mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
d1a6b07fe1
At the moment, this change will use EPoll on Linux, KQueue on *BSDs, etc, so it should alleviate problems with too many open file descriptors. * Bundle a copy of selectors2 so that we have the selectors API everywhere. * Add licensing information to selectors2 file so it's clear what the licensing terms and conditions are. * Exclude the bundled copy of selectors2 from our boilerplate code-smell test * Rewrite ssh_run tests to attempt to work around problem with mocking select on shippable Fixes #14143
793 lines
36 KiB
Python
793 lines
36 KiB
Python
# (c) 2012, Michael DeHaan <michael.dehaan@gmail.com>
|
|
# Copyright 2015 Abhijit Menon-Sen <ams@2ndQuadrant.com>
|
|
# Copyright 2017 Toshio Kuratomi <tkuratomi@ansible.com>
|
|
#
|
|
# This file is part of Ansible
|
|
#
|
|
# Ansible is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# Ansible is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
from __future__ import (absolute_import, division, print_function)
|
|
__metaclass__ = type
|
|
|
|
import errno
|
|
import fcntl
|
|
import hashlib
|
|
import os
|
|
import pty
|
|
import subprocess
|
|
import time
|
|
|
|
from ansible import constants as C
|
|
from ansible.compat import selectors
|
|
from ansible.compat.six import PY3, text_type, binary_type
|
|
from ansible.compat.six.moves import shlex_quote
|
|
from ansible.errors import AnsibleError, AnsibleConnectionFailure, AnsibleFileNotFound
|
|
from ansible.errors import AnsibleOptionsError
|
|
from ansible.module_utils.basic import BOOLEANS
|
|
from ansible.module_utils._text import to_bytes, to_native, to_text
|
|
from ansible.plugins.connection import ConnectionBase, BUFSIZE
|
|
from ansible.utils.path import unfrackpath, makedirs_safe
|
|
|
|
boolean = C.mk_boolean
|
|
|
|
try:
|
|
from __main__ import display
|
|
except ImportError:
|
|
from ansible.utils.display import Display
|
|
display = Display()
|
|
|
|
SSHPASS_AVAILABLE = None
|
|
|
|
|
|
class Connection(ConnectionBase):
|
|
''' ssh based connections '''
|
|
|
|
transport = 'ssh'
|
|
has_pipelining = True
|
|
become_methods = frozenset(C.BECOME_METHODS).difference(['runas'])
|
|
|
|
def __init__(self, *args, **kwargs):
|
|
super(Connection, self).__init__(*args, **kwargs)
|
|
|
|
self.host = self._play_context.remote_addr
|
|
self.port = self._play_context.port
|
|
self.user = self._play_context.remote_user
|
|
self.control_path = C.ANSIBLE_SSH_CONTROL_PATH
|
|
self.control_path_dir = C.ANSIBLE_SSH_CONTROL_PATH_DIR
|
|
|
|
# The connection is created by running ssh/scp/sftp from the exec_command,
|
|
# put_file, and fetch_file methods, so we don't need to do any connection
|
|
# management here.
|
|
|
|
def _connect(self):
|
|
return self
|
|
|
|
@staticmethod
|
|
def _create_control_path(host, port, user):
|
|
'''Make a hash for the controlpath based on con attributes'''
|
|
pstring = '%s-%s-%s' % (host, port, user)
|
|
m = hashlib.sha1()
|
|
m.update(to_bytes(pstring))
|
|
digest = m.hexdigest()
|
|
cpath = '%(directory)s/' + digest[:10]
|
|
return cpath
|
|
|
|
@staticmethod
|
|
def _sshpass_available():
|
|
global SSHPASS_AVAILABLE
|
|
|
|
# We test once if sshpass is available, and remember the result. It
|
|
# would be nice to use distutils.spawn.find_executable for this, but
|
|
# distutils isn't always available; shutils.which() is Python3-only.
|
|
|
|
if SSHPASS_AVAILABLE is None:
|
|
try:
|
|
p = subprocess.Popen(["sshpass"], stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
p.communicate()
|
|
SSHPASS_AVAILABLE = True
|
|
except OSError:
|
|
SSHPASS_AVAILABLE = False
|
|
|
|
return SSHPASS_AVAILABLE
|
|
|
|
@staticmethod
|
|
def _persistence_controls(b_command):
|
|
'''
|
|
Takes a command array and scans it for ControlPersist and ControlPath
|
|
settings and returns two booleans indicating whether either was found.
|
|
This could be smarter, e.g. returning false if ControlPersist is 'no',
|
|
but for now we do it simple way.
