Become for chroot connection plugin #49509

Open
wants to merge 1 commit into
base: devel
from

Abrosimov-a-a commented Dec 4, 2018

SUMMARY

Add chroot_become variable to chroot plugin.
Execute chroot command via sudo if chroot_become is true.

ISSUE TYPE
  • Feature Pull Request
COMPONENT NAME

plugins.connection.chroot

ADDITIONAL INFORMATION

This feature is useful when the user has root permissions only for the chroot path command.
As an example:

# sudoers has something like:
ansibleuser    ALL=NOPASSWD: /usr/sbin/chroot /mnt/chroot *

# inventory file:
_chroot ansible_connection=chroot ansible_host=/mnt/chroot ansible_chroot_become=yes
@bcoca

So 'become' is a misuse of the term here. First, you are hardcoding to sudo; become is method agnostic, so su/dzdo/doas/etc.

Also become is meant for privilege escalation at the endpoint, not at the controller to execute the 'connection' itself, as such this will create much confusion on what the system does. There will also be a mismatch with other systems trying to compensate for 'user change' on the target while you are really changing the user 'at controller'.

I almost recommend creating an alternate connection plugin 'sudo_chroot' which will be a lot less confusing and not overload systems for different uses.

@@ -88,6 +98,10 @@ def __init__(self, play_context, new_stdin, *args, **kwargs):
if not self.chroot_cmd:
raise AnsibleError("chroot command not found in PATH")
self.chroot_become_cmd = distutils.spawn.find_executable('sudo')
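Review bot: the `sudo` lookup on the last line has no missing-binary check, unlike the `chroot_cmd` lookup directly above it, which raises `AnsibleError("chroot command not found in PATH")`. `distutils.spawn.find_executable` returns None when nothing is found, so `self.chroot_become_cmd` can silently be None and the failure would only surface later, when the command line is assembled. Suggest raising an AnsibleError here as well, with a message naming sudo, so both lookups fail the same way at plugin setup.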


bcoca Dec 5, 2018

Member

use get_bin_path from ansible.module_utils.common.process instead, it can also emit an error when the executable is missing


Abrosimov-a-a Dec 5, 2018

Ok. I will make the appropriate changes in the near future.


Abrosimov-a-a commented Dec 11, 2018

Which way is preferable?

  1. Copy chroot plugin code to the sudo_chroot and update it there.
  2. Inherit the chroot.Connection class. Update UID check and split _buffered_exec_command in the chroot.py. Place sudo_chroot specific code in the sudo_chroot.py

I want to use the sudo_chroot_args variable to specify any sudo arguments. I looked at docker_extra_args from the docker plugin as an example, but this variable is marked as TODO: remove in the constants.py.
Can I use constants.py or do I need to use another way?
Where can I see the actual example?


Member

bcoca commented Dec 11, 2018

you might want to wait for #38861 to land

@samdoran samdoran removed the needs_triage label Dec 11, 2018

@ansibot ansibot added the stale_ci label Dec 14, 2018
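
The command line discussed in this thread (sudo wrapping chroot, with optional extra sudo arguments), sketched as an added example that is not code from this PR or from Ansible. The function, its parameter names, the default `-n` and the `/bin/sh` shell are assumptions; it builds an argv list that fits the `/usr/sbin/chroot /mnt/chroot *` sudoers rule from the description without passing anything through a local shell.

```python
import shlex
import shutil


class ChrootCommandError(Exception):
    """Raised when the local command line cannot be built."""


def build_sudo_chroot_argv(chroot_dir, remote_cmd, sudo_args="-n",
                           shell="/bin/sh", which=shutil.which):
    """Build the argv for: sudo [sudo_args] -- chroot DIR SHELL -c CMD.

    All parameter names are assumptions for this sketch. `which` is injectable
    so the executable lookup can be exercised without sudo installed.
    """
    paths = {}
    for name in ("sudo", "chroot"):
        found = which(name)
        if not found:
            # Same failure mode for both binaries, raised at setup time.
            raise ChrootCommandError("%s command not found in PATH" % name)
        paths[name] = found

    if not chroot_dir.startswith("/"):
        raise ChrootCommandError("chroot path must be absolute: %r" % chroot_dir)

    # Split the extra sudo options like a shell would, but never hand the
    # result to a shell: the list goes to subprocess with shell=False.
    extra = shlex.split(sudo_args)

    # "--" ends sudo's option parsing, so nothing after it is read as a sudo
    # flag. remote_cmd stays one argv element and is only interpreted by the
    # shell inside the chroot.
    return [paths["sudo"], *extra, "--",
            paths["chroot"], chroot_dir, shell, "-c", remote_cmd]


if __name__ == "__main__":
    # Constructed resolver standing in for the controller's PATH lookup.
    fake = {"sudo": "/usr/bin/sudo", "chroot": "/usr/sbin/chroot"}.get
    print(build_sudo_chroot_argv("/mnt/chroot", "id -u; echo 'a b'", which=fake))
```

Because sudo compares the resolved command path and its arguments against the sudoers entry, a rule like the one above only matches when the chroot binary resolves to `/usr/sbin/chroot` and the directory is exactly `/mnt/chroot`.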
