# Copyright 2016 Pierre Chifflier # # SSH + lxc-attach connection module for Ansible 2.0 # # Adapted from ansible/plugins/connection/ssh.py # Forked from https://github.com/chifflier/ansible-lxc-ssh # Hosted on https://github.com/andreasscherbaum/ansible-lxc-ssh # # Ansible is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # Ansible is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Ansible. If not, see . # import errno import fcntl import hashlib import os import pipes import pty import shlex import subprocess import sys from distutils.version import LooseVersion from ansible.release import __version__ as ansible_version if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): from functools import wraps from ansible import constants as C if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): from ansible.compat.six import text_type, binary_type from ansible.errors import AnsibleConnectionFailure, AnsibleError from ansible.plugins.connection import ConnectionBase if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): from ansible.errors import AnsibleError, AnsibleConnectionFailure, AnsibleFileNotFound from ansible.errors import AnsibleOptionsError from ansible.compat import selectors from ansible.module_utils.six import PY3, text_type, binary_type if LooseVersion(ansible_version) < LooseVersion('2.4.0.0'): from ansible.compat.six.moves import shlex_quote else: from ansible.module_utils.six.moves import shlex_quote from ansible.module_utils._text import to_bytes, to_native, to_text if LooseVersion(ansible_version) >= LooseVersion('2.4.0.0'): from ansible.module_utils.parsing.convert_bool import BOOLEANS, boolean from ansible.plugins.connection import ConnectionBase, BUFSIZE from ansible.utils.path import unfrackpath, makedirs_safe if LooseVersion(ansible_version) >= LooseVersion('2.2.0.0'): from ansible.module_utils._text import to_bytes, to_text as to_unicode, to_native as to_str else: from ansible.utils.unicode import to_bytes, to_unicode, to_str try: from __main__ import display except ImportError: from ansible.utils.display import Display display = Display() if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): import select # only used from Ansible version 2.3 on forward class AnsibleControlPersistBrokenPipeError(AnsibleError): ''' ControlPersist broken pipe ''' pass def _ssh_retry(func): """ Decorator to retry ssh/scp/sftp in the case of a connection failure Will retry if: * an exception is caught * ssh returns 255 Will not retry if * remaining_tries is <2 * retries limit reached """ @wraps(func) def wrapped(self, *args, **kwargs): remaining_tries = int(C.ANSIBLE_SSH_RETRIES) + 1 cmd_summary = "%s..." % args[0] for attempt in range(remaining_tries): cmd = args[0] if attempt != 0 and self._play_context.password and isinstance(cmd, list): # If this is a retry, the fd/pipe for sshpass is closed, and we need a new one self.sshpass_pipe = os.pipe() cmd[1] = b'-d' + to_bytes(self.sshpass_pipe[0], nonstring='simplerepr', errors='surrogate_or_strict') try: try: return_tuple = func(self, *args, **kwargs) display.vvv(return_tuple, host=self.host) # 0 = success # 1-254 = remote command return code # 255 = failure from the ssh command itself except (AnsibleControlPersistBrokenPipeError) as e: # Retry one more time because of the ControlPersist broken pipe (see #16731) display.vvv(u"RETRYING BECAUSE OF CONTROLPERSIST BROKEN PIPE") return_tuple = func(self, *args, **kwargs) if return_tuple[0] != 255: break else: raise AnsibleConnectionFailure("Failed to connect to the host via ssh: %s" % to_native(return_tuple[2])) except (AnsibleConnectionFailure, Exception) as e: if attempt == remaining_tries - 1: raise else: pause = 2 ** attempt - 1 if pause > 30: pause = 30 if isinstance(e, AnsibleConnectionFailure): msg = "ssh_retry: attempt: %d, ssh return code is 255. cmd (%s), pausing for %d seconds" % (attempt, cmd_summary, pause) else: msg = "ssh_retry: attempt: %d, caught exception(%s) from cmd (%s), pausing for %d seconds" % (attempt, e, cmd_summary, pause) display.vv(msg, host=self.host) time.sleep(pause) continue return return_tuple return wrapped class Connection(ConnectionBase): ''' ssh+lxc_attach connection ''' transport = 'lxc_ssh' def __init__(self, play_context, new_stdin, *args, **kwargs): #print args #print kwargs super(Connection, self).__init__(play_context, new_stdin, *args, **kwargs) self.host = self._play_context.remote_addr if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): self.port = self._play_context.port self.user = self._play_context.remote_user self.control_path = C.ANSIBLE_SSH_CONTROL_PATH self.control_path_dir = C.ANSIBLE_SSH_CONTROL_PATH_DIR self.lxc_version = None # LXC v1 uses 'lxc-info', 'lxc-attach' and so on # LXC v2 uses just 'lxc' (returncode2, stdout2, stderr2) = self._exec_command("which lxc", None, False) (returncode1, stdout1, stderr1) = self._exec_command("which lxc-info", None, False) if (returncode2 == 0): self.lxc_version = 2 display.vvv('LXC v2') elif (returncode1 == 0): self.lxc_version = 1 display.vvv('LXC v1') else: raise AnsibleConnectionFailure('Cannot identify LXC version') sys.exit(1) # The connection is created by running ssh/scp/sftp from the exec_command, # put_file, and fetch_file methods, so we don't need to do any connection # management here. def _connect(self): ''' connect to the lxc; nothing to do here ''' display.vvv('XXX connect') super(Connection, self)._connect() #self.container_name = self.ssh._play_context.remote_addr self.container_name = self._play_context.ssh_extra_args # XXX #self.container = None # only used from Ansible version 2.3 on forward @staticmethod def _create_control_path(host, port, user, connection=None): '''Make a hash for the controlpath based on con attributes''' pstring = '%s-%s-%s' % (host, port, user) if connection: pstring += '-%s' % connection m = hashlib.sha1() m.update(to_bytes(pstring)) digest = m.hexdigest() cpath = '%(directory)s/' + digest[:10] return cpath @staticmethod def _persistence_controls(b_command): ''' Takes a command array and scans it for ControlPersist and ControlPath settings and