
become_method: sudo with docker connection not working as a non-root user #31759

Closed
tonytan4ever opened this issue Oct 15, 2017 · 7 comments

@tonytan4ever
commented Oct 15, 2017

ISSUE TYPE
  • Bug Report: become-method and become not working properly for docker connection
COMPONENT NAME

become-method become

ANSIBLE VERSION
ansible 2.4.0.0
  config file = /Users/tonytan4ever/.ansible.cfg
  configured module search path = [u'/Users/tonytan4ever/.ansible/plugins/library']
  ansible python module location = /Users/tonytan4ever/bin/ansible/lib/python2.7/site-packages/ansible
  executable location = /Users/tonytan4ever/bin/ansible/bin/ansible
  python version = 2.7.10 (default, Feb  7 2017, 00:08:15) [GCC 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.34)]
CONFIGURATION
DEFAULT_MODULE_PATH(/Users/tonytan4ever/.ansible.cfg) = [u'/Users/tonytan4ever/.ansible/plugins/library']
DEFAULT_ROLES_PATH(/Users/tonytan4ever/.ansible.cfg) = [u'/Users/tonytan4ever/.ansible/roles']
DEFAULT_TRANSPORT(/Users/tonytan4ever/.ansible.cfg) = ssh
HOST_KEY_CHECKING(/Users/tonytan4ever/.ansible.cfg) = False
OS / ENVIRONMENT

Mac OSX 10.12.6

SUMMARY

When connecting to a docker container as a non-root user and trying to execute
sudo commands using become_method: sudo, become: yes and the --ask-become-pass option,
I get this error:

"module_stderr": "[sudo via ansible, key=tejyqalaiqshnspylpkpekqgxzaxsbux] password: \n"

It seems the password is not passed in.

STEPS TO REPRODUCE

I use this Dockerfile to run a docker container:

```dockerfile
FROM ubuntu:16.04
MAINTAINER Someone <someone@somewhere.com>

# update all packages
RUN apt-get update && \
  apt-get -y install sudo && \
  apt-get install -y software-properties-common vim && \
  add-apt-repository ppa:jonathonf/python-3.6 && \
  apt-get update && \
  apt-get -y dist-upgrade && \
  apt-get -y autoremove && \
  apt-get clean

# install python
RUN apt-get install -y build-essential python3.6 python3.6-dev && \
  apt-get install -y python3-pip python3.6-venv

# update pip
RUN python3.6 -m pip install pip --upgrade && \
  python3.6 -m pip install wheel

RUN ln -sf /usr/bin/python3.6 /usr/bin/python

# create user (somehow this is not working with Ansible)
RUN useradd -ms /bin/bash test_user && \
  echo "test_user:password" | chpasswd && \
  adduser test_user sudo

USER test_user
CMD /bin/bash
```
The playbook:

```yaml
- name: Set up a finbot instance
  hosts: host
  pre_tasks:
    - name: Echoing debug message
      shell: echo "Setting up finbot..."

    - name: Make sure default wheel group exists
      become: yes
      become_method: sudo
      group:
        name: wheel
        state: present

    - name: Allow 'wheel' group to have passwordless sudo
      become: yes
      become_method: sudo
      lineinfile:
        dest: /etc/sudoers
        state: present
        regexp: '^%wheel'
        line: '%wheel ALL=(ALL) NOPASSWD: ALL'

    - name: Create default finbot user
      become: yes
      become_method: sudo
      user:
        name: "{{ user }}"
        groups: sudo,wheel
        state: present

  vars_files:
    - vars/default.yml
```
EXPECTED RESULTS

PLAY RECAP **************************************************************************************************
finbot_host : ok=2 changed=1 unreachable=0 failed=0

ACTUAL RESULTS

See following command and output:

(ansible) 690 $ ansible-playbook -i inventory/docker.ini -u test_user setup_finbot.yml --ask-sudo-pass -vvv
ansible-playbook 2.4.0.0
  config file = /Users/tonytan4ever/.ansible.cfg
  configured module search path = [u'/Users/tonytan4ever/.ansible/plugins/library']
  ansible python module location = /Users/tonytan4ever/bin/ansible/lib/python2.7/site-packages/ansible
  executable location = /Users/tonytan4ever/bin/ansible/bin/ansible-playbook
  python version = 2.7.10 (default, Feb  7 2017, 00:08:15) [GCC 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.34)]
Using /Users/tonytan4ever/.ansible.cfg as config file
[DEPRECATION WARNING]: The sudo command line option has been deprecated in favor of the "become" command
line arguments. This feature will be removed in version 2.6. Deprecation warnings can be disabled by setting
 deprecation_warnings=False in ansible.cfg.
SUDO password:
Parsed /Users/tonytan4ever/projects/Mine/financial_backbone/deploy/inventory/docker.ini inventory source with ini plugin
Read vars_file 'vars/default.yml'
Read vars_file 'vars/default.yml'
Read vars_file 'vars/default.yml'
[DEPRECATION WARNING]: The use of 'include' for tasks has been deprecated. Use 'import_tasks' for static
inclusions or 'include_tasks' for dynamic inclusions. This feature will be removed in a future release.
Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: include is kept for backwards compatibility but usage is discouraged. The module
documentation details page may explain more about this rationale.. This feature will be removed in a future
release. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
Read vars_file 'vars/default.yml'
statically imported: /Users/tonytan4ever/projects/Mine/financial_backbone/deploy/roles/git/tasks/install-from-source.yml
Read vars_file 'vars/default.yml'
statically imported: /Users/tonytan4ever/projects/Mine/financial_backbone/deploy/roles/supervisorctl/tasks/config.yml
Read vars_file 'vars/default.yml'
statically imported: /Users/tonytan4ever/projects/Mine/financial_backbone/deploy/roles/supervisorctl/tasks/init-setup.yml

PLAYBOOK: setup_finbot.yml **********************************************************************************
1 plays in setup_finbot.yml
Read vars_file 'vars/default.yml'
Read vars_file 'vars/default.yml'

PLAY [Set up a finbot instance] *****************************************************************************
Read vars_file 'vars/default.yml'

TASK [Gathering Facts] **************************************************************************************
Using module file /Users/tonytan4ever/bin/ansible/lib/python2.7/site-packages/ansible/modules/system/setup.py
<finbot_test> ESTABLISH DOCKER CONNECTION FOR USER: test_user
<finbot_test> EXEC ['/usr/local/bin/docker', 'exec', '-u', u'test_user', '-i', u'finbot_test', u'/bin/sh', '-c', u"/bin/sh -c 'echo ~ && sleep 0'"]
<finbot_test> EXEC ['/usr/local/bin/docker', 'exec', '-u', u'test_user', '-i', u'finbot_test', u'/bin/sh', '-c', u'/bin/sh -c \'( umask 77 && mkdir -p "` echo /home/test_user/.ansible/tmp/ansible-tmp-1508092393.47-213435881979968 `" && echo ansible-tmp-1508092393.47-213435881979968="` echo /home/test_user/.ansible/tmp/ansible-tmp-1508092393.47-213435881979968 `" ) && sleep 0\'']
<finbot_test> PUT /var/folders/hk/2_hzs5n97ljb21x8l4q0kd0w0000gn/T/tmpQad8yj TO /home/test_user/.ansible/tmp/ansible-tmp-1508092393.47-213435881979968/setup.py
<finbot_test> EXEC ['/usr/local/bin/docker', 'exec', '-u', u'test_user', '-i', u'finbot_test', u'/bin/sh', '-c', u"/bin/sh -c 'chmod u+x /home/test_user/.ansible/tmp/ansible-tmp-1508092393.47-213435881979968/ /home/test_user/.ansible/tmp/ansible-tmp-1508092393.47-213435881979968/setup.py && sleep 0'"]
<finbot_test> EXEC ['/usr/local/bin/docker', 'exec', '-u', u'test_user', '-i', u'finbot_test', u'/bin/sh', '-c', u'/bin/sh -c \'/usr/bin/python /home/test_user/.ansible/tmp/ansible-tmp-1508092393.47-213435881979968/setup.py; rm -rf "/home/test_user/.ansible/tmp/ansible-tmp-1508092393.47-213435881979968/" > /dev/null 2>&1 && sleep 0\'']
ok: [finbot_host]
Read vars_file 'vars/default.yml'

