removing some unusued files. Paramiko alt was an experiment to attempt pipeline for paramiko, ssh_old is the non-pipelining-supported earlier
version of the OpenSSH transport, which is configurable now and unified.
This commit is contained in:
parent
35def422a3
commit
33857855ad
2 changed files with 0 additions and 684 deletions
|
@ -1,344 +0,0 @@
|
||||||
# (c) 2012, Michael DeHaan <michael.dehaan@gmail.com>
|
|
||||||
#
|
|
||||||
# This file is part of Ansible
|
|
||||||
#
|
|
||||||
# Ansible is free software: you can redistribute it and/or modify
|
|
||||||
# it under the terms of the GNU General Public License as published by
|
|
||||||
# the Free Software Foundation, either version 3 of the License, or
|
|
||||||
# (at your option) any later version.
|
|
||||||
#
|
|
||||||
# Ansible is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
|
|
||||||
|
|
||||||
# ---
|
|
||||||
# The paramiko transport is provided because many distributions, in particular EL6 and before
|
|
||||||
# do not support ControlPersist in their SSH implementations. This is needed on the Ansible
|
|
||||||
# control machine to be reasonably efficient with connections. Thus paramiko is faster
|
|
||||||
# for most users on these platforms. Users with ControlPersist capability can consider
|
|
||||||
# using -c ssh or configuring the transport in ansible.cfg.
|
|
||||||
|
|
||||||
import warnings
|
|
||||||
import os
|
|
||||||
import pipes
|
|
||||||
import socket
|
|
||||||
import random
|
|
||||||
import logging
|
|
||||||
import traceback
|
|
||||||
import fcntl
|
|
||||||
import sys
|
|
||||||
from termios import tcflush, TCIFLUSH
|
|
||||||
from binascii import hexlify
|
|
||||||
from ansible.callbacks import vvv
|
|
||||||
from ansible import errors
|
|
||||||
from ansible import utils
|
|
||||||
from ansible import constants as C
|
|
||||||
|
|
||||||
AUTHENTICITY_MSG="""
|
|
||||||
paramiko: The authenticity of host '%s' can't be established.
|
|
||||||
The %s key fingerprint is %s.
|
|
||||||
Are you sure you want to continue connecting (yes/no)?
|
|
||||||
"""
|
|
||||||
|
|
||||||
# prevent paramiko warning noise -- see http://stackoverflow.com/questions/3920502/
|
|
||||||
HAVE_PARAMIKO=False
|
|
||||||
with warnings.catch_warnings():
|
|
||||||
warnings.simplefilter("ignore")
|
|
||||||
try:
|
|
||||||
import paramiko
|
|
||||||
HAVE_PARAMIKO=True
|
|
||||||
logging.getLogger("paramiko").setLevel(logging.WARNING)
|
|
||||||
except ImportError:
|
|
||||||
pass
|
|
||||||
|
|
||||||
class MyAddPolicy(object):
|
|
||||||
"""
|
|
||||||
Based on AutoAddPolicy in paramiko so we can determine when keys are added
|
|
||||||
and also prompt for input.
|
|
||||||
|
|
||||||
Policy for automatically adding the hostname and new host key to the
|
|
||||||
local L{HostKeys} object, and saving it. This is used by L{SSHClient}.
|
|
||||||
"""
|
|
||||||
|
|
||||||
def __init__(self, runner):
|
|
||||||
self.runner = runner
|
|
||||||
|
|
||||||
def missing_host_key(self, client, hostname, key):
|
|
||||||
|
|
||||||
if C.HOST_KEY_CHECKING:
|
|
||||||
|
|
||||||
fcntl.lockf(self.runner.process_lockfile, fcntl.LOCK_EX)
|
|
||||||
fcntl.lockf(self.runner.output_lockfile, fcntl.LOCK_EX)
|
|
||||||
|
|
||||||
old_stdin = sys.stdin
|
|
||||||
sys.stdin = self.runner._new_stdin
|
|
||||||
fingerprint = hexlify(key.get_fingerprint())
|
|
||||||
ktype = key.get_name()
|
|
||||||
|
|
||||||
# clear out any premature input on sys.stdin
|
|
||||||
tcflush(sys.stdin, TCIFLUSH)
|
|
||||||
|
|
||||||
inp = raw_input(AUTHENTICITY_MSG % (hostname, ktype, fingerprint))
|
|
||||||
sys.stdin = old_stdin
|
|
||||||
if inp not in ['yes','y','']:
|
|
||||||
fcntl.flock(self.runner.output_lockfile, fcntl.LOCK_UN)
|
|
||||||
fcntl.flock(self.runner.process_lockfile, fcntl.LOCK_UN)
|
|
||||||
raise errors.AnsibleError("host connection rejected by user")
|
|
||||||
|
|
||||||
fcntl.lockf(self.runner.output_lockfile, fcntl.LOCK_UN)
|
|
||||||
fcntl.lockf(self.runner.process_lockfile, fcntl.LOCK_UN)
|
|
||||||
|
|
||||||
|
|
||||||
key._added_by_ansible_this_time = True
|
|
||||||
|
|
||||||
# existing implementation below:
|
|
||||||
client._host_keys.add(hostname, key.get_name(), key)
