96838385015641]# grep -i dom command.py 
    ANSIBALLZ_PARAMS = '{"ANSIBLE_MODULE_ARGS": {"_ansible_version": "2.2.0.0", "_ansible_selinux_special_fs": ["fuse", "nfs", "vboxsf", "ramfs"], "_ansible_no_log": false, "_ansible_module_name": "command", "_raw_params": "/usr/bin/id -g \\"dom\\\\user\\"", "_ansible_verbosity": 4, "_ansible_syslog_facility": "LOG_USER", "_ansible_diff": false, "_ansible_debug": false, "_ansible_check_mode": false}}'

Certainly, fixing this in the playbook is one option. But this option is not always possible, if somebody gets a playbook provided by a vendor or similar. It would therefore be nice, if ansible_user and be set in format dom\user and then work via ssh and also when used in a task as variable.

STEPS TO REPRODUCE

Setup account dom\user on client.example.com or even better connect the system to Windows or similar that does require to login via dom\user. We are also aware that @ is a valid delimiter but in certain cases it can not be used/configured.

Create hosts and group_vars/all as below and run the below command:

[foo@ansible ansible]$ cat hosts
[test]
client.example.com
[foo@ansible ansible]$ cat group_vars/all 
---
ansible_user: 'dom\user'
[foo@ansible ansible]$ pwd
/home/foo/ansible
[foo@ansible ansible]$ ANSIBLE_KEEP_REMOTE_FILES=1 ansible -vvvv -i hosts test -m command -a "/usr/bin/id -g {{ ansible_ssh_user }}"
EXPECTED RESULTS

/usr/bin/id -g {{ ansible_ssh_user }} should return the UID of the ansible_user

ACTUAL RESULTS
[foo@ansible ansible]$ ANSIBLE_KEEP_REMOTE_FILES=1 ansible -vvvv -i hosts test -m command -a "/usr/bin/id -g {{ ansible_ssh_user }}"
Using /home/foo/ansible/ansible.cfg as config file
Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/__init__.pyc
Using module file /usr/lib/python2.7/site-packages/ansible/modules/core/commands/command.py
<client.example.com> ESTABLISH SSH CONNECTION FOR USER: dom\user
<client.example.com> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/home/foo/ansible/.ssh/ansible_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User=dom\user' -o ConnectTimeout=10 -o ControlPath=/home/foo/.ansible/cp/ansible-ssh-%h-%p-%r client.example.com '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1484727796.64-66600825524502 `" && echo ansible-tmp-1484727796.64-66600825524502="` echo $HOME/.ansible/tmp/ansible-tmp-1484727796.64-66600825524502 `" ) && sleep 0'"'"''
<client.example.com> PUT /tmp/tmp4Eo9IT TO /home/domuser/.ansible/tmp/ansible-tmp-1484727796.64-66600825524502/command.py
<client.example.com> SSH: EXEC sftp -b - -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/home/foo/ansible/.ssh/ansible_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User=dom\user' -o ConnectTimeout=10 -o ControlPath=/home/foo/.ansible/cp/ansible-ssh-%h-%p-%r '[client.example.com]'
<client.example.com> ESTABLISH SSH CONNECTION FOR USER: dom\user
<client.example.com> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/home/foo/ansible/.ssh/ansible_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User=dom\user' -o ConnectTimeout=10 -o ControlPath=/home/foo/.ansible/cp/ansible-ssh-%h-%p-%r client.example.com '/bin/sh -c '"'"'chmod u+x /home/domuser/.ansible/tmp/ansible-tmp-1484727796.64-66600825524502/ /home/domuser/.ansible/tmp/ansible-tmp-1484727796.64-66600825524502/command.py && sleep 0'"'"''
<client.example.com> ESTABLISH SSH CONNECTION FOR USER: dom\user
<client.example.com> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'IdentityFile="/home/foo/ansible/.ssh/ansible_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User=dom\user' -o ConnectTimeout=10 -o ControlPath=/home/foo/.ansible/cp/ansible-ssh-%h-%p-%r -tt client.example.com '/bin/sh -c '"'"'/usr/bin/python /home/domuser/.ansible/tmp/ansible-tmp-1484727796.64-66600825524502/command.py && sleep 0'"'"''
client.example.com | FAILED | rc=1 >>
/usr/bin/id: domuser: no such user
@ansibot ansibot added affects_2.2 This issue/PR affects Ansible v2.2 bug_report needs_triage Needs a first human triage before being processed. labels Jan 18, 2017
@nitzmahone nitzmahone added c:plugins/connection/ssh and removed needs_triage Needs a first human triage before being processed. labels Jan 19, 2017
@nitzmahone nitzmahone added this to the 2.3.0 milestone Jan 19, 2017
@jimi-c jimi-c self-assigned this Feb 7, 2017
@sdodson
Copy link

sdodson commented Feb 28, 2017

We ended up passing ansible_ssh_user through the quote filter which worked.
/usr/bin/id -g {{ ansible_ssh_user | quote }}

@abadger abadger changed the title ansible_user with backslash does work when used in task ansible_user with backslash does not work when used in task Mar 21, 2017
@nitzmahone
Copy link
Member

Thinking about this some more, this doesn't seem like an Ansible issue- we preserve the backslash correctly, but if it's passed "naked" to the shell (as in this case), of course it's not going to work. The value needs to be escaped for the shell, and the quote filter was the right thing to do it. Closing this, since Ansible did what it was supposed to.

@ansibot ansibot added bug This issue/PR relates to a bug. and removed bug_report labels Mar 7, 2018
@ansible ansible locked and limited conversation to collaborators Apr 26, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@jimi-c jimi-c

Labels
affects_2.2 This issue/PR affects Ansible v2.2 bug This issue/PR relates to a bug. c:plugins/connection/ssh
Projects
None yet
Milestone
2.3.0
Development

No branches or pull requests
5 participants
@jimi-c @sdodson @sreber84 @ansibot @nitzmahone