mirror of
https://github.com/ansible-collections/community.general.git
synced 2025-04-24 03:11:24 -07:00
23b1dbacaf
* included inventory and callback in new config allow inventory to be configurable updated connection options settings also updated winrm to work with new configs removed now obsolete set_host_overrides added notes for future bcoca, current one is just punting, it's future's problem updated docs per feedback added remove group/host methods to inv data moved fact cache from data to constructed cleaner/better options fix when vars are added extended ignore list to config dicts updated paramiko connection docs removed options from base that paramiko already handles left the look option as it is used by other plugin types resolve delegation updated cache doc options fixed test_script better fragment merge for options fixed proxy command restore ini for proxy normalized options moved pipelining to class updates for host_key_checking restructured mixins * fix typo
580 lines
22 KiB
Python
580 lines
22 KiB
Python
# (c) 2012, Michael DeHaan <michael.dehaan@gmail.com>
|
|
# (c) 2017 Ansible Project
|
|
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
from __future__ import (absolute_import, division, print_function)
|
|
__metaclass__ = type
|
|
|
|
DOCUMENTATION = """
|
|
author: Ansible Core Team
|
|
connection: paramiko
|
|
short_description: Run tasks via python ssh (paramiko)
|
|
description:
|
|
- Use the python ssh implementation (Paramiko) to connect to targets
|
|
- The paramiko transport is provided because many distributions, in particular EL6 and before do not support ControlPersist
|
|
in their SSH implementations.
|
|
- This is needed on the Ansible control machine to be reasonably efficient with connections.
|
|
Thus paramiko is faster for most users on these platforms.
|
|
Users with ControlPersist capability can consider using -c ssh or configuring the transport in the configuration file.
|
|
- This plugin also borrows a lot of settings from the ssh plugin as they both cover the same protocol.
|
|
version_added: "0.1"
|
|
options:
|
|
remote_addr:
|
|
description:
|
|
- Address of the remote target
|
|
default: inventory_hostname
|
|
vars:
|
|
- name: ansible_host
|
|
- name: ansible_ssh_host
|
|
- name: ansible_paramiko_host
|
|
remote_user:
|
|
description:
|
|
- User to login/authenticate as
|
|
- Can be set from the CLI via the ``--user`` or ``-u`` options.
|
|
vars:
|
|
- name: ansible_user
|
|
- name: ansible_ssh_user
|
|
- name: ansible_paramiko_user
|
|
env:
|
|
- name: ANSIBLE_REMOTE_USER
|
|
- name: ANSIBLE_PARAMIKO_REMOTE_USER
|
|
version_added: '2.5'
|
|
ini:
|
|
- section: defaults
|
|
key: remote_user
|
|
- section: paramiko_connection
|
|
key: remote_user
|
|
version_added: '2.5'
|
|
password:
|
|
description:
|
|
- Secret used to either login the ssh server or as a passphrase for ssh keys that require it
|
|
- Can be set from the CLI via the ``--ask-pass`` option.
|
|
vars:
|
|
- name: ansible_password
|
|
- name: ansible_ssh_pass
|
|
- name: ansible_paramiko_pass
|
|
version_added: '2.5'
|
|
host_key_auto_add:
|
|
description: 'TODO: write it'
|
|
env: [{name: ANSIBLE_PARAMIKO_HOST_KEY_AUTO_ADD}]
|
|
ini:
|
|
- {key: host_key_auto_add, section: paramiko_connection}
|
|
type: boolean
|
|
look_for_keys:
|
|
default: True
|
|
description: 'TODO: write it'
|
|
env: [{name: ANSIBLE_PARAMIKO_LOOK_FOR_KEYS}]
|
|
ini:
|
|
- {key: look_for_keys, section: paramiko_connection}
|
|
type: boolean
|
|
proxy_command:
|
|
default: ''
|
|
description:
|
|
- Proxy information for running the connection via a jumphost
|
|
- Also this plugin will scan 'ssh_args', 'ssh_extra_args' and 'ssh_common_args' from the 'ssh' plugin settings for proxy information if set.
