Privilege escalation prompt timeout when working in a loop with different users #58787

Open
vespian opened this issue Jul 6, 2019 · 1 comment
Labels
affects_2.8 This issue/PR affects Ansible v2.8 bug This issue/PR relates to a bug. has_pr This issue has an associated PR. P3 Priority 3 - Approved, No Time Limitation python3 support:core This issue/PR relates to code supported by the Ansible Engineering Team. verified This issue has been verified/reproduced by maintainer

Comments

@vespian

vespian commented Jul 6, 2019

SUMMARY

Ansible reports a password escalation prompt timeout when running a task with a loop, but only during the 2nd iteration when using ansible_connection=local. The first iteration passes. See the attached playbook for a repro and details.

This is a change compared to older versions. I am not 100% sure, but I think 2.7 did not have this behaviour; it started happening during the last 1-2 months.

ISSUE TYPE

  • Bug Report

COMPONENT NAME

become, privilege escalation

ANSIBLE VERSION

ansible 2.8.1
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/vespian/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.7.3 (default, May 11 2019, 00:45:16) [GCC 8.3.1 20190223 (Red Hat 8.3.1-2)]

CONFIGURATION

ANSIBLE_PIPELINING(/etc/ansible/ansible.cfg) = True
DEFAULT_FORKS(/etc/ansible/ansible.cfg) = 5
DEFAULT_GATHERING(/etc/ansible/ansible.cfg) = implicit
DEFAULT_JINJA2_EXTENSIONS(/etc/ansible/ansible.cfg) = jinja2.ext.do,jinja2.ext.i18n
DEFAULT_LOCAL_TMP(/etc/ansible/ansible.cfg) = /home/vespian/.ansible/tmp/ansible-local-17565m8xdgny3
DEFAULT_POLL_INTERVAL(/etc/ansible/ansible.cfg) = 15
DEFAULT_TRANSPORT(/etc/ansible/ansible.cfg) = ssh
DIFF_ALWAYS(/etc/ansible/ansible.cfg) = True
RETRY_FILES_ENABLED(/etc/ansible/ansible.cfg) = False

The problem manifests itself only when using ansible_connection=local; it works on remote hosts.

OS / ENVIRONMENT

x86_64, Fedora 29

STEPS TO REPRODUCE

- name: Sample playbook
  hosts:
    - budrys
    - engel2
  tasks:
    - name: checkout plugins from upstream git repos
      command: whoami
      become: yes
      become_user: "{{ item[1] }}"
      with_nested:
        - - a
          - b
          - c
        - - vespian
          - root
          - kamila

EXPECTED RESULTS

The loop is executed without errors

ACTUAL RESULTS

The loop is unable to execute due to a password prompt timeout error

$ ap -l budrys -D -K /tmp/playbook.yml
BECOME password:

PLAY [Sample playbook] *******************************************************************************************************

TASK [Gathering Facts] *******************************************************************************************************
ok: [budrys]

TASK [checkout plugins from upstream git repos] ******************************************************************************
changed: [budrys] => (item=['a', 'vespian'])
changed: [budrys] => (item=['a', 'root'])
changed: [budrys] => (item=['a', 'kamila'])
fatal: [budrys]: FAILED! => {"msg": "timeout waiting for privilege escalation password prompt:\n"}

PLAY RECAP *******************************************************************************************************************
budrys                     : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

On a remote host, it works though (removed user kamila from the playbook as it is not present on the host):

$ ap -l engel2 -D -K /tmp/playbook.yml
BECOME password:

PLAY [Sample playbook] **********************************************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************************************
ok: [engel2]

TASK [checkout plugins from upstream git repos] **********************************************************************************************************************************
changed: [engel2] => (item=['a', 'vespian'])
changed: [engel2] => (item=['a', 'root'])
changed: [engel2] => (item=['b', 'vespian'])
changed: [engel2] => (item=['b', 'root'])
changed: [engel2] => (item=['c', 'vespian'])
changed: [engel2] => (item=['c', 'root'])

PLAY RECAP **********************************************************************************************************************************
engel2                     : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

@ansibot

ansibot commented Jul 6, 2019

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.


@ansibot ansibot added affects_2.8 This issue/PR affects Ansible v2.8 bug This issue/PR relates to a bug. needs_triage Needs a first human triage before being processed. python3 support:core This issue/PR relates to code supported by the Ansible Engineering Team. labels Jul 6, 2019
@bcoca bcoca added needs_verified This issue needs to be verified/reproduced by maintainer P3 Priority 3 - Approved, No Time Limitation and removed needs_triage Needs a first human triage before being processed. labels Jul 11, 2019
@ansibot ansibot added the has_pr This issue has an associated PR. label Jul 27, 2019
mkrizek added a commit to mkrizek/ansible that referenced this issue Jul 30, 2019
@mkrizek mkrizek added verified This issue has been verified/reproduced by maintainer and removed needs_verified This issue needs to be verified/reproduced by maintainer labels Jul 30, 2019
mkrizek added a commit to mkrizek/ansible that referenced this issue Jun 4, 2020
mkrizek added a commit to mkrizek/ansible that referenced this issue Jun 5, 2020
The original purpose of the change was to fix Become's
prompt not being reset for the next loop iteration which
this change fixes but also forces the connection/become/...
objects to be re-created which is simpler and more robust
than the original solution.

Co-authored-by: Brian Coca <bcoca@users.noreply.github.com>

Fixes ansible#58787
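
A minimal model of the failure class the commit message names (a become prompt left over from one loop iteration) and of the fix of re-creating the objects per iteration. This is an added illustration, not Ansible's code: `ToyBecome`, `ToyConnection`, `run_loop` and the rule for which iterations prompt are all hypothetical assumptions of the model.

```python
class PromptTimeout(Exception):
    """The expected escalation prompt never appeared in the output."""


class ToyBecome:
    """Hypothetical become object: remembers the prompt it expects."""

    def __init__(self):
        self.prompt = None

    def build_command(self, cmd, user, needs_password):
        # Bug being modelled: the prompt is set when a password is needed
        # but never cleared when it is not.
        if needs_password:
            self.prompt = f"[toy-sudo] password for {user}:"
        return f"toy-sudo -u {user} {cmd}"


class ToyConnection:
    """Hypothetical connection that owns a become object."""

    def __init__(self):
        self.become = ToyBecome()

    def run(self, cmd, user, needs_password):
        self.become.build_command(cmd, user, needs_password)
        # Constructed process output: a prompt appears only when needed.
        output = f"[toy-sudo] password for {user}:" if needs_password else ""
        if self.become.prompt is not None and self.become.prompt not in output:
            raise PromptTimeout("timeout waiting for privilege escalation password prompt")
        return user  # stands in for the output of `whoami`


def run_loop(items, fresh_objects):
    """Run every (user, needs_password) item; return per-item results."""
    results, conn = [], ToyConnection()
    for user, needs_password in items:
        if fresh_objects:
            conn = ToyConnection()  # the fix: no state survives an iteration
        try:
            results.append(conn.run("whoami", user, needs_password))
        except PromptTimeout as exc:
            results.append(f"FAILED: {exc}")
            break  # the task stops at the first failing item, as in the log
    return results


# Constructed input: which iterations prompt is an assumption of this model.
ITEMS = [("root", True), ("kamila", True), ("vespian", False)]
```

With the reused connection the third item waits for the prompt remembered from the second and fails; with `fresh_objects=True` every item completes.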