diff options
Diffstat (limited to 'ansible')
-rw-r--r-- | ansible/README.md | 3 | ||||
-rw-r--r-- | ansible/ansible.cfg | 1 | ||||
-rw-r--r-- | ansible/connection_plugins/lxc_ssh.py | 1259 | ||||
-rw-r--r-- | ansible/connection_plugins/lxc_ssh.pyc | bin | 0 -> 34768 bytes | |||
-rw-r--r-- | ansible/group_vars/via_knot.yml | 2 | ||||
-rw-r--r-- | ansible/hosts | 2 | ||||
-rw-r--r-- | ansible/inventory | 8 | ||||
-rw-r--r-- | ansible/knot.yml | 2 | ||||
-rw-r--r-- | ansible/mw.yml | 2 | ||||
-rw-r--r-- | ansible/roles/mw-backend/handlers/main.yml | 5 | ||||
-rw-r--r-- | ansible/roles/mw-backend/tasks/main.yml | 21 | ||||
-rw-r--r-- | ansible/roles/mw-frontend/files/etc/apache2/sites-available/mw.trygvis.io-ssl.conf | 43 | ||||
-rw-r--r-- | ansible/roles/mw-frontend/tasks/main.yml | 11 |
13 files changed, 1330 insertions, 29 deletions
diff --git a/ansible/README.md b/ansible/README.md new file mode 100644 index 0000000..6549229 --- /dev/null +++ b/ansible/README.md @@ -0,0 +1,3 @@ +# lxc_ssh + +https://github.com/andreasscherbaum/ansible-lxc-ssh diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg index d6d1012..c5caa3d 100644 --- a/ansible/ansible.cfg +++ b/ansible/ansible.cfg @@ -1,3 +1,4 @@ [defaults] become_method = sudo inventory = ./hosts +connection_plugins = ./connection_plugins diff --git a/ansible/connection_plugins/lxc_ssh.py b/ansible/connection_plugins/lxc_ssh.py new file mode 100644 index 0000000..9f93305 --- /dev/null +++ b/ansible/connection_plugins/lxc_ssh.py @@ -0,0 +1,1259 @@ +# Copyright 2016 Pierre Chifflier <pollux@wzdftpd.net> +# +# SSH + lxc-attach connection module for Ansible 2.0 +# +# Adapted from ansible/plugins/connection/ssh.py +# Forked from https://github.com/chifflier/ansible-lxc-ssh +# Hosted on https://github.com/andreasscherbaum/ansible-lxc-ssh +# +# Ansible is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Ansible is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Ansible. If not, see <http://www.gnu.org/licenses/>. +# +import errno +import fcntl +import hashlib +import os +import pipes +import pty +import shlex +import subprocess +import sys +from distutils.version import LooseVersion + +from ansible.release import __version__ as ansible_version +if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): + from functools import wraps +from ansible import constants as C +if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): + from ansible.compat.six import text_type, binary_type + from ansible.errors import AnsibleConnectionFailure, AnsibleError + from ansible.plugins.connection import ConnectionBase +if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): + from ansible.errors import AnsibleError, AnsibleConnectionFailure, AnsibleFileNotFound + from ansible.errors import AnsibleOptionsError + from ansible.compat import selectors + from ansible.module_utils.six import PY3, text_type, binary_type + if LooseVersion(ansible_version) < LooseVersion('2.4.0.0'): + from ansible.compat.six.moves import shlex_quote + else: + from ansible.module_utils.six.moves import shlex_quote + from ansible.module_utils._text import to_bytes, to_native, to_text + if LooseVersion(ansible_version) >= LooseVersion('2.4.0.0'): + from ansible.module_utils.parsing.convert_bool import BOOLEANS, boolean + from ansible.plugins.connection import ConnectionBase, BUFSIZE +from ansible.utils.path import unfrackpath, makedirs_safe + +if LooseVersion(ansible_version) >= LooseVersion('2.2.0.0'): + from ansible.module_utils._text import to_bytes, to_text as to_unicode, to_native as to_str +else: + from ansible.utils.unicode import to_bytes, to_unicode, to_str + +try: + from __main__ import display +except ImportError: + from ansible.utils.display import Display + display = Display() + +if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): + import select + + +# only used from Ansible version 2.3 on forward +class AnsibleControlPersistBrokenPipeError(AnsibleError): + ''' ControlPersist broken pipe ''' + pass + + +def _ssh_retry(func): + """ + Decorator to retry ssh/scp/sftp in the case of a connection failure + + Will retry if: + * an exception is caught + * ssh returns 255 + Will not retry if + * remaining_tries is <2 + * retries limit reached + """ + @wraps(func) + def wrapped(self, *args, **kwargs): + remaining_tries = int(C.ANSIBLE_SSH_RETRIES) + 1 + cmd_summary = "%s..." % args[0] + for attempt in range(remaining_tries): + cmd = args[0] + if attempt != 0 and self._play_context.password and isinstance(cmd, list): + # If this is a retry, the fd/pipe for sshpass is closed, and we need a new one + self.sshpass_pipe = os.pipe() + cmd[1] = b'-d' + to_bytes(self.sshpass_pipe[0], nonstring='simplerepr', errors='surrogate_or_strict') + + try: + try: + return_tuple = func(self, *args, **kwargs) + display.vvv(return_tuple, host=self.host) + # 0 = success + # 1-254 = remote command return code + # 255 = failure from the ssh command itself + except (AnsibleControlPersistBrokenPipeError) as e: + # Retry one more time because of the ControlPersist broken pipe (see #16731) + display.vvv(u"RETRYING BECAUSE OF CONTROLPERSIST BROKEN PIPE") + return_tuple = func(self, *args, **kwargs) + + if return_tuple[0] != 255: + break + else: + raise AnsibleConnectionFailure("Failed to connect to the host via ssh: %s" % to_native(return_tuple[2])) + except (AnsibleConnectionFailure, Exception) as e: + if attempt == remaining_tries - 1: + raise + else: + pause = 2 ** attempt - 1 + if pause > 30: + pause = 30 + + if isinstance(e, AnsibleConnectionFailure): + msg = "ssh_retry: attempt: %d, ssh return code is 255. cmd (%s), pausing for %d seconds" % (attempt, cmd_summary, pause) + else: + msg = "ssh_retry: attempt: %d, caught exception(%s) from cmd (%s), pausing for %d seconds" % (attempt, e, cmd_summary, pause) + + display.vv(msg, host=self.host) + + time.sleep(pause) + continue + + return return_tuple + return wrapped + + +class Connection(ConnectionBase): + ''' ssh+lxc_attach connection ''' + transport = 'lxc_ssh' + + def __init__(self, play_context, new_stdin, *args, **kwargs): + #print args + #print kwargs + super(Connection, self).