mirror of
https://github.com/ansible-collections/community.general.git
synced 2025-04-25 11:51:26 -07:00
445ff39f94
* [WIP] become plugins
Move from hardcoded method to plugins for ease of use, expansion and overrides
- load into connection as it is going to be the main consumer
- play_context will also use to keep backwards compat API
- ensure shell is used to construct commands when needed
- migrate settings remove from base config in favor of plugin specific configs
- cleanup ansible-doc
- add become plugin docs
- remove deprecated sudo/su code and keywords
- adjust become options for cli
- set plugin options from context
- ensure config defs are avaialbe before instance
- refactored getting the shell plugin, fixed tests
- changed into regex as they were string matching, which does not work with random string generation
- explicitly set flags for play context tests
- moved plugin loading up front
- now loads for basedir also
- allow pyc/o for non m modules
- fixes to tests and some plugins
- migrate to play objects fro play_context
- simiplify gathering
- added utf8 headers
- moved option setting
- add fail msg to dzdo
- use tuple for multiple options on fail/missing
- fix relative plugin paths
- shift from play context to play
- all tasks already inherit this from play directly
- remove obsolete 'set play'
- correct environment handling
- add wrap_exe option to pfexec
- fix runas to noop
- fixed setting play context
- added password configs
- removed required false
- remove from doc building till they are ready
future development:
- deal with 'enable' and 'runas' which are not 'command wrappers' but 'state flags' and currently hardcoded in diff subsystems
* cleanup
remove callers to removed func
removed --sudo cli doc refs
remove runas become_exe
ensure keyerorr on plugin
also fix backwards compat, missing method is attributeerror, not ansible error
get remote_user consistently
ignore missing system_tmpdirs on plugin load
correct config precedence
add deprecation
fix networking imports
backwards compat for plugins using BECOME_METHODS
* Port become_plugins to context.CLIARGS
This is a work in progress:
* Stop passing options around everywhere as we can use context.CLIARGS
instead
* Refactor make_become_commands as asked for by alikins
* Typo in comment fix
* Stop loading values from the cli in more than one place
Both play and play_context were saving default values from the cli
arguments directly. This changes things so that the default values are
loaded into the play and then play_context takes them from there.
* Rename BECOME_PLUGIN_PATH to DEFAULT_BECOME_PLUGIN_PATH
As alikins said, all other plugin paths are named
DEFAULT_plugintype_PLUGIN_PATH. If we're going to rename these, that
should be done all at one time rather than piecemeal.
* One to throw away
This is a set of hacks to get setting FieldAttribute defaults to command
line args to work. It's not fully done yet.
After talking it over with sivel and jimi-c this should be done by
fixing FieldAttributeBase and _get_parent_attribute() calls to do the
right thing when there is a non-None default.
What we want to be able to do ideally is something like this:
class Base(FieldAttributeBase):
_check_mode = FieldAttribute([..] default=lambda: context.CLIARGS['check'])
class Play(Base):
# lambda so that we have a chance to parse the command line args
# before we get here. In the future we might be able to restructure
# this so that the cli parsing code runs before these classes are
# defined.
class Task(Base):
pass
And still have a playbook like this function:
---
- hosts:
tasks:
- command: whoami
check_mode: True
(The check_mode test that is added as a separate commit in this PR will
let you test variations on this case).
There's a few separate reasons that the code doesn't let us do this or
a non-ugly workaround for this as written right now. The fix that
jimi-c, sivel, and I talked about may let us do this or it may still
require a workaround (but less ugly) (having one class that has the
FieldAttributes with default values and one class that inherits from
that but just overrides the FieldAttributes which now have defaults)
* Revert "One to throw away"
This reverts commit 23aa883cbed11429ef1be2a2d0ed18f83a3b8064.