|
|
env: [{name: ANSIBLE_PARAMIKO_PROXY_COMMAND}]
|
|
ini:
|
|
- {key: proxy_command, section: paramiko_connection}
|
|
pty:
|
|
default: True
|
|
description: 'TODO: write it'
|
|
env:
|
|
- name: ANSIBLE_PARAMIKO_PTY
|
|
ini:
|
|
- section: paramiko_connection
|
|
key: pty
|
|
type: boolean
|
|
record_host_keys:
|
|
default: True
|
|
description: 'TODO: write it'
|
|
env: [{name: ANSIBLE_PARAMIKO_RECORD_HOST_KEYS}]
|
|
ini:
|
|
- section: paramiko_connection
|
|
key: record_host_keys
|
|
type: boolean
|
|
host_key_checking:
|
|
description: 'Set this to "False" if you want to avoid host key checking by the underlying tools Ansible uses to connect to the host'
|
|
type: boolean
|
|
default: True
|
|
env:
|
|
- name: ANSIBLE_HOST_KEY_CHECKING
|
|
- name: ANSIBLE_SSH_HOST_KEY_CHECKING
|
|
version_added: '2.5'
|
|
- name: ANSIBLE_PARAMIKO_HOST_KEY_CHECKING
|
|
version_added: '2.5'
|
|
ini:
|
|
- section: defaults
|
|
key: host_key_checking
|
|
- section: paramiko_connection
|
|
key: host_key_checking
|
|
version_added: '2.5'
|
|
vars:
|
|
- name: ansible_host_key_checking
|
|
version_added: '2.5'
|
|
- name: ansible_ssh_host_key_checking
|
|
version_added: '2.5'
|
|
- name: ansible_paramiko_host_key_checking
|
|
version_added: '2.5'
|
|
# TODO:
|
|
#C.USE_PERSISTENT_CONNECTIONS:
|
|
#timeout=self._play_context.timeout,
|
|
"""
|
|
|
|
import warnings
|
|
import os
|
|
import socket
|
|
import tempfile
|
|
import traceback
|
|
import fcntl
|
|
import sys
|
|
import re
|
|
|
|
from termios import tcflush, TCIFLUSH
|
|
from binascii import hexlify
|
|
|
|
from ansible import constants as C
|
|
from ansible.errors import AnsibleError, AnsibleConnectionFailure, AnsibleFileNotFound
|
|
from ansible.module_utils.six import iteritems
|
|
from ansible.module_utils.six.moves import input
|
|
from ansible.plugins.connection import ConnectionBase
|
|
from ansible.utils.path import makedirs_safe
|
|
from ansible.module_utils._text import to_bytes, to_native
|
|
|
|
try:
|
|
from __main__ import display
|
|
except ImportError:
|
|
from ansible.utils.display import Display
|
|
display = Display()
|
|
|
|
|
|
AUTHENTICITY_MSG = """
|
|
paramiko: The authenticity of host '%s' can't be established.
|
|
The %s key fingerprint is %s.
|
|
Are you sure you want to continue connecting (yes/no)?
|
|
"""
|
|
|
|
# SSH Options Regex
|
|
SETTINGS_REGEX = re.compile(r'(\w+)(?:\s*=\s*|\s+)(.+)')
|
|
|
|
# prevent paramiko warning noise -- see http://stackoverflow.com/questions/3920502/
|
|
HAVE_PARAMIKO = False
|
|
with warnings.catch_warnings():
|
|
warnings.simplefilter("ignore")
|
|
try:
|
|
import paramiko
|
|
HAVE_PARAMIKO = True
|
|
except ImportError:
|
|
pass
|
|
|
|
|
|
class MyAddPolicy(object):
|
|
"""
|
|
Based on AutoAddPolicy in paramiko so we can determine when keys are added
|
|
|
|
and also prompt for input.
|
|
|
|
Policy for automatically adding the hostname and new host key to the
|
|
local L{HostKeys} object, and saving it. This is used by L{SSHClient}.