|
|
||||||
|
|
||||||
# host keys are actually saved in close() function below
|
|
||||||
# in order to control ordering.
|
|
||||||
|
|
||||||
|
|
||||||
# keep connection objects on a per host basis to avoid repeated attempts to reconnect
|
|
||||||
|
|
||||||
SSH_CONNECTION_CACHE = {}
|
|
||||||
SFTP_CONNECTION_CACHE = {}
|
|
||||||
|
|
||||||
class Connection(object):
|
|
||||||
''' SSH based connections with Paramiko '''
|
|
||||||
|
|
||||||
def __init__(self, runner, host, port, user, password, private_key_file, *args, **kwargs):
|
|
||||||
|
|
||||||
self.ssh = None
|
|
||||||
self.sftp = None
|
|
||||||
self.runner = runner
|
|
||||||
self.host = host
|
|
||||||
self.port = port
|
|
||||||
self.user = user
|
|
||||||
self.password = password
|
|
||||||
self.private_key_file = private_key_file
|
|
||||||
self.has_pipelining = True
|
|
||||||
|
|
||||||
def _cache_key(self):
|
|
||||||
return "%s__%s__" % (self.host, self.user)
|
|
||||||
|
|
||||||
def connect(self):
|
|
||||||
cache_key = self._cache_key()
|
|
||||||
if cache_key in SSH_CONNECTION_CACHE:
|
|
||||||
self.ssh = SSH_CONNECTION_CACHE[cache_key]
|
|
||||||
else:
|
|
||||||
self.ssh = SSH_CONNECTION_CACHE[cache_key] = self._connect_uncached()
|
|
||||||
return self
|
|
||||||
|
|
||||||
def _connect_uncached(self):
|
|
||||||
''' activates the connection object '''
|
|
||||||
|
|
||||||
if not HAVE_PARAMIKO:
|
|
||||||
raise errors.AnsibleError("paramiko is not installed")
|
|
||||||
|
|
||||||
vvv("ESTABLISH CONNECTION FOR USER: %s on PORT %s TO %s" % (self.user, self.port, self.host), host=self.host)
|
|
||||||
|
|
||||||
ssh = paramiko.SSHClient()
|
|
||||||
|
|
||||||
self.keyfile = os.path.expanduser("~/.ssh/known_hosts")
|
|
||||||
|
|
||||||
if C.HOST_KEY_CHECKING:
|
|
||||||
ssh.load_system_host_keys()
|
|
||||||
ssh.set_missing_host_key_policy(MyAddPolicy(self.runner))
|
|
||||||
|
|
||||||
allow_agent = True
|
|
||||||
if self.password is not None:
|
|
||||||
allow_agent = False
|
|
||||||
try:
|
|
||||||
if self.private_key_file:
|
|
||||||
key_filename = os.path.expanduser(self.private_key_file)
|
|
||||||
elif self.runner.private_key_file:
|
|
||||||
key_filename = os.path.expanduser(self.runner.private_key_file)
|
|
||||||
else:
|
|
||||||
key_filename = None
|
|
||||||
ssh.connect(self.host, username=self.user, allow_agent=allow_agent, look_for_keys=True,
|
|
||||||
key_filename=key_filename, password=self.password,
|
|
||||||
timeout=self.runner.timeout, port=self.port)
|
|
||||||
except Exception, e:
|
|
||||||
msg = str(e)
|
|
||||||
if "PID check failed" in msg:
|
|
||||||
raise errors.AnsibleError("paramiko version issue, please upgrade paramiko on the machine running ansible")
|
|
||||||
elif "Private key file is encrypted" in msg:
|
|
||||||
msg = 'ssh %s@%s:%s : %s\nTo connect as a different user, use -u <username>.' % (
|
|
||||||
self.user, self.host, self.port, msg)
|
|
||||||
raise errors.AnsibleConnectionFailed(msg)
|
|
||||||
else:
|
|
||||||
raise errors.AnsibleConnectionFailed(msg)
|
|
||||||
|
|
||||||
return ssh
|
|
||||||
|
|
||||||
def exec_command(self, cmd, tmp_path, sudo_user=None, sudoable=False, executable='/bin/sh', in_data=None, su=None, su_user=None):
|
|
||||||
''' run a command on the remote host '''
|
|
||||||
|
|
||||||
bufsize = 4096
|
|
||||||
try:
|
|
||||||
chan = self.ssh.get_transport().open_session()
|
|
||||||