__init__(play_context, new_stdin, *args, **kwargs) + self.host = self._play_context.remote_addr + if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): + self.port = self._play_context.port + self.user = self._play_context.remote_user + self.control_path = C.ANSIBLE_SSH_CONTROL_PATH + self.control_path_dir = C.ANSIBLE_SSH_CONTROL_PATH_DIR + self.lxc_version = None + + # LXC v1 uses 'lxc-info', 'lxc-attach' and so on + # LXC v2 uses just 'lxc' + (returncode2, stdout2, stderr2) = self._exec_command("which lxc", None, False) + (returncode1, stdout1, stderr1) = self._exec_command("which lxc-info", None, False) + if (returncode2 == 0): + self.lxc_version = 2 + display.vvv('LXC v2') + elif (returncode1 == 0): + self.lxc_version = 1 + display.vvv('LXC v1') + else: + raise AnsibleConnectionFailure('Cannot identify LXC version') + sys.exit(1) + + + # The connection is created by running ssh/scp/sftp from the exec_command, + # put_file, and fetch_file methods, so we don't need to do any connection + # management here. + def _connect(self): + ''' connect to the lxc; nothing to do here ''' + display.vvv('XXX connect') + super(Connection, self)._connect() + #self.container_name = self.ssh._play_context.remote_addr + self.container_name = self._play_context.ssh_extra_args # XXX + #self.container = None + + + # only used from Ansible version 2.3 on forward + @staticmethod + def _create_control_path(host, port, user, connection=None): + '''Make a hash for the controlpath based on con attributes''' + pstring = '%s-%s-%s' % (host, port, user) + if connection: + pstring += '-%s' % connection + m = hashlib.sha1() + m.update(to_bytes(pstring)) + digest = m.hexdigest() + cpath = '%(directory)s/' + digest[:10] + return cpath + + + @staticmethod + def _persistence_controls(b_command): + ''' + Takes a command array and scans it for ControlPersist and ControlPath + settings and returns two booleans indicating whether either was found. + This could be smarter, e.g. returning false if ControlPersist is 'no', + but for now we do it simple way. + ''' + + controlpersist = False + controlpath = False + + if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): + for arg in b_command: + if 'controlpersist' in arg.lower(): + controlpersist = True + elif 'controlpath' in arg.lower(): + controlpath = True + if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): + for b_arg in (a.lower() for a in b_command): + if b'controlpersist' in b_arg: + controlpersist = True + elif b'controlpath' in b_arg: + controlpath = True + + return controlpersist, controlpath + + + @staticmethod + def _split_args(argstring): + """ + Takes a string like '-o Foo=1 -o Bar="foo bar"' and returns a + list ['-o', 'Foo=1', '-o', 'Bar=foo bar'] that can be added to + the argument list. The list will not contain any empty elements. + """ + return [to_unicode(x.strip()) for x in shlex.split(to_bytes(argstring)) if x.strip()] + + + if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): + def _add_args(self, explanation, args): + """ + Adds the given args to self._command and displays a caller-supplied + explanation of why they were added. + """ + self._command += args + display.vvvvv('SSH: ' + explanation + ': (%s)' % ')('.join(args), host=self._play_context.remote_addr) + + + if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): + def _add_args(self, b_command, b_args, explanation): + """ + Adds arguments to the ssh command and displays a caller-supplied explanation of why. + :arg b_command: A list containing the command to add the new arguments to. + This list will be modified by this method. + :arg b_args: An iterable of new arguments to add. This iterable is used + more than once so it must be persistent (ie: a list is okay but a + StringIO would not) + :arg explanation: A text string containing explaining why the arguments + were added. It will be displayed with a high enough verbosity. + .. note:: This function does its work via side-effect. The b_command list has the new arguments appended. + """ + display.vvvvv(u'SSH: %s: (%s)' % (explanation, ')('.join(to_text(a) for a in b_args)), host=self._play_context.remote_addr) + b_command += b_args + + + if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): + def _build_command(self, binary, *other_args): + self._command = [] + self._command += [binary] + self._command += ['-C'] + if self._play_context.verbosity > 3: + self._command += ['-vvv'] + elif binary == 'ssh': + # Older versions of ssh (e.g. in RHEL 6) don't accept sftp -q. + self._command += ['-q'] + # Next, we add [ssh_connection]ssh_args from ansible.cfg. + if self._play_context.ssh_args: + args = self._split_args(self._play_context.ssh_args) + self._add_args("ansible.cfg set ssh_args", args) + # Now we add various arguments controlled by configuration file settings + # (e.g. host_key_checking) or inventory variables (ansible_ssh_port) or + # a combination thereof. + if not C.HOST_KEY_CHECKING: + self._add_args( + "ANSIBLE_HOST_KEY_CHECKING/host_key_checking disabled", + ("-o", "StrictHostKeyChecking=no") + ) + if self._play_context.port is not None: + self._add_args( + "ANSIBLE_REMOTE_PORT/remote_port/ansible_port set", + ("-o", "Port={0}".format(self._play_context.port)) + ) + key = self._play_context.private_key_file + if key: + self._add_args( + "ANSIBLE_PRIVATE_KEY_FILE/private_key_file/ansible_ssh_private_key_file set", + ("-o", "IdentityFile=\"{0}\"".format(os.path.expanduser(key))) + ) + if not self._play_context.password: + self._add_args( + "ansible_password/ansible_ssh_pass not set", ( + "-o", "KbdInteractiveAuthentication=no", + "-o", "PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey", + "-o", "PasswordAuthentication=no" + ) + ) + user = self._play_context.remote_user + if user: + self._add_args( + "ANSIBLE_REMOTE_USER/remote_user/ansible_user/user/-u set", + ("-o", "User={0}".format(to_bytes(self._play_context.remote_user))) + ) + self._add_args( + "ANSIBLE_TIMEOUT/timeout set", + ("-o", "ConnectTimeout={0}".format(self._play_context.timeout)) + ) + # Check if ControlPersist is enabled and add a ControlPath if one hasn't + # already been set. + controlpersist, controlpath = self._persistence_controls(self._command) + if controlpersist: + self._persistent = True + if not controlpath: + cpdir = unfrackpath('$HOME/.ansible/cp') + display.vv(str(C.ANSIBLE_SSH_CONTROL_PATH)) + # The directory must exist and be writable. + makedirs_safe(cpdir, 0o700) + if not os.access(cpdir, os.W_OK): + raise AnsibleError("Cannot write to ControlPath %s" % cpdir) + args = ("-o", "ControlPath={0}".format( + to_bytes(C.ANSIBLE_SSH_CONTROL_PATH % dict(directory=cpdir))) + ) + self._add_args("found only ControlPersist; added ControlPath", args) + ## Finally, we add any caller-supplied extras. + if other_args: + self._command += other_args + return self._command + + + if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): + def _build_command(self, binary, *other_args): + b_command = [] + if binary == 'ssh': + b_command += [to_bytes(self._play_context.ssh_executable, errors='surrogate_or_strict')] + else: + b_command += [to_bytes(binary, errors='surrogate_or_strict')] + if self._play_context.verbosity > 3: + b_command.append(b'-vvv') + # Next, we add [ssh_connection]ssh_args from ansible.cfg. + # + if self._play_context.ssh_args: + b_args = [to_bytes(a, errors='surrogate_or_strict') for