Ansible: Timeout (12s) waiting for privilege escalation prompt - ansible

Ansible 2.9.27. Target is Linux CentOS 7.
'become sudo' always fails with the error "Timeout (12s) waiting for privilege escalation prompt".
When I try manually, sudo su takes about 60 seconds to return a prompt. I don't know why, but I'd like to know how to change the timeout so that Ansible waits longer for become.
I've tried different solutions I found on StackOverflow, such as running with -c paramiko, but they didn't work.
<myhostname.com> ESTABLISH SSH CONNECTION FOR USER: myuserid
<myhostname.com> SSH: EXEC sshpass -d8 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'User="myuserid"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o ControlPath=/home/myuserid/.ansible/xx/e123e1234e myhostname.com '/bin/sh -c '"'"'rm -f -r /tmp/myuserid/ansible/ansible-tmp-12334567890/ > /dev/null 2>&1 && sleep 0'"'"''
<myhostname.com> (0, '', '')
fatal: [myhostname.com]: FAILED! => {"msg": "Timeout (12s) waiting for privilege escalation prompt: \r\n"

There are multiple ways; one way is to set an environment variable as below:
export ANSIBLE_TIMEOUT=120;
Run the playbook in the same terminal where the environment variable is set.

Related

What does sleep 0 do in a shell script and what does it do if it used in the ansible SSH config to append after each command?

What does sleep 0 do in a shell script? I read the man page for sleep and it says "delay for a specified amount of time", and the argument NUMBER specifies this time in SECONDS (by default).
But I see ansible using sh -c 'echo ~ec2-user && sleep 0' to start with each task.
Also, it uses this at the end of each remote command it fires.
I didn't find any special-case mention of sleep 0 on the man page, and based on the functionality of the sleep command it doesn't make any sense to have sleep 0.
The sleep command on my server is from GNU coreutils 8.22.
After looking into this for some more time, here are a few things that I have learned:
this is an SSH configuration given to ansible,
each time ansible uses SSH to execute a task it runs SSH with -C and multiple options. These are not part of the playbook or task.
I looked for ansible configuration on the ansible page here. Checked all files and env variables but found nothing related to ssh.
Checked /etc/ssh/ssh_config; not all the parameters/arguments that I see in the SSH command ansible runs are there.
In the inventory as well, the host is mentioned just like this:
ansible_host=localhost ansible_user=ec2-user
e.g. log lines at the beginning when ansible executes any task:
<localhost> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ec2-user"' -o ConnectTimeout=120 -o ControlPath=/home/ec2-user/.ansible/cp/6bc5a26ee4 localhost '/bin/sh -c '"'"'echo ~ec2-user && sleep 0'"'"''
<localhost> (0, '/home/ec2-user\n', '')
<localhost> ESTABLISH SSH CONNECTION FOR USER: ec2-user
I'm executing an ansible playbook written by one team, and there is no one in that team I can talk to. I'm struggling to find where Ansible is taking all these arguments it uses in each SSH call, and why it is using this sleep 0.

Ansible privilege escalation become without -u flag

How is it possible to become a certain user without the -u flag (sudo su test_user instead of sudo su -u test_user)
Inventory (hosts)
[example]
test0001.example.org ansible_become_user=test_user ansible_become=true
ansible.cfg:
[defaults]
timeout=30
[privilege_escalation]
become_method="sudo"
become_flags="su"
And on the target machine:
$ sudo -l
User foo may run the following commands on test0001:
(root) NOPASSWD: /bin/su test_user
Running the playbook now fails with:
<test0001> (0, b'', b'')
<test0001> ESTABLISH SSH CONNECTION FOR USER: None
<test0001> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=30 -o ControlPath=/home/foo/.ansible/cp/c7eeb339b6 -tt test0001 '/bin/sh -c '"'"'sudo su -u test_user /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-geolooxawvydfclkjnetjajadmffqjvz ; /usr/bin/python /var/tmp/ansible-tmp-1578410709.7699296-180938533114945/AnsiballZ_setup.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
fatal: [test0001]: FAILED! => {
"msg": "Timeout (32s) waiting for privilege escalation prompt: \r\nWe trust you have received the usual lecture from the local System\r\nAdministrator. It usually boils down to these three things:\r\n\r\n #1) Respect the privacy of others.\r\n #2) Think before you type.\r\n #3) With great power comes great responsibility.\r\n\r\n"
}
And that is because it tries to become test_user with sudo su -u test_user. I actually want it to become test_user with sudo su test_user (so without the -u flag). How would it be possible to tell ansible not to include the -u flag?
Note that I am not able to change the sudoers files.

ansible ssh error during pre ping to cisco device

Could not connect to Cisco router using Ansible 2.3.1.0.
Straight from linux, ssh cisco@172.1.1.2 works,
but ansible -m ping all doesn't.
Maybe it's clear from this output where the problem could be:
[osboxes@osboxes ~]$ ansible -m ping servers -vvv
Using /etc/ansible/ansible.cfg as config file
META: ran handlers
Using module file /usr/lib/python2.7/site-packages/ansible/modules/system/ping.py
<172.1.1.2> ESTABLISH SSH CONNECTION FOR USER: cisco
<172.1.1.2> SSH: EXEC sshpass -d12 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o User=cisco -o ConnectTimeout=10 -o ControlPath=/home/osboxes/.ansible/cp/1ed8487ad4 172.1.1.2 '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''
<172.1.1.2> (0, '\r\nLine has invalid autocommand "/bin/sh -c \'echo ~ && sleep 0\'"', '')
<172.1.1.2> ESTABLISH SSH CONNECTION FOR USER: cisco
<172.1.1.2> SSH: EXEC sshpass -d12 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o User=cisco -o ConnectTimeout=10 -o ControlPath=/home/osboxes/.ansible/cp/1ed8487ad4 172.1.1.2 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo Line has invalid autocommand "/bin/sh -c '"'"'"'"'"'"'"'"'echo ~ && sleep 0'"'"'"'"'"'"'"'"'"/.ansible/tmp/ansible-tmp-1499178341.35-260752414357590 `" && echo ansible-tmp-1499178341.35-260752414357590="` echo Line has invalid autocommand "/bin/sh -c '"'"'"'"'"'"'"'"'echo ~ && sleep 0'"'"'"'"'"'"'"'"'"/.ansible/tmp/ansible-tmp-1499178341.35-260752414357590 `" ) && sleep 0'"'"''
<172.1.1.2> (0, '\r\nLine has invalid autocommand "/bin/sh -c \'( umask 77 && mkdir -p "` echo Line has invalid autocommand "/bin/sh -c \'"\'"\'echo ~ && sleep 0\'"\'"\'"/.ansible/tmp/ansible-tmp-1499178341.35-260752414357590 `" && echo ansible-tmp-1499178341.35-260752414357590="` echo Line has invalid autocomma"', 'muxclient: master hello exchange failed\r\n')
<172.1.1.2> PUT /tmp/tmpacZGSy TO "` echo Line has invalid autocomma"/ping.py
<172.1.1.2> SSH: EXEC sshpass -d12 sftp -o BatchMode=no -b - -C -o ControlMaster=auto -o ControlPersist=60s -o User=cisco -o ConnectTimeout=10 -o ControlPath=/home/osboxes/.ansible/cp/1ed8487ad4 '[172.1.1.2]'
<172.1.1.2> (255, '', 'Connection closed\r\n')
172.1.1.2 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Connection closed\r\n",
"unreachable": true
Thanks for any tips.
Try adding:
ansible_connection = local
to either [all:vars] or [servers:vars] in your inventory file:
/[path]/ansible/hosts
If needed you can also add:
ansible_ssh_pass=some_password
ansible_ssh_user=username
to the inventory file.
It looks as if you're connecting to a Cisco device. As IOS doesn't offer a /bin/sh command, you won't be able to use ansible's ping module (or any other standard module, for that matter).
You could however try to do something with the raw module, which allows sending commands without going through the module subsystem. There seem to be some bugs related to that module when it comes to Cisco devices, though, so you might need to update to a very recent ansible version.

Remote Machine unreachable while trying to ping through ansible

This is my hosts file:
[openstack]
ec2-54-152-162-0.compute-1.amazonaws.com
I am trying to ping it using the following command:
ansible openstack -u redhat -m ping -vvvv
I got the following response:
Loaded callback minimal of type stdout, v2.0
Using module file /usr/lib/python2.7/site-packages/ansible-2.2.0-py2.7.egg/ansible/modules/core/system/ping.py
<ec2-54-152-162-0.compute-1.amazonaws.com> ESTABLISH SSH CONNECTION FOR USER: redhat
<ec2-54-152-162-0.compute-1.amazonaws.com> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o Port=22 -o 'IdentityFile="/home/centos/AnsibleKeyPair.pem"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=redhat -o ConnectTimeout=10 -o ControlPath=/home/centos/.ansible/cp/ansible-ssh-%h-%p-%r ec2-54-152-162-0.compute-1.amazonaws.com '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1480529571.83-128837972481874 `" && echo ansible-tmp-1480529571.83-128837972481874="` echo $HOME/.ansible/tmp/ansible-tmp-1480529571.83-128837972481874 `" ) && sleep 0'"'"''
ec2-54-152-162-0.compute-1.amazonaws.com | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh.",
"unreachable": true
}
NOTE : I am able to connect to centos machines properly. But, I can't ping Ubuntu and Redhat machines. My controller machine is Centos. What might the problem be?
I solved it finally by using the following command:
ansible openstack -u ec2-user -m ping
I had been typing -u redhat, but AWS has already given it a name automatically: ec2-user.
"ESTABLISH SSH CONNECTION FOR USER: None" - this means that it is trying to ssh this host using a blank username which will not work.
Two solutions:
Edit the hosts file to include ansible_user=ubuntu (or whatever user your flavor uses, i.e. ec2-user for amazon linux)
[openstack]
ec2-54-204-230-203.compute-1.amazonaws.com ansible_user=ubuntu
Just call it with the -u ubuntu when calling the playbook (or again whatever your flavor uses).
ansible openstack -u ubuntu -m ping -vvvv
Hope this helps!
--Edit--
(this is what helped me do it)
1.) Add your ssh key to the ~/.ssh directory
touch ~/.ssh/mykey.pem
2.) Enter ssh-agent bash mode
ssh-agent bash
3.) Change its permissions
chmod 600 ~/.ssh/mykey.pem
4.) Make a path for ansible to use the permission
ssh-add ~/.ssh/mykey.pem
In your command line, use the argument -k to ask for the ssh password:
ansible openstack -u redhat -m ping -k

Error: Failed to connect to the host via ssh

I am trying to learn ansible, and am following the O'Reilly Ansible Up and Running book.
In the getting started section of the book, it asks me to install ansible, virtualbox and vagrant and then via CLI run:
vagrant init ubuntu/trusty64
vagrant up
Afterwards I can ssh into the VM via vagrant ssh or via:
ssh vagrant@127.0.0.1 -p 2222 -i /Users/XXX/playbooks/.vagrant/machines/default/virtualbox/private_key
Next is creating the hosts file which looks like this:
testserver ansible_ssh_host=127.0.0.1 ansible_ssh_port=2222 \ ansible_ssh_user=vagrant \ ansible_ssh_private_key_file=.vagrant/machines/default/virtualbox/private_key
Lastly is running this command:
ansible testserver -i hosts -m ping
Which gets me:
testserver | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh.",
"unreachable": true
}
Adding -vvv gets me:
No config file found; using defaults
<127.0.0.1> ESTABLISH SSH CONNECTION FOR USER: None
<127.0.0.1> SSH: EXEC ssh -C -q -o ControlMaster=auto -o ControlPersist=60s -o Port=2222 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/Users/XXX/.ansible/cp/ansible-ssh-%h-%p-%r 127.0.0.1 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1468541275.7-255802522359895 `" && echo ansible-tmp-1468541275.7-255802522359895="` echo $HOME/.ansible/tmp/ansible-tmp-1468541275.7-255802522359895 `" ) && sleep 0'"'"''
testserver | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh.",
"unreachable": true
}
I tried modifying ansible_ssh_private_key_file in the hosts file to point to the full path of the private key, but that still didn't work:
ansible testserver -i hosts -m ping -vvv
No config file found; using defaults
<127.0.0.1> ESTABLISH SSH CONNECTION FOR USER: None
<127.0.0.1> SSH: EXEC ssh -C -q -o ControlMaster=auto -o ControlPersist=60s -o Port=2222 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/Users/XXX/.ansible/cp/ansible-ssh-%h-%p-%r 127.0.0.1 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1468541370.61-137685863794569 `" && echo ansible-tmp-1468541370.61-137685863794569="` echo $HOME/.ansible/tmp/ansible-tmp-1468541370.61-137685863794569 `" ) && sleep 0'"'"''
testserver | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh.",
"unreachable": true
}
This is my Ansible version:
ansible --version
ansible 2.1.0.0
config file =
configured module search path = Default w/o override
Anyone have any ideas why ansible isn't connecting to my vagrant VM?
I don't see any of your inventory variables past the first one taking effect in the ssh command. Does your inventory file really look like this?
testserver ansible_ssh_host=127.0.0.1 ansible_ssh_port=2222 \ ansible_ssh_user=vagrant \ ansible_ssh_private_key_file=.vagrant/machines/default/virtualbox/private_key
You shouldn't have backslashes in there. The direct reformatting is
testserver ansible_ssh_host=127.0.0.1 ansible_ssh_port=2222 ansible_ssh_user=vagrant ansible_ssh_private_key_file=.vagrant/machines/default/virtualbox/private_key
However, in the long run you probably want to split these out into separate host_vars files.
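As an added example that is not from any of the posts above: a small Python triage script that classifies the -vvv output quoted in these threads (missing remote user, become prompt timeout, a target without /bin/sh such as Cisco IOS, plain ssh failure) and maps each to the remedy the answers give. The signature strings, the field names and the sample log are constructed here from the outputs quoted on this page; the "+2 seconds" rule is what those outputs show (timeout 10 reported as 12s, 30 as 32s).

```python
import re

# Signatures drawn from the -vvv output quoted in the posts above, each with
# the remedy the answers on this page give.
SIGNATURES = [
    ("no_remote_user", re.compile(r"ESTABLISH SSH CONNECTION FOR USER: None"),
     "no remote user resolved; set ansible_user in the inventory or pass -u"),
    ("become_timeout", re.compile(r"Timeout \((\d+)s\) waiting for privilege escalation prompt"),
     "become prompt not seen in time; raise it with ANSIBLE_TIMEOUT, [defaults] timeout, or -T"),
    ("non_shell_target", re.compile(r"Line has invalid autocommand"),
     "target has no /bin/sh (e.g. Cisco IOS); use ansible_connection=local and raw, not ping"),
    ("ssh_unreachable", re.compile(r"Failed to connect to the host via ssh"),
     "ssh transport failed; check user, key file, port and host reachability"),
]
USER_RE = re.compile(r"""-o '?User="?([^"' ]+)""")  # matches -o User=x and -o 'User="x"'
CONNECT_RE = re.compile(r"-o ConnectTimeout=(\d+)")


def triage(log_text):
    """Classify an Ansible -vvv log; the first hit of each failure class is kept."""
    report = {"failures": [], "ssh_user": None, "connect_timeout": None}
    seen = set()
    for line in log_text.splitlines():
        for name, pattern, advice in SIGNATURES:
            match = pattern.search(line)
            if match and name not in seen:
                seen.add(name)
                entry = {"class": name, "advice": advice}
                if name == "become_timeout":
                    # Ansible reports the configured timeout plus 2 seconds
                    # (10 -> 12s, 30 -> 32s in the outputs quoted above).
                    entry["configured_timeout"] = int(match.group(1)) - 2
                report["failures"].append(entry)
        user = USER_RE.search(line)
        if user and report["ssh_user"] is None:
            report["ssh_user"] = user.group(1)
        connect = CONNECT_RE.search(line)
        if connect and report["connect_timeout"] is None:
            report["connect_timeout"] = int(connect.group(1))
    return report


# Constructed sample modelled on the become-without--u output quoted above.
SAMPLE_LOG = """\
<test0001> ESTABLISH SSH CONNECTION FOR USER: None
<test0001> SSH: EXEC ssh -C -o ControlMaster=auto -o ConnectTimeout=30 -tt test0001 '/bin/sh -c ...'
fatal: [test0001]: FAILED! => {"msg": "Timeout (32s) waiting for privilege escalation prompt: \\r\\n"}
"""
```

Feed it the output of `ansible ... -vvv` (for example via `triage(open("run.log").read())`) and read the `failures` list; an empty list means none of the failure patterns from these threads matched.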