* Set FieldAttr defaults directly from CLIARGS
* Remove dead code
* Move timeout directly to PlayContext, it's never needed on Play
* just for backwards compat, add a static version of BECOME_METHODS to constants
* Make the become attr on the connection public, since it's used outside of the connection
* Logic fix
* Nuke connection testing if it supports specific become methods
* Remove unused vars
* Address rebase issues
* Fix path encoding issue
* Remove unused import
* Various cleanups
* Restore network_cli check in _low_level_execute_command
* type improvements for cliargs_deferred_get and swap shallowcopy to default to False
* minor cleanups
* Allow the su plugin to work, since it doesn't define a prompt the same way
* Fix up ksu become plugin
* Only set prompt if build_become_command was called
* Add helper to assist connection plugins in knowing they need to wait for a prompt
* Fix tests and code expectations
* Doc updates
* Various additional minor cleanups
* Make doas functional
* Don't change connection signature, load become plugin from TaskExecutor
* Remove unused imports
* Add comment about setting the become plugin on the playcontext
* Fix up tests for recent changes
* Support 'Password:' natively for the doas plugin
* Make default prompts raw
* wording cleanups. ci_complete
* Remove unrelated changes
* Address spelling mistake
* Restore removed test, and udpate to use new functionality
* Add changelog fragment
* Don't hard fail in set_attributes_from_cli on missing CLI keys
* Remove unrelated change to loader
* Remove internal deprecated FieldAttributes now
* Emit deprecation warnings now
304 lines
13 KiB
Python
304 lines
13 KiB
Python
# Based on the chroot connection plugin by Maykel Moya
|
|
#
|
|
# (c) 2014, Lorin Hochstein
|
|
# (c) 2015, Leendert Brouwer (https://github.com/objectified)
|
|
# (c) 2015, Toshio Kuratomi <tkuratomi@ansible.com>
|
|
# Copyright (c) 2017 Ansible Project
|
|
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
|
|
from __future__ import (absolute_import, division, print_function)
|
|
__metaclass__ = type
|
|
|
|
DOCUMENTATION = """
|
|
author:
|
|
- Lorin Hochestein
|
|
- Leendert Brouwer
|
|
connection: docker
|
|
short_description: Run tasks in docker containers
|
|
description:
|
|
- Run commands or put/fetch files to an existing docker container.
|
|
version_added: "2.0"
|
|
options:
|
|
remote_user:
|
|
description:
|
|
- The user to execute as inside the container
|
|
default: The set user as per docker's configuration
|
|
vars:
|
|
- name: ansible_user
|
|
- name: ansible_docker4_user
|
|
docker_extra_args:
|
|
description:
|
|
- Extra arguments to pass to the docker command line
|
|
default: ''
|
|
remote_addr:
|
|
description:
|
|
- The name of the container you want to access.
|
|
default: inventory_hostname
|
|
vars:
|
|
- name: ansible_host
|
|
- name: ansible_docker_host
|
|
"""
|
|
|
|
import distutils.spawn
|
|
import os
|
|
import os.path
|
|
import subprocess
|
|
import re
|
|
|
|
from distutils.version import LooseVersion
|
|
|
|
import ansible.constants as C
|
|
from ansible.errors import AnsibleError, AnsibleFileNotFound
|
|
from ansible.module_utils.six.moves import shlex_quote
|
|
from ansible.module_utils._text import to_bytes, to_native, to_text
|
|
from ansible.plugins.connection import ConnectionBase, BUFSIZE
|
|
from ansible.utils.display import Display
|
|
|
|
display = Display()
|
|
|
|
|
|
class Connection(ConnectionBase):
|
|
''' Local docker based connections '''
|
|
|
|
transport = 'docker'
|
|
has_pipelining = True
|
|
|
|
def __init__(self, play_context, new_stdin, *args, **kwargs):
|
|
super(Connection, self).__init__(play_context, new_stdin, *args, **kwargs)
|
|
|
|
# Note: docker supports running as non-root in some configurations.
|
|
# (For instance, setting the UNIX socket file to be readable and
|
|
# writable by a specific UNIX group and then putting users into that
|
|
# group). Therefore we don't check that the user is root when using
|
|
# this connection. But if the user is getting a permission denied
|
|
# error it probably means that docker on their system is only
|
|
# configured to be connected to by root and they are not running as
|
|
# root.
|
|
|
|
if 'docker_command' in kwargs:
|
|
self.docker_cmd = kwargs['docker_command']
|
|
else:
|
|
self.docker_cmd = distutils.spawn.find_executable('docker')
|
|
if not self.docker_cmd:
|
|
raise AnsibleError("docker command not found in PATH")
|
|
|
|
docker_version = self._get_docker_version()
|
|
if LooseVersion(docker_version) < LooseVersion(u'1.3'):
|
|
raise AnsibleError('docker connection type requires docker 1.3 or higher')
|
|
|
|
# The remote user we will request from docker (if supported)
|
|
self.remote_user = None
|
|
# The actual user which will execute commands in docker (if known)
|
|
self.actual_user = None
|
|
|
|
if self._play_context.remote_user is not None:
|
|
if LooseVersion(docker_version) >= LooseVersion(u'1.7'):
|
|
# Support for specifying the exec user was added in docker 1.7
|
|
self.remote_user = self._play_context.remote_user
|
|
self.actual_user = self.remote_user
|
|
else:
|
|
self.actual_user = self._get_docker_remote_user()
|
|
|
|
if self.actual_user != self._play_context.remote_user:
|
|
display.warning(u'docker {0} does not support remote_user, using container default: {1}'
|
|
.format(docker_version, self.actual_user or u'?'))
