|
|
- # Copyright 2016 Pierre Chifflier <pollux@wzdftpd.net>
- #
- # SSH + lxc-attach connection module for Ansible 2.0
- #
- # Adapted from ansible/plugins/connection/ssh.py
- #
- # Ansible is free software: you can redistribute it and/or modify
- # it under the terms of the GNU General Public License as published by
- # the Free Software Foundation, either version 3 of the License, or
- # (at your option) any later version.
- #
- # Ansible is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- # GNU General Public License for more details.
- #
- # You should have received a copy of the GNU General Public License
- # along with Ansible. If not, see <http://www.gnu.org/licenses/>.
- #
- import fcntl
- import os
- import pipes
- import pty
- import select
- import shlex
- import subprocess
-
- from ansible import constants as C
- from ansible.compat.six import text_type, binary_type
- from ansible.plugins.connection import ConnectionBase
- from ansible.utils.path import unfrackpath, makedirs_safe
- from ansible.module_utils._text import to_bytes, to_text
-
- try:
- from __main__ import display
- except ImportError:
- from ansible.utils.display import Display
- display = Display()
-
-
- class Connection(ConnectionBase):
- transport = 'lxc_ssh'
- has_pipelining = True
-
-
- def __init__(self, play_context, new_stdin, *args, **kwargs):
- #print args
- #print kwargs
- super(Connection, self).__init__(play_context, new_stdin, *args, **kwargs)
- self.host=self._play_context.remote_addr
- self.container_name = play_context.docker_extra_args # XXX
-
- def _connect(self):
- ''' connect to the lxc; nothing to do here '''
- display.vvv('XXX connect')
- super(Connection, self)._connect()
- #self.container_name = self.ssh._play_context.remote_addr
-
- # self._play_context.ssh_extra_args = ""
- #self.container = None
-
- @staticmethod
- def _persistence_controls(command):
- '''
- Takes a command array and scans it for ControlPersist and ControlPath
- settings and returns two booleans indicating whether either was found.
- This could be smarter, e.g. returning false if ControlPersist is 'no',
- but for now we do it simple way.
- '''
-
- controlpersist = False
- controlpath = False
-
- for arg in command:
- if 'controlpersist' in arg.lower():
- controlpersist = True
- elif 'controlpath' in arg.lower():
- controlpath = True
-
- return controlpersist, controlpath
-
-
- @staticmethod
- def _split_args(argstring):
- """
- Takes a string like '-o Foo=1 -o Bar="foo bar"' and returns a
- list ['-o', 'Foo=1', '-o', 'Bar=foo bar'] that can be added to
- the argument list. The list will not contain any empty elements.
- """
- return [to_text(x.strip()) for x in shlex.split(to_bytes(argstring)) if x.strip()]
-
-
- def _add_args(self, explanation, args):
- """
- Adds the given args to self._command and displays a caller-supplied
- explanation of why they were added.
- """
- self._command += args
- display.vvvvv('SSH: ' + explanation + ': (%s)' % ')('.join(args), host=self._play_context.remote_addr)
-
-
- def _build_command(self, binary, *other_args):
- self._command = []
- self._command += [binary]
- self._command += ['-C']
- if self._play_context.verbosity > 3:
- self._command += ['-vvv']
- elif binary == 'ssh':
- # Older versions of ssh (e.g. in RHEL 6) don't accept sftp -q.
- self._command += ['-q']
- # Next, we add [ssh_connection]ssh_args from ansible.cfg.
- # if self._play_context.ssh_args:
- # args = self._split_args(self._play_context.ssh_args)
- # self._add_args("ansible.cfg set ssh_args", args)
- # Now we add various arguments controlled by configuration file settings
- # (e.g. host_key_checking) or inventory variables (ansible_ssh_port) or
- # a combination thereof.