|
|
'''
|
|
|
|
controlpersist = False
|
|
controlpath = False
|
|
|
|
for b_arg in (a.lower() for a in b_command):
|
|
if b'controlpersist' in b_arg:
|
|
controlpersist = True
|
|
elif b'controlpath' in b_arg:
|
|
controlpath = True
|
|
|
|
return controlpersist, controlpath
|
|
|
|
def _add_args(self, b_command, b_args, explanation):
|
|
"""
|
|
Adds arguments to the ssh command and displays a caller-supplied explanation of why.
|
|
|
|
:arg b_command: A list containing the command to add the new arguments to.
|
|
This list will be modified by this method.
|
|
:arg b_args: An iterable of new arguments to add. This iterable is used
|
|
more than once so it must be persistent (ie: a list is okay but a
|
|
StringIO would not)
|
|
:arg explanation: A text string containing explaining why the arguments
|
|
were added. It will be displayed with a high enough verbosity.
|
|
.. note:: This function does its work via side-effect. The b_command list has the new arguments appended.
|
|
"""
|
|
display.vvvvv(u'SSH: %s: (%s)' % (explanation, ')('.join(to_text(a) for a in b_args)), host=self._play_context.remote_addr)
|
|
b_command += b_args
|
|
|
|
def _build_command(self, binary, *other_args):
|
|
'''
|
|
Takes a binary (ssh, scp, sftp) and optional extra arguments and returns
|
|
a command line as an array that can be passed to subprocess.Popen.
|
|
'''
|
|
|
|
b_command = []
|
|
|
|
#
|
|
# First, the command to invoke
|
|
#
|
|
|
|
# If we want to use password authentication, we have to set up a pipe to
|
|
# write the password to sshpass.
|
|
|
|
if self._play_context.password:
|
|
if not self._sshpass_available():
|
|
raise AnsibleError("to use the 'ssh' connection type with passwords, you must install the sshpass program")
|
|
|
|
self.sshpass_pipe = os.pipe()
|
|
b_command += [b'sshpass', b'-d' + to_bytes(self.sshpass_pipe[0], nonstring='simplerepr', errors='surrogate_or_strict')]
|
|
|
|
if binary == 'ssh':
|
|
b_command += [to_bytes(self._play_context.ssh_executable, errors='surrogate_or_strict')]
|
|
else:
|
|
b_command += [to_bytes(binary, errors='surrogate_or_strict')]
|
|
|
|
#
|
|
# Next, additional arguments based on the configuration.
|
|
#
|
|
|
|
# sftp batch mode allows us to correctly catch failed transfers, but can
|
|
# be disabled if the client side doesn't support the option. However,
|
|
# sftp batch mode does not prompt for passwords so it must be disabled
|
|
# if not using controlpersist and using sshpass
|
|
if binary == 'sftp' and C.DEFAULT_SFTP_BATCH_MODE:
|
|
if self._play_context.password:
|
|
b_args = [b'-o', b'BatchMode=no']
|
|
self._add_args(b_command, b_args, u'disable batch mode for sshpass')
|
|
b_command += [b'-b', b'-']
|
|
|
|
if self._play_context.verbosity > 3:
|
|
b_command.append(b'-vvv')
|
|
|
|
#
|
|
# Next, we add [ssh_connection]ssh_args from ansible.cfg.
|
|
#
|
|
|
|
if self._play_context.ssh_args:
|
|
b_args = [to_bytes(a, errors='surrogate_or_strict') for a in
|
|
self._split_ssh_args(self._play_context.ssh_args)]
|
|
self._add_args(b_command, b_args, u"ansible.cfg set ssh_args")