|
|
elif self._display.verbosity > 2:
|
|
# Since we're not setting the actual_user, look it up so we have it for logging later
|
|
# Only do this if display verbosity is high enough that we'll need the value
|
|
# This saves overhead from calling into docker when we don't need to
|
|
self.actual_user = self._get_docker_remote_user()
|
|
|
|
@staticmethod
|
|
def _sanitize_version(version):
|
|
return re.sub(u'[^0-9a-zA-Z.]', u'', version)
|
|
|
|
def _old_docker_version(self):
|
|
cmd_args = []
|
|
if self._play_context.docker_extra_args:
|
|
cmd_args += self._play_context.docker_extra_args.split(' ')
|
|
|
|
old_version_subcommand = ['version']
|
|
|
|
old_docker_cmd = [self.docker_cmd] + cmd_args + old_version_subcommand
|
|
p = subprocess.Popen(old_docker_cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
cmd_output, err = p.communicate()
|
|
|
|
return old_docker_cmd, to_native(cmd_output), err, p.returncode
|
|
|
|
def _new_docker_version(self):
|
|
# no result yet, must be newer Docker version
|
|
cmd_args = []
|
|
if self._play_context.docker_extra_args:
|
|
cmd_args += self._play_context.docker_extra_args.split(' ')
|
|
|
|
new_version_subcommand = ['version', '--format', "'{{.Server.Version}}'"]
|
|
|
|
new_docker_cmd = [self.docker_cmd] + cmd_args + new_version_subcommand
|
|
p = subprocess.Popen(new_docker_cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
cmd_output, err = p.communicate()
|
|
return new_docker_cmd, to_native(cmd_output), err, p.returncode
|
|
|
|
def _get_docker_version(self):
|
|
|
|
cmd, cmd_output, err, returncode = self._old_docker_version()
|
|
if returncode == 0:
|
|
for line in to_text(cmd_output, errors='surrogate_or_strict').split(u'\n'):
|
|
if line.startswith(u'Server version:'): # old docker versions
|
|
return self._sanitize_version(line.split()[2])
|
|
|
|
cmd, cmd_output, err, returncode = self._new_docker_version()
|
|
if returncode:
|
|
raise AnsibleError('Docker version check (%s) failed: %s' % (to_native(cmd), to_native(err)))
|
|
|
|
return self._sanitize_version(to_text(cmd_output, errors='surrogate_or_strict'))
|
|
|
|
def _get_docker_remote_user(self):
|
|
""" Get the default user configured in the docker container """
|
|
p = subprocess.Popen([self.docker_cmd, 'inspect', '--format', '{{.Config.User}}', self._play_context.remote_addr],
|
|
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
|
|
out, err = p.communicate()
|
|
out = to_text(out, errors='surrogate_or_strict')
|
|
|
|
if p.returncode != 0:
|
|
display.warning(u'unable to retrieve default user from docker container: %s %s' % (out, to_text(err)))
|
|
return None
|
|
|
|
# The default exec user is root, unless it was changed in the Dockerfile with USER
|
|
return out.strip() or u'root'
|
|
|
|
def _build_exec_cmd(self, cmd):
|
|
""" Build the local docker exec command to run cmd on remote_host
|
|
|
|
If remote_user is available and is supported by the docker
|
|
version we are using, it will be provided to docker exec.
|
|
"""
|
|
|
|
local_cmd = [self.docker_cmd]
|
|
|
|
if self._play_context.docker_extra_args:
|
|
local_cmd += self._play_context.docker_extra_args.split(' ')
|
|
|
|
local_cmd += [b'exec']
|
|
|
|
if self.remote_user is not None:
|
|
local_cmd += [b'-u', self.remote_user]
|
|
|
|
# -i is needed to keep stdin open which allows pipelining to work
|
|
local_cmd += [b'-i', self._play_context.remote_addr] + cmd
|
|
|
|
return local_cmd
|
|
|
|
def _connect(self, port=None):
|
|
""" Connect to the container. Nothing to do """
|
|
super(Connection, self)._connect()
|
|
if not self._connected:
|
|
display.vvv(u"ESTABLISH DOCKER CONNECTION FOR USER: {0}".format(
|
|
self.actual_user or u'?'), host=self._play_context.remote_addr
|
|
)
|
|
self._connected = True
|
|
|
|
def exec_command(self, cmd, in_data=None, sudoable=False):
|
|
""" Run a command on the docker host """
|
|
super(Connection, self).exec_command(cmd, in_data=in_data, sudoable=sudoable)
|
|
|
|
local_cmd = self._build_exec_cmd([self._play_context.executable, '-c', cmd])
|
|
|
|
display.vvv("EXEC %s" % (local_cmd,), host=self._play_context.remote_addr)
|
|
local_cmd = [to_bytes(i, errors='surrogate_or_strict') for i in local_cmd]
|
|
p = subprocess.Popen(local_cmd, shell=False, stdin=subprocess.PIPE,
|
|
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
|
|
stdout, stderr = p.communicate(in_data)
|
|
return (p.returncode, stdout, stderr)
|
|
|
|
def _prefix_login_path(self, remote_path):
|
|
''' Make sure that we put files into a standard path
|
|
|
|
If a path is relative, then we need to choose where to put it.