except Exception, e:
|
|
||||||
msg = "Failed to open session"
|
|
||||||
if len(str(e)) > 0:
|
|
||||||
msg += ": %s" % str(e)
|
|
||||||
raise errors.AnsibleConnectionFailed(msg)
|
|
||||||
|
|
||||||
if not (self.runner.sudo and sudoable) and not (self.runner.su and su) or in_data:
|
|
||||||
if executable:
|
|
||||||
quoted_command = executable + ' -c ' + pipes.quote(cmd)
|
|
||||||
else:
|
|
||||||
quoted_command = cmd
|
|
||||||
vvv("EXEC ALT no-tty %s" % quoted_command, host=self.host)
|
|
||||||
chan.exec_command(quoted_command)
|
|
||||||
else:
|
|
||||||
# sudo usually requires a PTY (cf. requiretty option), therefore
|
|
||||||
# we give it one by default (pty=True in ansble.cfg), and we try
|
|
||||||
# to initialise from the calling environment
|
|
||||||
if C.PARAMIKO_PTY:
|
|
||||||
chan.get_pty(term=os.getenv('TERM', 'vt100'),
|
|
||||||
width=int(os.getenv('COLUMNS', 0)),
|
|
||||||
height=int(os.getenv('LINES', 0)))
|
|
||||||
shcmd, prompt, success_key = utils.make_sudo_cmd(sudo_user, executable, cmd)
|
|
||||||
vvv("EXEC %s" % shcmd, host=self.host)
|
|
||||||
sudo_output = ''
|
|
||||||
try:
|
|
||||||
chan.exec_command(shcmd)
|
|
||||||
if self.runner.sudo_pass or self.runner.su_pass:
|
|
||||||
while not sudo_output.endswith(prompt) and success_key not in sudo_output:
|
|
||||||
chunk = chan.recv(bufsize)
|
|
||||||
if not chunk:
|
|
||||||
if 'unknown user' in sudo_output:
|
|
||||||
raise errors.AnsibleError(
|
|
||||||
'user %s does not exist' % sudo_user)
|
|
||||||
else:
|
|
||||||
raise errors.AnsibleError('ssh connection ' +
|
|
||||||
'closed waiting for password prompt')
|
|
||||||
sudo_output += chunk
|
|
||||||
if success_key not in sudo_output:
|
|
||||||
if sudoable:
|
|
||||||
chan.sendall(self.runner.sudo_pass + '\n')
|
|
||||||
elif su:
|
|
||||||
chan.sendall(self.runner.su_pass + '\n')
|
|
||||||
except socket.timeout:
|
|
||||||
raise errors.AnsibleError('ssh timed out waiting for sudo.\n' + sudo_output)
|
|
||||||
|
|
||||||
if in_data:
|
|
||||||
try:
|
|
||||||
stdin = chan.makefile('wb')
|
|
||||||
stdin.write(in_data)
|
|
||||||
chan.shutdown_write()
|
|
||||||
except Exception, e:
|
|
||||||
raise errors.AnsibleError('SSH Error: data could not be sent to the remote host. Make sure this host can be reached over ssh.')
|
|
||||||
|
|
||||||
stdout = ''.join(chan.makefile('rb', bufsize))
|
|
||||||
stderr = ''.join(chan.makefile_stderr('rb', bufsize))
|
|
||||||
|
|
||||||
return (chan.recv_exit_status(), '', stdout, stderr)
|
|
||||||
|
|
||||||
def put_file(self, in_path, out_path):
|
|
||||||
''' transfer a file from local to remote '''
|
|
||||||
vvv("PUT %s TO %s" % (in_path, out_path), host=self.host)
|
|
||||||
if not os.path.exists(in_path):
|
|
||||||
raise errors.AnsibleFileNotFound("file or module does not exist: %s" % in_path)
|
|
||||||
try:
|
|
||||||
self.sftp = self.ssh.open_sftp()
|
|
||||||
except Exception, e:
|
|
||||||
raise errors.AnsibleError("failed to open a SFTP connection (%s)" % e)
|
|
||||||
try:
|
|
||||||
self.sftp.put(in_path, out_path)
|
|
||||||
except IOError:
|
|
||||||
raise errors.AnsibleError("failed to transfer file to %s" % out_path)
|
|
||||||
|
|
||||||
def _connect_sftp(self):
|
|
||||||
cache_key = "%s__%s__" % (self.host, self.user)
|
|
||||||
if cache_key in SFTP_CONNECTION_CACHE:
|
|
||||||
return SFTP_CONNECTION_CACHE[cache_key]
|
|
||||||
else:
