Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jinja expressions are not evaluated in (not only) credential variables #1083

Open
mordekasg opened this issue May 27, 2024 · 14 comments
Open
Labels
affects-0.3 Issues related to 0.3.X Mitogen releases bug Code feature that hinders desired execution outcome

Comments

@mordekasg
Copy link

mordekasg commented May 27, 2024

OS / Environment

Debian 12

Ansible version

ansible [core 2.14.17]
  config file = /home/test/host/ansible/ansible.cfg
  configured module search path = ['/home/test/host/ansible/local_modules']
  ansible python module location = /home/test/env.ansible/lib/python3.11/site-packages/ansible
  ansible collection location = /home/test/host/ansible/collections:/usr/share/ansible/collections
  executable location = /home/test/env.ansible/bin/ansible
  python version = 3.11.2 (main, May  2 2024, 11:59:08) [GCC 12.2.0] (/home/test/env.ansible/bin/python)
  jinja version = 3.1.4
  libyaml = True

Environment variables for strategy plugin

ANSIBLE_STRATEGY=mitogen_linear
ANSIBLE_STRATEGY_PLUGINS=/home/test/env.ansible/src/mitogen/ansible_mitogen/plugins/strategy

Mitogen version

v0.3.12

Problem

Jinja expressions are not evaluated by mitogen plugin

How to reproduce

Description

Ansible host: srv1 has credentials configured using Jinja expressions from vault/hostvars variables.
Ansible host: srv2 has credentials configured directly as host variables.

Vault file

Path: vault.test.yml

ANSIBLE_LOCALHOST_SRVS_USER: "testusr"
ANSIBLE_LOCALHOST_SRVS_PASSWORD: "okmqwe123"
ANSIBLE_LOCALHOST_SRVS_BECOME_USER: "root"
ANSIBLE_LOCALHOST_SRVS_BECOME_PASSWORD: "okmqwe123"

Inventory file

Path: inventory/local/local.yml

all:
  children:
    test_srvs:
      hosts:
        srv1:
          host_ip: 127.0.0.1
          ansible_host: "{{ host_ip }}"
          ansible_user: "{{ ANSIBLE_LOCALHOST_SRVS_USER }}"
          ansible_password: "{{ ANSIBLE_LOCALHOST_SRVS_PASSWORD }}"
          ansible_become_user: "{{ ANSIBLE_LOCALHOST_SRVS_BECOME_USER }}"
          ansible_become_password: "{{ ANSIBLE_LOCALHOST_SRVS_BECOME_PASSWORD }}"
          ansible_ssh_user: "{{ ansible_user }}"
          ansible_ssh_password: "{{ ansible_password }}"
        srv2:
          ansible_host: 127.0.0.1
          ansible_user: testusr
          ansible_password: okmqwe123
          ansible_become_user: root
          ansible_become_password: okmqwe123
          ansible_ssh_user: testusr
          ansible_ssh_password: okmqwe123

Commands

regular user
ansible -e @vault.test.yml -i inventory/local/local.yml -m ping test_srvs
superuser - become
ansible -b -e @vault.test.yml -i inventory/local/local.yml -m ping test_srvs

Output

regular user
srv1 | UNREACHABLE! => {
    "changed": false,
    "msg": "EOF on stream; last 100 lines received:\nhostname contains invalid characters\r",
    "unreachable": true
}
srv2 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
superuser - become
srv1 | UNREACHABLE! => {
    "changed": false,
    "msg": "EOF on stream; last 100 lines received:\nhostname contains invalid characters\r",
    "unreachable": true
}
srv2 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

Commands with verbose

regular user
ansible -e @vault.test.yml -i inventory/local/local.yml -m ping srv1 -vvvv
superuser - become
ansible -b -e @vault.test.yml -i inventory/local/local.yml -m ping srv1 -vvvv

Output

[mux 871642] 20:15:32.461360 D mitogen.parent: command line for Connection(None): ssh -o "LogLevel ERROR" -l "{{ ansible_user }}" -o "Compression yes" -o "ServerAliveInterval 30" -o "ServerAliveCountMax 10" -o "StrictHostKeyChecking no" -o "UserKnownHostsFile /dev/null" -o "GlobalKnownHostsFile /dev/null" -C -o ControlMaster=no -o ControlPersist=60s "{{ host_ip }}" /usr/bin/python3 [...]