|
|
"""
|
|
|
|
def __init__(self, new_stdin, connection):
|
|
self._new_stdin = new_stdin
|
|
self.connection = connection
|
|
self._options = connection._options
|
|
|
|
def missing_host_key(self, client, hostname, key):
|
|
|
|
if all((self._options['host_key_checking'], not self._options['host_key_auto_add'])):
|
|
|
|
fingerprint = hexlify(key.get_fingerprint())
|
|
ktype = key.get_name()
|
|
|
|
if C.USE_PERSISTENT_CONNECTIONS:
|
|
# don't print the prompt string since the user cannot respond
|
|
# to the question anyway
|
|
raise AnsibleError(AUTHENTICITY_MSG[1:92] % (hostname, ktype, fingerprint))
|
|
|
|
self.connection.connection_lock()
|
|
|
|
old_stdin = sys.stdin
|
|
sys.stdin = self._new_stdin
|
|
|
|
# clear out any premature input on sys.stdin
|
|
tcflush(sys.stdin, TCIFLUSH)
|
|
|
|
inp = input(AUTHENTICITY_MSG % (hostname, ktype, fingerprint))
|
|
sys.stdin = old_stdin
|
|
|
|
self.connection.connection_unlock()
|
|
|
|
if inp not in ['yes', 'y', '']:
|
|
raise AnsibleError("host connection rejected by user")
|
|
|
|
key._added_by_ansible_this_time = True
|
|
|
|
# existing implementation below:
|
|
client._host_keys.add(hostname, key.get_name(), key)
|
|
|
|
# host keys are actually saved in close() function below
|
|
# in order to control ordering.
|
|
|
|
|
|
# keep connection objects on a per host basis to avoid repeated attempts to reconnect
|
|
|
|
SSH_CONNECTION_CACHE = {}
|
|
SFTP_CONNECTION_CACHE = {}
|
|
|
|
|
|
class Connection(ConnectionBase):
|
|
''' SSH based connections with Paramiko '''
|
|
|
|
transport = 'paramiko'
|
|
|
|
def _cache_key(self):
|
|
return "%s__%s__" % (self._play_context.remote_addr, self._play_context.remote_user)
|
|
|
|
def _connect(self):
|
|
cache_key = self._cache_key()
|
|
if cache_key in SSH_CONNECTION_CACHE:
|
|
self.ssh = SSH_CONNECTION_CACHE[cache_key]
|
|
else:
|
|
self.ssh = SSH_CONNECTION_CACHE[cache_key] = self._connect_uncached()
|
|
return self
|
|
|
|
def _parse_proxy_command(self, port=22):
|
|
proxy_command = None
|
|
# Parse ansible_ssh_common_args, specifically looking for ProxyCommand
|
|
ssh_args = [
|
|
getattr(self._play_context, 'ssh_extra_args', '') or '',
|
|
getattr(self._play_context, 'ssh_common_args', '') or '',
|
|
getattr(self._play_context, 'ssh_args', '') or '',
|
|
]
|
|
if ssh_args is not None:
|
|
args = self._split_ssh_args(' '.join(ssh_args))
|
|
for i, arg in enumerate(args):
|
|
if arg.lower() == 'proxycommand':
|
|
# _split_ssh_args split ProxyCommand from the command itself
|
|
proxy_command = args[i + 1]
|
|
else:
|
|
# ProxyCommand and the command itself are a single string
|
|
match = SETTINGS_REGEX.match(arg)
|
|
if match:
|
|
if match.group(1).lower() == 'proxycommand':
|
|
proxy_command = match.group(2)
|
|
|
|
if proxy_command:
|
|
break
|
|
|
|
proxy_command = proxy_command or self._options['proxy_command']
|
|
|
|
sock_kwarg = {}
|
|
if proxy_command:
|
|
replacers = {
|
|
'%h': self._play_context.remote_addr,
|
|
'%p': port,
|
|
'%r': self._play_context.remote_user
|
|
}
|
|
for find, replace in replacers.items():
|
|
proxy_command = proxy_command.replace(find, str(replace))
|
|
try:
|
|
sock_kwarg = {'sock': paramiko.ProxyCommand(proxy_command)}
|
|
display.vvv("CONFIGURE PROXY COMMAND FOR CONNECTION: %s" % proxy_command, host=self._play_context.remote_addr)
|
|
except AttributeError:
|
|