TASK [Echoing debug message] ********************************************************************************
task path: /Users/tonytan4ever/projects/Mine/financial_backbone/deploy/setup_finbot.yml:6
Using module file /Users/tonytan4ever/bin/ansible/lib/python2.7/site-packages/ansible/modules/commands/command.py
<finbot_test> ESTABLISH DOCKER CONNECTION FOR USER: test_user
<finbot_test> EXEC ['/usr/local/bin/docker', 'exec', '-u', u'test_user', '-i', u'finbot_test', u'/bin/sh', '-c', u"/bin/sh -c 'echo ~ && sleep 0'"]
<finbot_test> EXEC ['/usr/local/bin/docker', 'exec', '-u', u'test_user', '-i', u'finbot_test', u'/bin/sh', '-c', u'/bin/sh -c \'( umask 77 && mkdir -p "` echo /home/test_user/.ansible/tmp/ansible-tmp-1508092395.3-256705826586466 `" && echo ansible-tmp-1508092395.3-256705826586466="` echo /home/test_user/.ansible/tmp/ansible-tmp-1508092395.3-256705826586466 `" ) && sleep 0\'']
<finbot_test> PUT /var/folders/hk/2_hzs5n97ljb21x8l4q0kd0w0000gn/T/tmp6J5KTH TO /home/test_user/.ansible/tmp/ansible-tmp-1508092395.3-256705826586466/command.py
<finbot_test> EXEC ['/usr/local/bin/docker', 'exec', '-u', u'test_user', '-i', u'finbot_test', u'/bin/sh', '-c', u"/bin/sh -c 'chmod u+x /home/test_user/.ansible/tmp/ansible-tmp-1508092395.3-256705826586466/ /home/test_user/.ansible/tmp/ansible-tmp-1508092395.3-256705826586466/command.py && sleep 0'"]
<finbot_test> EXEC ['/usr/local/bin/docker', 'exec', '-u', u'test_user', '-i', u'finbot_test', u'/bin/sh', '-c', u'/bin/sh -c \'/usr/bin/python /home/test_user/.ansible/tmp/ansible-tmp-1508092395.3-256705826586466/command.py; rm -rf "/home/test_user/.ansible/tmp/ansible-tmp-1508092395.3-256705826586466/" > /dev/null 2>&1 && sleep 0\'']
changed: [finbot_host] => {
    "changed": true,
    "cmd": "echo \"Setting up finbot...\"",
    "delta": "0:00:00.001506",
    "end": "2017-10-15 18:33:15.738312",
    "failed": false,
    "invocation": {
        "module_args": {
            "_raw_params": "echo \"Setting up finbot...\"",
            "_uses_shell": true,
            "chdir": null,
            "creates": null,
            "executable": null,
            "removes": null,
            "stdin": null,
            "warn": true
        }
    },
    "rc": 0,
    "start": "2017-10-15 18:33:15.736806",
    "stderr": "",
    "stderr_lines": [],
    "stdout": "Setting up finbot...",
    "stdout_lines": [
        "Setting up finbot..."
    ]
}
Read vars_file 'vars/default.yml'

TASK [Make sure default wheel group exists] *****************************************************************
task path: /Users/tonytan4ever/projects/Mine/financial_backbone/deploy/setup_finbot.yml:9
Using module file /Users/tonytan4ever/bin/ansible/lib/python2.7/site-packages/ansible/modules/system/group.py
<finbot_test> ESTABLISH DOCKER CONNECTION FOR USER: test_user
<finbot_test> EXEC ['/usr/local/bin/docker', 'exec', '-u', u'test_user', '-i', u'finbot_test', u'/bin/sh', '-c', u"/bin/sh -c 'echo ~ && sleep 0'"]
<finbot_test> EXEC ['/usr/local/bin/docker', 'exec', '-u', u'test_user', '-i', u'finbot_test', u'/bin/sh', '-c', u'/bin/sh -c \'( umask 77 && mkdir -p "` echo /home/test_user/.ansible/tmp/ansible-tmp-1508092395.93-171872067959409 `" && echo ansible-tmp-1508092395.93-171872067959409="` echo /home/test_user/.ansible/tmp/ansible-tmp-1508092395.93-171872067959409 `" ) && sleep 0\'']
<finbot_test> PUT /var/folders/hk/2_hzs5n97ljb21x8l4q0kd0w0000gn/T/tmpYDskjv TO /home/test_user/.ansible/tmp/ansible-tmp-1508092395.93-171872067959409/group.py
<finbot_test> EXEC ['/usr/local/bin/docker', 'exec', '-u', u'test_user', '-i', u'finbot_test', u'/bin/sh', '-c', u"/bin/sh -c 'chmod u+x /home/test_user/.ansible/tmp/ansible-tmp-1508092395.93-171872067959409/ /home/test_user/.ansible/tmp/ansible-tmp-1508092395.93-171872067959409/group.py && sleep 0'"]
<finbot_test> EXEC ['/usr/local/bin/docker', 'exec', '-u', u'test_user', '-i', u'finbot_test', u'/bin/sh', '-c', u'/bin/sh -c \'sudo -H -S  -p "[sudo via ansible, key=tejyqalaiqshnspylpkpekqgxzaxsbux] password: " -u root /bin/sh -c \'"\'"\'echo BECOME-SUCCESS-tejyqalaiqshnspylpkpekqgxzaxsbux; /usr/bin/python /home/test_user/.ansible/tmp/ansible-tmp-1508092395.93-171872067959409/group.py; rm -rf "/home/test_user/.ansible/tmp/ansible-tmp-1508092395.93-171872067959409/" > /dev/null 2>&1\'"\'"\' && sleep 0\'']
fatal: [finbot_host]: FAILED! => {
    "changed": false,
    "failed": true,
    "module_stderr": "[sudo via ansible, key=tejyqalaiqshnspylpkpekqgxzaxsbux] password: \n",
    "module_stdout": "",
    "msg": "MODULE FAILURE",
    "rc": 1
}
	to retry, use: --limit @/Users/tonytan4ever/projects/Mine/financial_backbone/deploy/setup_finbot.retry