- if not C.HOST_KEY_CHECKING:
- self._add_args(
- "ANSIBLE_HOST_KEY_CHECKING/host_key_checking disabled",
- ("-o", "StrictHostKeyChecking=no")
- )
- if self._play_context.port is not None:
- self._add_args(
- "ANSIBLE_REMOTE_PORT/remote_port/ansible_port set",
- ("-o", "Port={0}".format(self._play_context.port))
- )
- key = self._play_context.private_key_file
- if key:
- self._add_args(
- "ANSIBLE_PRIVATE_KEY_FILE/private_key_file/ansible_ssh_private_key_file set",
- ("-o", "IdentityFile=\"{0}\"".format(os.path.expanduser(key)))
- )
- if not self._play_context.password:
- self._add_args(
- "ansible_password/ansible_ssh_pass not set", (
- "-o", "KbdInteractiveAuthentication=no",
- "-o", "PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey",
- "-o", "PasswordAuthentication=no"
- )
- )
- user = self._play_context.remote_user
- if user:
- self._add_args(
- "ANSIBLE_REMOTE_USER/remote_user/ansible_user/user/-u set",
- ("-o", "User={0}".format(to_bytes(self._play_context.remote_user)))
- )
- self._add_args(
- "ANSIBLE_TIMEOUT/timeout set",
- ("-o", "ConnectTimeout={0}".format(self._play_context.timeout))
- )
- # Check if ControlPersist is enabled and add a ControlPath if one hasn't
- # already been set.
- controlpersist, controlpath = self._persistence_controls(self._command)
- if controlpersist:
- self._persistent = True
- if not controlpath:
- cpdir = unfrackpath('$HOME/.ansible/cp')
- # The directory must exist and be writable.
- makedirs_safe(cpdir, 0o700)
- if not os.access(cpdir, os.W_OK):
- raise AnsibleError("Cannot write to ControlPath %s" % cpdir)
- args = ("-o", "ControlPath={0}".format(
- to_bytes(C.ANSIBLE_SSH_CONTROL_PATH % dict(directory=cpdir)))
- )
- self._add_args("found only ControlPersist; added ControlPath", args)
- ## Finally, we add any caller-supplied extras.
- if other_args:
- self._command += other_args
- return self._command
-
-
- def _send_initial_data(self, fh, in_data):
- '''
- Writes initial data to the stdin filehandle of the subprocess and closes
- it. (The handle must be closed; otherwise, for example, "sftp -b -" will
- just hang forever waiting for more commands.)
- '''
-
- display.debug('Sending initial data')
-
- try:
- fh.write(in_data)
- fh.close()
- except (OSError, IOError):
- raise AnsibleConnectionFailure('SSH Error: data could not be sent to the remote host. Make sure this host can be reached over ssh')
-
- display.debug('Sent initial data (%d bytes)' % len(in_data))
-
- # Used by _run() to kill processes on failures
- @staticmethod
- def _terminate_process(p):
- """ Terminate a process, ignoring errors """
- try:
- p.terminate()
- except (OSError, IOError):
- pass
-
- # This is separate from _run() because we need to do the same thing for stdout
- # and stderr.
- def _examine_output(self, source, state, chunk, sudoable):
- '''
- Takes a string, extracts complete lines from it, tests to see if they
- are a prompt, error message, etc., and sets appropriate flags in self.
- Prompt and success lines are removed.
-
- Returns the processed (i.e. possibly-edited) output and the unprocessed
- remainder (to be processed with the next chunk) as strings.
- '''
-
- output = []
- for l in chunk.splitlines(True):
- suppress_output = False
-
- #display.debug("Examining line (source=%s, state=%s): '%s'" % (source, state, l.rstrip('\r\n')))
- if self._play_context.prompt and self.check_password_prompt(l):
- display.debug("become_prompt: (source=%s, state=%s): '%s'" % (source, state, l.rstrip('\r\n')))
- self._flags['become_prompt'] = True
- suppress_output = True
- elif self._play_context.success_key and self.check_become_success(l):
- display.debug("become_success: (source=%s, state=%s): '%s'" % (source, state, l.rstrip('\r\n')))
- self._flags['become_success'] = True
- suppress_output = True
- elif sudoable and self.check_incorrect_password(l):
- display.debug("become_error: (source=%s, state=%s): '%s'" % (source, state, l.rstrip('\r\n')))
- self._flags['become_error'] = True
- elif sudoable and self.check_missing_password(l):
- display.debug("become_nopasswd_error: (source=%s, state=%s): '%s'" % (source, state, l.rstrip('\r\n')))
- self._flags['become_nopasswd_error'] = True
-
- if not suppress_output:
- output.append(l)
-
- # The chunk we read was most likely a series of complete lines, but just
- # in case the last line was incomplete (and not a prompt, which we would
- # have removed from the output), we retain it to be processed with the
- # next chunk.
-
- remainder = ''
- if output and not output[-1].endswith('\n'):
- remainder = output[-1]
- output = output[:-1]
-
- return ''.join(output), remainder
-
- def _run(self, cmd, in_data, sudoable=True):
- '''
- Starts the command and communicates with it until it ends.