display.warning('Paramiko ProxyCommand support unavailable. '
|
|
'Please upgrade to Paramiko 1.9.0 or newer. '
|
|
'Not using configured ProxyCommand')
|
|
|
|
return sock_kwarg
|
|
|
|
def _connect_uncached(self):
|
|
''' activates the connection object '''
|
|
|
|
if not HAVE_PARAMIKO:
|
|
raise AnsibleError("paramiko is not installed")
|
|
|
|
port = self._play_context.port or 22
|
|
display.vvv("ESTABLISH CONNECTION FOR USER: %s on PORT %s TO %s" % (self._play_context.remote_user, port, self._play_context.remote_addr),
|
|
host=self._play_context.remote_addr)
|
|
|
|
ssh = paramiko.SSHClient()
|
|
|
|
self.keyfile = os.path.expanduser("~/.ssh/known_hosts")
|
|
|
|
if self._options['host_key_checking']:
|
|
for ssh_known_hosts in ("/etc/ssh/ssh_known_hosts", "/etc/openssh/ssh_known_hosts"):
|
|
try:
|
|
# TODO: check if we need to look at several possible locations, possible for loop
|
|
ssh.load_system_host_keys(ssh_known_hosts)
|
|
break
|
|
except IOError:
|
|
pass # file was not found, but not required to function
|
|
ssh.load_system_host_keys()
|
|
|
|
sock_kwarg = self._parse_proxy_command(port)
|
|
|
|
ssh.set_missing_host_key_policy(MyAddPolicy(self._new_stdin, self))
|
|
|
|
allow_agent = True
|
|
|
|
if self._play_context.password is not None:
|
|
allow_agent = False
|
|
|
|
try:
|
|
key_filename = None
|
|
if self._play_context.private_key_file:
|
|
key_filename = os.path.expanduser(self._play_context.private_key_file)
|
|
|
|
ssh.connect(
|
|
self._play_context.remote_addr,
|
|
username=self._play_context.remote_user,
|
|
allow_agent=allow_agent,
|
|
look_for_keys=self._options['look_for_keys'],
|
|
key_filename=key_filename,
|
|
password=self._play_context.password,
|
|
timeout=self._play_context.timeout,
|
|
port=port,
|
|
**sock_kwarg
|
|
)
|
|
except paramiko.ssh_exception.BadHostKeyException as e:
|
|
raise AnsibleConnectionFailure('host key mismatch for %s' % e.hostname)
|
|
except Exception as e:
|
|
msg = str(e)
|
|
if "PID check failed" in msg:
|
|
raise AnsibleError("paramiko version issue, please upgrade paramiko on the machine running ansible")
|
|
elif "Private key file is encrypted" in msg:
|
|
msg = 'ssh %s@%s:%s : %s\nTo connect as a different user, use -u <username>.' % (
|
|
self._play_context.remote_user, self._play_context.remote_addr, port, msg)
|
|
raise AnsibleConnectionFailure(msg)
|
|
else:
|
|
raise AnsibleConnectionFailure(msg)
|
|
|
|
return ssh
|
|
|
|
def exec_command(self, cmd, in_data=None, sudoable=True):
|
|
''' run a command on the remote host '''
|
|
|
|
super(Connection, self).exec_command(cmd, in_data=in_data, sudoable=sudoable)
|
|
|
|
if in_data:
|
|
raise AnsibleError("Internal Error: this module does not support optimized module pipelining")
|
|
|
|
bufsize = 4096
|
|
|
|
try:
|
|
self.ssh.get_transport().set_keepalive(5)
|
|
chan = self.ssh.get_transport().open_session()
|
|
except Exception as e:
|
|
msg = "Failed to open session"
|
|
if len(str(e)) > 0:
|
|
msg += ": %s" % str(e)
|
|
raise AnsibleConnectionFailure(msg)
|
|
|
|
# sudo usually requires a PTY (cf. requiretty option), therefore
|
|
# we give it one by default (pty=True in ansble.cfg), and we try
|
|
# to initialise from the calling environment when sudoable is enabled
|
|
if self._options['pty'] and sudoable:
|
|
chan.get_pty(term=os.getenv('TERM', 'vt100'), width=int(os.getenv('COLUMNS', 0)), height=int(os.getenv('LINES', 0)))
