2021-08-07 15:02:21 +02:00
|
|
|
# -*- coding: utf-8 -*-
|
2020-03-09 10:11:07 +01:00
|
|
|
# Based on local.py by Michael DeHaan <michael.dehaan@gmail.com>
|
|
|
|
# and chroot.py by Maykel Moya <mmoya@speedyrails.com>
|
|
|
|
# Copyright (c) 2013, Michael Scherer <misc@zarb.org>
|
|
|
|
# Copyright (c) 2015, Toshio Kuratomi <tkuratomi@ansible.com>
|
|
|
|
# Copyright (c) 2017 Ansible Project
|
2022-08-05 12:28:29 +02:00
|
|
|
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
|
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
2020-03-09 10:11:07 +01:00
|
|
|
|
|
|
|
from __future__ import (absolute_import, division, print_function)
|
|
|
|
__metaclass__ = type
|
|
|
|
|
|
|
|
DOCUMENTATION = '''
|
|
|
|
author: Ansible Core Team
|
2021-01-12 07:12:03 +01:00
|
|
|
name: jail
|
2020-03-09 10:11:07 +01:00
|
|
|
short_description: Run tasks in jails
|
|
|
|
description:
|
|
|
|
- Run commands or put/fetch files to an existing jail
|
|
|
|
options:
|
|
|
|
remote_addr:
|
|
|
|
description:
|
|
|
|
- Path to the jail
|
2024-07-21 21:04:53 +02:00
|
|
|
type: string
|
2020-03-09 10:11:07 +01:00
|
|
|
default: inventory_hostname
|
|
|
|
vars:
|
2023-03-03 22:56:24 +01:00
|
|
|
- name: inventory_hostname
|
2020-03-09 10:11:07 +01:00
|
|
|
- name: ansible_host
|
|
|
|
- name: ansible_jail_host
|
|
|
|
remote_user:
|
|
|
|
description:
|
|
|
|
- User to execute as inside the jail
|
2024-07-21 21:04:53 +02:00
|
|
|
type: string
|
2020-03-09 10:11:07 +01:00
|
|
|
vars:
|
|
|
|
- name: ansible_user
|
|
|
|
- name: ansible_jail_user
|
|
|
|
'''
|
|
|
|
|
|
|
|
import os
|
|
|
|
import os.path
|
|
|
|
import subprocess
|
|
|
|
import traceback
|
|
|
|
|
|
|
|
from ansible.errors import AnsibleError
|
|
|
|
from ansible.module_utils.six.moves import shlex_quote
|
2022-01-04 06:56:28 +01:00
|
|
|
from ansible.module_utils.common.process import get_bin_path
|
2021-06-26 23:59:11 +02:00
|
|
|
from ansible.module_utils.common.text.converters import to_bytes, to_native, to_text
|
2020-03-09 10:11:07 +01:00
|
|
|
from ansible.plugins.connection import ConnectionBase, BUFSIZE
|
|
|
|
from ansible.utils.display import Display
|
|
|
|
|
|
|
|
display = Display()
|
|
|
|
|
|
|
|
|
|
|
|
class Connection(ConnectionBase):
|
2021-05-16 13:24:37 +02:00
|
|
|
""" Local BSD Jail based connections """
|
2020-03-09 10:11:07 +01:00
|
|
|
|
|
|
|
modified_jailname_key = 'conn_jail_name'
|
|
|
|
|
|
|
|
transport = 'community.general.jail'
|
|
|
|
# Pipelining may work. Someone needs to test by setting this to True and
|
|
|
|
# having pipelining=True in their ansible.cfg
|
|
|
|
has_pipelining = True
|
|
|
|
has_tty = False
|
|
|
|
|
|
|
|
def __init__(self, play_context, new_stdin, *args, **kwargs):
|
|
|
|
super(Connection, self).__init__(play_context, new_stdin, *args, **kwargs)
|
|
|
|
|
|
|
|
self.jail = self._play_context.remote_addr
|
|
|
|
if self.modified_jailname_key in kwargs:
|
|
|
|
self.jail = kwargs[self.modified_jailname_key]
|
|
|
|
|
|
|
|
if os.geteuid() != 0:
|
|
|
|
raise AnsibleError("jail connection requires running as root")
|
|
|
|
|
|
|
|
self.jls_cmd = self._search_executable('jls')