|
|
||||||
result = SFTP_CONNECTION_CACHE[cache_key] = self.connect().ssh.open_sftp()
|
|
||||||
return result
|
|
||||||
|
|
||||||
def fetch_file(self, in_path, out_path):
|
|
||||||
''' save a remote file to the specified path '''
|
|
||||||
vvv("FETCH %s TO %s" % (in_path, out_path), host=self.host)
|
|
||||||
try:
|
|
||||||
self.sftp = self._connect_sftp()
|
|
||||||
except Exception, e:
|
|
||||||
raise errors.AnsibleError("failed to open a SFTP connection (%s)", e)
|
|
||||||
try:
|
|
||||||
self.sftp.get(in_path, out_path)
|
|
||||||
except IOError:
|
|
||||||
raise errors.AnsibleError("failed to transfer file from %s" % in_path)
|
|
||||||
|
|
||||||
def _any_keys_added(self):
|
|
||||||
added_any = False
|
|
||||||
for hostname, keys in self.ssh._host_keys.iteritems():
|
|
||||||
for keytype, key in keys.iteritems():
|
|
||||||
added_this_time = getattr(key, '_added_by_ansible_this_time', False)
|
|
||||||
if added_this_time:
|
|
||||||
return True
|
|
||||||
return False
|
|
||||||
|
|
||||||
def _save_ssh_host_keys(self, filename):
|
|
||||||
'''
|
|
||||||
not using the paramiko save_ssh_host_keys function as we want to add new SSH keys at the bottom so folks
|
|
||||||
don't complain about it :)
|
|
||||||
'''
|
|
||||||
|
|
||||||
if not self._any_keys_added():
|
|
||||||
return False
|
|
||||||
|
|
||||||
path = os.path.expanduser("~/.ssh")
|
|
||||||
if not os.path.exists(path):
|
|
||||||
os.makedirs(path)
|
|
||||||
|
|
||||||
f = open(filename, 'w')
|
|
||||||
for hostname, keys in self.ssh._host_keys.iteritems():
|
|
||||||
for keytype, key in keys.iteritems():
|
|
||||||
# was f.write
|
|
||||||
added_this_time = getattr(key, '_added_by_ansible_this_time', False)
|
|
||||||
if not added_this_time:
|
|
||||||
f.write("%s %s %s\n" % (hostname, keytype, key.get_base64()))
|
|
||||||
for hostname, keys in self.ssh._host_keys.iteritems():
|
|
||||||
for keytype, key in keys.iteritems():
|
|
||||||
added_this_time = getattr(key, '_added_by_ansible_this_time', False)
|
|
||||||
if added_this_time:
|
|
||||||
f.write("%s %s %s\n" % (hostname, keytype, key.get_base64()))
|
|
||||||
f.close()
|
|
||||||
|
|
||||||
def close(self):
|
|
||||||
''' terminate the connection '''
|
|
||||||
cache_key = self._cache_key()
|
|
||||||
SSH_CONNECTION_CACHE.pop(cache_key, None)
|
|
||||||
SFTP_CONNECTION_CACHE.pop(cache_key, None)
|
|
||||||
if self.sftp is not None:
|
|
||||||
self.sftp.close()
|
|
||||||
|
|
||||||
if C.PARAMIKO_RECORD_HOST_KEYS and self._any_keys_added():
|
|
||||||
|
|
||||||
# add any new SSH host keys -- warning -- this could be slow
|
|
||||||
lockfile = self.keyfile.replace("known_hosts",".known_hosts.lock")
|
|
||||||
dirname = os.path.dirname(self.keyfile)
|
|
||||||
if not os.path.exists(dirname):
|
|
||||||
os.makedirs(dirname)
|
|
||||||
|
|
||||||
KEY_LOCK = open(lockfile, 'w')
|
|
||||||
fcntl.lockf(KEY_LOCK, fcntl.LOCK_EX)
|
|
||||||
try:
|
|
||||||
# just in case any were added recently
|
|
||||||
self.ssh.load_system_host_keys()
|
|
||||||
self.ssh._host_keys.update(self.ssh._system_host_keys)
|
|
||||||
self._save_ssh_host_keys(self.keyfile)
|
|
||||||
except:
|
|
||||||
# unable to save keys, including scenario when key was invalid
|
|
||||||
# and caught earlier
|
|
||||||
traceback.print_exc()
|
|
||||||
pass
|
|
||||||
fcntl.lockf(KEY_LOCK, fcntl.LOCK_UN)
|
|
||||||
|
|
||||||
self.ssh.close()