returns two booleans indicating whether either was found. This could be smarter, e.g. returning false if ControlPersist is 'no', but for now we do it simple way. ''' controlpersist = False controlpath = False if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): for arg in b_command: if 'controlpersist' in arg.lower(): controlpersist = True elif 'controlpath' in arg.lower(): controlpath = True if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): for b_arg in (a.lower() for a in b_command): if b'controlpersist' in b_arg: controlpersist = True elif b'controlpath' in b_arg: controlpath = True return controlpersist, controlpath @staticmethod def _split_args(argstring): """ Takes a string like '-o Foo=1 -o Bar="foo bar"' and returns a list ['-o', 'Foo=1', '-o', 'Bar=foo bar'] that can be added to the argument list. The list will not contain any empty elements. """ return [to_unicode(x.strip()) for x in shlex.split(to_bytes(argstring)) if x.strip()] if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): def _add_args(self, explanation, args): """ Adds the given args to self._command and displays a caller-supplied explanation of why they were added. """ self._command += args display.vvvvv('SSH: ' + explanation + ': (%s)' % ')('.join(args), host=self._play_context.remote_addr) if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): def _add_args(self, b_command, b_args, explanation): """ Adds arguments to the ssh command and displays a caller-supplied explanation of why. :arg b_command: A list containing the command to add the new arguments to. This list will be modified by this method. :arg b_args: An iterable of new arguments to add. This iterable is used more than once so it must be persistent (ie: a list is okay but a StringIO would not) :arg explanation: A text string containing explaining why the arguments were added. It will be displayed with a high enough verbosity. .. note:: This function does its work via side-effect. The b_command list has the new arguments appended. """ display.vvvvv(u'SSH: %s: (%s)' % (explanation, ')('.join(to_text(a) for a in b_args)), host=self._play_context.remote_addr) b_command += b_args if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): def _build_command(self, binary, *other_args): self._command = [] self._command += [binary] self._command += ['-C'] if self._play_context.verbosity > 3: self._command += ['-vvv'] elif binary == 'ssh': # Older versions of ssh (e.g. in RHEL 6) don't accept sftp -q. self._command += ['-q'] # Next, we add [ssh_connection]ssh_args from ansible.cfg. if self._play_context.ssh_args: args = self._split_args(self._play_context.ssh_args) self._add_args("ansible.cfg set ssh_args", args) # Now we add various arguments controlled by configuration file settings # (e.g. host_key_checking) or inventory variables (ansible_ssh_port) or # a combination thereof. if not C.HOST_KEY_CHECKING: self._add_args( "ANSIBLE_HOST_KEY_CHECKING/host_key_checking disabled", ("-o", "StrictHostKeyChecking=no") ) if self._play_context.port is not None: self._add_args( "ANSIBLE_REMOTE_PORT/remote_port/ansible_port set", ("-o", "Port={0}".format(self._play_context.port)) ) key = self._play_context.private_key_file if key: self._add_args( "ANSIBLE_PRIVATE_KEY_FILE/private_key_file/ansible_ssh_private_key_file set", ("-o", "IdentityFile=\"{0}\"".format(os.path.expanduser(key))) ) if not self._play_context.password: self._add_args( "ansible_password/ansible_ssh_pass not set", ( "-o", "KbdInteractiveAuthentication=no", "-o", "PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey", "-o", "PasswordAuthentication=no" ) ) user = self._play_context.remote_user if user: self._add_args( "ANSIBLE_REMOTE_USER/remote_user/ansible_user/user/-u set", ("-o", "User={0}".format(to_bytes(self._play_context.remote_user))) ) self._add_args( "ANSIBLE_TIMEOUT/timeout set", ("-o", "ConnectTimeout={0}".format(self._play_context.timeout)) ) # Check if ControlPersist is enabled and add a ControlPath if one hasn't # already been set. controlpersist, controlpath = self._persistence_controls(self._command) if controlpersist: self._persistent = True if not controlpath: cpdir = unfrackpath('$HOME/.ansible/cp') display.vv(str(C.ANSIBLE_SSH_CONTROL_PATH)) # The directory must exist and be writable. makedirs_safe(cpdir, 0o700) if not os.access(cpdir, os.W_OK): raise AnsibleError("Cannot write to ControlPath %s" % cpdir) args = ("-o", "ControlPath={0}".format( to_bytes(C.ANSIBLE_SSH_CONTROL_PATH % dict(directory=cpdir))) ) self._add_args("found only ControlPersist; added ControlPath", args) ## Finally, we add any caller-supplied extras. if other_args: self._command += other_args return self._command if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): def _build_command(self, binary, *other_args): b_command = [] if binary == 'ssh': b_command += [to_bytes(self._play_context.ssh_executable, errors='surrogate_or_strict')] else: b_command += [to_bytes(binary, errors='surrogate_or_strict')] if self._play_context.verbosity > 3: b_command.append(b'-vvv') # Next, we add [ssh_connection]ssh_args from ansible.cfg. # if self._play_context.ssh_args: b_args = [to_bytes(a, errors='surrogate_or_strict') for a in self._split_args(self._play_context.ssh_args)] self._add_args(b_command, b_args, u"ansible.cfg set ssh_args") # Now we add various arguments controlled by configuration file settings # (e.g. host_key_checking) or inventory variables (ansible_ssh_port) or # a combination thereof. if not C.HOST_KEY_CHECKING: b_args = (b"-o", b"StrictHostKeyChecking=no") self._add_args(b_command, b_args, u"ANSIBLE_HOST_KEY_CHECKING/host_key_checking disabled") if self._play_context.port is not None: b_args = (b"-o", b"Port=" + to_bytes(self._play_context.port, nonstring='simplerepr', errors='surrogate_or_strict')) self._add_args(b_command, b_args, u"ANSIBLE_REMOTE_PORT/remote_port/ansible_port set") key = self._play_context.private_key_file if key: b_args = (b"-o", b'IdentityFile="' + to_bytes(os.path.expanduser(key), errors='surrogate_or_strict') + b'"') self._add_args(b_command, b_args, u"ANSIBLE_PRIVATE_KEY_FILE/private_key_file/ansible_ssh_private_key_file