|
|
|
|
display.vvv("EXEC %s" % cmd, host=self._play_context.remote_addr)
|
|
|
|
cmd = to_bytes(cmd, errors='surrogate_or_strict')
|
|
|
|
no_prompt_out = b''
|
|
no_prompt_err = b''
|
|
become_output = b''
|
|
|
|
try:
|
|
chan.exec_command(cmd)
|
|
if self._play_context.prompt:
|
|
passprompt = False
|
|
become_sucess = False
|
|
while not (become_sucess or passprompt):
|
|
display.debug('Waiting for Privilege Escalation input')
|
|
|
|
chunk = chan.recv(bufsize)
|
|
display.debug("chunk is: %s" % chunk)
|
|
if not chunk:
|
|
if b'unknown user' in become_output:
|
|
raise AnsibleError('user %s does not exist' % self._play_context.become_user)
|
|
else:
|
|
break
|
|
# raise AnsibleError('ssh connection closed waiting for password prompt')
|
|
become_output += chunk
|
|
|
|
# need to check every line because we might get lectured
|
|
# and we might get the middle of a line in a chunk
|
|
for l in become_output.splitlines(True):
|
|
if self.check_become_success(l):
|
|
become_sucess = True
|
|
break
|
|
elif self.check_password_prompt(l):
|
|
passprompt = True
|
|
break
|
|
|
|
if passprompt:
|
|
if self._play_context.become and self._play_context.become_pass:
|
|
chan.sendall(to_bytes(self._play_context.become_pass) + b'\n')
|
|
else:
|
|
raise AnsibleError("A password is reqired but none was supplied")
|
|
else:
|
|
no_prompt_out += become_output
|
|
no_prompt_err += become_output
|
|
except socket.timeout:
|
|
raise AnsibleError('ssh timed out waiting for privilege escalation.\n' + become_output)
|
|
|
|
stdout = b''.join(chan.makefile('rb', bufsize))
|
|
stderr = b''.join(chan.makefile_stderr('rb', bufsize))
|
|
|
|
return (chan.recv_exit_status(), no_prompt_out + stdout, no_prompt_out + stderr)
|
|
|
|
def put_file(self, in_path, out_path):
|
|
''' transfer a file from local to remote '''
|
|
|
|
super(Connection, self).put_file(in_path, out_path)
|
|
|
|
display.vvv("PUT %s TO %s" % (in_path, out_path), host=self._play_context.remote_addr)
|
|
|
|
if not os.path.exists(to_bytes(in_path, errors='surrogate_or_strict')):
|
|
raise AnsibleFileNotFound("file or module does not exist: %s" % in_path)
|
|
|
|
try:
|
|
self.sftp = self.ssh.open_sftp()
|
|
except Exception as e:
|
|
raise AnsibleError("failed to open a SFTP connection (%s)" % e)
|
|
|
|
try:
|
|
self.sftp.put(to_bytes(in_path, errors='surrogate_or_strict'), to_bytes(out_path, errors='surrogate_or_strict'))
|
|
except IOError:
|
|
raise AnsibleError("failed to transfer file to %s" % out_path)
|
|
|
|
def _connect_sftp(self):
|
|
|
|
cache_key = "%s__%s__" % (self._play_context.remote_addr, self._play_context.remote_user)
|
|
if cache_key in SFTP_CONNECTION_CACHE:
|
|
return SFTP_CONNECTION_CACHE[cache_key]
|
|
else:
|
|
result = SFTP_CONNECTION_CACHE[cache_key] = self._connect().ssh.open_sftp()
|
|
return result
|
|
|
|
def fetch_file(self, in_path, out_path):
|
|
''' save a remote file to the specified path '''
|
|
|
|
super(Connection, self).fetch_file(in_path, out_path)
|
|
|
|
display.vvv("FETCH %s TO %s" % (in_path, out_path), host=self._play_context.remote_addr)
|
|
|
|
try:
|
|
self.sftp = self._connect_sftp()
|
|
except Exception as e:
|
|
raise AnsibleError("failed to open a SFTP connection (%s)" % to_native(e))
|
|
|
|
try:
|
|
self.sftp.get(to_bytes(in_path, errors='surrogate_or_strict'), to_bytes(out_path, errors='surrogate_or_strict'))
|
|