a in + self._split_args(self._play_context.ssh_args)] + self._add_args(b_command, b_args, u"ansible.cfg set ssh_args") + + # Now we add various arguments controlled by configuration file settings + # (e.g. host_key_checking) or inventory variables (ansible_ssh_port) or + # a combination thereof. + if not C.HOST_KEY_CHECKING: + b_args = (b"-o", b"StrictHostKeyChecking=no") + self._add_args(b_command, b_args, u"ANSIBLE_HOST_KEY_CHECKING/host_key_checking disabled") + if self._play_context.port is not None: + b_args = (b"-o", b"Port=" + to_bytes(self._play_context.port, nonstring='simplerepr', errors='surrogate_or_strict')) + self._add_args(b_command, b_args, u"ANSIBLE_REMOTE_PORT/remote_port/ansible_port set") + key = self._play_context.private_key_file + if key: + b_args = (b"-o", b'IdentityFile="' + to_bytes(os.path.expanduser(key), errors='surrogate_or_strict') + b'"') + self._add_args(b_command, b_args, u"ANSIBLE_PRIVATE_KEY_FILE/private_key_file/ansible_ssh_private_key_file set") + if not self._play_context.password: + self._add_args( + b_command, ( + b"-o", b"KbdInteractiveAuthentication=no", + b"-o", b"PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey", + b"-o", b"PasswordAuthentication=no" + ), + u"ansible_password/ansible_ssh_pass not set" + ) + user = self._play_context.remote_user + if user: + self._add_args( + b_command, + (b"-o", b"User=" + to_bytes(self._play_context.remote_user, errors='surrogate_or_strict')), + u"ANSIBLE_REMOTE_USER/remote_user/ansible_user/user/-u set" + ) + self._add_args( + b_command, + (b"-o", b"ConnectTimeout=" + to_bytes(self._play_context.timeout, errors='surrogate_or_strict', nonstring='simplerepr')), + u"ANSIBLE_TIMEOUT/timeout set" + ) + # Check if ControlPersist is enabled and add a ControlPath if one hasn't + # already been set. + controlpersist, controlpath = self._persistence_controls(b_command) + if controlpersist: + self._persistent = True + if not controlpath: + cpdir = unfrackpath(self.control_path_dir) + b_cpdir = to_bytes(cpdir, errors='surrogate_or_strict') + # The directory must exist and be writable. + makedirs_safe(b_cpdir, 0o700) + if not os.access(b_cpdir, os.W_OK): + raise AnsibleError("Cannot write to ControlPath %s" % to_native(cpdir)) + + if not self.control_path: + self.control_path = self._create_control_path( + self.host, + self.port, + self.user + ) + b_args = (b"-o", b"ControlPath=" + to_bytes(self.control_path % dict(directory=cpdir), errors='surrogate_or_strict')) + self._add_args(b_command, b_args, u"found only ControlPersist; added ControlPath") + + # Finally, we add any caller-supplied extras. + if other_args: + b_command += [to_bytes(a) for a in other_args] + + return b_command + + + def _send_initial_data(self, fh, in_data): + ''' + Writes initial data to the stdin filehandle of the subprocess and closes + it. (The handle must be closed; otherwise, for example, "sftp -b -" will + just hang forever waiting for more commands.) + ''' + + display.debug('Sending initial data') + + try: + if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): + fh.write(in_data) + if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): + fh.write(to_bytes(in_data)) + fh.close() + except (OSError, IOError): + raise AnsibleConnectionFailure('SSH Error: data could not be sent to remote host "%s". Make sure this host can be reached over ssh' % self.host) + + display.debug('Sent initial data (%d bytes)' % len(in_data)) + + + # Used by _run() to kill processes on failures + @staticmethod + def _terminate_process(p): + """ Terminate a process, ignoring errors """ + try: + p.terminate() + except (OSError, IOError): + pass + + + if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): + # This is separate from _run() because we need to do the same thing for stdout + # and stderr. + def _examine_output(self, source, state, chunk, sudoable): + ''' + Takes a string, extracts complete lines from it, tests to see if they + are a prompt, error message, etc., and sets appropriate flags in self. + Prompt and success lines are removed. + + Returns the processed (i.e. possibly-edited) output and the unprocessed + remainder (to be processed with the next chunk) as strings. + ''' + + output = [] + for l in chunk.splitlines(True): + suppress_output = False + + #display.debug("Examining line (source=%s, state=%s): '%s'" % (source, state, l.rstrip('\r\n'))) + if self._play_context.prompt and self.check_password_prompt(l): + display.debug("become_prompt: (source=%s, state=%s): '%s'" % (source, state, l.rstrip('\r\n'))) + self._flags['become_prompt'] = True + suppress_output = True + elif self._play_context.success_key and self.check_become_success(l): + display.debug("become_success: (source=%s, state=%s): '%s'" % (source, state, l.rstrip('\r\n'))) + self._flags['become_success'] = True + suppress_output = True + elif sudoable and self.check_incorrect_password(l): + display.debug("become_error: (source=%s, state=%s): '%s'" % (source, state, l.rstrip('\r\n'))) + self._flags['become_error'] = True + elif sudoable and self.check_missing_password(l): + display.debug("become_nopasswd_error: (source=%s, state=%s): '%s'" % (source, state, l.rstrip('\r\n'))) + self._flags['become_nopasswd_error'] = True + + if not suppress_output: + output.append(l) + + # The chunk we read was most likely a series of complete lines, but just + # in case the last line was incomplete (and not a prompt, which we would + # have removed from the output), we retain it to be processed with the + # next chunk. + + remainder = '' + if output and not output[-1].endswith('\n'): + remainder = output[-1] + output = output[:-1] + + return ''.join(output), remainder + + + if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): + # This is separate from _run() because we need to do the same thing for stdout + # and stderr. + def _examine_output(self, source, state, b_chunk, sudoable): + ''' + Takes a string, extracts complete lines from it, tests to see if they + are a prompt, error message, etc., and sets appropriate flags in self. + Prompt and success lines are removed. + Returns the processed (i.e. possibly-edited) output and the unprocessed + remainder (to be processed with the next chunk) as strings. + ''' + + output = [] + for b_line in b_chunk.splitlines(True): + display_line = to_text(b_line).rstrip('\r\n') + suppress_output = False + + # display.debug("Examining line (source=%s, state=%s): '%s'" % (source, state, display_line)) + if self._play_context.prompt and self.check_password_prompt(b_line): + display.debug("become_prompt: (source=%s, state=%s): '%s'" % (source, state, display_line)) + self._flags['become_prompt'] = True + suppress_output = True + elif self._play_context.success_key and