set") if not self._play_context.password: self._add_args( b_command, ( b"-o", b"KbdInteractiveAuthentication=no", b"-o", b"PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey", b"-o", b"PasswordAuthentication=no" ), u"ansible_password/ansible_ssh_pass not set" ) user = self._play_context.remote_user if user: self._add_args( b_command, (b"-o", b"User=" + to_bytes(self._play_context.remote_user, errors='surrogate_or_strict')), u"ANSIBLE_REMOTE_USER/remote_user/ansible_user/user/-u set" ) self._add_args( b_command, (b"-o", b"ConnectTimeout=" + to_bytes(self._play_context.timeout, errors='surrogate_or_strict', nonstring='simplerepr')), u"ANSIBLE_TIMEOUT/timeout set" ) # Check if ControlPersist is enabled and add a ControlPath if one hasn't # already been set. controlpersist, controlpath = self._persistence_controls(b_command) if controlpersist: self._persistent = True if not controlpath: cpdir = unfrackpath(self.control_path_dir) b_cpdir = to_bytes(cpdir, errors='surrogate_or_strict') # The directory must exist and be writable. makedirs_safe(b_cpdir, 0o700) if not os.access(b_cpdir, os.W_OK): raise AnsibleError("Cannot write to ControlPath %s" % to_native(cpdir)) if not self.control_path: self.control_path = self._create_control_path( self.host, self.port, self.user ) b_args = (b"-o", b"ControlPath=" + to_bytes(self.control_path % dict(directory=cpdir), errors='surrogate_or_strict')) self._add_args(b_command, b_args, u"found only ControlPersist; added ControlPath") # Finally, we add any caller-supplied extras. if other_args: b_command += [to_bytes(a) for a in other_args] return b_command def _send_initial_data(self, fh, in_data): ''' Writes initial data to the stdin filehandle of the subprocess and closes it. (The handle must be closed; otherwise, for example, "sftp -b -" will just hang forever waiting for more commands.) ''' display.debug('Sending initial data') try: if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): fh.write(in_data) if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): fh.write(to_bytes(in_data)) fh.close() except (OSError, IOError): raise AnsibleConnectionFailure('SSH Error: data could not be sent to remote host "%s". Make sure this host can be reached over ssh' % self.host) display.debug('Sent initial data (%d bytes)' % len(in_data)) # Used by _run() to kill processes on failures @staticmethod def _terminate_process(p): """ Terminate a process, ignoring errors """ try: p.terminate() except (OSError, IOError): pass if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): # This is separate from _run() because we need to do the same thing for stdout # and stderr. def _examine_output(self, source, state, chunk, sudoable): ''' Takes a string, extracts complete lines from it, tests to see if they are a prompt, error message, etc., and sets appropriate flags in self. Prompt and success lines are removed. Returns the processed (i.e. possibly-edited) output and the unprocessed remainder (to be processed with the next chunk) as strings. ''' output = [] for l in chunk.splitlines(True): suppress_output = False #display.debug("Examining line (source=%s, state=%s): '%s'" % (source, state, l.rstrip('\r\n'))) if self._play_context.prompt and self.check_password_prompt(l): display.debug("become_prompt: (source=%s, state=%s): '%s'" % (source, state, l.rstrip('\r\n'))) self._flags['become_prompt'] = True suppress_output = True elif self._play_context.success_key and self.check_become_success(l): display.debug("become_success: (source=%s, state=%s): '%s'" % (source, state, l.rstrip('\r\n'))) self._flags['become_success'] = True suppress_output = True elif sudoable and self.check_incorrect_password(l): display.debug("become_error: (source=%s, state=%s): '%s'" % (source, state, l.rstrip('\r\n'))) self._flags['become_error'] = True elif sudoable and self.check_missing_password(l): display.debug("become_nopasswd_error: (source=%s, state=%s): '%s'" % (source, state, l.rstrip('\r\n'))) self._flags['become_nopasswd_error'] = True if not suppress_output: output.append(l) # The chunk we read was most likely a series of complete lines, but just # in case the last line was incomplete (and not a prompt, which we would # have removed from the output), we retain it to be processed with the # next chunk. remainder = '' if output and not output[-1].endswith('\n'): remainder = output[-1] output = output[:-1] return ''.join(output), remainder if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): # This is separate from _run() because we need to do the same thing for stdout # and stderr. def _examine_output(self, source, state, b_chunk, sudoable): ''' Takes a string, extracts complete lines from it, tests to see if they are a prompt, error message, etc., and sets appropriate flags in self. Prompt and success lines are removed. Returns the processed (i.e. possibly-edited) output and the unprocessed remainder (to be processed with the next chunk) as strings. ''' output = [] for b_line in b_chunk.splitlines(True): display_line = to_text(b_line).rstrip('\r\n') suppress_output = False # display.debug("Examining line (source=%s, state=%s): '%s'" % (source, state, display_line)) if self._play_context.prompt and self.check_password_prompt(b_line): display.debug("become_prompt: (source=%s, state=%s): '%s'" % (source, state, display_line)) self._flags['become_prompt'] = True suppress_output = True elif self._play_context.success_key and self.check_become_success(b_line): display.debug("become_success: (source=%s, state=%s): '%s'" % (source, state, display_line)) self._flags['become_success'] = True suppress_output = True elif sudoable and self.check_incorrect_password(b_line): display.debug("become_error: (source=%s, state=%s): '%s'" % (source, state, display_line)) self._flags['become_error'] = True elif sudoable and self.check_missing_password(b_line): display.debug("become_nopasswd_error: (source=%s, state=%s): '%s'" % (source, state, display_line)) self._flags['become_nopasswd_error'] = True if not suppress_output: output.append(b_line) # The chunk we read was most