except IOError:
|
|
raise AnsibleError("failed to transfer file from %s" % in_path)
|
|
|
|
def _any_keys_added(self):
|
|
|
|
for hostname, keys in iteritems(self.ssh._host_keys):
|
|
for keytype, key in iteritems(keys):
|
|
added_this_time = getattr(key, '_added_by_ansible_this_time', False)
|
|
if added_this_time:
|
|
return True
|
|
return False
|
|
|
|
def _save_ssh_host_keys(self, filename):
|
|
'''
|
|
not using the paramiko save_ssh_host_keys function as we want to add new SSH keys at the bottom so folks
|
|
don't complain about it :)
|
|
'''
|
|
|
|
if not self._any_keys_added():
|
|
return False
|
|
|
|
path = os.path.expanduser("~/.ssh")
|
|
makedirs_safe(path)
|
|
|
|
f = open(filename, 'w')
|
|
|
|
for hostname, keys in iteritems(self.ssh._host_keys):
|
|
|
|
for keytype, key in iteritems(keys):
|
|
|
|
# was f.write
|
|
added_this_time = getattr(key, '_added_by_ansible_this_time', False)
|
|
if not added_this_time:
|
|
f.write("%s %s %s\n" % (hostname, keytype, key.get_base64()))
|
|
|
|
for hostname, keys in iteritems(self.ssh._host_keys):
|
|
|
|
for keytype, key in iteritems(keys):
|
|
added_this_time = getattr(key, '_added_by_ansible_this_time', False)
|
|
if added_this_time:
|
|
f.write("%s %s %s\n" % (hostname, keytype, key.get_base64()))
|
|
|
|
f.close()
|
|
|
|
def close(self):
|
|
''' terminate the connection '''
|
|
|
|
cache_key = self._cache_key()
|
|
SSH_CONNECTION_CACHE.pop(cache_key, None)
|
|
SFTP_CONNECTION_CACHE.pop(cache_key, None)
|
|
|
|
if hasattr(self, 'sftp'):
|
|
if self.sftp is not None:
|
|
self.sftp.close()
|
|
|
|
if self._options['host_key_checking'] and self._options['record_host_keys'] and self._any_keys_added():
|
|
|
|
# add any new SSH host keys -- warning -- this could be slow
|
|
# (This doesn't acquire the connection lock because it needs
|
|
# to exclude only other known_hosts writers, not connections
|
|
# that are starting up.)
|
|
lockfile = self.keyfile.replace("known_hosts", ".known_hosts.lock")
|
|
dirname = os.path.dirname(self.keyfile)
|
|
makedirs_safe(dirname)
|
|
|
|
KEY_LOCK = open(lockfile, 'w')
|
|
fcntl.lockf(KEY_LOCK, fcntl.LOCK_EX)
|
|
|
|
try:
|
|
# just in case any were added recently
|
|
|
|
self.ssh.load_system_host_keys()
|
|
self.ssh._host_keys.update(self.ssh._system_host_keys)
|
|
|
|
# gather information about the current key file, so
|
|
# we can ensure the new file has the correct mode/owner
|
|
|
|
key_dir = os.path.dirname(self.keyfile)
|
|
if os.path.exists(self.keyfile):
|
|
key_stat = os.stat(self.keyfile)
|
|
mode = key_stat.st_mode
|
|
uid = key_stat.st_uid
|
|
gid = key_stat.st_gid
|
|
else:
|
|
mode = 33188
|
|
uid = os.getuid()
|
|
gid = os.getgid()
|
|
|
|
# Save the new keys to a temporary file and move it into place
|
|
# rather than rewriting the file. We set delete=False because
|
|
# the file will be moved into place rather than cleaned up.
|
|
|
|
tmp_keyfile = tempfile.NamedTemporaryFile(dir=key_dir, delete=False)
|
|
os.chmod(tmp_keyfile.name, mode & 0o7777)
|
|
os.chown(tmp_keyfile.name, uid, gid)
|
|
|
|
self._save_ssh_host_keys(tmp_keyfile.name)
|
|
tmp_keyfile.close()
|
|
|
|
os.rename(tmp_keyfile.name, self.keyfile)
|
|
|
|
except:
|
|
|
|
# unable to save keys, including scenario when key was invalid
|
|
# and caught earlier
|
|
traceback.print_exc()
|
|
fcntl.lockf(KEY_LOCK, fcntl.LOCK_UN)
|
|
|
|
self.ssh.close()
|