Matteo Scandolo | 6288d5a | 2017-08-08 13:05:26 -0700 | [diff] [blame^] | 1 | |
| 2 | # Copyright 2017-present Open Networking Foundation |
| 3 | # |
| 4 | # Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | # you may not use this file except in compliance with the License. |
| 6 | # You may obtain a copy of the License at |
| 7 | # |
| 8 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | # |
| 10 | # Unless required by applicable law or agreed to in writing, software |
| 11 | # distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | # See the License for the specific language governing permissions and |
| 14 | # limitations under the License. |
| 15 | |
| 16 | |
Andrea Campanella | edfdbca | 2017-02-01 17:33:47 -0800 | [diff] [blame] | 17 | # (c) 2012, Michael DeHaan <michael.dehaan@gmail.com> |
| 18 | # |
| 19 | # This file is part of Ansible |
| 20 | # |
| 21 | # Ansible is free software: you can redistribute it and/or modify |
| 22 | # it under the terms of the GNU General Public License as published by |
| 23 | # the Free Software Foundation, either version 3 of the License, or |
| 24 | # (at your option) any later version. |
| 25 | # |
| 26 | # Ansible is distributed in the hope that it will be useful, |
| 27 | # but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 28 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 29 | # GNU General Public License for more details. |
| 30 | # |
| 31 | # You should have received a copy of the GNU General Public License |
| 32 | # along with Ansible. If not, see <http://www.gnu.org/licenses/>. |
| 33 | # |
| 34 | |
| 35 | import os |
| 36 | import re |
| 37 | import subprocess |
| 38 | import shlex |
| 39 | import pipes |
| 40 | import random |
| 41 | import select |
| 42 | import fcntl |
| 43 | import hmac |
| 44 | import pwd |
| 45 | import gettext |
| 46 | import pty |
| 47 | from hashlib import sha1 |
| 48 | import ansible.constants as C |
| 49 | from ansible.callbacks import vvv |
| 50 | from ansible import errors |
| 51 | from ansible import utils |
| 52 | |
| 53 | class Connection(object): |
| 54 | ''' ssh based connections ''' |
| 55 | |
| 56 | def __init__(self, runner, host, port, user, password, private_key_file, *args, **kwargs): |
| 57 | self.runner = runner |
| 58 | self.host = host |
| 59 | self.ipv6 = ':' in self.host |
| 60 | self.port = port |
| 61 | self.user = str(user) |
| 62 | self.password = password |
| 63 | self.private_key_file = private_key_file |
| 64 | self.HASHED_KEY_MAGIC = "|1|" |
| 65 | self.has_pipelining = True |
| 66 | #self.instance_id = "instance-00000045" # C.get_config(C.p, "xos", "instance_id", "INSTANCE_ID", None) |
| 67 | #self.instance_name = "onlab_hpc-355" # C.get_config(C.p, "xos", "instance_name", "SLIVER_NAME", None) |
| 68 | |
| 69 | inject={} |
| 70 | inject= utils.combine_vars(inject, self.runner.inventory.get_variables(self.host)) |
| 71 | |
| 72 | self.instance_id = inject["instance_id"] |
| 73 | self.instance_name = inject["instance_name"] |
| 74 | |
| 75 | fcntl.lockf(self.runner.process_lockfile, fcntl.LOCK_EX) |
| 76 | self.cp_dir = utils.prepare_writeable_dir('$HOME/.ansible/cp',mode=0700) |
| 77 | fcntl.lockf(self.runner.process_lockfile, fcntl.LOCK_UN) |
| 78 | |
| 79 | def connect(self): |