|
|
|
|
# Now we add various arguments controlled by configuration file settings
|
|
# (e.g. host_key_checking) or inventory variables (ansible_ssh_port) or
|
|
# a combination thereof.
|
|
|
|
if not C.HOST_KEY_CHECKING:
|
|
b_args = (b"-o", b"StrictHostKeyChecking=no")
|
|
self._add_args(b_command, b_args, u"ANSIBLE_HOST_KEY_CHECKING/host_key_checking disabled")
|
|
|
|
if self._play_context.port is not None:
|
|
b_args = (b"-o", b"Port=" + to_bytes(self._play_context.port, nonstring='simplerepr', errors='surrogate_or_strict'))
|
|
self._add_args(b_command, b_args, u"ANSIBLE_REMOTE_PORT/remote_port/ansible_port set")
|
|
|
|
key = self._play_context.private_key_file
|
|
if key:
|
|
b_args = (b"-o", b'IdentityFile="' + to_bytes(os.path.expanduser(key), errors='surrogate_or_strict') + b'"')
|
|
self._add_args(b_command, b_args, u"ANSIBLE_PRIVATE_KEY_FILE/private_key_file/ansible_ssh_private_key_file set")
|
|
|
|
if not self._play_context.password:
|
|
self._add_args(
|
|
b_command, (
|
|
b"-o", b"KbdInteractiveAuthentication=no",
|
|
b"-o", b"PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey",
|
|
b"-o", b"PasswordAuthentication=no"
|
|
),
|
|
u"ansible_password/ansible_ssh_pass not set"
|
|
)
|
|
|
|
user = self._play_context.remote_user
|
|
if user:
|
|
self._add_args(b_command,
|
|
(b"-o", b"User=" + to_bytes(self._play_context.remote_user, errors='surrogate_or_strict')),
|
|
u"ANSIBLE_REMOTE_USER/remote_user/ansible_user/user/-u set"
|
|
)
|
|
|
|
self._add_args(b_command,
|
|
(b"-o", b"ConnectTimeout=" + to_bytes(self._play_context.timeout, errors='surrogate_or_strict', nonstring='simplerepr')),
|
|
u"ANSIBLE_TIMEOUT/timeout set"
|
|
)
|
|
|
|
# Add in any common or binary-specific arguments from the PlayContext
|
|
# (i.e. inventory or task settings or overrides on the command line).
|
|
|
|
for opt in (u'ssh_common_args', u'{0}_extra_args'.format(binary)):
|
|
attr = getattr(self._play_context, opt, None)
|
|
if attr is not None:
|
|
b_args = [to_bytes(a, errors='surrogate_or_strict') for a in self._split_ssh_args(attr)]
|
|
self._add_args(b_command, b_args, u"PlayContext set %s" % opt)
|
|
|
|
# Check if ControlPersist is enabled and add a ControlPath if one hasn't
|
|
# already been set.
|
|
|
|
controlpersist, controlpath = self._persistence_controls(b_command)
|
|
|
|
if controlpersist:
|
|
self._persistent = True
|
|
|
|
if not controlpath:
|
|
cpdir = unfrackpath(self.control_path_dir)
|
|
b_cpdir = to_bytes(cpdir, errors='surrogate_or_strict')
|
|
|
|
# The directory must exist and be writable.
|
|
makedirs_safe(b_cpdir, 0o700)
|
|
if not os.access(b_cpdir, os.W_OK):
|
|
raise AnsibleError("Cannot write to ControlPath %s" % to_native(cpdir))
|
|
|
|
if not self.control_path:
|
|
self.control_path = self._create_control_path(
|
|
self.host,
|
|
self.port,
|
|
self.user
|
|
)
|
|
b_args = (b"-o", b"ControlPath=" + to_bytes(self.control_path % dict(directory=cpdir), errors='surrogate_or_strict'))
|
|
self._add_args(b_command, b_args, u"found only ControlPersist; added ControlPath")
|
|
|
|
# Finally, we add any caller-supplied extras.
|
|
if other_args:
|
|
b_command += [to_bytes(a) for a in other_args]
|
|
|
|
return b_command
|
|
|
|
def _send_initial_data(self, fh, in_data):
|
|
'''
|
|
Writes initial data to the stdin filehandle of the subprocess and closes
|
|
it. (The handle must be closed; otherwise, for example, "sftp -b -" will
|
|
just hang forever waiting for more commands.)
|
|
'''
|
|
|
|
display.debug('Sending initial data')
|
|
|
|
try:
|
|
fh.write(to_bytes(in_data))
|
|
fh.close()
|
|
except (OSError, IOError):
|
|
raise AnsibleConnectionFailure('SSH Error: data could not be sent to remote host "%s". Make sure this host can be reached over ssh' % self.host)
|
|
|
|
display.debug('Sent initial data (%d bytes)' % len(in_data))
|
|
|
|
# Used by _run() to kill processes on failures
|
|
@staticmethod
|
|
def _terminate_process(p):
|
|
""" Terminate a process, ignoring errors """
|
|
try:
|
|
p.terminate()
|
|
except (OSError, IOError):
|
|
pass
|
|
|
|
# This is separate from _run() because we need to do the same thing for stdout
|
|
# and stderr.
|
|
def _examine_output(self, source, state, b_chunk, sudoable):
|
|
'''
|
|
Takes a string, extracts complete lines from it, tests to see if they
|
|
are a prompt, error message, etc., and sets appropriate flags in self.
|
|
Prompt and success lines are removed.
|
|
|
|
Returns the processed (i.e. possibly-edited) output and the unprocessed
|
|
remainder (to be processed with the next chunk) as strings.