self.check_become_success(b_line): + display.debug("become_success: (source=%s, state=%s): '%s'" % (source, state, display_line)) + self._flags['become_success'] = True + suppress_output = True + elif sudoable and self.check_incorrect_password(b_line): + display.debug("become_error: (source=%s, state=%s): '%s'" % (source, state, display_line)) + self._flags['become_error'] = True + elif sudoable and self.check_missing_password(b_line): + display.debug("become_nopasswd_error: (source=%s, state=%s): '%s'" % (source, state, display_line)) + self._flags['become_nopasswd_error'] = True + + if not suppress_output: + output.append(b_line) + + # The chunk we read was most likely a series of complete lines, but just + # in case the last line was incomplete (and not a prompt, which we would + # have removed from the output), we retain it to be processed with the + # next chunk. + + remainder = b'' + if output and not output[-1].endswith(b'\n'): + remainder = output[-1] + output = output[:-1] + + return b''.join(output), remainder + + + # only used from Ansible version 2.3 on forward + def _bare_run(self, cmd, in_data, sudoable=True, checkrc=True): + ''' + Starts the command and communicates with it until it ends. + ''' + + display_cmd = list(map(shlex_quote, map(to_text, cmd))) + display.vvv(u'SSH: EXEC {0}'.format(u' '.join(display_cmd)), host=self.host) + + # Start the given command. If we don't need to pipeline data, we can try + # to use a pseudo-tty (ssh will have been invoked with -tt). If we are + # pipelining data, or can't create a pty, we fall back to using plain + # old pipes. + + p = None + + if isinstance(cmd, (text_type, binary_type)): + cmd = to_bytes(cmd) + else: + cmd = map(to_bytes, cmd) + + if not in_data: + try: + # Make sure stdin is a proper pty to avoid tcgetattr errors + master, slave = pty.openpty() + if PY3 and self._play_context.password: + p = subprocess.Popen(cmd, stdin=slave, stdout=subprocess.PIPE, stderr=subprocess.PIPE, pass_fds=self.sshpass_pipe) + else: + p = subprocess.Popen(cmd, stdin=slave, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + stdin = os.fdopen(master, 'wb', 0) + os.close(slave) + except (OSError, IOError): + p = None + + if not p: + if PY3 and self._play_context.password: + p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, pass_fds=self.sshpass_pipe) + else: + p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + stdin = p.stdin + + # If we are using SSH password authentication, write the password into + # the pipe we opened in _build_command. + + if self._play_context.password: + os.close(self.sshpass_pipe[0]) + try: + os.write(self.sshpass_pipe[1], to_bytes(self._play_context.password) + b'\n') + except OSError as e: + # Ignore broken pipe errors if the sshpass process has exited. + if e.errno != errno.EPIPE or p.poll() is None: + raise + os.close(self.sshpass_pipe[1]) + + # + # SSH state machine + # + + # Now we read and accumulate output from the running process until it + # exits. Depending on the circumstances, we may also need to write an + # escalation password and/or pipelined input to the process. + + states = [ + 'awaiting_prompt', 'awaiting_escalation', 'ready_to_send', 'awaiting_exit' + ] + + # Are we requesting privilege escalation? Right now, we may be invoked + # to execute sftp/scp with sudoable=True, but we can request escalation + # only when using ssh. Otherwise we can send initial data straightaway. + + state = states.index('ready_to_send') + if b'ssh' in cmd: + if self._play_context.prompt: + # We're requesting escalation with a password, so we have to + # wait for a password prompt. + state = states.index('awaiting_prompt') + display.debug(u'Initial state: %s: %s' % (states[state], self._play_context.prompt)) + elif self._play_context.become and self._play_context.success_key: + # We're requesting escalation without a password, so we have to + # detect success/failure before sending any initial data. + state = states.index('awaiting_escalation') + display.debug(u'Initial state: %s: %s' % (states[state], self._play_context.success_key)) + + # We store accumulated stdout and stderr output from the process here, + # but strip any privilege escalation prompt/confirmation lines first. + # Output is accumulated into tmp_*, complete lines are extracted into + # an array, then checked and removed or copied to stdout or stderr. We + # set any flags based on examining the output in self._flags. + + b_stdout = b_stderr = b'' + b_tmp_stdout = b_tmp_stderr = b'' + + self._flags = dict( + become_prompt=False, become_success=False, + become_error=False, become_nopasswd_error=False + ) + + # select timeout should be longer than the connect timeout, otherwise + # they will race each other when we can't connect, and the connect + # timeout usually fails + timeout = 2 + self._play_context.timeout + for fd in (p.stdout, p.stderr): + fcntl.fcntl(fd, fcntl.F_SETFL, fcntl.fcntl(fd, fcntl.F_GETFL) | os.O_NONBLOCK) + + # TODO: bcoca would like to use SelectSelector() when open + # filehandles is low, then switch to more efficient ones when higher. + # select is faster when filehandles is low. + selector = selectors.DefaultSelector() + selector.register(p.stdout, selectors.EVENT_READ) + selector.register(p.stderr, selectors.EVENT_READ) + + # If we can send initial data without waiting for anything, we do so + # before we start polling + if states[state] == 'ready_to_send' and in_data: + self._send_initial_data(stdin, in_data) + state += 1 + + try: + while True: + poll = p.poll() + events = selector.select(timeout) + + # We pay attention to timeouts only while negotiating a prompt. + + if not events: + # We timed out + if state <= states.index('awaiting_escalation'): + # If the process has already exited, then it's not really a + # timeout; we'll let the normal error handling deal with it. + if poll is not None: + break + self._terminate_process(p) + raise AnsibleError('Timeout (%ds) waiting for privilege escalation prompt: %s' % (timeout, to_native(b_stdout))) + + # Read whatever output is available on stdout and stderr, and stop + # listening to the pipe if it's been closed. + + for key, event in events: + if key.fileobj == p.stdout: + b_chunk = p.stdout.read() + if b_chunk == b'': + # stdout has been closed, stop watching it + selector.unregister(p.stdout) + # When ssh has ControlMaster (+ControlPath/Persist) enabled, the + # first connection goes into the background and we never see EOF + # on stderr. If we see EOF on stdout, lower the select timeout + # to reduce the time wasted selecting on stderr if we observe + # that the process has not yet existed after this EOF. Otherwise + # we may spend a long timeout period waiting for an EOF that is + # not going to arrive until