
Privilege escalation not working when connection docker #53385

Closed
jojo221119 opened this issue Mar 6, 2019 · 11 comments

@jojo221119

commented Mar 6, 2019

SUMMARY

Ansible become is not working with a user different from root.
Checked with different become methods like here.

For become method sudo the error message is:

"module_stderr": "[sudo via ansible, key=ptcnbeweejizxjabgoauixqsqanhxier] password: \n"

ISSUE TYPE
  • Feature Request
COMPONENT NAME

connection docker

ANSIBLE VERSION
ansible 2.7.7
  config file = /net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/ansible.cfg
  configured module search path = [u'/local/home/apim_ansible/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /bin/ansible
  python version = 2.7.5 (default, Sep 12 2018, 05:31:16) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]
CONFIGURATION
DEFAULT_TIMEOUT(ansible.cfg) = 10
OS / ENVIRONMENT

Ansible host OS RHEL7
Docker container OS Centos7

STEPS TO REPRODUCE

Start an image created by molecule (adds Python and other things to use ansible for containers) and add an additional user with permissions to become root.
Execute the playbook with connection "docker":

---
  - hosts: all
    tasks:

      - name: try become method sudo
        become: yes
        become_method: sudo
        command: whoami
        register: who
        ignore_errors: True

      - debug:
          var: who

      - name: try become method su
        become: yes
        become_method: su
        command: whoami
        register: who
        ignore_errors: True

      - debug:
          var: who

      - name: try become method sudo /bin/su
        become: yes
        become_method: sudo /bin/su -
        command: su - "test" -c whoami
        register: who
        ignore_errors: True

      - debug:
          var: who

      - name: fail
        fail:
EXPECTED RESULTS

Privilege escalation is working without any issue.

ACTUAL RESULTS

ansible-playbook -i hosts test.yml -c docker -vvvv

ansible-playbook 2.7.7
  config file = /net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/ansible.cfg
  configured module search path = [u'/local/home/apim_ansible/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /bin/ansible-playbook
  python version = 2.7.5 (default, Sep 12 2018, 05:31:16) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]
Using /net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/ansible.cfg as config file
setting up inventory plugins
/net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/hosts did not meet host_list requirements, check plugin documentation if this is unexpected
/net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/hosts did not meet script requirements, check plugin documentation if this is unexpected
Parsed /net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/hosts inventory source with ini plugin
Loading callback plugin default of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/default.pyc

PLAYBOOK: test.yml **************************************************************************************************************************************************************************************************************************
1 plays in test.yml

PLAY [all] **********************************************************************************************************************************************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************************************************************************************************************************
task path: /net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/test.yml:2
<docker_test> ESTABLISH DOCKER CONNECTION FOR USER: apim_ansible
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u"/bin/sh -c 'echo ~apim_ansible && sleep 0'"]
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u'/bin/sh -c \'( umask 77 && mkdir -p "` echo /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868451.82-113832299505192 `" && echo ansible-tmp-1551868451.82-113832299505192="` echo /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868451.82-113832299505192 `" ) && sleep 0\'']
Using module file /usr/lib/python2.7/site-packages/ansible/modules/system/setup.py
<docker_test> PUT /local/home/apim_ansible/.ansible/tmp/ansible-local-60877fNyu7d/tmpSIQUOE TO /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868451.82-113832299505192/AnsiballZ_setup.py
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u"/bin/sh -c 'chmod u+x /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868451.82-113832299505192/ /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868451.82-113832299505192/AnsiballZ_setup.py && sleep 0'"]
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u"/bin/sh -c '/usr/bin/python /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868451.82-113832299505192/AnsiballZ_setup.py && sleep 0'"]
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u"/bin/sh -c 'rm -f -r /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868451.82-113832299505192/ > /dev/null 2>&1 && sleep 0'"]
ok: [docker_test]
META: ran handlers

TASK [try become method sudo] ***************************************************************************************************************************************************************************************************************
task path: /net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/test.yml:5
<docker_test> ESTABLISH DOCKER CONNECTION FOR USER: apim_ansible
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u"/bin/sh -c 'echo ~apim_ansible && sleep 0'"]
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u'/bin/sh -c \'( umask 77 && mkdir -p "` echo /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868453.52-32552275530461 `" && echo ansible-tmp-1551868453.52-32552275530461="` echo /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868453.52-32552275530461 `" ) && sleep 0\'']
Using module file /usr/lib/python2.7/site-packages/ansible/modules/commands/command.py
<docker_test> PUT /local/home/apim_ansible/.ansible/tmp/ansible-local-60877fNyu7d/tmp27zHdB TO /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868453.52-32552275530461/AnsiballZ_command.py
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u"/bin/sh -c 'chmod u+x /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868453.52-32552275530461/ /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868453.52-32552275530461/AnsiballZ_command.py && sleep 0'"]
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u'/bin/sh -c \'sudo -H -S  -p "[sudo via ansible, key=wwoieobzyhnbwezxmllsrzbwhcdwuyxd] password: " -u root /bin/sh -c \'"\'"\'echo BECOME-SUCCESS-wwoieobzyhnbwezxmllsrzbwhcdwuyxd; /usr/bin/python /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868453.52-32552275530461/AnsiballZ_command.py\'"\'"\' && sleep 0\'']
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u"/bin/sh -c 'rm -f -r /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868453.52-32552275530461/ > /dev/null 2>&1 && sleep 0'"]
fatal: [docker_test]: FAILED! => {
    "changed": false,
    "module_stderr": "\nWe trust you have received the usual lecture from the local System\nAdministrator. It usually boils down to these three things:\n\n    #1) Respect the privacy of others.\n    #2) Think before you type.\n    #3) With great power comes great responsibility.\n\n[sudo via ansible, key=wwoieobzyhnbwezxmllsrzbwhcdwuyxd] password: \n",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}
...ignoring

TASK [debug] ********************************************************************************************************************************************************************************************************************************
task path: /net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/test.yml:12
ok: [docker_test] => {
    "who": {
        "changed": false,
        "failed": true,
        "module_stderr": "\nWe trust you have received the usual lecture from the local System\nAdministrator. It usually boils down to these three things:\n\n    #1) Respect the privacy of others.\n    #2) Think before you type.\n    #3) With great power comes great responsibility.\n\n[sudo via ansible, key=wwoieobzyhnbwezxmllsrzbwhcdwuyxd] password: \n",
        "module_stdout": "",
        "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
        "rc": 1
    }
}

TASK [try become method su] *****************************************************************************************************************************************************************************************************************
task path: /net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/test.yml:15
<docker_test> ESTABLISH DOCKER CONNECTION FOR USER: apim_ansible
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u"/bin/sh -c 'echo ~apim_ansible && sleep 0'"]
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u'/bin/sh -c \'( umask 77 && mkdir -p "` echo /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868454.85-121843071372604 `" && echo ansible-tmp-1551868454.85-121843071372604="` echo /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868454.85-121843071372604 `" ) && sleep 0\'']
Using module file /usr/lib/python2.7/site-packages/ansible/modules/commands/command.py
<docker_test> PUT /local/home/apim_ansible/.ansible/tmp/ansible-local-60877fNyu7d/tmpAiJe6X TO /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868454.85-121843071372604/AnsiballZ_command.py
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u"/bin/sh -c 'chmod u+x /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868454.85-121843071372604/ /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868454.85-121843071372604/AnsiballZ_command.py && sleep 0'"]
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u'/bin/sh -c \'su  root -c \'"\'"\'/bin/sh -c \'"\'"\'"\'"\'"\'"\'"\'"\'echo BECOME-SUCCESS-gtcxbtqkefmwzfjnrjhsefzmqbwlblyx; /usr/bin/python /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868454.85-121843071372604/AnsiballZ_command.py\'"\'"\'"\'"\'"\'"\'"\'"\'\'"\'"\' && sleep 0\'']
<docker_test> EXEC ['/bin/docker', 'exec', '-u', u'apim_ansible', '-i', u'docker_test', u'/bin/sh', '-c', u"/bin/sh -c 'rm -f -r /home/apim_ansible/.ansible/tmp/ansible-tmp-1551868454.85-121843071372604/ > /dev/null 2>&1 && sleep 0'"]
fatal: [docker_test]: FAILED! => {
    "changed": false,
    "module_stderr": "Password: su: Authentication failure\n",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}
...ignoring

TASK [debug] ********************************************************************************************************************************************************************************************************************************
task path: /net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/test.yml:22
ok: [docker_test] => {
    "who": {
        "changed": false,
        "failed": true,
        "module_stderr": "Password: su: Authentication failure\n",
        "module_stdout": "",
        "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
        "rc": 1
    }
}

TASK [try become method sudo /bin/su] *******************************************************************************************************************************************************************************************************
task path: /net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/test.yml:25
fatal: [docker_test]: FAILED! => {
    "msg": "Internal Error: this connection module does not support running commands via sudo /bin/su -"
}
...ignoring

TASK [debug] ********************************************************************************************************************************************************************************************************************************
task path: /net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/test.yml:32
ok: [docker_test] => {
    "who": {
        "failed": true,
        "msg": "Internal Error: this connection module does not support running commands via sudo /bin/su -"
    }
}

TASK [fail] *********************************************************************************************************************************************************************************************************************************
task path: /net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/test.yml:35
fatal: [docker_test]: FAILED! => {
    "changed": false,
    "msg": "Failed as requested from task"
}
        to retry, use: --limit @/net/fe0vmc1258/fs0/develop/htj8fe/ops-tools/ansible_scripts/test.retry

PLAY RECAP **********************************************************************************************************************************************************************************************************************************
docker_test                : ok=7    changed=0    unreachable=0    failed=1

@jojo221119 jojo221119 added the bug label Mar 6, 2019

@ansibot

Contributor

commented Mar 6, 2019

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.


@WojciechowskiPiotr

Contributor

commented Mar 6, 2019

Hi,

Looking at the plugin code I would say that privilege escalation is not supported by the plugin. It inspects the container, and the default exec user is root unless it was changed in the Dockerfile with USER. The sudoable flag for the plugin has been set to False by the plugin developers. I don't know the reason, but I may guess it affected the way the plugin returns the data.

The only quick solution to test I may think of is giving the USER permission to execute sudo without a password, but that will lower the container's security.

In my opinion this is a feature request, not a bug.

@jojo221119

Author

commented Mar 6, 2019

Hi,

As I detected it while looking for possibilities to run the playbooks on a test environment, the option with password-less sudo should be sufficient.

Apart from that, how can this be filed as a feature request?

@WojciechowskiPiotr

Contributor

commented Mar 6, 2019

+label feature
-label bug

@WojciechowskiPiotr

Contributor

commented Mar 6, 2019

@objectified @lorin can you share more details on supporting privilege escalation in docker connection plugin?

@lorin

Member

commented Mar 6, 2019

@WojciechowskiPiotr Alas, I have not worked on this code base in years, I'm not sure who the current maintainer is at this point for the docker connection plugin.

@felixfontein

Contributor

commented Mar 6, 2019

@jojo221119 Why don't you use ansible_docker_user/ansible_user to execute something as another user in the container? That's an option of the docker connection plugin. You might be able to define it per-task (using vars:). Also, you can change the type of this issue by editing the first post and changing "Bug Report" to "Feature Request". I think that does the trick.

@lorin maintainership is essentially $team_docker, but I think nobody of us has much experience with this plugin, so it's not really maintained at the moment.
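One way to apply the workaround felixfontein describes, as an added example that is not part of the issue: the task that needs root overrides the docker exec user through ansible_docker_user in its own vars: instead of using become, so the test image does not need passwordless sudo. It assumes the per-task override works on the reader's Ansible version (as felixfontein notes, that may need checking); the container name docker_test and the user apim_ansible are taken from the issue's log output.

```yaml
---
# Added example (not the issue author's playbook): switch the user that
# `docker exec -u` runs as per task, instead of relying on become.
- hosts: all
  connection: docker
  vars:
    ansible_user: apim_ansible          # default exec user for every task

  tasks:
    - name: runs as the connection user, no escalation involved
      command: whoami
      register: who_user

    - name: needs root, so override the exec user for this task only
      command: whoami
      vars:
        ansible_docker_user: root       # assumption: honoured per task
      register: who_root

    - name: show which identity each task actually ran under
      debug:
        msg: "connection user={{ who_user.stdout }}, task user={{ who_root.stdout }}"

    - name: fail loudly if the override silently did not apply
      assert:
        that:
          - who_user.stdout == 'apim_ansible'
          - who_root.stdout == 'root'
        fail_msg: "ansible_docker_user override was not applied to the task"
```

Because the root-level task is explicit in the playbook, a reviewer can see exactly which steps touch the container as root, rather than granting a blanket NOPASSWD rule in the image.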

@sivel sivel added the needs_triage label Mar 6, 2019

@ansibot ansibot removed the needs_triage label Mar 6, 2019

@jojo221119

Author

commented Mar 7, 2019

@felixfontein The playbooks I develop are aimed at running against real servers using the SSH connection type.
I'm currently looking for an option to test the playbooks and stumbled upon molecule, which uses the docker connection to test roles, so I thought I could use a similar approach to test playbooks.

@ansibot ansibot added the feature label Mar 7, 2019

@felixfontein

Contributor

commented Mar 7, 2019

@jojo221119 yep, in that case, become support would definitely be more useful :)

@mkrizek mkrizek removed the bug label Mar 7, 2019

@larsks

Contributor

commented Apr 26, 2019

I just ran into this, trying to do the same thing (using containers for testing out playbooks that will ultimately run against real servers). If the plugin doesn't support privilege escalation, can we modify it to produce a more obvious error message?

larsks added a commit to larsks/ansible that referenced this issue Apr 26, 2019

connection/docker: fail with error message on sudo attempt
As described in ansible#53385 (and ansible#31759), the docker connection driver does
not support privilege escalation. With this commit, Ansible will fail
tasks with a meaningful error message rather than failing in a
non-obvious fashion.

larsks added a commit to larsks/ansible that referenced this issue Apr 26, 2019

connection/docker: add privilege escalation support
As described in ansible#53385 (and ansible#31759), the docker connection driver did
not support privilege escalation. This commit is a shameless
cut-and-paste of the privilege escalation support from the `local`
connection plugin into the `docker` plugin.

Closes: ansible#53385

larsks added a commit to larsks/ansible that referenced this issue May 5, 2019

connection/docker: add privilege escalation support
As described in ansible#53385 (and ansible#31759), the docker connection driver did
not support privilege escalation. This commit is a shameless
cut-and-paste of the privilege escalation support from the `local`
connection plugin into the `docker` plugin.

This is a backport to stable-2.7 of ansible#55816.

felixfontein added a commit to felixfontein/ansible that referenced this issue May 9, 2019

connection/docker: add privilege escalation support (ansible#55816)
As described in ansible#53385 (and ansible#31759), the docker connection driver did
not support privilege escalation. This commit is a shameless
cut-and-paste of the privilege escalation support from the `local`
connection plugin into the `docker` plugin.

Closes: ansible#53385
(cherry picked from commit 61e476b)

@ansibot ansibot closed this in 61e476b May 9, 2019

mnecas added a commit to mnecas/ansible that referenced this issue May 13, 2019

connection/docker: add privilege escalation support (ansible#55816)
As described in ansible#53385 (and ansible#31759), the docker connection driver did
not support privilege escalation. This commit is a shameless
cut-and-paste of the privilege escalation support from the `local`
connection plugin into the `docker` plugin.

Closes: ansible#53385

abadger added a commit that referenced this issue May 21, 2019

[WIP] [2.8] connection/docker: add support for privilege escalation (#56277)

* connection/docker: add privilege escalation support (#55816)

As described in #53385 (and #31759), the docker connection driver did
not support privilege escalation. This commit is a shameless
cut-and-paste of the privilege escalation support from the `local`
connection plugin into the `docker` plugin.

Closes: #53385
(cherry picked from commit 61e476b)

* docker connection plugin: make privilege escalation code more similar to local.py (#56288)

* Make more similar to local.py

* Fix typo.

(cherry picked from commit 708bda0)

abadger added a commit that referenced this issue May 21, 2019

connection/docker: add privilege escalation support
As described in #53385 (and #31759), the docker connection driver did
not support privilege escalation. This commit is a shameless
cut-and-paste of the privilege escalation support from the `local`
connection plugin into the `docker` plugin.

This is a backport to stable-2.7 of #55816.