|
|
'''
|
|
|
|
output = []
|
|
for b_line in b_chunk.splitlines(True):
|
|
display_line = to_text(b_line).rstrip('\r\n')
|
|
suppress_output = False
|
|
|
|
#display.debug("Examining line (source=%s, state=%s): '%s'" % (source, state, display_line))
|
|
if self._play_context.prompt and self.check_password_prompt(b_line):
|
|
display.debug("become_prompt: (source=%s, state=%s): '%s'" % (source, state, display_line))
|
|
self._flags['become_prompt'] = True
|
|
suppress_output = True
|
|
elif self._play_context.success_key and self.check_become_success(b_line):
|
|
display.debug("become_success: (source=%s, state=%s): '%s'" % (source, state, display_line))
|
|
self._flags['become_success'] = True
|
|
suppress_output = True
|
|
elif sudoable and self.check_incorrect_password(b_line):
|
|
display.debug("become_error: (source=%s, state=%s): '%s'" % (source, state, display_line))
|
|
self._flags['become_error'] = True
|
|
elif sudoable and self.check_missing_password(b_line):
|
|
display.debug("become_nopasswd_error: (source=%s, state=%s): '%s'" % (source, state, display_line))
|
|
self._flags['become_nopasswd_error'] = True
|
|
|
|
if not suppress_output:
|
|
output.append(b_line)
|
|
|
|
# The chunk we read was most likely a series of complete lines, but just
|
|
# in case the last line was incomplete (and not a prompt, which we would
|
|
# have removed from the output), we retain it to be processed with the
|
|
# next chunk.
|
|
|
|
remainder = b''
|
|
if output and not output[-1].endswith(b'\n'):
|
|
remainder = output[-1]
|
|
output = output[:-1]
|
|
|
|
return b''.join(output), remainder
|
|
|
|
def _run(self, cmd, in_data, sudoable=True, checkrc=True):
|
|
'''
|
|
Starts the command and communicates with it until it ends.
|
|
'''
|
|
|
|
display_cmd = list(map(shlex_quote, map(to_text, cmd)))
|
|
display.vvv(u'SSH: EXEC {0}'.format(u' '.join(display_cmd)), host=self.host)
|
|
|
|
# Start the given command. If we don't need to pipeline data, we can try
|
|
# to use a pseudo-tty (ssh will have been invoked with -tt). If we are
|
|
# pipelining data, or can't create a pty, we fall back to using plain
|
|
# old pipes.
|
|
|
|
p = None
|
|
|
|
if isinstance(cmd, (text_type, binary_type)):
|
|
cmd = to_bytes(cmd)
|
|
else:
|
|
cmd = list(map(to_bytes, cmd))
|
|
|
|
if not in_data:
|
|
try:
|
|
# Make sure stdin is a proper pty to avoid tcgetattr errors
|
|
master, slave = pty.openpty()
|
|
if PY3 and self._play_context.password:
|
|
p = subprocess.Popen(cmd, stdin=slave, stdout=subprocess.PIPE, stderr=subprocess.PIPE, pass_fds=self.sshpass_pipe)
|
|
else:
|
|
p = subprocess.Popen(cmd, stdin=slave, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
stdin = os.fdopen(master, 'wb', 0)
|
|
os.close(slave)
|
|
except (OSError, IOError):
|
|
p = None
|
|
|
|
if not p:
|
|
if PY3 and self._play_context.password:
|
|
p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, pass_fds=self.sshpass_pipe)
|
|
else:
|
|
p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
stdin = p.stdin
|
|
|
|
# If we are using SSH password authentication, write the password into
|
|
# the pipe we opened in _build_command.
|
|
|
|
if self._play_context.password:
|
|
os.close(self.sshpass_pipe[0])
|
|
try:
|
|
os.write(self.sshpass_pipe[1], to_bytes(self._play_context.password) + b'\n')
|
|
except OSError as e:
|
|
# Ignore broken pipe errors if the sshpass process has exited.
|
|
if e.errno != errno.EPIPE or p.poll() is None:
|
|
raise
|
|
os.close(self.sshpass_pipe[1])
|
|
|
|
#
|
|
# SSH state machine
|
|
#
|
|
|
|
# Now we read and accumulate output from the running process until it
|
|
# exits. Depending on the circumstances, we may also need to write an
|
|
# escalation password and/or pipelined input to the process.
|
|
|
|
states = [
|
|
'awaiting_prompt', 'awaiting_escalation', 'ready_to_send', 'awaiting_exit'
|
|
]