the persisted connection closes. + timeout = 1 + b_tmp_stdout += b_chunk + display.debug("stdout chunk (state=%s):\n>>>%s<<<\n" % (state, to_text(b_chunk))) + elif key.fileobj == p.stderr: + b_chunk = p.stderr.read() + if b_chunk == b'': + # stderr has been closed, stop watching it + selector.unregister(p.stderr) + b_tmp_stderr += b_chunk + display.debug("stderr chunk (state=%s):\n>>>%s<<<\n" % (state, to_text(b_chunk))) + + # We examine the output line-by-line until we have negotiated any + # privilege escalation prompt and subsequent success/error message. + # Afterwards, we can accumulate output without looking at it. + + if state < states.index('ready_to_send'): + if b_tmp_stdout: + b_output, b_unprocessed = self._examine_output('stdout', states[state], b_tmp_stdout, sudoable) + b_stdout += b_output + b_tmp_stdout = b_unprocessed + + if b_tmp_stderr: + b_output, b_unprocessed = self._examine_output('stderr', states[state], b_tmp_stderr, sudoable) + b_stderr += b_output + b_tmp_stderr = b_unprocessed + else: + b_stdout += b_tmp_stdout + b_stderr += b_tmp_stderr + b_tmp_stdout = b_tmp_stderr = b'' + + # If we see a privilege escalation prompt, we send the password. + # (If we're expecting a prompt but the escalation succeeds, we + # didn't need the password and can carry on regardless.) + + if states[state] == 'awaiting_prompt': + if self._flags['become_prompt']: + display.debug('Sending become_pass in response to prompt') + stdin.write(to_bytes(self._play_context.become_pass) + b'\n') + self._flags['become_prompt'] = False + state += 1 + elif self._flags['become_success']: + state += 1 + + # We've requested escalation (with or without a password), now we + # wait for an error message or a successful escalation. + + if states[state] == 'awaiting_escalation': + if self._flags['become_success']: + display.debug('Escalation succeeded') + self._flags['become_success'] = False + state += 1 + elif self._flags['become_error']: + display.debug('Escalation failed') + self._terminate_process(p) + self._flags['become_error'] = False + raise AnsibleError('Incorrect %s password' % self._play_context.become_method) + elif self._flags['become_nopasswd_error']: + display.debug('Escalation requires password') + self._terminate_process(p) + self._flags['become_nopasswd_error'] = False + raise AnsibleError('Missing %s password' % self._play_context.become_method) + elif self._flags['become_prompt']: + # This shouldn't happen, because we should see the "Sorry, + # try again" message first. + display.debug('Escalation prompt repeated') + self._terminate_process(p) + self._flags['become_prompt'] = False + raise AnsibleError('Incorrect %s password' % self._play_context.become_method) + + # Once we're sure that the privilege escalation prompt, if any, has + # been dealt with, we can send any initial data and start waiting + # for output. + + if states[state] == 'ready_to_send': + if in_data: + self._send_initial_data(stdin, in_data) + state += 1 + + # Now we're awaiting_exit: has the child process exited? If it has, + # and we've read all available output from it, we're done. + + if poll is not None: + if not selector.get_map() or not events: + break + # We should not see further writes to the stdout/stderr file + # descriptors after the process has closed, set the select + # timeout to gather any last writes we may have missed. + timeout = 0 + continue + + # If the process has not yet exited, but we've already read EOF from + # its stdout and stderr (and thus no longer watching any file + # descriptors), we can just wait for it to exit. + + elif not selector.get_map(): + p.wait() + break + + # Otherwise there may still be outstanding data to read. + finally: + selector.close() + # close stdin after process is terminated and stdout/stderr are read + # completely (see also issue #848) + stdin.close() + + if C.HOST_KEY_CHECKING: + if cmd[0] == b"sshpass" and p.returncode == 6: + raise AnsibleError('Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support ' + 'this. Please add this host\'s fingerprint to your known_hosts file to manage this host.') + + controlpersisterror = b'Bad configuration option: ControlPersist' in b_stderr or b'unknown configuration option: ControlPersist' in b_stderr + if p.returncode != 0 and controlpersisterror: + raise AnsibleError('using -c ssh on certain older ssh versions may not support ControlPersist, set ANSIBLE_SSH_ARGS="" ' + '(or ssh_args in [ssh_connection] section of the config file) before running again') + + # If we find a broken pipe because of ControlPersist timeout expiring (see #16731), + # we raise a special exception so that we can retry a connection. + controlpersist_broken_pipe = b'mux_client_hello_exchange: write packet: Broken pipe' in b_stderr + if p.returncode == 255 and controlpersist_broken_pipe: + raise AnsibleControlPersistBrokenPipeError('SSH Error: data could not be sent because of ControlPersist broken pipe.') + + if p.returncode == 255 and in_data and checkrc: + raise AnsibleConnectionFailure('SSH Error: data could not be sent to remote host "%s". Make sure this host can be reached over ssh' % self.host) + + return (p.returncode, b_stdout, b_stderr) + + + if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): + @_ssh_retry + def _run(self, cmd, in_data, sudoable=True, checkrc=True): + """Wrapper around _bare_run that retries the connection + """ + return self._bare_run(cmd, in_data, sudoable, checkrc) + + + if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): + def _run(self, cmd, in_data, sudoable=True): + ''' + Starts the command and communicates with it until it ends. + ''' + + display_cmd = map(to_unicode, map(pipes.quote, cmd)) + display.vvv(u'SSH: EXEC {0}'.format(u' '.join(display_cmd)), host=self.host) + + # Start the given command. If we don't need to pipeline data, we can try + # to use a pseudo-tty (ssh will have been invoked with -tt). If we are + # pipelining data, or can't create a pty, we fall back to using plain + # old pipes. + + p = None + + if isinstance(cmd, (text_type, binary_type)): + cmd = to_bytes(cmd) + else: + cmd = map(to_bytes, cmd) + + if not in_data: + try: + # Make sure stdin is a proper pty to avoid tcgetattr errors + master, slave = pty.openpty() + p = subprocess.Popen(cmd, stdin=slave, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + stdin = os.fdopen(master, 'w', 0) + os.close(slave) + except (OSError, IOError): + p = None + + if not p: + p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + stdin = p.stdin + + # If we are using SSH password authentication, write the password into + # the pipe we opened in _build_command. + + if self._play_context.password: + os.close(self.sshpass_pipe[0]) + os.write(self.sshpass_pipe[1], "{0}\n".format(to_bytes(self._play_context.password))) + os.close(self.sshpass_pipe[1]) + + ## SSH state machine + # + # Now we read and accumulate output from the running process until it + # exits. Depending on the circumstances, we may also need to write an + # escalation password and/or pipelined input to the process. + + states = [ + 'awaiting_prompt', 'awaiting_escalation', 'ready_to_send', 'awaiting_exit' + ] + + # Are we requesting privilege escalation? Right now, we may be invoked + # to execute sftp/scp with sudoable=True, but we can request escalation + # only when using ssh. Otherwise we can send initial data straightaway. + + state = states.index('ready_to_send') + if b'ssh' in cmd: + if self._play_context.prompt: + # We're requesting escalation with a password, so we have to + # wait for a password prompt. + state = states.index('awaiting_prompt') + display.debug('Initial state: %s: %s' % (states[state], self._play_context.prompt)) + elif self._play_context.become and self._play_context.success_key: + # We're requesting escalation without a password, so we have to + # detect success/failure before sending any initial data. + state = states.index('awaiting_escalation') + display.debug('Initial state: %s: %s' % (states[state], self._play_context.success_key)) + + # We store accumulated stdout and stderr output from the process here, + # but strip any privilege escalation prompt/confirmation lines first. + # Output is accumulated into tmp_*, complete lines are extracted into + # an array, then checked and removed or copied to stdout or stderr. We + # set any flags based on examining the output in self._flags. + + stdout = stderr = '' + tmp_stdout = tmp_stderr = '' + + self._flags = dict( + become_prompt=False, become_success=False, + become_error=False, become_nopasswd_error=False + ) + + # select timeout should be longer than the connect timeout, otherwise + # they will race each other when we can't connect, and the connect + # timeout usually fails + timeout = 2 + self._play_context.timeout + rpipes = [p.stdout, p.stderr] + for fd in rpipes: + fcntl.fcntl(fd, fcntl.F_SETFL, fcntl.fcntl(fd, fcntl.F_GETFL) | os.O_NONBLOCK) + + # If we can send initial data without waiting for anything, we do so + # before we call select. + + if states[state] == 'ready_to_send' and in_data: + self._send_initial_data(stdin, in_data) + state += 1 + + while True: + rfd, wfd, efd = select.select(rpipes, [], [], timeout) + + # We pay attention to timeouts only while negotiating a prompt. + + if not rfd: + if state <= states.index('awaiting_escalation'): + # If the process has already exited, then it's not really a + # timeout; we'll let the normal error handling deal with it. + if p.poll() is not None: + break + self._terminate_process(p) + raise AnsibleError('Timeout (%ds) waiting for privilege escalation prompt: %s' % (timeout, stdout)) + + # Read whatever output is available on stdout and stderr, and stop + # listening to the pipe if it's been closed. + + if p.stdout in rfd: + chunk = p.stdout.read() + if chunk == '': + rpipes.remove(p.stdout) + tmp_stdout += chunk + display.debug("stdout chunk (state=%s):\n>>>%s<<<\n" % (state, chunk)) + + if p.stderr in rfd: + chunk = p.stderr.read() + if chunk == '': + rpipes.remove(p.stderr) + tmp_stderr += chunk + display.debug("stderr chunk (state=%s):\n>>>%s<<<\n" % (state, chunk)) + + # We examine the output line-by-line until we have negotiated any + # privilege escalation prompt and subsequent success/error message. + # Afterwards, we can accumulate output without looking at it. + + if state < states.index('ready_to_send'): + if tmp_stdout: + output, unprocessed = self._examine_output('stdout', states[state], tmp_stdout, sudoable) + stdout += output + tmp_stdout = unprocessed + + if tmp_stderr: + output, unprocessed = self._examine_output('stderr', states[state], tmp_stderr, sudoable) + stderr += output + tmp_stderr = unprocessed + else: + stdout += tmp_stdout + stderr += tmp_stderr + tmp_stdout = tmp_stderr = '' + + # If we see a privilege escalation prompt, we send the password. + # (If we're expecting a prompt but the escalation succeeds, we + # didn't need the password and can carry on regardless.) + + if states[state] == 'awaiting_prompt': + if self._flags['become_prompt']: + display.debug('Sending become_pass in response to prompt') + stdin.write('{0}\n'.format(to_bytes(self._play_context.become_pass ))) + self._flags['become_prompt'] = False + state += 1 + elif self._flags['become_success']: + state += 1 + + # We've requested escalation (with or without a password), now we + # wait for an error message or a successful escalation. + + if states[state] == 'awaiting_escalation': + if self._flags['become_success']: + display.debug('Escalation succeeded') + self._flags['become_success'] = False + state += 1 + elif self._flags['become_error']: + display.debug('Escalation failed') + self._terminate_process(p) + self._flags['become_error'] = False + raise AnsibleError('Incorrect %s password' % self._play_context.become_method) + elif self._flags['become_nopasswd_error']: + display.debug('Escalation requires password') + self._terminate_process(p) + self._flags['become_nopasswd_error'] = False + raise AnsibleError('Missing %s password' % self._play_context.become_method) + elif self._flags['become_prompt']: + # This shouldn't happen, because we should see the "Sorry, + # try again" message first. + display.debug('Escalation prompt repeated') + self._terminate_process(p) + self._flags['become_prompt'] = False + raise AnsibleError('Incorrect %s password' % self._play_context.become_method) + + # Once we're sure that the privilege escalation prompt, if any, has + # been dealt with, we can send any initial data and start waiting + # for output. + + if states[state] == 'ready_to_send': + if in_data: + self._send_initial_data(stdin, in_data) + state += 1 + + # Now we're awaiting_exit: has the child process exited? If it has, + # and we've read all available output from it, we're done. + + if p.poll() is not None: + if not rpipes or not rfd: + break + + # When ssh has ControlMaster (+ControlPath/Persist) enabled, the + # first connection goes into the background and we never see EOF + # on stderr. If we see EOF on stdout and the process has exited, + # we're probably done. We call select again with a zero timeout, + # just to make certain we don't miss anything that may have been + # written to stderr between the time we called select() and when + # we learned that the process had finished. + + if p.stdout not in rpipes: + timeout = 0 + continue + + # If the process has not yet exited, but we've already read EOF from + # its stdout and stderr (and thus removed both from rpipes), we can + # just wait for it to