|
|
||||||
|
|
|
@ -1,340 +0,0 @@
|
||||||
# (c) 2012, Michael DeHaan <michael.dehaan@gmail.com>
|
|
||||||
#
|
|
||||||
# This file is part of Ansible
|
|
||||||
#
|
|
||||||
# Ansible is free software: you can redistribute it and/or modify
|
|
||||||
# it under the terms of the GNU General Public License as published by
|
|
||||||
# the Free Software Foundation, either version 3 of the License, or
|
|
||||||
# (at your option) any later version.
|
|
||||||
#
|
|
||||||
# Ansible is distributed in the hope that it will be useful,
|
|
||||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
# GNU General Public License for more details.
|
|
||||||
#
|
|
||||||
# You should have received a copy of the GNU General Public License
|
|
||||||
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
#
|
|
||||||
|
|
||||||
import os
|
|
||||||
import subprocess
|
|
||||||
import shlex
|
|
||||||
import pipes
|
|
||||||
import random
|
|
||||||
import select
|
|
||||||
import fcntl
|
|
||||||
import hmac
|
|
||||||
import pwd
|
|
||||||
import gettext
|
|
||||||
import pty
|
|
||||||
from hashlib import sha1
|
|
||||||
import ansible.constants as C
|
|
||||||
from ansible.callbacks import vvv
|
|
||||||
from ansible import errors
|
|
||||||
from ansible import utils
|
|
||||||
|
|
||||||
class Connection(object):
|
|
||||||
''' ssh based connections '''
|
|
||||||
|
|
||||||
def __init__(self, runner, host, port, user, password, private_key_file, *args, **kwargs):
|
|
||||||
self.runner = runner
|
|
||||||
self.host = host
|
|
||||||
self.ipv6 = ':' in self.host
|
|
||||||
self.port = port
|
|
||||||
self.user = user
|
|
||||||
self.password = password
|
|
||||||
self.private_key_file = private_key_file
|
|
||||||
self.HASHED_KEY_MAGIC = "|1|"
|
|
||||||
self.has_pipelining = False
|
|
||||||
|
|
||||||
fcntl.lockf(self.runner.process_lockfile, fcntl.LOCK_EX)
|
|
||||||
self.cp_dir = utils.prepare_writeable_dir('$HOME/.ansible/cp',mode=0700)
|
|
||||||
fcntl.lockf(self.runner.process_lockfile, fcntl.LOCK_UN)
|
|
||||||
|
|
||||||
def connect(self):
|
|
||||||
''' connect to the remote host '''
|
|
||||||
|
|
||||||
vvv("ESTABLISH CONNECTION FOR USER: %s" % self.user, host=self.host)
|
|
||||||
|
|
||||||
self.common_args = []
|
|
||||||
extra_args = C.ANSIBLE_SSH_ARGS
|
|
||||||
if extra_args is not None:
|
|
||||||
self.common_args += shlex.split(extra_args)
|
|
||||||
else:
|
|
||||||
self.common_args += ["-o", "ControlMaster=auto",
|
|
||||||
"-o", "ControlPersist=60s",
|
|
||||||
"-o", "ControlPath=%s" % (C.ANSIBLE_SSH_CONTROL_PATH % dict(directory=self.cp_dir))]
|
|
||||||
|
|
||||||
cp_in_use = False
|
|
||||||
cp_path_set = False
|
|
||||||
for arg in self.common_args:
|
|
||||||
if arg.find("ControlPersist") != -1:
|
|
||||||
cp_in_use = True
|
|
||||||
if arg.find("ControlPath") != -1:
|
|
||||||
cp_path_set = True
|
|
||||||
|
|
||||||
if cp_in_use and not cp_path_set:
|
|
||||||
self.common_args += ["-o", "ControlPath=%s" % (C.ANSIBLE_SSH_CONTROL_PATH % dict(directory=self.cp_dir))]
|
|
||||||
|
|
||||||
if not C.HOST_KEY_CHECKING:
|
|
||||||
self.common_args += ["-o", "StrictHostKeyChecking=no"]
|
|
||||||
|
|
||||||
if self.port is not None:
|
|
||||||
self.common_args += ["-o", "Port=%d" % (self.port)]
|
|
||||||
if self.private_key_file is not None:
|
|
||||||
self.common_args += ["-o", "IdentityFile="+os.path.expanduser(self.private_key_file)]
|
|
||||||
elif self.runner.private_key_file is not None:
|
|
||||||
self.common_args += ["-o", "IdentityFile="+os.path.expanduser(self.runner.private_key_file)]
|
|
||||||
if self.password:
|
|
||||||
self.common_args += ["-o", "GSSAPIAuthentication=no",
|
|
||||||