| 80 | ''' connect to the remote host ''' |
| 81 | |
| 82 | vvv("ESTABLISH CONNECTION FOR USER: %s" % self.user, host=self.host) |
| 83 | |
| 84 | self.common_args = [] |
| 85 | extra_args = C.ANSIBLE_SSH_ARGS |
| 86 | if extra_args is not None: |
| 87 | # make sure there is no empty string added as this can produce weird errors |
| 88 | self.common_args += [x.strip() for x in shlex.split(extra_args) if x.strip()] |
| 89 | else: |
| 90 | self.common_args += ["-o", "ControlMaster=auto", |
| 91 | "-o", "ControlPersist=60s", |
| 92 | "-o", "ControlPath=%s" % (C.ANSIBLE_SSH_CONTROL_PATH % dict(directory=self.cp_dir))] |
| 93 | |
| 94 | self.common_args += ["-o", "ProxyCommand ssh -q -i %s %s@%s" % (self.private_key_file, self.instance_id, self.host)] |
| 95 | |
| 96 | cp_in_use = False |
| 97 | cp_path_set = False |
| 98 | for arg in self.common_args: |
| 99 | if "ControlPersist" in arg: |
| 100 | cp_in_use = True |
| 101 | if "ControlPath" in arg: |
| 102 | cp_path_set = True |
| 103 | |
| 104 | if cp_in_use and not cp_path_set: |
| 105 | self.common_args += ["-o", "ControlPath=%s" % (C.ANSIBLE_SSH_CONTROL_PATH % dict(directory=self.cp_dir))] |
| 106 | |
| 107 | if not C.HOST_KEY_CHECKING: |
| 108 | self.common_args += ["-o", "StrictHostKeyChecking=no"] |
| 109 | |
| 110 | if self.port is not None: |
| 111 | self.common_args += ["-o", "Port=%d" % (self.port)] |
| 112 | if self.private_key_file is not None: |
| 113 | self.common_args += ["-o", "IdentityFile=\"%s\"" % os.path.expanduser(self.private_key_file)] |
| 114 | elif self.runner.private_key_file is not None: |
| 115 | self.common_args += ["-o", "IdentityFile=\"%s\"" % os.path.expanduser(self.runner.private_key_file)] |
| 116 | if self.password: |
| 117 | self.common_args += ["-o", "GSSAPIAuthentication=no", |
| 118 | "-o", "PubkeyAuthentication=no"] |
| 119 | else: |
| 120 | self.common_args += ["-o", "KbdInteractiveAuthentication=no", |
| 121 | "-o", "PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey", |
| 122 | "-o", "PasswordAuthentication=no"] |
| 123 | if self.user != pwd.getpwuid(os.geteuid())[0]: |
| 124 | self.common_args += ["-o", "User="+self.user] |
| 125 | self.common_args += ["-o", "ConnectTimeout=%d" % self.runner.timeout] |
| 126 | |
| 127 | return self |
| 128 | |
| 129 | def _run(self, cmd, indata): |
| 130 | if indata: |
| 131 | # do not use pseudo-pty |
| 132 | p = subprocess.Popen(cmd, stdin=subprocess.PIPE, |
| 133 | stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
| 134 | stdin = p.stdin |
| 135 | else: |
| 136 | # try to use upseudo-pty |
| 137 | try: |
| 138 | # Make sure stdin is a proper (pseudo) pty to avoid: tcgetattr errors |
| 139 | master, slave = pty.openpty() |
| 140 | p = subprocess.Popen(cmd, stdin=slave, |
| 141 | stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
| 142 | stdin = os.fdopen(master, 'w', 0) |
| 143 | os.close(slave) |
| 144 | except: |
| 145 | p = subprocess.Popen(cmd, stdin=subprocess.PIPE, |
| 146 | stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
| 147 | stdin = p.stdin |
| 148 | |
| 149 | return (p, stdin) |
| 150 | |
| 151 | def _password_cmd(self): |
| 152 | if self.password: |
| 153 | try: |
| 154 | p = subprocess.Popen(["sshpass"], stdin=subprocess.PIPE, |