|
|
|
|
self.jexec_cmd = self._search_executable('jexec')
|
|
|
|
|
|
|
|
if self.jail not in self.list_jails():
|
|
|
|
raise AnsibleError("incorrect jail name %s" % self.jail)
|
|
|
|
|
|
|
|
@staticmethod
|
|
|
|
def _search_executable(executable):
|
2022-01-04 06:56:28 +01:00
|
|
|
try:
|
|
|
|
return get_bin_path(executable)
|
|
|
|
except ValueError:
|
2020-03-09 10:11:07 +01:00
|
|
|
raise AnsibleError("%s command not found in PATH" % executable)
|
|
|
|
|
|
|
|
def list_jails(self):
|
|
|
|
p = subprocess.Popen([self.jls_cmd, '-q', 'name'],
|
|
|
|
stdin=subprocess.PIPE,
|
|
|
|
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
|
|
|
|
|
|
stdout, stderr = p.communicate()
|
|
|
|
|
|
|
|
return to_text(stdout, errors='surrogate_or_strict').split()
|
|
|
|
|
|
|
|
def _connect(self):
|
2021-05-16 13:24:37 +02:00
|
|
|
""" connect to the jail; nothing to do here """
|
2020-03-09 10:11:07 +01:00
|
|
|
super(Connection, self)._connect()
|
|
|
|
if not self._connected:
|
|
|
|
display.vvv(u"ESTABLISH JAIL CONNECTION FOR USER: {0}".format(self._play_context.remote_user), host=self.jail)
|
|
|
|
self._connected = True
|
|
|
|
|
|
|
|
def _buffered_exec_command(self, cmd, stdin=subprocess.PIPE):
|
2021-05-16 13:24:37 +02:00
|
|
|
""" run a command on the jail. This is only needed for implementing
|
2020-03-09 10:11:07 +01:00
|
|
|
put_file() get_file() so that we don't have to read the whole file
|
|
|
|
into memory.
|
|
|
|
|
|
|
|
compared to exec_command() it looses some niceties like being able to
|
|
|
|
return the process's exit code immediately.
|
2021-05-16 13:24:37 +02:00
|
|
|
"""
|
2020-03-09 10:11:07 +01:00
|
|
|
|
|
|
|
local_cmd = [self.jexec_cmd]
|
|
|
|
set_env = ''
|
|
|
|
|
|
|
|
if self._play_context.remote_user is not None:
|
|
|
|
local_cmd += ['-U', self._play_context.remote_user]
|
|
|
|
# update HOME since -U does not update the jail environment
|
|
|
|
set_env = 'HOME=~' + self._play_context.remote_user + ' '
|
|
|
|
|
|
|
|
local_cmd += [self.jail, self._play_context.executable, '-c', set_env + cmd]
|
|
|
|
|
|
|
|
display.vvv("EXEC %s" % (local_cmd,), host=self.jail)
|
|
|
|
local_cmd = [to_bytes(i, errors='surrogate_or_strict') for i in local_cmd]
|
|
|
|
p = subprocess.Popen(local_cmd, shell=False, stdin=stdin,
|
|
|
|
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
|
|
|
|
|
|
return p
|
|
|
|
|
|
|
|
def exec_command(self, cmd, in_data=None, sudoable=False):
|
2021-05-16 13:24:37 +02:00
|
|
|
""" run a command on the jail """
|
2020-03-09 10:11:07 +01:00
|
|
|
super(Connection, self).exec_command(cmd, in_data=in_data, sudoable=sudoable)
|
|
|
|
|
|
|
|
p = self._buffered_exec_command(cmd)
|
|
|
|
|
|
|
|
stdout, stderr = p.communicate(in_data)
|
2021-05-16 13:24:37 +02:00
|
|
|
return p.returncode, stdout, stderr
|
2020-03-09 10:11:07 +01:00
|
|
|
|
2021-05-16 13:24:37 +02:00
|
|
|
@staticmethod
|
|
|
|
def _prefix_login_path(remote_path):
|
|
|
|
""" Make sure that we put files into a standard path
|
2020-03-09 10:11:07 +01:00
|
|
|
|
|
|
|
If a path is relative, then we need to choose where to put it.