"-o", "PubkeyAuthentication=no"]
|
|
||||||
else:
|
|
||||||
self.common_args += ["-o", "KbdInteractiveAuthentication=no",
|
|
||||||
"-o", "PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey",
|
|
||||||
"-o", "PasswordAuthentication=no"]
|
|
||||||
if self.user != pwd.getpwuid(os.geteuid())[0]:
|
|
||||||
self.common_args += ["-o", "User="+self.user]
|
|
||||||
self.common_args += ["-o", "ConnectTimeout=%d" % self.runner.timeout]
|
|
||||||
|
|
||||||
return self
|
|
||||||
|
|
||||||
def _password_cmd(self):
|
|
||||||
if self.password:
|
|
||||||
try:
|
|
||||||
p = subprocess.Popen(["sshpass"], stdin=subprocess.PIPE,
|
|
||||||
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
||||||
p.communicate()
|
|
||||||
except OSError:
|
|
||||||
raise errors.AnsibleError("to use the 'ssh' connection type with passwords, you must install the sshpass program")
|
|
||||||
(self.rfd, self.wfd) = os.pipe()
|
|
||||||
return ["sshpass", "-d%d" % self.rfd]
|
|
||||||
return []
|
|
||||||
|
|
||||||
def _send_password(self):
|
|
||||||
if self.password:
|
|
||||||
os.close(self.rfd)
|
|
||||||
os.write(self.wfd, "%s\n" % self.password)
|
|
||||||
os.close(self.wfd)
|
|
||||||
|
|
||||||
def not_in_host_file(self, host):
|
|
||||||
host_file = os.path.expanduser(os.path.expandvars("~${USER}/.ssh/known_hosts"))
|
|
||||||
if not os.path.exists(host_file):
|
|
||||||
print "previous known host file not found"
|
|
||||||
return True
|
|
||||||
host_fh = open(host_file)
|
|
||||||
data = host_fh.read()
|
|
||||||
host_fh.close()
|
|
||||||
for line in data.split("\n"):
|
|
||||||
if line is None or line.find(" ") == -1:
|
|
||||||
continue
|
|
||||||
tokens = line.split()
|
|
||||||
if tokens[0].find(self.HASHED_KEY_MAGIC) == 0:
|
|
||||||
# this is a hashed known host entry
|
|
||||||
try:
|
|
||||||
(kn_salt,kn_host) = tokens[0][len(self.HASHED_KEY_MAGIC):].split("|",2)
|
|
||||||
hash = hmac.new(kn_salt.decode('base64'), digestmod=sha1)
|
|
||||||
hash.update(host)
|
|
||||||
if hash.digest() == kn_host.decode('base64'):
|
|
||||||
return False
|
|
||||||
except:
|
|
||||||
# invalid hashed host key, skip it
|
|
||||||
continue
|
|
||||||
else:
|
|
||||||
# standard host file entry
|
|
||||||
if host in tokens[0]:
|
|
||||||
return False
|
|
||||||
return True
|
|
||||||
|
|
||||||
def exec_command(self, cmd, tmp_path, sudo_user=None, sudoable=False, executable='/bin/sh', in_data=None, su=False, su_user=None):
|
|
||||||
''' run a command on the remote host '''
|
|
||||||
|
|
||||||
if in_data:
|
|
||||||
raise errors.AnsibleError("Internal Error: this module does not support optimized module pipelining")
|
|
||||||
|
|
||||||
ssh_cmd = self._password_cmd()
|
|
||||||
ssh_cmd += ["ssh", "-tt"]
|
|
||||||
if utils.VERBOSITY > 3:
|
|
||||||
ssh_cmd += ["-vvv"]
|
|
||||||
else:
|
|
||||||
ssh_cmd += ["-q"]
|
|
||||||
ssh_cmd += self.common_args
|
|
||||||
|
|
||||||
if self.ipv6:
|
|
||||||
ssh_cmd += ['-6']
|
|
||||||
ssh_cmd += [self.host]
|
|
||||||
|
|
||||||
if su and su_user:
|
|
||||||
sudocmd, prompt, success_key = utils.make_su_cmd(su_user, executable, cmd)
|
|
||||||
ssh_cmd.append(sudocmd)
|
|
||||||
elif not self.runner.sudo or not sudoable:
|
|
||||||
if executable:
|
|
||||||
ssh_cmd.append(executable + ' -c ' + pipes.quote(cmd))
|
|
||||||
else:
|
|
||||||
ssh_cmd.append(cmd)
|
|
||||||
else:
|
|
||||||
sudocmd, prompt, success_key = utils.make_sudo_cmd(sudo_user, executable, cmd)
|
|
||||||
ssh_cmd.append(sudocmd)
|
|
||||||
|
|
||||||
vvv("EXEC %s" % ssh_cmd, host=self.host)
|
|
||||||
|
|
||||||
not_in_host_file = self.not_in_host_file(self.host)
|
|
||||||
|
|
||||||
if C.HOST_KEY_CHECKING and not_in_host_file:
|
|
||||||
# lock around the initial SSH connectivity so the user prompt about whether to add
|
|
||||||
# the host to known hosts is not intermingled with multiprocess output.
|
|
||||||
fcntl.lockf(self.runner.process_lockfile, fcntl.LOCK_EX)
|
|
||||||
fcntl.lockf(self.runner.output_lockfile, fcntl.LOCK_EX)
|
|
||||||
|
|
||||||
|
|
||||||
try:
|
|
||||||
# Make sure stdin is a proper (pseudo) pty to avoid: tcgetattr errors
|
|
||||||
master, slave = pty.openpty()
|
|
||||||
p = subprocess.Popen(ssh_cmd, stdin=slave,
|
|
||||||
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
||||||
stdin = os.fdopen(master, 'w', 0)
|
|
||||||
os.close(slave)
|
|
||||||
except:
|
|
||||||
p = subprocess.Popen(ssh_cmd, stdin=subprocess.PIPE,
|
|
||||||
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
||||||
stdin = p.stdin
|
|
||||||
|
|
||||||
self._send_password()
|
|
||||||
|
|
||||||
if (self.runner.sudo and sudoable and self.runner.sudo_pass) or \
|
|
||||||
(self.runner.su and su and self.runner.su_pass):
|
|
||||||
fcntl.fcntl(p.stdout, fcntl.F_SETFL,
|
|
||||||
fcntl.fcntl(p.stdout, fcntl.F_GETFL) | os.O_NONBLOCK)
|
|
||||||
sudo_output = ''
|
|
||||||
while not sudo_output.endswith(prompt) and success_key not in sudo_output:
|
|
||||||
rfd, wfd, efd = select.select([p.stdout], [],
|
|
||||||
[p.stdout], self.runner.timeout)
|
|
||||||
if p.stdout in rfd:
|
|
||||||
chunk = p.stdout.read()
|
|
||||||
if not chunk:
|
|
||||||
raise errors.AnsibleError('ssh connection closed waiting for sudo or su password prompt')
|
|
||||||
sudo_output += chunk
|
|
||||||
else:
|
|
||||||
stdout = p.communicate()
|
|
||||||
raise errors.AnsibleError('ssh connection error waiting for sudo or su password prompt')
|
|
||||||
|
|
||||||
if success_key not in sudo_output:
|
|
||||||
if sudoable:
|
|
||||||
stdin.write(self.runner.sudo_pass + '\n')
|
|
||||||
elif su:
|
|
||||||
stdin.write(self.runner.su_pass + '\n')
|
|
||||||
fcntl.fcntl(p.stdout, fcntl.F_SETFL, fcntl.fcntl(p.stdout, fcntl.F_GETFL) & ~os.O_NONBLOCK)
|
|
||||||
|
|
||||||
# We can't use p.communicate here because the ControlMaster may have stdout open as well
|
|
||||||
stdout = ''
|
|
||||||
stderr = ''
|
|
||||||
rpipes = [p.stdout, p.stderr]
|
|
||||||
while True:
|
|
||||||
rfd, wfd, efd = select.select(rpipes, [], rpipes, 1)
|
|
||||||
|
|
||||||
# fail early if the sudo/su password is wrong
|
|
||||||
if self.runner.sudo and sudoable and self.runner.sudo_pass:
|
|
||||||
incorrect_password = gettext.dgettext(
|
|
||||||
"sudo", "Sorry, try again.")
|
|
||||||
if stdout.endswith("%s\r\n%s" % (incorrect_password, prompt)):
|
|
||||||
raise errors.AnsibleError('Incorrect sudo password')
|
|
||||||
|
|
||||||
if self.runner.su and su and self.runner.su_pass:
|
|
||||||
incorrect_password = gettext.dgettext(
|
|
||||||
"su", "su: Authentication failure")
|
|
||||||
if stdout.endswith("%s\r\n%s" % (incorrect_password, prompt)):
|
|
||||||
raise errors.AnsibleError('Incorrect su password')
|
|
||||||
|
|
||||||
if p.stdout in rfd:
|
|
||||||
dat = os.read(p.stdout.fileno(), 9000)
|
|
||||||
stdout += dat
|
|
||||||
if dat == '':
|
|
||||||
rpipes.remove(p.stdout)
|
|
||||||
if p.stderr in rfd:
|
|
||||||
dat = os.read(p.stderr.fileno(), 9000)
|
|
||||||
stderr += dat
|
|
||||||
if dat == '':
|
|
||||||
rpipes.remove(p.stderr)
