Become for chroot connection plugin #49509

Open
wants to merge 1 commit into
base: devel
from

@Abrosimov-a-a Abrosimov-a-a commented Dec 4, 2018

SUMMARY

Add chroot_become variable to chroot plugin.
Execute chroot command via sudo if chroot_become is true.

ISSUE TYPE

  • Feature Pull Request

COMPONENT NAME

plugins.connection.chroot

ADDITIONAL INFORMATION

This feature is useful when the user has root permissions only for the chroot path command.
For example:

# sudoers has something like:
ansibleuser    ALL=NOPASSWD: /usr/sbin/chroot /mnt/chroot *

# inventory file:
_chroot ansible_connection=chroot ansible_host=/mnt/chroot ansible_chroot_become=yes
Member

@bcoca bcoca left a comment

So 'become' is a misuse of the term here. First, you are hardcoding to sudo; become is method agnostic, so su/dzdo/doas/etc.

Also become is meant for privilege escalation at the endpoint, not at the controller to execute the 'connection' itself, as such this will create much confusion on what the system does. There will also be a mismatch with other systems trying to compensate for 'user change' on the target while you are really changing the user 'at controller'.

I almost recommend creating an alternate connection plugin 'sudo_chroot' which will be a lot less confusing and not overload systems for different uses.

@@ -88,6 +98,10 @@ def __init__(self, play_context, new_stdin, *args, **kwargs):
if not self.chroot_cmd:
raise AnsibleError("chroot command not found in PATH")

self.chroot_become_cmd = distutils.spawn.find_executable('sudo')
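
Review bot: no missing-binary check is visible after the sudo lookup on the last line of this hunk, `self.chroot_become_cmd = distutils.spawn.find_executable('sudo')`, although the context lines just above raise AnsibleError("chroot command not found in PATH") when chroot_cmd is empty. find_executable returns None when nothing is found, so on a controller without sudo in PATH the None would be carried into whatever command is built from chroot_become_cmd later. Suggest raising an AnsibleError at this point when chroot_become is enabled and sudo is not found, mirroring the chroot_cmd handling, and doing the lookup only when the option is set so hosts that do not use it are unaffected.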

bcoca Dec 5, 2018
Member

use get_bin_path from ansible.module_utils.common.process instead, it can also emit an error when the executable is missing

Abrosimov-a-a Dec 5, 2018
Author

Ok. I will make the appropriate changes in the near future.

@Abrosimov-a-a Abrosimov-a-a commented Dec 11, 2018

Which way is preferable?

  1. Copy the chroot plugin code to sudo_chroot and update it there.
  2. Inherit from the chroot.Connection class. Update the UID check and split _buffered_exec_command in chroot.py. Place sudo_chroot-specific code in sudo_chroot.py.

I want to use the sudo_chroot_args variable to specify any sudo arguments. I looked at docker_extra_args from the docker plugin as an example, but this variable is marked as TODO: remove in constants.py.
Can I use constants.py or do I need to use another way?
Where can I see the actual example?

@bcoca bcoca commented Dec 11, 2018

you might want to wait for #38861 to land