likely a series of complete lines, but just # in case the last line was incomplete (and not a prompt, which we would # have removed from the output), we retain it to be processed with the # next chunk. remainder = b'' if output and not output[-1].endswith(b'\n'): remainder = output[-1] output = output[:-1] return b''.join(output), remainder # only used from Ansible version 2.3 on forward def _bare_run(self, cmd, in_data, sudoable=True, checkrc=True): ''' Starts the command and communicates with it until it ends. ''' display_cmd = list(map(shlex_quote, map(to_text, cmd))) display.vvv(u'SSH: EXEC {0}'.format(u' '.join(display_cmd)), host=self.host) # Start the given command. If we don't need to pipeline data, we can try # to use a pseudo-tty (ssh will have been invoked with -tt). If we are # pipelining data, or can't create a pty, we fall back to using plain # old pipes. p = None if isinstance(cmd, (text_type, binary_type)): cmd = to_bytes(cmd) else: cmd = map(to_bytes, cmd) if not in_data: try: # Make sure stdin is a proper pty to avoid tcgetattr errors master, slave = pty.openpty() if PY3 and self._play_context.password: p = subprocess.Popen(cmd, stdin=slave, stdout=subprocess.PIPE, stderr=subprocess.PIPE, pass_fds=self.sshpass_pipe) else: p = subprocess.Popen(cmd, stdin=slave, stdout=subprocess.PIPE, stderr=subprocess.PIPE) stdin = os.fdopen(master, 'wb', 0) os.close(slave) except (OSError, IOError): p = None if not p: if PY3 and self._play_context.password: p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, pass_fds=self.sshpass_pipe) else: p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) stdin = p.stdin # If we are using SSH password authentication, write the password into # the pipe we opened in _build_command. if self._play_context.password: os.close(self.sshpass_pipe[0]) try: os.write(self.sshpass_pipe[1], to_bytes(self._play_context.password) + b'\n') except OSError as e: # Ignore broken pipe errors if the sshpass process has exited. if e.errno != errno.EPIPE or p.poll() is None: raise os.close(self.sshpass_pipe[1]) # # SSH state machine # # Now we read and accumulate output from the running process until it # exits. Depending on the circumstances, we may also need to write an # escalation password and/or pipelined input to the process. states = [ 'awaiting_prompt', 'awaiting_escalation', 'ready_to_send', 'awaiting_exit' ] # Are we requesting privilege escalation? Right now, we may be invoked # to execute sftp/scp with sudoable=True, but we can request escalation # only when using ssh. Otherwise we can send initial data straightaway. state = states.index('ready_to_send') if b'ssh' in cmd: if self._play_context.prompt: # We're requesting escalation with a password, so we have to # wait for a password prompt. state = states.index('awaiting_prompt') display.debug(u'Initial state: %s: %s' % (states[state], self._play_context.prompt)) elif self._play_context.become and self._play_context.success_key: # We're requesting escalation without a password, so we have to # detect success/failure before sending any initial data. state = states.index('awaiting_escalation') display.debug(u'Initial state: %s: %s' % (states[state], self._play_context.success_key)) # We store accumulated stdout and stderr output from the process here, # but strip any privilege escalation prompt/confirmation lines first. # Output is accumulated into tmp_*, complete lines are extracted into # an array, then checked and removed or copied to stdout or stderr. We # set any flags based on examining the output in self._flags. b_stdout = b_stderr = b'' b_tmp_stdout = b_tmp_stderr = b'' self._flags = dict( become_prompt=False, become_success=False, become_error=False, become_nopasswd_error=False ) # select timeout should be longer than the connect timeout, otherwise # they will race each other when we can't connect, and the connect # timeout usually fails timeout = 2 + self._play_context.timeout for fd in (p.stdout, p.stderr): fcntl.fcntl(fd, fcntl.F_SETFL, fcntl.fcntl(fd, fcntl.F_GETFL) | os.O_NONBLOCK) # TODO: bcoca would like to use SelectSelector() when open # filehandles is low, then switch to more efficient ones when higher. # select is faster when filehandles is low. selector = selectors.DefaultSelector() selector.register(p.stdout, selectors.EVENT_READ) selector.register(p.stderr, selectors.EVENT_READ) # If we can send initial data without waiting for anything, we do so # before we start polling if states[state] == 'ready_to_send' and in_data: self._send_initial_data(stdin, in_data) state += 1 try: while True: poll = p.poll() events = selector.select(timeout) # We pay attention to timeouts only while negotiating a prompt. if not events: # We timed out if state <= states.index('awaiting_escalation'): # If the process has already exited, then it's not really a # timeout; we'll let the normal error handling deal with it. if poll is not None: break self._terminate_process(p) raise AnsibleError('Timeout (%ds) waiting for privilege escalation prompt: %s' % (timeout, to_native(b_stdout))) # Read whatever output is available on stdout and stderr, and stop # listening to the pipe if it's been closed. for key, event in events: if key.fileobj == p.stdout: b_chunk = p.stdout.read() if b_chunk == b'': # stdout has been closed, stop watching it selector.unregister(p.stdout) # When ssh has ControlMaster (+ControlPath/Persist) enabled, the # first connection goes into the background and we never see EOF # on stderr. If we see EOF on stdout, lower the select timeout # to reduce the time wasted selecting on stderr if we observe # that the process has not yet existed after this EOF. Otherwise # we may spend a long timeout period waiting for an EOF that is # not going to arrive until the persisted connection closes. timeout = 1 b_tmp_stdout += b_chunk display.debug("stdout chunk (state=%s):\n>>>%s<<<\n" % (state, to_text(b_chunk))) elif key.fileobj == p.stderr: b_chunk = p.stderr.read() if b_chunk == b'': # stderr has been closed, stop watching it selector.unregister(p.stderr) b_tmp_stderr += b_chunk display.debug("stderr chunk (state=%s):\n>>>%s<<<\n" % (state, to_text(b_chunk))) # We examine the output line-by-line until we have negotiated any # privilege escalation prompt and subsequent success/error message. # Afterwards, we can accumulate output without looking at it. if state < states.index('ready_to_send'): if b_tmp_stdout: b_output, b_unprocessed = self._examine_output('stdout', states[state], b_tmp_stdout, sudoable) b_stdout += b_output b_tmp_stdout = b_unprocessed if b_tmp_stderr: b_output, b_unprocessed = self._examine_output('stderr', states[state], b_tmp_stderr, sudoable) b_stderr += b_output b_tmp_stderr = b_unprocessed else: b_stdout += b_tmp_stdout b_stderr += b_tmp_stderr b_tmp_stdout = b_tmp_stderr = b'' # If we see a privilege escalation prompt, we send the password. # (If we're expecting a prompt but the escalation succeeds, we # didn't need the password and can carry on regardless.) if states[state] == 'awaiting_prompt': if self._flags['become_prompt']: display.debug('Sending become_pass in response to prompt') stdin.write(to_bytes(self._play_context.become_pass) + b'\n') self._flags['become_prompt'] = False state += 1 elif self._flags['become_success']: state += 1 # We've requested escalation (with or without a password), now we # wait for an error message or a successful escalation. if states[state] == 'awaiting_escalation': if self._flags['become_success']: display.debug('Escalation succeeded') self._flags['become_success'] = False state += 1 elif self._flags['become_error']: display.debug('Escalation failed') self._terminate_process(p) self._flags['become_error'] = False raise AnsibleError('Incorrect %s password' % self._play_context.become_method) elif self._flags['become_nopasswd_error']: display.debug('Escalation requires password') self._terminate_process(p) self._flags['become_nopasswd_error'] = False raise AnsibleError('Missing %s password' % self._play_context.become_method) elif self._flags['become_prompt']: # This shouldn't happen, because we should see the "Sorry, # try again" message first. display.debug('Escalation prompt repeated') self._terminate_process(p) self._flags['become_prompt'] = False raise AnsibleError('Incorrect %s password' % self._play_context.become_method) # Once we're sure that the privilege escalation prompt, if any, has # been dealt with, we can send any initial data and start waiting # for output. if states[state] == 'ready_to_send': if in_data: self._send_initial_data(stdin, in_data) state += 1 # Now we're awaiting_exit: has the child process exited? If it has, # and we've read all available output from it, we're done. if poll is not None: if not selector.get_map() or not events: break # We should not see further writes to the stdout/stderr file # descriptors after the process has closed, set the select # timeout to gather any last writes we may have missed. timeout = 0 continue # If the process has not yet exited, but we've already read EOF from # its stdout and stderr (and thus no longer watching any file # descriptors), we can just wait for it to exit. elif not selector.get_map(): p.wait() break # Otherwise there may still be outstanding data to read. finally: selector.close() # close stdin after process is terminated and stdout/stderr are read # completely (see also issue #848) stdin.close() if C.HOST_KEY_CHECKING: if cmd[0] == b"sshpass" and p.returncode == 6: raise AnsibleError('Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support ' 'this. Please add this host\'s fingerprint to your known_hosts file to manage this host.') controlpersisterror = b'Bad configuration option: ControlPersist' in b_stderr or b'unknown configuration option: ControlPersist' in b_stderr if p.returncode != 0 and controlpersisterror: raise AnsibleError('using -c ssh on certain older ssh versions may not support ControlPersist, set ANSIBLE_SSH_ARGS="" ' '(or ssh_args in [ssh_connection] section of the config file) before running again') # If we find a broken pipe because of ControlPersist timeout expiring (see #16731), # we raise a special exception so that we can retry a connection. controlpersist_broken_pipe = b'mux_client_hello_exchange: write packet: Broken pipe' in b_stderr if p.returncode == 255 and controlpersist_broken_pipe: raise AnsibleControlPersistBrokenPipeError('SSH Error: data could not be sent because of ControlPersist broken pipe.') if p.returncode == 255 and in_data and checkrc: raise AnsibleConnectionFailure('SSH Error: data could not be sent to remote host "%s". Make sure this host can be reached over ssh' % self.host) return (p.returncode, b_stdout, b_stderr) if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): @_ssh_retry def _run(self, cmd, in_data, sudoable=True, checkrc=True): """Wrapper around _bare_run that retries the connection """ return self._bare_run(cmd, in_data, sudoable, checkrc) if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): def _run(self, cmd, in_data, sudoable=True): ''' Starts the command and communicates with it until it ends. ''' display_cmd = map(to_unicode, map(pipes.quote, cmd)) display.vvv(u'SSH: EXEC {0}'.format(u' '.join(display_cmd)), host=self.host) # Start the given command. If we don't need to pipeline data, we can try # to use a pseudo-tty (ssh will have been invoked with -tt). If we are # pipelining data, or can't create a pty, we fall back to using plain # old pipes. p = None if isinstance(cmd, (text_type, binary_type)): cmd = to_bytes(cmd) else: cmd = map(to_bytes, cmd) if not in_data: try: # Make sure stdin is a proper pty to avoid tcgetattr errors master, slave = pty.openpty() p = subprocess.Popen(cmd, stdin=slave, stdout=subprocess.PIPE, stderr=subprocess.PIPE) stdin = os.fdopen(master, 'w', 0) os.close(slave) except (OSError, IOError): p = None if not p: p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) stdin = p.stdin # If we are using SSH password authentication, write the password into # the pipe we opened in _build_command. if self._play_context.password: os.close(self.sshpass_pipe[0]) os.write(self.sshpass_pipe[1], "{0}\n".format(to_bytes(self._play_context.password))) os.close(self.sshpass_pipe[1]) ## SSH state