- '''
-
- display_cmd = map(to_text, map(pipes.quote, cmd))
- display.vvv(u'SSH: EXEC {0}'.format(u' '.join(display_cmd)), host=self.host)
-
- # Start the given command. If we don't need to pipeline data, we can try
- # to use a pseudo-tty (ssh will have been invoked with -tt). If we are
- # pipelining data, or can't create a pty, we fall back to using plain
- # old pipes.
-
- p = None
-
- if isinstance(cmd, (text_type, binary_type)):
- cmd = to_bytes(cmd)
- else:
- cmd = map(to_bytes, cmd)
-
- if not in_data:
- try:
- # Make sure stdin is a proper pty to avoid tcgetattr errors
- master, slave = pty.openpty()
- p = subprocess.Popen(cmd, stdin=slave, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
- stdin = os.fdopen(master, 'w', 0)
- os.close(slave)
- except (OSError, IOError):
- p = None
-
- if not p:
- p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
- stdin = p.stdin
-
- # If we are using SSH password authentication, write the password into
- # the pipe we opened in _build_command.
-
- if self._play_context.password:
- os.close(self.sshpass_pipe[0])
- os.write(self.sshpass_pipe[1], "{0}\n".format(to_bytes(self._play_context.password)))
- os.close(self.sshpass_pipe[1])
-
- ## SSH state machine
- #
- # Now we read and accumulate output from the running process until it
- # exits. Depending on the circumstances, we may also need to write an
- # escalation password and/or pipelined input to the process.
-
- states = [
- 'awaiting_prompt', 'awaiting_escalation', 'ready_to_send', 'awaiting_exit'
- ]
-
- # Are we requesting privilege escalation? Right now, we may be invoked
- # to execute sftp/scp with sudoable=True, but we can request escalation
- # only when using ssh. Otherwise we can send initial data straightaway.
-
- state = states.index('ready_to_send')
- if b'ssh' in cmd:
- if self._play_context.prompt:
- # We're requesting escalation with a password, so we have to
- # wait for a password prompt.
- state = states.index('awaiting_prompt')
- display.debug('Initial state: %s: %s' % (states[state], self._play_context.prompt))
- elif self._play_context.become and self._play_context.success_key:
- # We're requesting escalation without a password, so we have to
- # detect success/failure before sending any initial data.
- state = states.index('awaiting_escalation')
- display.debug('Initial state: %s: %s' % (states[state], self._play_context.success_key))
-
- # We store accumulated stdout and stderr output from the process here,
- # but strip any privilege escalation prompt/confirmation lines first.
- # Output is accumulated into tmp_*, complete lines are extracted into
- # an array, then checked and removed or copied to stdout or stderr. We
- # set any flags based on examining the output in self._flags.
-
- stdout = stderr = ''
- tmp_stdout = tmp_stderr = ''
-
- self._flags = dict(
- become_prompt=False, become_success=False,
- become_error=False, become_nopasswd_error=False
- )
-
- # select timeout should be longer than the connect timeout, otherwise
- # they will race each other when we can't connect, and the connect
- # timeout usually fails
- timeout = 2 + self._play_context.timeout
- rpipes = [p.stdout, p.stderr]
- for fd in rpipes:
- fcntl.fcntl(fd, fcntl.F_SETFL, fcntl.fcntl(fd, fcntl.F_GETFL) | os.O_NONBLOCK)
-
- # If we can send initial data without waiting for anything, we do so
- # before we call select.
-
- if states[state] == 'ready_to_send' and in_data:
- self._send_initial_data(stdin, in_data)
- state += 1
-
- while True:
- rfd, wfd, efd = select.select(rpipes, [], [], timeout)
-
- # We pay attention to timeouts only while negotiating a prompt.
-
- if not rfd:
- if state <= states.index('awaiting_escalation'):
- # If the process has already exited, then it's not really a
- # timeout; we'll let the normal error handling deal with it.
- if p.poll() is not None:
- break
- self._terminate_process(p)
- raise AnsibleError('Timeout (%ds) waiting for privilege escalation prompt: %s' % (timeout, stdout))
-
- # Read whatever output is available on stdout and stderr, and stop
- # listening to the pipe if it's been closed.
