2.0.0.2_1 appears to have a quoting problem. It broke this playbook:

---
- hosts: ws-leeb.ad.nyingma.org
  become: yes
  become_method: su
  gather_facts: false
  tasks:
    - name: install packages
      pkgng: name={{item}} state=present
      with_items:
        - editors/nano
        - net/x11vnc
        - x11/xscreensaver

# env ANSIBLE_KEEP_REMOTE_FILES=1 ansible-playbook packages.yml -vvv
Using /usr/local/etc/ansible/ansible.cfg as config file
1 plays in packages.yml

PLAY ***************************************************************************

TASK [install packages] ********************************************************
task path: /usr/local/home/niadmin/packages.yml:7
<ws-leeb.ad.nyingma.org> ESTABLISH CONNECTION FOR USER: None on PORT 22 TO ws-leeb.ad.nyingma.org
<ws-leeb.ad.nyingma.org> EXEC /bin/sh -c '( umask 22 && mkdir -p "$( echo $HOME/.ansible/tmp/ansible-tmp-1453686702.79-221069478550614 )" && echo "$( echo $HOME/.ansible/tmp/ansible-tmp-1453686702.79-221069478550614 )" )'
<ws-leeb.ad.nyingma.org> PUT /tmp/tmptorHDN TO /home/niadmin/.ansible/tmp/ansible-tmp-1453686702.79-221069478550614/pkgng
<ws-leeb.ad.nyingma.org> EXEC /bin/sh -c 'su root -c "/bin/sh -c '"'"'echo BECOME-SUCCESS-euyywawtqzdtpwanwnukrkzmdlyqrtbv; /bin/sh -c '"'"'"'"'"'"'"'"'LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 /usr/local/bin/python /home/niadmin/.ansible/tmp/ansible-tmp-1453686702.79-221069478550614/pkgng'"'"'"'"'"'"'"'"''"'"'"'
failed: [ws-leeb.ad.nyingma.org] => (item=[u'editors/nano', u'net/x11vnc', u'x11/xscreensaver']) => {"failed": true, "invocation": {"module_name": "pkgng"}, "item": ["editors/nano", "net/x11vnc", "x11/xscreensaver"], "module_stderr": "", "module_stdout": "Unmatched \".\r\n", "msg": "MODULE FAILURE", "parsed": false}

PLAY RECAP *********************************************************************
ws-leeb.ad.nyingma.org : ok=0 changed=0 unreachable=0 failed=1

===========================

Rolling back to 2.0.0.2, the same playbook works:

# env ANSIBLE_KEEP_REMOTE_FILES=1 ansible-playbook packages.yml -vvv
Using /usr/local/etc/ansible/ansible.cfg as config file
1 plays in packages.yml

PLAY ***************************************************************************

TASK [install packages] ********************************************************
task path: /usr/local/home/niadmin/packages.yml:7
<ws-leeb.ad.nyingma.org> ESTABLISH CONNECTION FOR USER: None on PORT 22 TO ws-leeb.ad.nyingma.org
<ws-leeb.ad.nyingma.org> EXEC ( umask 22 && mkdir -p "$( echo $HOME/.ansible/tmp/ansible-tmp-1453689071.67-21341447504375 )" && echo "$( echo $HOME/.ansible/tmp/ansible-tmp-1453689071.67-21341447504375 )" )
<ws-leeb.ad.nyingma.org> PUT /tmp/tmpjRacP2 TO /home/niadmin/.ansible/tmp/ansible-tmp-1453689071.67-21341447504375/pkgng
<ws-leeb.ad.nyingma.org> EXEC /bin/sh -c 'su root -c "/bin/sh -c '"'"'echo BECOME-SUCCESS-aaekyjeoamlglygtuwivsglywepwospv; LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 /usr/local/bin/python /home/niadmin/.ansible/tmp/ansible-tmp-1453689071.67-21341447504375/pkgng'"'"'"'
ok: [ws-leeb.ad.nyingma.org] => (item=[u'editors/nano', u'net/x11vnc', u'x11/xscreensaver']) => {"changed": false, "invocation": {"module_args": {"annotation": "", "cached": false, "name": ["editors/nano", "net/x11vnc", "x11/xscreensaver"], "pkgsite": "", "rootdir": "", "state": "present"}, "module_name": "pkgng"}, "item": ["editors/nano", "net/x11vnc", "x11/xscreensaver"], "msg": "package(s) already present"}

PLAY RECAP *********************************************************************
ws-leeb.ad.nyingma.org : ok=1 changed=0 unreachable=0 failed=0
local and remote shell is /bin/sh.
I will look into this for you.
leeb, matthew: can you try both testcases with the second piece of extra-patch-8647fc removed please? If this works, I'll submit the fix upstream.
No, it just breaks differently. Using this: --- lib/ansible/plugins/action/__init__.py.orig 2016-01-14 22:33:27 UTC +++ lib/ansible/plugins/action/__init__.py 
@@ -475,8 +475,7 @@ class ActionBase(with_metaclass(ABCMeta, display.debug("done with _execute_module (%s, %s)" % (module_name, module_args)) return data - def _low_level_execute_command(self, cmd, sudoable=True, in_data=None, - executable=None, encoding_errors='replace'): + def _low_level_execute_command(self, cmd, sudoable=True, in_data=None, executable=C.DEFAULT_EXECUTABLE, encoding_errors='replace'): ''' This is the function which executes the low level shell command, which may be commands to create/remove directories for temporary files, or to I now get this result: $ env ANSIBLE_KEEP_REMOTE_FILES=1 ansible-playbook packages.yml -vvv Using /usr/local/etc/ansible/ansible.cfg as config file 1 plays in packages.yml PLAY *************************************************************************** TASK [install packages] ******************************************************** task path: /usr/local/home/niadmin/packages.yml:7 <ws-leeb.ad.nyingma.org> ESTABLISH CONNECTION FOR USER: None on PORT 22 TO ws-leeb.ad.nyingma.org <ws-leeb.ad.nyingma.org> EXEC /bin/sh -c ( umask 22 && mkdir -p "$( echo $HOME/.ansible/tmp/ansible-tmp-1453696957.15-50158191509323 )" && echo "$( echo $HOME/.ansible/tmp/ansible-tmp-1453696957.15-50158191509323 )" ) fatal: [ws-leeb.ad.nyingma.org]: UNREACHABLE! => {"changed": false, "msg": "All items completed", "results": [{"item": ["editors/nano", "net/x11vnc", "x11/xscreensaver"], "msg": "ERROR! Authentication or permission failure. In some cases, you may have been able to authenticate and did not have permissions on the remote directory. Consider changing the remote temp path in ansible.cfg to a path rooted in \"/tmp\". 
Failed command was: ( umask 22 && mkdir -p \"$( echo $HOME/.ansible/tmp/ansible-tmp-1453696957.15-50158191509323 )\" && echo \"$( echo $HOME/.ansible/tmp/ansible-tmp-1453696957.15-50158191509323 )\" ), exited with result 2: Syntax error: \"(\" unexpected\r\n", "unreachable": true}]}

PLAY RECAP *********************************************************************
ws-leeb.ad.nyingma.org : ok=0 changed=0 unreachable=1 failed=0

ping module now fails too (it still ran with full patch):

$ ansible -m ping ws-leeb.ad.nyingma.org
ws-leeb.ad.nyingma.org | UNREACHABLE! => {
    "changed": false,
    "msg": "ERROR! Authentication or permission failure. In some cases, you may have been able to authenticate and did not have permissions on the remote directory. Consider changing the remote temp path in ansible.cfg to a path rooted in \"/tmp\". Failed command was: ( umask 22 && mkdir -p \"$( echo $HOME/.ansible/tmp/ansible-tmp-1453697577.22-162119065183458 )\" && echo \"$( echo $HOME/.ansible/tmp/ansible-tmp-1453697577.22-162119065183458 )\" ), exited with result 2: Syntax error: \"(\" unexpected\r\n",
    "unreachable": true

Reverting to no patch

$ env ANSIBLE_KEEP_REMOTE_FILES=1 ansible-playbook packages.yml -vvv
Using /usr/local/etc/ansible/ansible.cfg as config file
1 plays in packages.yml

PLAY ***************************************************************************

TASK [install packages] ********************************************************
task path: /usr/local/home/niadmin/packages.yml:7
<ws-leeb.ad.nyingma.org> ESTABLISH CONNECTION FOR USER: None on PORT 22 TO ws-leeb.ad.nyingma.org
<ws-leeb.ad.nyingma.org> EXEC ( umask 22 && mkdir -p "$( echo $HOME/.ansible/tmp/ansible-tmp-1453697875.05-54043981240493 )" && echo "$( echo $HOME/.ansible/tmp/ansible-tmp-1453697875.05-54043981240493 )" )
<ws-leeb.ad.nyingma.org> PUT /tmp/tmpFV1eMg TO /home/niadmin/.ansible/tmp/ansible-tmp-1453697875.05-54043981240493/pkgng
<ws-leeb.ad.nyingma.org> EXEC /bin/sh -c 'su root -c "/bin/sh -c '"'"'echo BECOME-SUCCESS-sofeidbqqkhxdqzgofrolhdrukueqtlx; LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 /usr/local/bin/python /home/niadmin/.ansible/tmp/ansible-tmp-1453697875.05-54043981240493/pkgng'"'"'"'
ok: [ws-leeb.ad.nyingma.org] => (item=[u'editors/nano', u'net/x11vnc', u'x11/xscreensaver']) => {"changed": false, "invocation": {"module_args": {"annotation": "", "cached": false, "name": ["editors/nano", "net/x11vnc", "x11/xscreensaver"], "pkgsite": "", "rootdir": "", "state": "present"}, "module_name": "pkgng"}, "item": ["editors/nano", "net/x11vnc", "x11/xscreensaver"], "msg": "package(s) already present"}

PLAY RECAP *********************************************************************
ws-leeb.ad.nyingma.org : ok=1 changed=0 unreachable=0 failed=0

$ ansible -m ping ws-leeb.ad.nyingma.org
ws-leeb.ad.nyingma.org | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
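Review bot: The new default `executable=C.DEFAULT_EXECUTABLE` on the `_low_level_execute_command` signature changes behaviour for every caller that omits the argument, since there is no longer a way to ask for an unwrapped command by leaving it out. Consider keeping `executable=None` as the default and resolving it to `C.DEFAULT_EXECUTABLE` inside the function body only on the paths that need the wrapper. The signature has also been joined into one long line where the original wrapped it over two; keeping the wrap would reduce the diff to the one changed default. The hunk does not show whether `C` is already imported in this module, so that is worth confirming.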
Fix the version number in the synopsis.
So far I'm not seeing problems with 2.0.0.2_1 (i.e. with the patch) doing both ansible pings or running a playbook. I am using 'sudo' for the become_method though. Is this problem specific to the use of su(1)?
The problem only exhibits itself with become_method='su', not 'sudo'. I got both test cases from this bug and from Bugzilla 206498 passing by resetting the executable back to none when become_method='su'. Please test the patch I'm about to attach.
Created attachment 166104
sysutils/ansible: fix 'su' regression
Comment on attachment 166104
sysutils/ansible: fix 'su' regression

I'm going to remove my approval for now, until both can test this.
I tested scenarios in Bugzilla 206498 and 206591 (this one) with both sudo and su.
The patched version fails with su(1) for me, I'm afraid:

stingray:...local/etc/ansible:% ansible-playbook -vvv pkg.yml --limit stingray.fish.adestra.com --su --ask-su-pass
Using /usr/local/etc/ansible/ansible.cfg as config file
SU password:
1 plays in pkg.yml

PLAY ***************************************************************************

TASK [update pkg] **************************************************************
task path: /usr/local/etc/ansible/pkg.yml:6
<stingray.fish.adestra.com> ESTABLISH SSH CONNECTION FOR USER: None
<stingray.fish.adestra.com> SSH: EXEC ssh -C -q -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/matthew/.ansible/cp/ansible-ssh-%h-%p-%r -tt stingray.fish.adestra.com '( umask 22 && mkdir -p "$( echo ${HOME}/.ansible/tmp/ansible-tmp-1453736624.04-78823669591423 )" && echo "$( echo ${HOME}/.ansible/tmp/ansible-tmp-1453736624.04-78823669591423 )" )'
fatal: [stingray.fish.adestra.com]: UNREACHABLE! => {"changed": false, "msg": "ERROR! Authentication or permission failure. In some cases, you may have been able to authenticate and did not have permissions on the remote directory. Consider changing the remote temp path in ansible.cfg to a path rooted in \"/tmp\". Failed command was: ( umask 22 && mkdir -p \"$( echo ${HOME}/.ansible/tmp/ansible-tmp-1453736624.04-78823669591423 )\" && echo \"$( echo ${HOME}/.ansible/tmp/ansible-tmp-1453736624.04-78823669591423 )\" ), exited with result 1: Illegal variable name.\r\n", "unreachable": true}

PLAY RECAP *********************************************************************
stingray.fish.adestra.com : ok=0 changed=0 unreachable=1 failed=0

stingray:...local/etc/ansible:% cat pkg.yml
---
- hosts: all
  become: yes
  gather_facts: false
  tasks:
    - name: update pkg
      pkgng: name=ports-mgmt/pkg state=present
Created attachment 166108
ansible fix

This is an alternative approach to fix in 206498: quote become cmd before returning. This completely reverts offending upstream commit.
Please test above patch.
Unfortunately that latest patch seems not to work at all for me, either with su or without:

stingray:...local/etc/ansible:% ansible-playbook -vvv pkg.yml --limit stingray.fish.adestra.com --su --ask-su-pass
Using /usr/local/etc/ansible/ansible.cfg as config file
SU password:
1 plays in pkg.yml

PLAY ***************************************************************************

TASK [update pkg] **************************************************************
task path: /usr/local/etc/ansible/pkg.yml:6
<stingray.fish.adestra.com> ESTABLISH SSH CONNECTION FOR USER: None
<stingray.fish.adestra.com> SSH: EXEC ssh -C -q -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/matthew/.ansible/cp/ansible-ssh-%h-%p-%r -tt stingray.fish.adestra.com '( umask 22 && mkdir -p "$( echo ${HOME}/.ansible/tmp/ansible-tmp-1453744983.63-124899333474855 )" && echo "$( echo ${HOME}/.ansible/tmp/ansible-tmp-1453744983.63-124899333474855 )" )'
fatal: [stingray.fish.adestra.com]: UNREACHABLE! => {"changed": false, "msg": "ERROR! Authentication or permission failure. In some cases, you may have been able to authenticate and did not have permissions on the remote directory. Consider changing the remote temp path in ansible.cfg to a path rooted in \"/tmp\". Failed command was: ( umask 22 && mkdir -p \"$( echo ${HOME}/.ansible/tmp/ansible-tmp-1453744983.63-124899333474855 )\" && echo \"$( echo ${HOME}/.ansible/tmp/ansible-tmp-1453744983.63-124899333474855 )\" ), exited with result 1: Illegal variable name.\r\n", "unreachable": true}

PLAY RECAP *********************************************************************
stingray.fish.adestra.com : ok=0 changed=0 unreachable=1 failed=0

stingray:...local/etc/ansible:% ansible-playbook -vvv pkg.yml --limit stingray.fish.adestra.com
Using /usr/local/etc/ansible/ansible.cfg as config file
1 plays in pkg.yml

PLAY ***************************************************************************

TASK [update pkg] **************************************************************
task path: /usr/local/etc/ansible/pkg.yml:6
<stingray.fish.adestra.com> ESTABLISH SSH CONNECTION FOR USER: None
<stingray.fish.adestra.com> SSH: EXEC ssh -C -q -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/matthew/.ansible/cp/ansible-ssh-%h-%p-%r -tt stingray.fish.adestra.com '( umask 22 && mkdir -p "$( echo ${HOME}/.ansible/tmp/ansible-tmp-1453745069.57-222157343202845 )" && echo "$( echo ${HOME}/.ansible/tmp/ansible-tmp-1453745069.57-222157343202845 )" )'
fatal: [stingray.fish.adestra.com]: UNREACHABLE! => {"changed": false, "msg": "ERROR! Authentication or permission failure. In some cases, you may have been able to authenticate and did not have permissions on the remote directory. Consider changing the remote temp path in ansible.cfg to a path rooted in \"/tmp\". Failed command was: ( umask 22 && mkdir -p \"$( echo ${HOME}/.ansible/tmp/ansible-tmp-1453745069.57-222157343202845 )\" && echo \"$( echo ${HOME}/.ansible/tmp/ansible-tmp-1453745069.57-222157343202845 )\" ), exited with result 1: Illegal variable name.\r\n", "unreachable": true}

PLAY RECAP *********************************************************************
stingray.fish.adestra.com : ok=0 changed=0 unreachable=1 failed=0
That's weird. It works for me. Can you attach copies of these files, copy of your pkg.yml, and copy of your ansible.cfg please?

/usr/local/lib/python2.7/site-packages/ansible/plugins/action/__init__.py
/usr/local/lib/python2.7/site-packages/ansible/playbook/play_context.py
matthew: never mind, I can reproduce this.
Latest patch still fails with su(1) I'm afraid:

stingray:...local/etc/ansible:% ansible-playbook -vvv pkg.yml --limit stingray.fish.adestra.com --su --ask-su-pass
Using /usr/local/etc/ansible/ansible.cfg as config file
SU password:
1 plays in pkg.yml

PLAY ***************************************************************************

TASK [update pkg] **************************************************************
task path: /usr/local/etc/ansible/pkg.yml:6
<stingray.fish.adestra.com> ESTABLISH SSH CONNECTION FOR USER: None
<stingray.fish.adestra.com> SSH: EXEC ssh -C -q -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/matthew/.ansible/cp/ansible-ssh-%h-%p-%r -tt stingray.fish.adestra.com '( umask 22 && mkdir -p "$( echo ${HOME}/.ansible/tmp/ansible-tmp-1453807078.55-195191867401244 )" && echo "$( echo ${HOME}/.ansible/tmp/ansible-tmp-1453807078.55-195191867401244 )" )'
fatal: [stingray.fish.adestra.com]: UNREACHABLE! => {"changed": false, "msg": "ERROR! Authentication or permission failure. In some cases, you may have been able to authenticate and did not have permissions on the remote directory. Consider changing the remote temp path in ansible.cfg to a path rooted in \"/tmp\". Failed command was: ( umask 22 && mkdir -p \"$( echo ${HOME}/.ansible/tmp/ansible-tmp-1453807078.55-195191867401244 )\" && echo \"$( echo ${HOME}/.ansible/tmp/ansible-tmp-1453807078.55-195191867401244 )\" ), exited with result 1: Illegal variable name.\r\n", "unreachable": true}

PLAY RECAP *********************************************************************
stingray.fish.adestra.com : ok=0 changed=0 unreachable=1 failed=0

Everything else is working just fine.
I just swapped around the obsolete order of first/second patch. Second patch is bogus (I didn't fully understand the issue). I also opened an upstream bug report with the same info: https://github.com/ansible/ansible/issues/14116
Waiting on response from upstream.
Could you try the upcoming patch please?
Created attachment 166202
ansible backport 6bf2f45
The latest patch works for me with both "su" and "sudo".
Matthew, I have pretty good confidence in this patch and it works for me. If you test it and it works for you, then I approve immediate commit.
A commit references this bug:

Author: matthew
Date: Thu Jan 28 10:11:32 UTC 2016
New revision: 407405
URL: https://svnweb.freebsd.org/changeset/ports/407405

Log:
  Backport upstream patch to fix overquoting of commands run via su

  PR: 206591
  Submitted by: leeb@ratnaling.org
  Approved by: lifanov@mail.lifanov.com (maintainer)
  Obtained from: https://github.com/ansible/ansible/commit/6bf2f45ff52d252dbada6a1860416fa603be56bd

Changes:
  head/sysutils/ansible/Makefile
  head/sysutils/ansible/files/extra-patch-6bf2f45
Committed, thanks!
Small nit: attribution is incorrect in commit message. It should have been reported by leeb@ratnaling.org and submitted by me.
Absolutely! I was confused about how the fields work.