machine # # Now we read and accumulate output from the running process until it # exits. Depending on the circumstances, we may also need to write an # escalation password and/or pipelined input to the process. states = [ 'awaiting_prompt', 'awaiting_escalation', 'ready_to_send', 'awaiting_exit' ] # Are we requesting privilege escalation? Right now, we may be invoked # to execute sftp/scp with sudoable=True, but we can request escalation # only when using ssh. Otherwise we can send initial data straightaway. state = states.index('ready_to_send') if b'ssh' in cmd: if self._play_context.prompt: # We're requesting escalation with a password, so we have to # wait for a password prompt. state = states.index('awaiting_prompt') display.debug('Initial state: %s: %s' % (states[state], self._play_context.prompt)) elif self._play_context.become and self._play_context.success_key: # We're requesting escalation without a password, so we have to # detect success/failure before sending any initial data. state = states.index('awaiting_escalation') display.debug('Initial state: %s: %s' % (states[state], self._play_context.success_key)) # We store accumulated stdout and stderr output from the process here, # but strip any privilege escalation prompt/confirmation lines first. # Output is accumulated into tmp_*, complete lines are extracted into # an array, then checked and removed or copied to stdout or stderr. We # set any flags based on examining the output in self._flags. stdout = stderr = '' tmp_stdout = tmp_stderr = '' self._flags = dict( become_prompt=False, become_success=False, become_error=False, become_nopasswd_error=False ) # select timeout should be longer than the connect timeout, otherwise # they will race each other when we can't connect, and the connect # timeout usually fails timeout = 2 + self._play_context.timeout rpipes = [p.stdout, p.stderr] for fd in rpipes: fcntl.fcntl(fd, fcntl.F_SETFL, fcntl.fcntl(fd, fcntl.F_GETFL) | os.O_NONBLOCK) # If we can send initial data without waiting for anything, we do so # before we call select. if states[state] == 'ready_to_send' and in_data: self._send_initial_data(stdin, in_data) state += 1 while True: rfd, wfd, efd = select.select(rpipes, [], [], timeout) # We pay attention to timeouts only while negotiating a prompt. if not rfd: if state <= states.index('awaiting_escalation'): # If the process has already exited, then it's not really a # timeout; we'll let the normal error handling deal with it. if p.poll() is not None: break self._terminate_process(p) raise AnsibleError('Timeout (%ds) waiting for privilege escalation prompt: %s' % (timeout, stdout)) # Read whatever output is available on stdout and stderr, and stop # listening to the pipe if it's been closed. if p.stdout in rfd: chunk = p.stdout.read() if chunk == '': rpipes.remove(p.stdout) tmp_stdout += chunk display.debug("stdout chunk (state=%s):\n>>>%s<<<\n" % (state, chunk)) if p.stderr in rfd: chunk = p.stderr.read() if chunk == '': rpipes.remove(p.stderr) tmp_stderr += chunk display.debug("stderr chunk (state=%s):\n>>>%s<<<\n" % (state, chunk)) # We examine the output line-by-line until we have negotiated any # privilege escalation prompt and subsequent success/error message. # Afterwards, we can accumulate output without looking at it. if state < states.index('ready_to_send'): if tmp_stdout: output, unprocessed = self._examine_output('stdout', states[state], tmp_stdout, sudoable) stdout += output tmp_stdout = unprocessed if tmp_stderr: output, unprocessed = self._examine_output('stderr', states[state], tmp_stderr, sudoable) stderr += output tmp_stderr = unprocessed else: stdout += tmp_stdout stderr += tmp_stderr tmp_stdout = tmp_stderr = '' # If we see a privilege escalation prompt, we send the password. # (If we're expecting a prompt but the escalation succeeds, we # didn't need the password and can carry on regardless.) if states[state] == 'awaiting_prompt': if self._flags['become_prompt']: display.debug('Sending become_pass in response to prompt') stdin.write('{0}\n'.format(to_bytes(self._play_context.become_pass ))) self._flags['become_prompt'] = False state += 1 elif self._flags['become_success']: state += 1 # We've requested escalation (with or without a password), now we # wait for an error message or a successful escalation. if states[state] == 'awaiting_escalation': if self._flags['become_success']: display.debug('Escalation succeeded') self._flags['become_success'] = False state += 1 elif self._flags['become_error']: display.debug('Escalation failed') self._terminate_process(p) self._flags['become_error'] = False raise AnsibleError('Incorrect %s password' % self._play_context.become_method) elif self._flags['become_nopasswd_error']: display.debug('Escalation requires password') self._terminate_process(p) self._flags['become_nopasswd_error'] = False raise AnsibleError('Missing %s password' % self._play_context.become_method) elif self._flags['become_prompt']: # This shouldn't happen, because we should see the "Sorry, # try again" message first. display.debug('Escalation prompt repeated') self._terminate_process(p) self._flags['become_prompt'] = False raise AnsibleError('Incorrect %s password' % self._play_context.become_method) # Once we're sure that the privilege escalation prompt, if any, has # been dealt with, we can send any initial data and start waiting # for output. if states[state] == 'ready_to_send': if in_data: self._send_initial_data(stdin, in_data) state += 1 # Now we're awaiting_exit: has the child process exited? If it has, # and we've read all available output from it, we're done. if p.poll() is not None: if not rpipes or not rfd: break # When ssh has ControlMaster (+ControlPath/Persist) enabled, the # first connection goes into the background and we never see EOF # on stderr. If we see EOF on stdout and the process has exited, # we're probably done. We call select again with a zero timeout, # just to make certain we don't miss anything that may have been # written to stderr between the time we called select() and when # we learned that the process had finished. if p.stdout not