|
|
ssh chooses $HOME but we aren't guaranteed that a home dir will
|
|
exist in any given chroot. So for now we're choosing "/" instead.
|
|
This also happens to be the former default.
|
|
|
|
Can revisit using $HOME instead if it's a problem
|
|
'''
|
|
if not remote_path.startswith(os.path.sep):
|
|
remote_path = os.path.join(os.path.sep, remote_path)
|
|
return os.path.normpath(remote_path)
|
|
|
|
def put_file(self, in_path, out_path):
|
|
""" Transfer a file from local to docker container """
|
|
super(Connection, self).put_file(in_path, out_path)
|
|
display.vvv("PUT %s TO %s" % (in_path, out_path), host=self._play_context.remote_addr)
|
|
|
|
out_path = self._prefix_login_path(out_path)
|
|
if not os.path.exists(to_bytes(in_path, errors='surrogate_or_strict')):
|
|
raise AnsibleFileNotFound(
|
|
"file or module does not exist: %s" % to_native(in_path))
|
|
|
|
out_path = shlex_quote(out_path)
|
|
# Older docker doesn't have native support for copying files into
|
|
# running containers, so we use docker exec to implement this
|
|
# Although docker version 1.8 and later provide support, the
|
|
# owner and group of the files are always set to root
|
|
with open(to_bytes(in_path, errors='surrogate_or_strict'), 'rb') as in_file:
|
|
if not os.fstat(in_file.fileno()).st_size:
|
|
count = ' count=0'
|
|
else:
|
|
count = ''
|
|
args = self._build_exec_cmd([self._play_context.executable, "-c", "dd of=%s bs=%s%s" % (out_path, BUFSIZE, count)])
|
|
args = [to_bytes(i, errors='surrogate_or_strict') for i in args]
|
|
try:
|
|
p = subprocess.Popen(args, stdin=in_file,
|
|
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
except OSError:
|
|
raise AnsibleError("docker connection requires dd command in the container to put files")
|
|
stdout, stderr = p.communicate()
|
|
|
|
if p.returncode != 0:
|
|
raise AnsibleError("failed to transfer file %s to %s:\n%s\n%s" %
|
|
(to_native(in_path), to_native(out_path), to_native(stdout), to_native(stderr)))
|
|
|
|
def fetch_file(self, in_path, out_path):
|
|
""" Fetch a file from container to local. """
|
|
super(Connection, self).fetch_file(in_path, out_path)
|
|
display.vvv("FETCH %s TO %s" % (in_path, out_path), host=self._play_context.remote_addr)
|
|
|
|
in_path = self._prefix_login_path(in_path)
|
|
# out_path is the final file path, but docker takes a directory, not a
|
|
# file path
|
|
out_dir = os.path.dirname(out_path)
|
|
|
|
args = [self.docker_cmd, "cp", "%s:%s" % (self._play_context.remote_addr, in_path), out_dir]
|
|
args = [to_bytes(i, errors='surrogate_or_strict') for i in args]
|
|
|
|
p = subprocess.Popen(args, stdin=subprocess.PIPE,
|
|
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
p.communicate()
|
|
|
|
actual_out_path = os.path.join(out_dir, os.path.basename(in_path))
|
|
|
|
if p.returncode != 0:
|
|
# Older docker doesn't have native support for fetching files command `cp`
|
|
# If `cp` fails, try to use `dd` instead
|
|
args = self._build_exec_cmd([self._play_context.executable, "-c", "dd if=%s bs=%s" % (in_path, BUFSIZE)])
|
|
args = [to_bytes(i, errors='surrogate_or_strict') for i in args]
|
|
with open(to_bytes(actual_out_path, errors='surrogate_or_strict'), 'wb') as out_file:
|
|
try:
|
|
p = subprocess.Popen(args, stdin=subprocess.PIPE,
|
|
stdout=out_file, stderr=subprocess.PIPE)
|
|
except OSError:
|
|
raise AnsibleError("docker connection requires dd command in the container to put files")
|
|
stdout, stderr = p.communicate()
|
|
|
|
if p.returncode != 0:
|
|
raise AnsibleError("failed to fetch file %s to %s:\n%s\n%s" % (in_path, out_path, stdout, stderr))
|
|
|
|
# Rename if needed
|
|
if actual_out_path != out_path:
|
|
os.rename(to_bytes(actual_out_path, errors='strict'), to_bytes(out_path, errors='strict'))
|
|
|
|
def close(self):
|
|
""" Terminate the connection. Nothing to do for Docker"""
|
|
super(Connection, self).close()
|
|
self._connected = False
|