|
|
|
|
# Are we requesting privilege escalation? Right now, we may be invoked
|
|
# to execute sftp/scp with sudoable=True, but we can request escalation
|
|
# only when using ssh. Otherwise we can send initial data straightaway.
|
|
|
|
state = states.index('ready_to_send')
|
|
if b'ssh' in cmd:
|
|
if self._play_context.prompt:
|
|
# We're requesting escalation with a password, so we have to
|
|
# wait for a password prompt.
|
|
state = states.index('awaiting_prompt')
|
|
display.debug(u'Initial state: %s: %s' % (states[state], self._play_context.prompt))
|
|
elif self._play_context.become and self._play_context.success_key:
|
|
# We're requesting escalation without a password, so we have to
|
|
# detect success/failure before sending any initial data.
|
|
state = states.index('awaiting_escalation')
|
|
display.debug(u'Initial state: %s: %s' % (states[state], self._play_context.success_key))
|
|
|
|
# We store accumulated stdout and stderr output from the process here,
|
|
# but strip any privilege escalation prompt/confirmation lines first.
|
|
# Output is accumulated into tmp_*, complete lines are extracted into
|
|
# an array, then checked and removed or copied to stdout or stderr. We
|
|
# set any flags based on examining the output in self._flags.
|
|
|
|
b_stdout = b_stderr = b''
|
|
b_tmp_stdout = b_tmp_stderr = b''
|
|
|
|
self._flags = dict(
|
|
become_prompt=False, become_success=False,
|
|
become_error=False, become_nopasswd_error=False
|
|
)
|
|
|
|
# select timeout should be longer than the connect timeout, otherwise
|
|
# they will race each other when we can't connect, and the connect
|
|
# timeout usually fails
|
|
timeout = 2 + self._play_context.timeout
|
|
for fd in (p.stdout, p.stderr):
|
|
fcntl.fcntl(fd, fcntl.F_SETFL, fcntl.fcntl(fd, fcntl.F_GETFL) | os.O_NONBLOCK)
|
|
|
|
### TODO: bcoca would like to use SelectSelector() when open
|
|
# filehandles is low, then switch to more efficient ones when higher.
|
|
# select is faster when filehandles is low.
|
|
selector = selectors.DefaultSelector()
|
|
selector.register(p.stdout, selectors.EVENT_READ)
|
|
selector.register(p.stderr, selectors.EVENT_READ)
|
|
|
|
# If we can send initial data without waiting for anything, we do so
|
|
# before we start polling
|
|
if states[state] == 'ready_to_send' and in_data:
|
|
self._send_initial_data(stdin, in_data)
|
|
state += 1
|
|
|
|
try:
|
|
while True:
|
|
events = selector.select(timeout)
|
|
|
|
# We pay attention to timeouts only while negotiating a prompt.
|
|
|
|
if not events:
|
|
# We timed out
|
|
if state <= states.index('awaiting_escalation'):
|
|
# If the process has already exited, then it's not really a
|
|
# timeout; we'll let the normal error handling deal with it.
|
|
if p.poll() is not None:
|
|
break
|
|
self._terminate_process(p)
|
|
raise AnsibleError('Timeout (%ds) waiting for privilege escalation prompt: %s' % (timeout, to_native(b_stdout)))
|
|
|
|
# Read whatever output is available on stdout and stderr, and stop
|
|
# listening to the pipe if it's been closed.
|
|
|
|
for key, event in events:
|
|
if key.fileobj == p.stdout:
|
|
b_chunk = p.stdout.read()
|
|
if b_chunk == b'':
|
|
# stdout has been closed, stop watching it
|
|
selector.unregister(p.stdout)
|
|
# When ssh has ControlMaster (+ControlPath/Persist) enabled, the
|
|
# first connection goes into the background and we never see EOF
|
|
# on stderr. If we see EOF on stdout, lower the select timeout
|
|
# to reduce the time wasted selecting on stderr if we observe
|
|
# that the process has not yet existed after this EOF. Otherwise
|
|
# we may spend a long timeout period waiting for an EOF that is
|
|
# not going to arrive until the persisted connection closes.
|
|
timeout = 1
|
|
b_tmp_stdout += b_chunk
|
|
display.debug("stdout chunk (state=%s):\n>>>%s<<<\n" % (state, to_text(b_chunk)))
|
|
elif key.fileobj == p.stderr:
|
|
b_chunk = p.stderr.read()
|
|
if b_chunk == b'':
|
|
# stderr has been closed, stop watching it
|
|
selector.unregister(p.stderr)
|
|
b_tmp_stderr += b_chunk
|
|
display.debug("stderr chunk (state=%s):\n>>>%s<<<\n" % (state, to_text(b_chunk)))