| 155 | stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
| 156 | p.communicate() |
| 157 | except OSError: |
| 158 | raise errors.AnsibleError("to use the 'ssh' connection type with passwords, you must install the sshpass program") |
| 159 | (self.rfd, self.wfd) = os.pipe() |
| 160 | return ["sshpass", "-d%d" % self.rfd] |
| 161 | return [] |
| 162 | |
| 163 | def _send_password(self): |
| 164 | if self.password: |
| 165 | os.close(self.rfd) |
| 166 | os.write(self.wfd, "%s\n" % self.password) |
| 167 | os.close(self.wfd) |
| 168 | |
| 169 | def _communicate(self, p, stdin, indata, su=False, sudoable=False, prompt=None): |
| 170 | fcntl.fcntl(p.stdout, fcntl.F_SETFL, fcntl.fcntl(p.stdout, fcntl.F_GETFL) & ~os.O_NONBLOCK) |
| 171 | fcntl.fcntl(p.stderr, fcntl.F_SETFL, fcntl.fcntl(p.stderr, fcntl.F_GETFL) & ~os.O_NONBLOCK) |
| 172 | # We can't use p.communicate here because the ControlMaster may have stdout open as well |
| 173 | stdout = '' |
| 174 | stderr = '' |
| 175 | rpipes = [p.stdout, p.stderr] |
| 176 | if indata: |
| 177 | try: |
| 178 | stdin.write(indata) |
| 179 | stdin.close() |
| 180 | except: |
| 181 | raise errors.AnsibleError('SSH Error: data could not be sent to the remote host. Make sure this host can be reached over ssh') |
| 182 | # Read stdout/stderr from process |
| 183 | while True: |
| 184 | rfd, wfd, efd = select.select(rpipes, [], rpipes, 1) |
| 185 | |
| 186 | # fail early if the sudo/su password is wrong |
| 187 | if self.runner.sudo and sudoable: |
| 188 | if self.runner.sudo_pass: |
| 189 | incorrect_password = gettext.dgettext( |
| 190 | "sudo", "Sorry, try again.") |
| 191 | if stdout.endswith("%s\r\n%s" % (incorrect_password, |
| 192 | prompt)): |
| 193 | raise errors.AnsibleError('Incorrect sudo password') |
| 194 | |
| 195 | if stdout.endswith(prompt): |
| 196 | raise errors.AnsibleError('Missing sudo password') |
| 197 | |
| 198 | if self.runner.su and su and self.runner.su_pass: |
| 199 | incorrect_password = gettext.dgettext( |
| 200 | "su", "Sorry") |
| 201 | if stdout.endswith("%s\r\n%s" % (incorrect_password, prompt)): |
| 202 | raise errors.AnsibleError('Incorrect su password') |
| 203 | |
| 204 | if p.stdout in rfd: |
| 205 | dat = os.read(p.stdout.fileno(), 9000) |
| 206 | stdout += dat |
| 207 | if dat == '': |
| 208 | rpipes.remove(p.stdout) |
| 209 | if p.stderr in rfd: |
| 210 | dat = os.read(p.stderr.fileno(), 9000) |
| 211 | stderr += dat |
| 212 | if dat == '': |
| 213 | rpipes.remove(p.stderr) |
| 214 | # only break out if no pipes are left to read or |
| 215 | # the pipes are completely read and |
| 216 | # the process is terminated |
| 217 | if (not rpipes or not rfd) and p.poll() is not None: |
| 218 | break |
| 219 | # No pipes are left to read but process is not yet terminated |
| 220 | # Only then it is safe to wait for the process to be finished |
| 221 | # NOTE: Actually p.poll() is always None here if rpipes is empty |
| 222 | elif not rpipes and p.poll() == None: |
| 223 | p.wait() |
| 224 | # The process is terminated. Since no pipes to read from are |
| 225 | # left, there is no need to call select() again. |
| 226 | break |
| 227 | # close stdin after process is terminated and stdout/stderr are read |
| 228 | # completely (see also issue #848) |
| 229 | stdin.close() |