in rpipes: timeout = 0 continue # If the process has not yet exited, but we've already read EOF from # its stdout and stderr (and thus removed both from rpipes), we can # just wait for it to exit. elif not rpipes: p.wait() break # Otherwise there may still be outstanding data to read. # close stdin after process is terminated and stdout/stderr are read # completely (see also issue #848) stdin.close() if C.HOST_KEY_CHECKING: if cmd[0] == b"sshpass" and p.returncode == 6: raise AnsibleError('Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this. Please add this host\'s fingerprint to your known_hosts file to manage this host.') controlpersisterror = 'Bad configuration option: ControlPersist' in stderr or 'unknown configuration option: ControlPersist' in stderr if p.returncode != 0 and controlpersisterror: raise AnsibleError('using -c ssh on certain older ssh versions may not support ControlPersist, set ANSIBLE_SSH_ARGS="" (or ssh_args in [ssh_connection] section of the config file) before running again') if p.returncode == 255 and in_data: raise AnsibleConnectionFailure('SSH Error: data could not be sent to the remote host. Make sure this host can be reached over ssh') return (p.returncode, stdout, stderr) def _exec_command(self, cmd, in_data=None, sudoable=True): ''' run a command on the remote host ''' super(Connection, self).exec_command(cmd, in_data=in_data, sudoable=sudoable) display.vvv(u"ESTABLISH SSH CONNECTION FOR USER: {0}".format(self._play_context.remote_user), host=self._play_context.remote_addr) # we can only use tty when we are not pipelining the modules. piping # data into /usr/bin/python inside a tty automatically invokes the # python interactive-mode but the modules are not compatible with the # interactive-mode ("unexpected indent" mainly because of empty lines) if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): ssh_executable = self._play_context.ssh_executable if in_data: if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): cmd = self._build_command('ssh', self.host, cmd) if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): cmd = self._build_command(ssh_executable, self.host, cmd) else: if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): cmd = self._build_command('ssh', '-tt', self.host, cmd) if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): cmd = self._build_command(ssh_executable, '-tt', self.host, cmd) (returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=sudoable) return (returncode, stdout, stderr) def dir_print(self,obj): for attr_name in dir(obj): try: attr_value = getattr(obj, attr_name) print(attr_name, attr_value, callable(attr_value)) except: pass # # Main public methods # def exec_command(self, cmd, in_data=None, sudoable=False): ''' run a command on the chroot ''' display.vvv('XXX exec_command: %s' % cmd) super(Connection, self).exec_command(cmd, in_data=in_data, sudoable=sudoable) if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): ssh_executable = self._play_context.ssh_executable ##print dir(self) ##print dir(self._play_context) ##print self._play_context._attributes #self.dir_print(self._play_context) #vm = self._play_context.get_ds() #print( vm ) #raise "blah" h = self.container_name if (self.lxc_version == 2): lxc_cmd = 'sudo -i lxc exec %s --mode=non-interactive -- /bin/sh -c %s' \ % (pipes.quote(h), pipes.quote(cmd)) elif (self.lxc_version == 1): lxc_cmd = 'sudo -i lxc-attach --name %s -- /bin/sh -c %s' \ % (pipes.quote(h), pipes.quote(cmd)) if in_data: if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): cmd = self._build_command('ssh', self.host, lxc_cmd) if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): cmd = self._build_command(ssh_executable, self.host, lxc_cmd) else: if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): cmd = self._build_command('ssh', '-tt', self.host, lxc_cmd) if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): cmd = self._build_command(ssh_executable, '-tt', self.host, lxc_cmd) #self.ssh.exec_command(lxc_cmd,in_data,sudoable) (returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=sudoable) return (returncode, stdout, stderr) def put_file(self, in_path, out_path): ''' transfer a file from local to lxc ''' super(Connection, self).put_file(in_path, out_path) if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): display.vvv('XXX put_file %s %s' % (in_path,out_path)) if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): display.vvv(u"PUT {0} TO {1}".format(in_path, out_path), host=self.host) ssh_executable = self._play_context.ssh_executable if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): if not os.path.exists(in_path): raise errors.AnsibleFileNotFound("file or module does not exist: %s" % in_path) if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): if not os.path.exists(to_bytes(in_path, errors='surrogate_or_strict')): raise AnsibleFileNotFound("file or module does not exist: {0}".format(to_native(in_path))) with open(in_path,'r') as in_f: in_data = in_f.read() cmd = ('cat > %s; echo -n done' % pipes.quote(out_path)) h = self.container_name if (self.lxc_version == 2): lxc_cmd = 'sudo lxc exec %s --mode=non-interactive -- /bin/sh -c %s' \ % (pipes.quote(h), pipes.quote(cmd)) elif (self.lxc_version == 1): lxc_cmd = 'sudo lxc-attach --name %s -- /bin/sh -c %s' \ % (pipes.quote(h), pipes.quote(cmd)) if in_data: if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): cmd = self._build_command('ssh', self.host, lxc_cmd) if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): cmd = self._build_command(ssh_executable, self.host, lxc_cmd) else: if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): cmd = self._build_command('ssh', '-tt', self.host, lxc_cmd) if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): cmd = self._build_command(ssh_executable, '-tt', self.host, lxc_cmd) #self.ssh.exec_command(lxc_cmd,in_data,sudoable) (returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=False) return (returncode, stdout, stderr) def fetch_file(self, in_path, out_path): ''' fetch a file from lxc to local ''' super(Connection, self).fetch_file(in_path, out_path) if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): display.vvv('XXX fetch_file %s %s' % (in_path,out_path)) if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): display.vvv(u"FETCH {0} TO {1}".format(in_path, out_path), host=self.host) ssh_executable = self._play_context.ssh_executable if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): cmd = ('cat %s' % pipes.quote(in_path)) if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): cmd = ('cat < %s' % pipes.quote(in_path)) h = self.container_name if (self.lxc_version == 2): lxc_cmd = 'sudo lxc exec %s --mode=non-interactive -- /bin/sh -c %s' \ % (pipes.quote(h), pipes.quote(cmd)) elif (self.lxc_version == 1): lxc_cmd = 'sudo lxc-attach --name %s -- /bin/sh -c %s' \ % (pipes.quote(h), pipes.quote(cmd)) if LooseVersion(ansible_version) < LooseVersion('2.3.0.0'): in_data = None if in_data: cmd = self._build_command('ssh', self.host, lxc_cmd) else: cmd = self._build_command('ssh', '-tt', self.host, lxc_cmd) (returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=False) if returncode != 0: raise AnsibleError("failed to transfer file from {0}:\n{1}\n{2}".format(in_path, stdout, stderr)) with open(out_path,'w') as out_f: out_f.write(stdout) if LooseVersion(ansible_version) >= LooseVersion('2.3.0.0'): cmd = self._build_command(ssh_executable, self.host, lxc_cmd) (returncode, stdout, stderr) = self._run(cmd, None, sudoable=False) if returncode != 0: raise AnsibleError("failed to transfer file from {0}:\n{1}\n{2}".format(in_path, stdout, stderr)) with open(out_path,'w') as out_f: out_f.write(stdout) return (returncode, stdout, stderr) # only used from Ansible version 2.3 on forward def reset(self): # If we have a persistent ssh connection (ControlPersist), we can ask it to stop listening. cmd = self._build_command(self._play_context.ssh_executable, '-O', 'stop', self.host) controlpersist, controlpath = self._persistence_controls(cmd) if controlpersist: display.vvv(u'sending stop: %s' % cmd) p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) stdout, stderr = p.communicate() status_code = p.wait() if status_code != 0: raise AnsibleError("Cannot reset connection:\n%s" % stderr) self.close() def close(self): ''' terminate the connection; nothing to do here ''' display.vvv('XXX close') super(Connection, self).close() #self.ssh.close() self._connected = False ' href='#n1632'>1632 1633 1634 1635 1636 1637 1638 1639 1640 1641 1642 1643 1644 1645 1646 1647 1648 1649 1650 1651 1652 1653 1654 1655 1656 1657 1658 1659 1660 1661 1662 1663 1664 1665 1666 1667 1668 1669 1670 1671 1672 1673 1674 1675 1676 1677 1678 1679 1680 1681 1682 1683 1684 1685 1686 1687 1688 1689 1690 1691 1692 1693 1694 1695 1696 1697 1698 1699 1700 1701 1702 1703 1704 1705 1706 1707 1708 1709 1710 1711 1712 1713 1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764 1765 1766 1767 1768 1769 1770 1771 1772 1773 1774 1775 1776 1777 1778 1779 1780 1781 1782 1783 1784 1785 1786 1787 1788 1789 1790 1791 1792 1793 1794 1795 1796 1797 1798 1799 1800 1801 1802 1803 1804 1805 1806 1807 1808 1809 1810 1811 1812 1813 1814 1815 1816 1817 1818 1819 1820 1821 1822 1823 1824 1825 1826 1827 1828 1829 1830 1831 1832 1833 1834 1835 1836 1837 1838 1839 1840 1841 1842 1843 1844 1845 1846 1847 1848 1849 1850 1851 1852 1853 1854 1855 1856 1857 1858 1859 1860 1861 1862 1863 1864 1865 1866 1867 1868 1869 1870 1871 1872 1873 1874 1875 1876 1877 1878 1879 1880 1881 1882 1883 1884 1885 1886 1887 1888 1889 1890 1891 1892 1893 1894 1895 1896 1897 1898 1899 1900 1901 1902 1903 1904 1905 1906 1907 1908 1909 1910 1911 1912 1913 1914 1915 1916 1917 1918 1919 1920 1921 1922 1923 1924 1925 1926 1927 1928 1929 1930 1931 1932 1933 1934 1935 1936 1937 1938 1939 1940 1941 1942 1943 1944 1945 1946 1947 1948 1949 1950 1951 1952 1953 1954 1955 1956 1957 1958 1959 1960 1961 1962 1963 1964 1965 1966 1967 1968 1969 1970 1971 1972 1973 1974 1975 1976 1977 1978 1979 1980 1981 1982 1983 1984 1985 1986 1987 1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021 2022 2023 2024 2025 2026 2027 2028 2029 2030 2031 2032 2033 2034 2035 2036 2037 2038 2039 2040 2041 2042 2043 2044 2045 2046 2047 2048 2049 2050 2051 2052 2053 2054 2055 2056 2057 2058 2059 2060 2061 2062 2063 2064 2065 2066 2067 2068 2069 2070 2071 2072 2073 2074 2075 2076 2077 2078 2079 2080 2081 2082 2083 2084 2085 2086 2087 2088 2089 2090 2091 2092 2093 2094 2095 2096 2097 2098 2099 2100 2101 2102 2103 2104 2105 2106 2107 2108 2109 2110 2111 2112 2113 2114 2115 2116 2117 2118 2119 2120 2121 2122 2123 2124 2125 2126 2127 2128 2129 2130 2131 2132 2133 2134 2135 2136 2137 2138 2139 2140 2141 2142 2143 2144 2145 2146 2147 2148 2149 2150 2151 2152 2153 2154 2155 2156 2157 2158 2159 2160 2161 2162 2163 2164 2165 2166 2167 2168 2169 2170 2171 2172 2173 2174 2175 2176 2177 2178 2179 2180 2181 2182 2183 2184 2185 2186 2187 2188 2189 2190 2191 2192 2193 2194 2195 2196 2197 2198 2199 2200 2201 2202 2203 2204 2205 2206 2207 2208 2209 2210 2211 2212 2213 2214 2215 2216 2217 2218 2219 2220 2221 2222 2223 2224 2225 2226 2227 2228 2229 2230 2231 2232 2233 2234 2235 2236 2237 2238 2239 2240 2241 2242 2243 2244 2245 2246 2247 2248 2249 2250 2251 2252 2253 2254 2255 2256 2257 2258 2259 2260 2261 2262 2263 2264 2265 2266 2267 2268 2269 2270 2271 2272 2273 2274 2275 2276 2277 2278 2279 2280 2281 2282 2283 2284 2285 2286 2287 2288 2289 2290 2291 2292 2293 2294 2295 2296 2297 2298 2299 2300 2301 2302 2303 2304 2305 2306 2307 2308 2309 2310 2311 2312 2313 2314 2315 2316 2317 2318 2319 2320 2321 2322 2323 2324 2325 2326 2327 2328 2329 2330 2331 2332 2333 2334 2335 2336 2337 2338 2339 2340 2341 2342 2343 2344 2345 2346 2347 2348 2349 2350 2351 2352 2353 2354 2355 2356 2357 2358 2359 2360 2361 2362 2363 2364 2365 2366 2367 2368 2369 2370 2371 2372 2373 2374 2375 2376 2377 2378 2379 2380 2381 2382 2383 2384 2385 2386 2387 2388 2389 2390 2391 2392 2393 2394 2395 2396 2397 2398 2399 2400 2401 2402 2403 2404 2405 2406 2407 2408 2409 2410 2411 2412 2413 2414 2415 2416 2417 2418 2419 2420 2421 2422 2423 2424 2425 2426 2427 2428 2429 2430 2431 2432 2433 2434 2435 2436 2437 2438