|
|
||||||
# only break out if we've emptied the pipes, or there is nothing to
|
|
||||||
# read from and the process has finished.
|
|
||||||
if (not rpipes or not rfd) and p.poll() is not None:
|
|
||||||
break
|
|
||||||
# Calling wait while there are still pipes to read can cause a lock
|
|
||||||
elif not rpipes and p.poll() == None:
|
|
||||||
p.wait()
|
|
||||||
# the process has finished and the pipes are empty,
|
|
||||||
# if we loop and do the select it waits all the timeout
|
|
||||||
break
|
|
||||||
stdin.close() # close stdin after we read from stdout (see also issue #848)
|
|
||||||
|
|
||||||
if C.HOST_KEY_CHECKING and not_in_host_file:
|
|
||||||
# lock around the initial SSH connectivity so the user prompt about whether to add
|
|
||||||
# the host to known hosts is not intermingled with multiprocess output.
|
|
||||||
fcntl.lockf(self.runner.output_lockfile, fcntl.LOCK_UN)
|
|
||||||
fcntl.lockf(self.runner.process_lockfile, fcntl.LOCK_UN)
|
|
||||||
|
|
||||||
if C.HOST_KEY_CHECKING:
|
|
||||||
if ssh_cmd[0] == "sshpass" and p.returncode == 6:
|
|
||||||
raise errors.AnsibleError('Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this. Please add this host\'s fingerprint to your known_hosts file to manage this host.')
|
|
||||||
|
|
||||||
controlpersisterror = stderr.find('Bad configuration option: ControlPersist') != -1 or stderr.find('unknown configuration option: ControlPersist') != -1
|
|
||||||
if p.returncode != 0 and controlpersisterror:
|
|
||||||
raise errors.AnsibleError('using -c ssh on certain older ssh versions may not support ControlPersist, set ANSIBLE_SSH_ARGS="" (or ansible_ssh_args in the config file) before running again')
|
|
||||||
|
|
||||||
return (p.returncode, '', stdout, stderr)
|
|
||||||
|
|
||||||
def put_file(self, in_path, out_path):
|
|
||||||
''' transfer a file from local to remote '''
|
|
||||||
vvv("PUT %s TO %s" % (in_path, out_path), host=self.host)
|
|
||||||
if not os.path.exists(in_path):
|
|
||||||
raise errors.AnsibleFileNotFound("file or module does not exist: %s" % in_path)
|
|
||||||
cmd = self._password_cmd()
|
|
||||||
|
|
||||||
host = self.host
|
|
||||||
if self.ipv6:
|
|
||||||
host = '[%s]' % host
|
|
||||||
|
|
||||||
if C.DEFAULT_SCP_IF_SSH:
|
|
||||||
cmd += ["scp"] + self.common_args
|
|
||||||
cmd += [in_path,host + ":" + pipes.quote(out_path)]
|
|
||||||
indata = None
|
|
||||||
else:
|
|
||||||
cmd += ["sftp"] + self.common_args + [host]
|
|
||||||
indata = "put %s %s\n" % (pipes.quote(in_path), pipes.quote(out_path))
|
|
||||||
|
|
||||||
p = subprocess.Popen(cmd, stdin=subprocess.PIPE,
|
|
||||||
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
||||||
self._send_password()
|
|
||||||
stdout, stderr = p.communicate(indata)
|
|
||||||
|
|
||||||
if p.returncode != 0:
|
|
||||||
raise errors.AnsibleError("failed to transfer file to %s:\n%s\n%s" % (out_path, stdout, stderr))
|
|
||||||
|
|
||||||
def fetch_file(self, in_path, out_path):
|
|
||||||
''' fetch a file from remote to local '''
|
|
||||||
vvv("FETCH %s TO %s" % (in_path, out_path), host=self.host)
|
|
||||||
cmd = self._password_cmd()
|
|
||||||
|
|
||||||
host = self.host
|
|
||||||
if self.ipv6:
|
|
||||||
host = '[%s]' % host
|
|
||||||
|
|
||||||
if C.DEFAULT_SCP_IF_SSH:
|
|
||||||
cmd += ["scp"] + self.common_args
|
|
||||||
cmd += [host + ":" + in_path, out_path]
|
|
||||||
indata = None
|
|
||||||
else:
|
|
||||||
cmd += ["sftp"] + self.common_args + [host]
|
|
||||||
indata = "get %s %s\n" % (in_path, out_path)
|
|
||||||
|
|
||||||
p = subprocess.Popen(cmd, stdin=subprocess.PIPE,
|
|
||||||
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
|
|
||||||
self._send_password()
|
|
||||||
stdout, stderr = p.communicate(indata)
|
|
||||||
|
|
||||||
if p.returncode != 0:
|
|
||||||
raise errors.AnsibleError("failed to transfer file from %s:\n%s\n%s" % (in_path, stdout, stderr))
|
|
||||||
|
|
||||||
def close(self):
|
|
||||||
''' not applicable since we're executing openssh binaries '''
|
|
||||||
pass
|
|
||||||
|
|
Loading…
Reference in a new issue