PLAY RECAP **************************************************************************************************
finbot_host                : ok=2    changed=1    unreachable=0    failed=1

@tonytan4ever tonytan4ever changed the title become_method: sudo with docker connection not working become_method: sudo with docker connection not working as a non-root user Oct 15, 2017

@alikins

commented Oct 16, 2017

Was this working before 2.4.0? If so, what version?

@alikins alikins added needs_info and removed needs_triage labels Oct 16, 2017

@ansibot

commented Jan 31, 2018

@tonytan4ever This issue is waiting for your response. Please respond or the issue will be closed.

@ansibot ansibot added bug and removed bug_report labels Mar 1, 2018

@ansibot

commented Mar 9, 2018

@tonytan4ever This issue is waiting for your response. Please respond or the issue will be closed.

@ansibot

commented Mar 17, 2018

@tonytan4ever You have not responded to information requests in this issue so we will assume it no longer affects you. If you are still interested in this, please create a new issue with the requested information.

@ansibot ansibot closed this Mar 17, 2018

@jordanst3wart

commented May 31, 2018

I found this really annoying and confusing when using docker and ansible. Here is a short script which should show my point:

```yaml
- name: try become methods
  become: yes
  become_user: "someUser"
  become_method: su
  command: whoami
# actually still root :(

- name: try become methods
  become: yes
  become_user: "someUser"
  command: whoami
# actually still root :(

- name: try become methods
  become: yes
  become_user: "someUser"
  become_method: sudo
  command: whoami
# actually still root :(

- name: try become methods
  become: yes
  become_user: "someUser"
  become_method: sudo /bin/su -
  command: su - "someUser" -c whoami
# someUser :)

- name: fail
  fail:
```

ansible 2.4.2.0
docker 18.05.0-ce
There aren't many questions on Stack Overflow about this either.

@dagwieers dagwieers added the docker label Jan 31, 2019

@tom-256

commented Feb 1, 2019

Hi, I encountered the same bug.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

become-method become

ANSIBLE VERSION
$ansible --version
ansible 2.7.4
  config file = /Users/xxx/ansible.cfg
  configured module search path = ['/Users/xxx/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/xxx/.local/lib/python3.6/site-packages/ansible
  executable location = /Users/xxx/.local/bin/ansible
  python version = 3.6.5 (default, May 15 2018, 18:43:23) [GCC 4.2.1 Compatible Apple LLVM 9.1.0 (clang-902.0.39.1)]
CONFIGURATION
$ansible-config dump --only-changed
DEFAULT_CALLBACK_WHITELIST(/Users/xxx/ansible.cfg) = ['profile_tasks']
DEFAULT_VAULT_PASSWORD_FILE(/Users/xxx/ansible.cfg) = /Users/xxx/vault_password_file
OS / ENVIRONMENT

Mac OSX 10.14.2

STEPS TO REPRODUCE
EXPECTED RESULTS
ACTUAL RESULTS
$docker pull centos:6.8
$docker run --name webserver -itd centos:6.8 bash
$ansible-playbook site.yml -i docker -c docker -vvv
TASK [Install wget] **************************************************************************************************************************************
fatal: [webserver]: FAILED! => {
    "changed": false,
    "module_stderr": "[sudo via ansible, key=xxx] password: \n",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}
@jojo221119

commented Mar 1, 2019

Encountered the same issue. Privilege escalation does not seem to work.

larsks added a commit to larsks/ansible that referenced this issue Apr 26, 2019

connection/docker: fail with error message on sudo attempt
As described in ansible#53385 (and ansible#31759), the docker connection driver does
not support privilege escalation. With this commit, Ansible will fail
tasks with a meaningful error message rather than failing in a
non-obvious fashion.

larsks added a commit to larsks/ansible that referenced this issue Apr 26, 2019

connection/docker: add privilege escalation support
As described in ansible#53385 (and ansible#31759), the docker connection driver did
not support privilege escalation. This commit is a shameless
cut-and-paste of the privilege escalation support from the `local`
connection plugin into the `docker` plugin.

Closes: ansible#53385

@ansible ansible locked and limited conversation to collaborators Apr 26, 2019