| 230 | return (p.returncode, stdout, stderr) |
| 231 | |
| 232 | def not_in_host_file(self, host): |
| 233 | if 'USER' in os.environ: |
| 234 | user_host_file = os.path.expandvars("~${USER}/.ssh/known_hosts") |
| 235 | else: |
| 236 | user_host_file = "~/.ssh/known_hosts" |
| 237 | user_host_file = os.path.expanduser(user_host_file) |
| 238 | |
| 239 | host_file_list = [] |
| 240 | host_file_list.append(user_host_file) |
| 241 | host_file_list.append("/etc/ssh/ssh_known_hosts") |
| 242 | host_file_list.append("/etc/ssh/ssh_known_hosts2") |
| 243 | |
| 244 | hfiles_not_found = 0 |
| 245 | for hf in host_file_list: |
| 246 | if not os.path.exists(hf): |
| 247 | hfiles_not_found += 1 |
| 248 | continue |
| 249 | try: |
| 250 | host_fh = open(hf) |
| 251 | except IOError, e: |
| 252 | hfiles_not_found += 1 |
| 253 | continue |
| 254 | else: |
| 255 | data = host_fh.read() |
| 256 | host_fh.close() |
| 257 | |
| 258 | for line in data.split("\n"): |
| 259 | if line is None or " " not in line: |
| 260 | continue |
| 261 | tokens = line.split() |
| 262 | if tokens[0].find(self.HASHED_KEY_MAGIC) == 0: |
| 263 | # this is a hashed known host entry |
| 264 | try: |
| 265 | (kn_salt,kn_host) = tokens[0][len(self.HASHED_KEY_MAGIC):].split("|",2) |
| 266 | hash = hmac.new(kn_salt.decode('base64'), digestmod=sha1) |
| 267 | hash.update(host) |
| 268 | if hash.digest() == kn_host.decode('base64'): |
| 269 | return False |
| 270 | except: |
| 271 | # invalid hashed host key, skip it |
| 272 | continue |
| 273 | else: |
| 274 | # standard host file entry |
| 275 | if host in tokens[0]: |
| 276 | return False |
| 277 | |
| 278 | if (hfiles_not_found == len(host_file_list)): |
| 279 | vvv("EXEC previous known host file not found for %s" % host) |
| 280 | return True |
| 281 | |
| 282 | def exec_command(self, cmd, tmp_path, sudo_user=None, sudoable=False, executable='/bin/sh', in_data=None, su_user=None, su=False): |
| 283 | ''' run a command on the remote host ''' |
| 284 | |
| 285 | ssh_cmd = self._password_cmd() |
| 286 | ssh_cmd += ["ssh", "-C"] |
| 287 | if not in_data: |
| 288 | # we can only use tty when we are not pipelining the modules. piping data into /usr/bin/python |
| 289 | # inside a tty automatically invokes the python interactive-mode but the modules are not |
| 290 | # compatible with the interactive-mode ("unexpected indent" mainly because of empty lines) |
| 291 | ssh_cmd += ["-tt"] |
| 292 | if utils.VERBOSITY > 3: |
| 293 | ssh_cmd += ["-vvv"] |
| 294 | else: |
| 295 | ssh_cmd += ["-q"] |
| 296 | ssh_cmd += self.common_args |
| 297 | |
| 298 | if self.ipv6: |
| 299 | ssh_cmd += ['-6'] |
| 300 | #ssh_cmd += [self.host] |
| 301 | ssh_cmd += [self.instance_name] |
| 302 | |
| 303 | if su and su_user: |
| 304 | sudocmd, prompt, success_key = utils.make_su_cmd(su_user, executable, cmd) |
| 305 | prompt_re = re.compile(prompt) |
| 306 | ssh_cmd.append(sudocmd) |
| 307 | elif not self.runner.sudo or not sudoable: |
| 308 | prompt = None |
| 309 | if executable: |
| 310 | ssh_cmd.append(executable + ' -c ' + pipes.quote(cmd)) |
| 311 | else: |
| 312 | ssh_cmd.append(cmd) |
| 313 | else: |
| 314 | sudocmd, prompt, success_key = utils.make_sudo_cmd(sudo_user, executable, cmd) |
| 315 | ssh_cmd.append(sudocmd) |
| 316 | |