|
|
|
|
# We examine the output line-by-line until we have negotiated any
|
|
# privilege escalation prompt and subsequent success/error message.
|
|
# Afterwards, we can accumulate output without looking at it.
|
|
|
|
if state < states.index('ready_to_send'):
|
|
if b_tmp_stdout:
|
|
b_output, b_unprocessed = self._examine_output('stdout', states[state], b_tmp_stdout, sudoable)
|
|
b_stdout += b_output
|
|
b_tmp_stdout = b_unprocessed
|
|
|
|
if b_tmp_stderr:
|
|
b_output, b_unprocessed = self._examine_output('stderr', states[state], b_tmp_stderr, sudoable)
|
|
b_stderr += b_output
|
|
b_tmp_stderr = b_unprocessed
|
|
else:
|
|
b_stdout += b_tmp_stdout
|
|
b_stderr += b_tmp_stderr
|
|
b_tmp_stdout = b_tmp_stderr = b''
|
|
|
|
# If we see a privilege escalation prompt, we send the password.
|
|
# (If we're expecting a prompt but the escalation succeeds, we
|
|
# didn't need the password and can carry on regardless.)
|
|
|
|
if states[state] == 'awaiting_prompt':
|
|
if self._flags['become_prompt']:
|
|
display.debug('Sending become_pass in response to prompt')
|
|
stdin.write(to_bytes(self._play_context.become_pass) + b'\n')
|
|
self._flags['become_prompt'] = False
|
|
state += 1
|
|
elif self._flags['become_success']:
|
|
state += 1
|
|
|
|
# We've requested escalation (with or without a password), now we
|
|
# wait for an error message or a successful escalation.
|
|
|
|
if states[state] == 'awaiting_escalation':
|
|
if self._flags['become_success']:
|
|
display.debug('Escalation succeeded')
|
|
self._flags['become_success'] = False
|
|
state += 1
|
|
elif self._flags['become_error']:
|
|
display.debug('Escalation failed')
|
|
self._terminate_process(p)
|
|
self._flags['become_error'] = False
|
|
raise AnsibleError('Incorrect %s password' % self._play_context.become_method)
|
|
elif self._flags['become_nopasswd_error']:
|
|
display.debug('Escalation requires password')
|
|
self._terminate_process(p)
|
|
self._flags['become_nopasswd_error'] = False
|
|
raise AnsibleError('Missing %s password' % self._play_context.become_method)
|
|
elif self._flags['become_prompt']:
|
|
# This shouldn't happen, because we should see the "Sorry,
|
|
# try again" message first.
|
|
display.debug('Escalation prompt repeated')
|
|
self._terminate_process(p)
|
|
self._flags['become_prompt'] = False
|
|
raise AnsibleError('Incorrect %s password' % self._play_context.become_method)
|
|
|
|
# Once we're sure that the privilege escalation prompt, if any, has
|
|
# been dealt with, we can send any initial data and start waiting
|
|
# for output.
|
|
|
|
if states[state] == 'ready_to_send':
|
|
if in_data:
|
|
self._send_initial_data(stdin, in_data)
|
|
state += 1
|
|
|
|
# Now we're awaiting_exit: has the child process exited? If it has,
|
|
# and we've read all available output from it, we're done.
|
|
|
|
if p.poll() is not None:
|
|
if not selector.get_map() or not events:
|
|
break
|
|
# We should not see further writes to the stdout/stderr file
|
|
# descriptors after the process has closed, set the select
|
|
# timeout to gather any last writes we may have missed.
|
|
timeout = 0
|
|
continue
|
|
|
|
# If the process has not yet exited, but we've already read EOF from
|
|
# its stdout and stderr (and thus no longer watching any file
|
|
# descriptors), we can just wait for it to exit.
|
|
|
|
elif not selector.get_map():
|
|
p.wait()
|
|
break
|
|
|
|
# Otherwise there may still be outstanding data to read.
|
|
finally:
|
|
selector.close()
|
|
# close stdin after process is terminated and stdout/stderr are read
|
|
# completely (see also issue #848)
|
|
stdin.close()
|
|
|
|
if C.HOST_KEY_CHECKING:
|
|
if cmd[0] == b"sshpass" and p.returncode == 6:
|
|
raise AnsibleError('Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this. Please add this host\'s fingerprint to your known_hosts file to manage this host.')