-
- if p.stdout in rfd:
- chunk = p.stdout.read()
- if chunk == '':
- rpipes.remove(p.stdout)
- tmp_stdout += chunk
- display.debug("stdout chunk (state=%s):\n>>>%s<<<\n" % (state, chunk))
-
- if p.stderr in rfd:
- chunk = p.stderr.read()
- if chunk == '':
- rpipes.remove(p.stderr)
- tmp_stderr += chunk
- display.debug("stderr chunk (state=%s):\n>>>%s<<<\n" % (state, chunk))
-
- # We examine the output line-by-line until we have negotiated any
- # privilege escalation prompt and subsequent success/error message.
- # Afterwards, we can accumulate output without looking at it.
-
- if state < states.index('ready_to_send'):
- if tmp_stdout:
- output, unprocessed = self._examine_output('stdout', states[state], tmp_stdout, sudoable)
- stdout += output
- tmp_stdout = unprocessed
-
- if tmp_stderr:
- output, unprocessed = self._examine_output('stderr', states[state], tmp_stderr, sudoable)
- stderr += output
- tmp_stderr = unprocessed
- else:
- stdout += tmp_stdout
- stderr += tmp_stderr
- tmp_stdout = tmp_stderr = ''
-
- # If we see a privilege escalation prompt, we send the password.
- # (If we're expecting a prompt but the escalation succeeds, we
- # didn't need the password and can carry on regardless.)
-
- if states[state] == 'awaiting_prompt':
- if self._flags['become_prompt']:
- display.debug('Sending become_pass in response to prompt')
- stdin.write('{0}\n'.format(to_bytes(self._play_context.become_pass )))
- self._flags['become_prompt'] = False
- state += 1
- elif self._flags['become_success']:
- state += 1
-
- # We've requested escalation (with or without a password), now we
- # wait for an error message or a successful escalation.
-
- if states[state] == 'awaiting_escalation':
- if self._flags['become_success']:
- display.debug('Escalation succeeded')
- self._flags['become_success'] = False
- state += 1
- elif self._flags['become_error']:
- display.debug('Escalation failed')
- self._terminate_process(p)
- self._flags['become_error'] = False
- raise AnsibleError('Incorrect %s password' % self._play_context.become_method)
- elif self._flags['become_nopasswd_error']:
- display.debug('Escalation requires password')
- self._terminate_process(p)
- self._flags['become_nopasswd_error'] = False
- raise AnsibleError('Missing %s password' % self._play_context.become_method)
- elif self._flags['become_prompt']:
- # This shouldn't happen, because we should see the "Sorry,
- # try again" message first.
- display.debug('Escalation prompt repeated')
- self._terminate_process(p)
- self._flags['become_prompt'] = False
- raise AnsibleError('Incorrect %s password' % self._play_context.become_method)
-
- # Once we're sure that the privilege escalation prompt, if any, has
- # been dealt with, we can send any initial data and start waiting
- # for output.
-
- if states[state] == 'ready_to_send':
- if in_data:
- self._send_initial_data(stdin, in_data)
- state += 1
-
- # Now we're awaiting_exit: has the child process exited? If it has,
- # and we've read all available output from it, we're done.
-
- if p.poll() is not None:
- if not rpipes or not rfd:
- break
-
- # When ssh has ControlMaster (+ControlPath/Persist) enabled, the
- # first connection goes into the background and we never see EOF
- # on stderr. If we see EOF on stdout and the process has exited,
- # we're probably done. We call select again with a zero timeout,
- # just to make certain we don't miss anything that may have been
- # written to stderr between the time we called select() and when
- # we learned that the process had finished.
-
- if p.stdout not in rpipes:
- timeout = 0
- continue
-
- # If the process has not yet exited, but we've already read EOF from
- # its stdout and stderr (and thus removed both from rpipes), we can
- # just wait for it to exit.
-
- elif not rpipes:
- p.wait()
- break
-
- # Otherwise there may still be outstanding data to read.
-
- # close stdin after process is terminated and stdout/stderr are read
- # completely (see also issue #848)
- stdin.close()
-
- if C.HOST_KEY_CHECKING:
- if cmd[0] == b"sshpass" and p.returncode == 6:
- raise AnsibleError('Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this. Please add this host\'s fingerprint to your known_hosts file to manage this host.')