| 317 | vvv("EXEC %s" % ssh_cmd, host=self.host) |
| 318 | |
| 319 | not_in_host_file = self.not_in_host_file(self.host) |
| 320 | |
| 321 | if C.HOST_KEY_CHECKING and not_in_host_file: |
| 322 | # lock around the initial SSH connectivity so the user prompt about whether to add |
| 323 | # the host to known hosts is not intermingled with multiprocess output. |
| 324 | fcntl.lockf(self.runner.process_lockfile, fcntl.LOCK_EX) |
| 325 | fcntl.lockf(self.runner.output_lockfile, fcntl.LOCK_EX) |
| 326 | |
| 327 | # create process |
| 328 | (p, stdin) = self._run(ssh_cmd, in_data) |
| 329 | |
| 330 | self._send_password() |
| 331 | |
| 332 | if (self.runner.sudo and sudoable and self.runner.sudo_pass) or \ |
| 333 | (self.runner.su and su and self.runner.su_pass): |
| 334 | # several cases are handled for sudo privileges with password |
| 335 | # * NOPASSWD (tty & no-tty): detect success_key on stdout |
| 336 | # * without NOPASSWD: |
| 337 | # * detect prompt on stdout (tty) |
| 338 | # * detect prompt on stderr (no-tty) |
| 339 | fcntl.fcntl(p.stdout, fcntl.F_SETFL, |
| 340 | fcntl.fcntl(p.stdout, fcntl.F_GETFL) | os.O_NONBLOCK) |
| 341 | fcntl.fcntl(p.stderr, fcntl.F_SETFL, |
| 342 | fcntl.fcntl(p.stderr, fcntl.F_GETFL) | os.O_NONBLOCK) |
| 343 | sudo_output = '' |
| 344 | sudo_errput = '' |
| 345 | |
| 346 | while True: |
| 347 | if success_key in sudo_output or \ |
| 348 | (self.runner.sudo_pass and sudo_output.endswith(prompt)) or \ |
| 349 | (self.runner.su_pass and prompt_re.match(sudo_output)): |
| 350 | break |
| 351 | |
| 352 | rfd, wfd, efd = select.select([p.stdout, p.stderr], [], |
| 353 | [p.stdout], self.runner.timeout) |
| 354 | if p.stderr in rfd: |
| 355 | chunk = p.stderr.read() |
| 356 | if not chunk: |
| 357 | raise errors.AnsibleError('ssh connection closed waiting for sudo or su password prompt') |
| 358 | sudo_errput += chunk |
| 359 | incorrect_password = gettext.dgettext( |
| 360 | "sudo", "Sorry, try again.") |
| 361 | if sudo_errput.strip().endswith("%s%s" % (prompt, incorrect_password)): |
| 362 | raise errors.AnsibleError('Incorrect sudo password') |
| 363 | elif sudo_errput.endswith(prompt): |
| 364 | stdin.write(self.runner.sudo_pass + '\n') |
| 365 | |
| 366 | if p.stdout in rfd: |
| 367 | chunk = p.stdout.read() |
| 368 | if not chunk: |
| 369 | raise errors.AnsibleError('ssh connection closed waiting for sudo or su password prompt') |
| 370 | sudo_output += chunk |
| 371 | |
| 372 | if not rfd: |
| 373 | # timeout. wrap up process communication |
| 374 | stdout = p.communicate() |
| 375 | raise errors.AnsibleError('ssh connection error waiting for sudo or su password prompt') |
| 376 | |
| 377 | if success_key not in sudo_output: |
| 378 | if sudoable: |
| 379 | stdin.write(self.runner.sudo_pass + '\n') |
| 380 | elif su: |
| 381 | stdin.write(self.runner.su_pass + '\n') |
| 382 | |
| 383 | (returncode, stdout, stderr) = self._communicate(p, stdin, in_data, su=su, sudoable=sudoable, prompt=prompt) |
| 384 | |
| 385 | if C.HOST_KEY_CHECKING and not_in_host_file: |
| 386 | # lock around the initial SSH connectivity so the user prompt about whether to add |
| 387 | # the host to known hosts is not intermingled with multiprocess output. |
| 388 | fcntl.lockf(self.runner.output_lockfile, fcntl.LOCK_UN) |