|
|
|
|
ssh chooses $HOME but we aren't guaranteed that a home dir will
|
|
|
|
exist in any given chroot. So for now we're choosing "/" instead.
|
|
|
|
This also happens to be the former default.
|
|
|
|
|
|
|
|
Can revisit using $HOME instead if it's a problem
|
2021-05-16 13:24:37 +02:00
|
|
|
"""
|
2020-03-09 10:11:07 +01:00
|
|
|
if not remote_path.startswith(os.path.sep):
|
|
|
|
remote_path = os.path.join(os.path.sep, remote_path)
|
|
|
|
return os.path.normpath(remote_path)
|
|
|
|
|
|
|
|
def put_file(self, in_path, out_path):
|
2021-05-16 13:24:37 +02:00
|
|
|
""" transfer a file from local to jail """
|
2020-03-09 10:11:07 +01:00
|
|
|
super(Connection, self).put_file(in_path, out_path)
|
|
|
|
display.vvv("PUT %s TO %s" % (in_path, out_path), host=self.jail)
|
|
|
|
|
|
|
|
out_path = shlex_quote(self._prefix_login_path(out_path))
|
|
|
|
try:
|
|
|
|
with open(to_bytes(in_path, errors='surrogate_or_strict'), 'rb') as in_file:
|
|
|
|
if not os.fstat(in_file.fileno()).st_size:
|
|
|
|
count = ' count=0'
|
|
|
|
else:
|
|
|
|
count = ''
|
|
|
|
try:
|
|
|
|
p = self._buffered_exec_command('dd of=%s bs=%s%s' % (out_path, BUFSIZE, count), stdin=in_file)
|
|
|
|
except OSError:
|
|
|
|
raise AnsibleError("jail connection requires dd command in the jail")
|
|
|
|
try:
|
|
|
|
stdout, stderr = p.communicate()
|
|
|
|
except Exception:
|
|
|
|
traceback.print_exc()
|
|
|
|
raise AnsibleError("failed to transfer file %s to %s" % (in_path, out_path))
|
|
|
|
if p.returncode != 0:
|
|
|
|
raise AnsibleError("failed to transfer file %s to %s:\n%s\n%s" % (in_path, out_path, to_native(stdout), to_native(stderr)))
|
|
|
|
except IOError:
|
|
|
|
raise AnsibleError("file or module does not exist at: %s" % in_path)
|
|
|
|
|
|
|
|
def fetch_file(self, in_path, out_path):
|
2021-05-16 13:24:37 +02:00
|
|
|
""" fetch a file from jail to local """
|
2020-03-09 10:11:07 +01:00
|
|
|
super(Connection, self).fetch_file(in_path, out_path)
|
|
|
|
display.vvv("FETCH %s TO %s" % (in_path, out_path), host=self.jail)
|
|
|
|
|
|
|
|
in_path = shlex_quote(self._prefix_login_path(in_path))
|
|
|
|
try:
|
|
|
|
p = self._buffered_exec_command('dd if=%s bs=%s' % (in_path, BUFSIZE))
|
|
|
|
except OSError:
|
|
|
|
raise AnsibleError("jail connection requires dd command in the jail")
|
|
|
|
|
|
|
|
with open(to_bytes(out_path, errors='surrogate_or_strict'), 'wb+') as out_file:
|
|
|
|
try:
|
|
|
|
chunk = p.stdout.read(BUFSIZE)
|
|
|
|
while chunk:
|
|
|
|
out_file.write(chunk)
|
|
|
|
chunk = p.stdout.read(BUFSIZE)
|
|
|
|
except Exception:
|
|
|
|
traceback.print_exc()
|
|
|
|
raise AnsibleError("failed to transfer file %s to %s" % (in_path, out_path))
|
|
|
|
stdout, stderr = p.communicate()
|
|
|
|
if p.returncode != 0:
|
|
|
|
raise AnsibleError("failed to transfer file %s to %s:\n%s\n%s" % (in_path, out_path, to_native(stdout), to_native(stderr)))
|
|
|
|
|
|
|
|
def close(self):
|
2021-05-16 13:24:37 +02:00
|
|
|
""" terminate the connection; nothing to do here """
|
2020-03-09 10:11:07 +01:00
|
|
|
super(Connection, self).close()
|
|
|
|
self._connected = False
|