-
- controlpersisterror = 'Bad configuration option: ControlPersist' in stderr or 'unknown configuration option: ControlPersist' in stderr
- if p.returncode != 0 and controlpersisterror:
- raise AnsibleError('using -c ssh on certain older ssh versions may not support ControlPersist, set ANSIBLE_SSH_ARGS="" (or ssh_args in [ssh_connection] section of the config file) before running again')
-
- if p.returncode == 255 and in_data:
- raise AnsibleConnectionFailure('SSH Error: data could not be sent to the remote host. Make sure this host can be reached over ssh')
-
- return (p.returncode, stdout, stderr)
-
- def _exec_command(self, cmd, in_data=None, sudoable=True):
- ''' run a command on the remote host '''
-
- super(Connection, self).exec_command(cmd, in_data=in_data, sudoable=sudoable)
-
- display.vvv(u"ESTABLISH SSH CONNECTION FOR USER: {0}".format(self._play_context.remote_user), host=self._play_context.remote_addr)
-
- # we can only use tty when we are not pipelining the modules. piping
- # data into /usr/bin/python inside a tty automatically invokes the
- # python interactive-mode but the modules are not compatible with the
- # interactive-mode ("unexpected indent" mainly because of empty lines)
-
- if in_data:
- cmd = self._build_command('ssh', self.host, cmd)
- else:
- cmd = self._build_command('ssh', '-tt', self.host, cmd)
-
- (returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=sudoable)
-
- return (returncode, stdout, stderr)
-
-
-
- def dir_print(self,obj):
- for attr_name in dir(obj):
- try:
- attr_value = getattr(obj, attr_name)
- print(attr_name, attr_value, callable(attr_value))
- except:
- pass
-
-
-
- def exec_command(self, cmd, in_data=None, sudoable=False):
- ''' run a command on the chroot '''
- display.vvv('XXX exec_command: %s' % cmd)
- super(Connection, self).exec_command(cmd, in_data=in_data, sudoable=sudoable)
- # print dir(self)
- # print dir(self._play_context)
- # print self._play_context._attributes
- # self.dir_print(self._play_context)
- # print dir(self._play_context._vars)
- # print self._play_context._attributes['vars']
- # vm = self._play_context.get_ds()
- # print( vm )
- # raise "blah"
- h = self.container_name
- lxc_cmd = 'lxc-attach --name %s -- /bin/sh -c %s' \
- % (pipes.quote(h),
- pipes.quote(cmd))
- if in_data:
- cmd = self._build_command('ssh', self.host, lxc_cmd)
- else:
- cmd = self._build_command('ssh', '-tt', self.host, lxc_cmd)
- #self.ssh.exec_command(lxc_cmd,in_data,sudoable)
- (returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=sudoable)
- return (returncode, stdout, stderr)
-
-
- def put_file(self, in_path, out_path):
- ''' transfer a file from local to lxc '''
- display.vvv('XXX put_file %s %s' % (in_path,out_path))
- super(Connection, self).put_file(in_path, out_path)
- if not os.path.exists(in_path):
- raise errors.AnsibleFileNotFound("file or module does not exist: %s" % in_path)
-
- with open(in_path,'r') as in_f:
- in_data = in_f.read()
- cmd = ('cat > %s; echo -n done' % pipes.quote(out_path))
- h = self.container_name
- lxc_cmd = 'lxc-attach --name %s -- /bin/sh -c %s' \
- % (pipes.quote(h),
- pipes.quote(cmd))
- if in_data:
- cmd = self._build_command('ssh', self.host, lxc_cmd)
- else:
- cmd = self._build_command('ssh', '-tt', self.host, lxc_cmd)
- #self.ssh.exec_command(lxc_cmd,in_data,sudoable)
- (returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=False)
- return (returncode, stdout, stderr)
-
- def fetch_file(self, in_path, out_path):
- ''' fetch a file from lxc to local '''
- display.vvv('XXX fetch_file %s %s' % (in_path,out_path))
- super(Connection, self).fetch_file(in_path, out_path)
- cmd = ('cat %s' % pipes.quote(in_path))
- h = self.container_name
- lxc_cmd = 'lxc-attach --name %s -- /bin/sh -c %s' \
- % (pipes.quote(h),
- pipes.quote(cmd))
- in_data = None
- if in_data:
- cmd = self._build_command('ssh', self.host, lxc_cmd)
- else:
- cmd = self._build_command('ssh', '-tt', self.host, lxc_cmd)
- (returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=False)
- if returncode != 0:
- raise AnsibleError("failed to transfer file from {0}:\n{1}\n{2}".format(in_path, stdout, stderr))
- with open(out_path,'w') as out_f:
- out_f.write(stdout)
-
- def close(self):
- ''' terminate the connection; nothing to do here '''
- display.vvv('XXX close')
- super(Connection, self).close()
- #self.ssh.close()
- self._connected = False
|