|
|
|
|
controlpersisterror = b'Bad configuration option: ControlPersist' in b_stderr or b'unknown configuration option: ControlPersist' in b_stderr
|
|
if p.returncode != 0 and controlpersisterror:
|
|
raise AnsibleError('using -c ssh on certain older ssh versions may not support ControlPersist, set ANSIBLE_SSH_ARGS="" (or ssh_args in [ssh_connection] section of the config file) before running again')
|
|
|
|
if p.returncode == 255 and in_data and checkrc:
|
|
raise AnsibleConnectionFailure('SSH Error: data could not be sent to remote host "%s". Make sure this host can be reached over ssh' % self.host)
|
|
|
|
return (p.returncode, b_stdout, b_stderr)
|
|
|
|
def _exec_command(self, cmd, in_data=None, sudoable=True):
|
|
''' run a command on the remote host '''
|
|
|
|
super(Connection, self).exec_command(cmd, in_data=in_data, sudoable=sudoable)
|
|
|
|
display.vvv(u"ESTABLISH SSH CONNECTION FOR USER: {0}".format(self._play_context.remote_user), host=self._play_context.remote_addr)
|
|
|
|
|
|
# we can only use tty when we are not pipelining the modules. piping
|
|
# data into /usr/bin/python inside a tty automatically invokes the
|
|
# python interactive-mode but the modules are not compatible with the
|
|
# interactive-mode ("unexpected indent" mainly because of empty lines)
|
|
if not in_data and sudoable:
|
|
args = ('ssh', '-tt', self.host, cmd)
|
|
else:
|
|
args = ('ssh', self.host, cmd)
|
|
|
|
cmd = self._build_command(*args)
|
|
(returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=sudoable)
|
|
|
|
return (returncode, stdout, stderr)
|
|
|
|
def _file_transport_command(self, in_path, out_path, sftp_action):
|
|
# scp and sftp require square brackets for IPv6 addresses, but
|
|
# accept them for hostnames and IPv4 addresses too.
|
|
host = '[%s]' % self.host
|
|
|
|
# Transfer methods to try
|
|
methods = []
|
|
|
|
# Use the transfer_method option if set, otherwise use scp_if_ssh
|
|
ssh_transfer_method = self._play_context.ssh_transfer_method
|
|
if ssh_transfer_method is not None:
|
|
if not (ssh_transfer_method in ('smart', 'sftp', 'scp', 'piped')):
|
|
raise AnsibleOptionsError('transfer_method needs to be one of [smart|sftp|scp|piped]')
|
|
if ssh_transfer_method == 'smart':
|
|
methods = ['sftp', 'scp', 'piped']
|
|
else:
|
|
methods = [ssh_transfer_method]
|
|
else:
|
|
# since this can be a non-bool now, we need to handle it correctly
|
|
scp_if_ssh = C.DEFAULT_SCP_IF_SSH
|
|
if not isinstance(scp_if_ssh, bool):
|
|
scp_if_ssh = scp_if_ssh.lower()
|
|
if scp_if_ssh in BOOLEANS:
|
|
scp_if_ssh = boolean(scp_if_ssh)
|
|
elif scp_if_ssh != 'smart':
|
|
raise AnsibleOptionsError('scp_if_ssh needs to be one of [smart|True|False]')
|
|
if scp_if_ssh == 'smart':
|
|
methods = ['sftp', 'scp', 'piped']
|
|
elif scp_if_ssh == True:
|
|
methods = ['scp']
|
|
else:
|
|
methods = ['sftp']
|
|
|
|
success = False
|
|
res = None
|
|
for method in methods:
|
|
returncode = stdout = stderr = None
|
|
if method == 'sftp':
|
|
cmd = self._build_command('sftp', to_bytes(host))
|
|
in_data = u"{0} {1} {2}\n".format(sftp_action, shlex_quote(in_path), shlex_quote(out_path))
|
|
in_data = to_bytes(in_data, nonstring='passthru')
|
|
(returncode, stdout, stderr) = self._run(cmd, in_data, checkrc=False)
|
|
elif method == 'scp':
|
|
if sftp_action == 'get':
|
|
cmd = self._build_command('scp', u'{0}:{1}'.format(host, shlex_quote(in_path)), out_path)
|
|
else:
|
|
cmd = self._build_command('scp', in_path, u'{0}:{1}'.format(host, shlex_quote(out_path)))
|
|
in_data = None
|
|
(returncode, stdout, stderr) = self._run(cmd, in_data, checkrc=False)
|
|
elif method == 'piped':
|
|
if sftp_action == 'get':
|
|
# we pass sudoable=False to disable pty allocation, which
|
|
# would end up mixing stdout/stderr and screwing with newlines
|
|
(returncode, stdout, stderr) = self._exec_command('dd if=%s bs=%s' % (in_path, BUFSIZE), sudoable=False)