exit. + + elif not rpipes: + p.wait() + break + + # Otherwise there may still be outstanding data to read. + + # close stdin after process is terminated and stdout/stderr are read + # completely (see also issue #848) + stdin.close() + + if C.HOST_KEY_CHECKING: + if cmd[0] == b"sshpass" and p.returncode == 6: + raise AnsibleError('Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this. Please add this host\'s fingerprint to your known_hosts file to manage this host.') + + controlpersisterror = 'Bad configuration option: ControlPersist' in stderr or 'unknown configuration option: ControlPersist' in stderr + if p.returncode != 0 and controlpersisterror: + raise AnsibleError('using -c ssh on certain older ssh versions may not support ControlPersist, set ANSIBLE_SSH_ARGS="" (or ssh_args in [ssh_connection] section of the config file) before running again') + + if p.returncode == 255 and in_data: + raise AnsibleConnectionFailure('SSH Error: data could not be sent to the remote host. Make sure this host can be reached over ssh') + + return (p.returncode, stdout, stderr) + + + def _exec_command(self, cmd, in_data=None, sudoable=True): + ''' run a command on the remote host ''' + + super(Connection, self).exec_command(cmd, in_data=in_data, sudoable=sudoable) + + display.vvv(u"ESTABLISH SSH CONNECTION FOR USER: {0}".format(self._play_context.remote_user), host=self._play_context.remote_addr) + + # we can only use tty when we are not pipelining the modules. piping + # data into /usr/bin/python inside a tty automatically invokes the + # python interactive-mode but the modules are not compatible with the + # interactive-mode ("unexpected indent" mainly because of empty lines) + + if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): + ssh_executable = self._play_context.ssh_executable + if in_data: + if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): + cmd = self._build_command('ssh', self.host, cmd) + if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): + cmd = self._build_command(ssh_executable, self.host, cmd) + else: + if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): + cmd = self._build_command('ssh', '-tt', self.host, cmd) + if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): + cmd = self._build_command(ssh_executable, '-tt', self.host, cmd) + + (returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=sudoable) + + return (returncode, stdout, stderr) + + + def dir_print(self,obj): + for attr_name in dir(obj): + try: + attr_value = getattr(obj, attr_name) + print(attr_name, attr_value, callable(attr_value)) + except: + pass + + + # + # Main public methods + # + def exec_command(self, cmd, in_data=None, sudoable=False): + ''' run a command on the chroot ''' + display.vvv('XXX exec_command: %s' % cmd) + super(Connection, self).exec_command(cmd, in_data=in_data, sudoable=sudoable) + + if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): + ssh_executable = self._play_context.ssh_executable + ##print dir(self) + ##print dir(self._play_context) + ##print self._play_context._attributes + #self.dir_print(self._play_context) + #vm = self._play_context.get_ds() + #print( vm ) + #raise "blah" + h = self.container_name + if (self.lxc_version == 2): + lxc_cmd = 'sudo -i lxc exec %s --mode=non-interactive -- /bin/sh -c %s' \ + % (pipes.quote(h), + pipes.quote(cmd)) + elif (self.lxc_version == 1): + lxc_cmd = 'sudo -i lxc-attach --name %s -- /bin/sh -c %s' \ + % (pipes.quote(h), + pipes.quote(cmd)) + if in_data: + if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): + cmd = self._build_command('ssh', self.host, lxc_cmd) + if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): + cmd = self._build_command(ssh_executable, self.host, lxc_cmd) + else: + if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): + cmd = self._build_command('ssh', '-tt', self.host, lxc_cmd) + if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): + cmd = self._build_command(ssh_executable, '-tt', self.host, lxc_cmd) + #self.ssh.exec_command(lxc_cmd,in_data,sudoable) + (returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=sudoable) + return (returncode, stdout, stderr) + + + def put_file(self, in_path, out_path): + ''' transfer a file from local to lxc ''' + super(Connection, self).put_file(in_path, out_path) + if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): + display.vvv('XXX put_file %s %s' % (in_path,out_path)) + if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): + display.vvv(u"PUT {0} TO {1}".format(in_path, out_path), host=self.host) + ssh_executable = self._play_context.ssh_executable + + if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): + if not os.path.exists(in_path): + raise errors.AnsibleFileNotFound("file or module does not exist: %s" % in_path) + if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): + if not os.path.exists(to_bytes(in_path, errors='surrogate_or_strict')): + raise AnsibleFileNotFound("file or module does not exist: {0}".format(to_native(in_path))) + + with open(in_path,'r') as in_f: + in_data = in_f.read() + cmd = ('cat > %s; echo -n done' % pipes.quote(out_path)) + h = self.container_name + if (self.lxc_version == 2): + lxc_cmd = 'lxc exec %s --mode=non-interactive -- /bin/sh -c %s' \ + % (pipes.quote(h), + pipes.quote(cmd)) + elif (self.lxc_version == 1): + lxc_cmd = 'lxc-attach --name %s -- /bin/sh -c %s' \ + % (pipes.quote(h), + pipes.quote(cmd)) + if in_data: + if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): + cmd = self._build_command('ssh', self.host, lxc_cmd) + if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): + cmd = self._build_command(ssh_executable, self.host, lxc_cmd) + else: + if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): + cmd = self._build_command('ssh', '-tt', self.host, lxc_cmd) + if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): + cmd = self._build_command(ssh_executable, '-tt', self.host, lxc_cmd) + #self.ssh.exec_command(lxc_cmd,in_data,sudoable) + (returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=False) + return (returncode, stdout, stderr) + + + def fetch_file(self, in_path, out_path): + ''' fetch a file from lxc to local ''' + super(Connection, self).fetch_file(in_path, out_path) + if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): + display.vvv('XXX fetch_file %s %s' % (in_path,out_path)) + if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): + display.vvv(u"FETCH {0} TO {1}".format(in_path, out_path), host=self.host) + ssh_executable = self._play_context.ssh_executable + + if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): + cmd = ('cat %s' % pipes.quote(in_path)) + if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): + cmd = ('cat < %s' % pipes.quote(in_path)) + h = self.container_name + if (self.lxc_version == 2): + lxc_cmd = 'lxc exec %s --mode=non-interactive -- /bin/sh -c %s' \ + % (pipes.quote(h), + pipes.quote(cmd)) + elif (self.lxc_version == 1): + lxc_cmd = 'lxc-attach --name %s -- /bin/sh -c %s' \ + % (pipes.quote(h), + pipes.quote(cmd)) + + if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): + in_data = None + if in_data: + cmd = self._build_command('ssh', self.host, lxc_cmd) + else: + cmd = self._build_command('ssh', '-tt', self.host, lxc_cmd) + (returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=False) + if returncode != 0: + raise AnsibleError("failed to transfer file from {0}:\n{1}\n{2}".format(in_path, stdout, stderr)) + with open(out_path,'w') as out_f: + out_f.write(stdout) + + if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): + cmd = self._build_command(ssh_executable, self.host, lxc_cmd) + (returncode, stdout, stderr) = self._run(cmd, None, sudoable=False) + + if returncode != 0: + raise AnsibleError("failed to transfer file from {0}:\n{1}\n{2}".format(in_path, stdout, stderr)) + with open(out_path,'w') as out_f: + out_f.write(stdout) + + return (returncode, stdout, stderr) + + + # only used from Ansible version 2.3 on forward + def reset(self): + # If we have a persistent ssh connection (ControlPersist), we can ask it to stop listening. + cmd = self._build_command(self._play_context.ssh_executable, '-O', 'stop', self.host) + controlpersist, controlpath = self._persistence_controls(cmd) + if controlpersist: + display.vvv(u'sending stop: %s' % cmd) + p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + stdout, stderr = p.communicate() + status_code = p.wait() + if status_code != 0: + raise AnsibleError("Cannot reset connection:\n%s" % stderr) + self.close() + + + def close(self): + ''' terminate the connection; nothing to do here ''' + display.vvv('XXX close') + super(Connection, self).close() + #self.ssh.close() + self._connected = False diff --git a/ansible/connection_plugins/lxc_ssh.pyc b/ansible/connection_plugins/lxc_ssh.pyc Binary files differnew file mode 100644 index 0000000..01895c8 --- /dev/null +++ b/ansible/connection_plugins/lxc_ssh.pyc diff --git a/ansible/group_vars/via_knot.yml b/ansible/group_vars/via_knot.yml new file mode 100644 index 0000000..efd19c1 --- /dev/null +++ b/ansible/group_vars/via_knot.yml @@ -0,0 +1,2 @@ +#ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q trygvis.io"' +#ansible_ssh_common_args: 'ansible_host=mw.trygvis.io' diff --git a/ansible/hosts b/ansible/hosts deleted file mode 100644 index c30ec8a..0000000 --- a/ansible/hosts +++ /dev/null @@ -1,2 +0,0 @@ -knot.trygvis.io -mw.trygvis.io diff --git a/ansible/inventory b/ansible/inventory new file mode 100644 index 0000000..3aff9e0 --- /dev/null +++ b/ansible/inventory @@ -0,0 +1,8 @@ +all: + hosts: + knot: + ansible_host: knot.trygvis.io + mw: + ansible_host: mw.trygvis.io + +# vim: set filetype=yaml: diff --git a/ansible/knot.yml b/ansible/knot.yml index e90e56c..141542b 100644 --- a/ansible/knot.yml +++ b/ansible/knot.yml @@ -1,5 +1,5 @@ --- - hosts: - - knot.trygvis.io + - knot roles: - mw-frontend diff --git a/ansible/mw.yml b/ansible/mw.yml index d65245d..d7e711a 100644 --- a/ansible/mw.yml +++ b/ansible/mw.yml @@ -1,6 +1,6 @@ --- - hosts: - - mw.trygvis.io + - mw roles: - mw-backend diff --git a/ansible/roles/mw-backend/handlers/main.yml b/ansible/roles/mw-backend/handlers/main.yml new file mode 100644 index 0000000..0298ff9 --- /dev/null +++ b/ansible/roles/mw-backend/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: update apt cache + become: yes + apt: + update_cache: yes diff --git a/ansible/roles/mw-backend/tasks/main.yml b/ansible/roles/mw-backend/tasks/main.yml new file mode 100644 index 0000000..799f0e5 --- /dev/null +++ b/ansible/roles/mw-backend/tasks/main.yml @@ -0,0 +1,21 @@ +--- +- name: apt setup + tags: packages + become: yes + block: + - copy: + dest: /etc/apt/apt.conf.d/99force-ipv4 + content: 'Acquire::ForceIPv4 "true";' + notify: update apt cache + + - meta: flush_handlers + +# - name: packages +# tags: packages +# become: yes +# apt: +# name: "{{ item }}" +# install_recommends: no +# with_items: +# - ping +# - apache2 diff --git a/ansible/roles/mw-frontend/files/etc/apache2/sites-available/mw.trygvis.io-ssl.conf b/ansible/roles/mw-frontend/files/etc/apache2/sites-available/mw.trygvis.io-ssl.conf index 6260e2e..533c559 100644 --- a/ansible/roles/mw-frontend/files/etc/apache2/sites-available/mw.trygvis.io-ssl.conf +++ b/ansible/roles/mw-frontend/files/etc/apache2/sites-available/mw.trygvis.io-ssl.conf @@ -1,29 +1,30 @@ +# Ansible <IfModule mod_ssl.c> <VirtualHost *:443> - ServerAdmin root@trygvis.io - ServerName mw.trygvis.io + ServerAdmin root@trygvis.io + ServerName mw.trygvis.io - LogLevel warn - ErrorLog ${APACHE_LOG_DIR}/mw.trygvis.io-error.log - CustomLog ${APACHE_LOG_DIR}/mw.trygvis.io-access.log combined + LogLevel warn + ErrorLog ${APACHE_LOG_DIR}/mw.trygvis.io-error.log + CustomLog ${APACHE_LOG_DIR}/mw.trygvis.io-access.log combined - DocumentRoot /var/www/mw.trygvis.io/htdocs - <Directory /> - Options FollowSymLinks - AllowOverride None - </Directory> - <Directory /var/www/mw.trygvis.io/htdocs/> - Options Indexes FollowSymLinks MultiViews - AllowOverride None - Order allow,deny - allow from all - </Directory> + DocumentRoot /var/www/mw.trygvis.io/htdocs + <Directory /> + Options FollowSymLinks + AllowOverride None + </Directory> + <Directory /var/www/mw.trygvis.io/htdocs/> + Options Indexes FollowSymLinks MultiViews + AllowOverride None + Order allow,deny + allow from all + </Directory> - ProxyPreserveHost On - ProxyPass / http://conflatorio.vpn.trygvis.io:8080/ + ProxyPreserveHost On + ProxyPass / http://mw.trygvis.io/ - SSLCertificateFile /etc/letsencrypt/live/mw.trygvis.io/fullchain.pem - SSLCertificateKeyFile /etc/letsencrypt/live/mw.trygvis.io/privkey.pem - Include /etc/letsencrypt/options-ssl-apache.conf + SSLCertificateFile /etc/letsencrypt/live/mw.trygvis.io/fullchain.pem + SSLCertificateKeyFile /etc/letsencrypt/live/mw.trygvis.io/privkey.pem + Include /etc/letsencrypt/options-ssl-apache.conf </VirtualHost> </IfModule> diff --git a/ansible/roles/mw-frontend/tasks/main.yml b/ansible/roles/mw-frontend/tasks/main.yml index b7bb13f..40906ea 100644 --- a/ansible/roles/mw-frontend/tasks/main.yml +++ b/ansible/roles/mw-frontend/tasks/main.yml @@ -1,5 +1,8 @@ --- -- name: apache config - copy: - src: etc/apache2/sites-available/mw.trygvis.io-ssl.conf - dest: /etc/apache2/sites-available/mw.trygvis.io-ssl.conf +- name: Apache config + become: yes + block: + - name: apache config + copy: + src: etc/apache2/sites-available/mw.trygvis.io-ssl.conf + dest: /etc/apache2/sites-available/mw.trygvis.io-ssl.conf |