| 389 | fcntl.lockf(self.runner.process_lockfile, fcntl.LOCK_UN) |
| 390 | controlpersisterror = 'Bad configuration option: ControlPersist' in stderr or \ |
| 391 | 'unknown configuration option: ControlPersist' in stderr |
| 392 | |
| 393 | if C.HOST_KEY_CHECKING: |
| 394 | if ssh_cmd[0] == "sshpass" and p.returncode == 6: |
| 395 | raise errors.AnsibleError('Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this. Please add this host\'s fingerprint to your known_hosts file to manage this host.') |
| 396 | |
| 397 | if p.returncode != 0 and controlpersisterror: |
| 398 | raise errors.AnsibleError('using -c ssh on certain older ssh versions may not support ControlPersist, set ANSIBLE_SSH_ARGS="" (or ssh_args in [ssh_connection] section of the config file) before running again') |
| 399 | if p.returncode == 255 and (in_data or self.runner.module_name == 'raw'): |
| 400 | raise errors.AnsibleError('SSH Error: data could not be sent to the remote host. Make sure this host can be reached over ssh') |
| 401 | |
| 402 | return (p.returncode, '', stdout, stderr) |
| 403 | |
| 404 | def put_file(self, in_path, out_path): |
| 405 | ''' transfer a file from local to remote ''' |
| 406 | vvv("PUT %s TO %s" % (in_path, out_path), host=self.host) |
| 407 | if not os.path.exists(in_path): |
| 408 | raise errors.AnsibleFileNotFound("file or module does not exist: %s" % in_path) |
| 409 | cmd = self._password_cmd() |
| 410 | |
| 411 | host = self.host |
| 412 | if self.ipv6: |
| 413 | host = '[%s]' % host |
| 414 | |
| 415 | if C.DEFAULT_SCP_IF_SSH: |
| 416 | cmd += ["scp"] + self.common_args |
| 417 | cmd += [in_path,host + ":" + pipes.quote(out_path)] |
| 418 | indata = None |
| 419 | else: |
| 420 | cmd += ["sftp"] + self.common_args + [host] |
| 421 | indata = "put %s %s\n" % (pipes.quote(in_path), pipes.quote(out_path)) |
| 422 | |
| 423 | (p, stdin) = self._run(cmd, indata) |
| 424 | |
| 425 | self._send_password() |
| 426 | |
| 427 | (returncode, stdout, stderr) = self._communicate(p, stdin, indata) |
| 428 | |
| 429 | if returncode != 0: |
| 430 | raise errors.AnsibleError("failed to transfer file to %s:\n%s\n%s" % (out_path, stdout, stderr)) |
| 431 | |
| 432 | def fetch_file(self, in_path, out_path): |
| 433 | ''' fetch a file from remote to local ''' |
| 434 | vvv("FETCH %s TO %s" % (in_path, out_path), host=self.host) |
| 435 | cmd = self._password_cmd() |
| 436 | |
| 437 | host = self.host |
| 438 | if self.ipv6: |
| 439 | host = '[%s]' % host |
| 440 | |
| 441 | if C.DEFAULT_SCP_IF_SSH: |
| 442 | cmd += ["scp"] + self.common_args |
| 443 | cmd += [host + ":" + in_path, out_path] |
| 444 | indata = None |
| 445 | else: |
| 446 | cmd += ["sftp"] + self.common_args + [host] |
| 447 | indata = "get %s %s\n" % (in_path, out_path) |
| 448 | |
| 449 | p = subprocess.Popen(cmd, stdin=subprocess.PIPE, |
| 450 | stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
| 451 | self._send_password() |
| 452 | stdout, stderr = p.communicate(indata) |
| 453 | |
| 454 | if p.returncode != 0: |
| 455 | raise errors.AnsibleError("failed to transfer file from %s:\n%s\n%s" % (in_path, stdout, stderr)) |
| 456 | |
| 457 | def close(self): |
| 458 | ''' not applicable since we're executing openssh binaries ''' |
| 459 | pass |
| 460 | |