|
|
out_file = open(to_bytes(out_path, errors='surrogate_or_strict'), 'wb+')
|
|
out_file.write(stdout)
|
|
out_file.close()
|
|
else:
|
|
in_data = open(to_bytes(in_path, errors='surrogate_or_strict'), 'rb').read()
|
|
in_data = to_bytes(in_data, nonstring='passthru')
|
|
(returncode, stdout, stderr) = self._exec_command('dd of=%s bs=%s' % (out_path, BUFSIZE), in_data=in_data)
|
|
|
|
# Check the return code and rollover to next method if failed
|
|
if returncode == 0:
|
|
success = True
|
|
break
|
|
else:
|
|
# If not in smart mode, the data will be printed by the raise below
|
|
if len(methods) > 1:
|
|
display.warning(msg='%s transfer mechanism failed on %s. Use ANSIBLE_DEBUG=1 to see detailed information' % (method, host))
|
|
display.debug(msg='%s' % to_native(stdout))
|
|
display.debug(msg='%s' % to_native(stderr))
|
|
res = (returncode, stdout, stderr)
|
|
|
|
if not success:
|
|
raise AnsibleError("failed to transfer file {0} to {1}:\n{2}\n{3}"\
|
|
.format(to_native(in_path), to_native(out_path), to_native(res[1]), to_native(res[2])))
|
|
|
|
#
|
|
# Main public methods
|
|
#
|
|
def exec_command(self, *args, **kwargs):
|
|
"""
|
|
Wrapper around _exec_command to retry in the case of an ssh failure
|
|
|
|
Will retry if:
|
|
* an exception is caught
|
|
* ssh returns 255
|
|
Will not retry if
|
|
* remaining_tries is <2
|
|
* retries limit reached
|
|
"""
|
|
|
|
remaining_tries = int(C.ANSIBLE_SSH_RETRIES) + 1
|
|
cmd_summary = "%s..." % args[0]
|
|
for attempt in range(remaining_tries):
|
|
try:
|
|
return_tuple = self._exec_command(*args, **kwargs)
|
|
# 0 = success
|
|
# 1-254 = remote command return code
|
|
# 255 = failure from the ssh command itself
|
|
if return_tuple[0] != 255:
|
|
break
|
|
else:
|
|
raise AnsibleConnectionFailure("Failed to connect to the host via ssh: %s" % to_native(return_tuple[2]))
|
|
except (AnsibleConnectionFailure, Exception) as e:
|
|
if attempt == remaining_tries - 1:
|
|
raise
|
|
else:
|
|
pause = 2 ** attempt - 1
|
|
if pause > 30:
|
|
pause = 30
|
|
|
|
if isinstance(e, AnsibleConnectionFailure):
|
|
msg = "ssh_retry: attempt: %d, ssh return code is 255. cmd (%s), pausing for %d seconds" % (attempt, cmd_summary, pause)
|
|
else:
|
|
msg = "ssh_retry: attempt: %d, caught exception(%s) from cmd (%s), pausing for %d seconds" % (attempt, e, cmd_summary, pause)
|
|
|
|
display.vv(msg, host=self.host)
|
|
|
|
time.sleep(pause)
|
|
continue
|
|
|
|
return return_tuple
|
|
|
|
def put_file(self, in_path, out_path):
|
|
''' transfer a file from local to remote '''
|
|
|
|
super(Connection, self).put_file(in_path, out_path)
|
|
|
|
display.vvv(u"PUT {0} TO {1}".format(in_path, out_path), host=self.host)
|
|
if not os.path.exists(to_bytes(in_path, errors='surrogate_or_strict')):
|
|
raise AnsibleFileNotFound("file or module does not exist: {0}".format(to_native(in_path)))
|
|
|
|
self._file_transport_command(in_path, out_path, 'put')
|
|
|
|
def fetch_file(self, in_path, out_path):
|
|
''' fetch a file from remote to local '''
|
|
|
|
super(Connection, self).fetch_file(in_path, out_path)
|
|
|
|
display.vvv(u"FETCH {0} TO {1}".format(in_path, out_path), host=self.host)
|
|
self._file_transport_command(in_path, out_path, 'get')
|
|
|
|
def close(self):
|
|
# If we have a persistent ssh connection (ControlPersist), we can ask it
|
|
# to stop listening. Otherwise, there's nothing to do here.
|
|
|
|
# TODO: reenable once winrm issues are fixed
|
|
# temporarily disabled as we are forced to currently close connections after every task because of winrm
|
|
# if self._connected and self._persistent:
|
|
# ssh_executable = self._play_context.ssh_executable
|
|
# cmd = self._build_command('ssh', '-O', 'stop', self.host)
|
|
#
|
|
# cmd = map(to_bytes, cmd)
|
|
# p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
# stdout, stderr = p.communicate()
|
|
|
|
self._connected = False
|