Expected result

srv1 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
srv2 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

Source of the problem

Ansible: ansible/ansible@6d2d476

Similar issues

Ansible

Paramiko plugin: ansible/ansible#78509
Ansible: ansible/ansible#76590

Mitogen

#905
#978
#1022
#1040
#1079
#1116

@mordekasg mordekasg added affects-0.3 Issues related to 0.3.X Mitogen releases bug Code feature that hinders desired execution outcome labels May 27, 2024
@mordekasg
Copy link
Author

Tested on latest release: 0.3.9.
Result is still the same.

@golebiewsky
Copy link

I have the same issue 👍

@moreati
Copy link
Member

moreati commented Oct 6, 2024

With PR #1114 merged into master the Ansible connection password (e.g. ansible_password, ansible_ssh_pass) is templated. Now that I've found a reasonable way to do this, others should follow.

@moreati
Copy link
Member

moreati commented Oct 7, 2024

Ansible connection password (e.g. ansible_password, ansible_ssh_pass) is templated

Now released in 0.3.12

@mordekasg
Copy link
Author

mordekasg commented Oct 8, 2024

Ansible connection password (e.g. ansible_password, ansible_ssh_pass) is templated

Now released in 0.3.12

That`s great news!

I have tested on 0.3.12 and templated ansible_password, ansible_ssh_pass are working.

According to this issue: #1116, after new version release, also templated ansible_user, ansible_ssh_user will be working.

I have added PR: #1148, which will allow to template ansible_become_password attribute.

After those 2 PR`s released, feel free to close this issue!

@marbud0
Copy link

marbud0 commented Oct 8, 2024

That`s great news!

I have tested on 0.3.12 and templated ansible_password, ansible_ssh_pass are working.

According to this issue: #1116, after new version release, also templated ansible_user, ansible_ssh_user will be working.

I have added PR: #1148, which will allow to template ansible_become_password attribute.

After those 2 PR`s released, feel free to close this issue!

This problem also affects the ansible_host variable.. It's kind of hinted to in the subject, but not showed in the example.. Can we use this issue to cover this or should I file a new issue?

@mordekasg
Copy link
Author

mordekasg commented Oct 8, 2024

This problem also affects the ansible_host variable.. It's kind of hinted to in the subject, but not showed in the example.. Can we use this issue to cover this or should I file a new issue?

I updated my post and extended example to some extent.

It`s great idea to use this issue to cover also ansible_host variable.

moreati added a commit to mordekasg/mitogen that referenced this issue Oct 14, 2024
moreati pushed a commit to mordekasg/mitogen that referenced this issue Oct 14, 2024
moreati added a commit to mordekasg/mitogen that referenced this issue Oct 14, 2024
This reads the become username from the `become_user` attribute of the play
context, to the `"become_user"` option of the loaded become plugin. This has
been supported by vanilla Ansible since Ansible 2.10 (ansible-base 2.10).

To support this I've also switched from using the `play_context.become` (a
bool), to `connection.become` (an instance of the appropriate) become plugin.

New tests have been added, modelled on those for templated connection
parameters (see mitogen-hq#1147, mitogen-hq#1153, mitogen-hq#1159).

See
- ansible/ansible@480b106

refs mitogen-hq#1083

Co-authored-by: mordek <m.pirog@bonasoft.pl>
moreati added a commit that referenced this issue Oct 16, 2024
ansible_mitogen: Support templated `become_user`
@moreati
Copy link
Member

moreati commented Oct 16, 2024

Mitogen 0.3.14 is out. It includes support for templated ansible_become_user, `become_user, etc. Thanks to @mordekasg.

@moreati
Copy link
Member

moreati commented Oct 28, 2024

Mitogen 0.3.15 is out. It supports templated SSH arguments and become password.

moreati added a commit to moreati/mitogen that referenced this issue Oct 29, 2024
Uses the same fallback for (mitogen_sudo et al) as become_exe (see mitogen-hq#1173).

The new `Spec.become_flags()` is not yet explicitly tested. Note that it
returns a string (matching the Ansible option of the same name), whereas
Spec.sudo_args() returns a list.

refs mitogen-hq#1083
moreati added a commit to moreati/mitogen that referenced this issue Oct 29, 2024
Uses the same fallback for (mitogen_sudo et al) as become_exe (see mitogen-hq#1173).

The new `Spec.become_flags()` is not yet explicitly tested. Note that it
returns a string (matching the Ansible option of the same name), whereas
`Spec.sudo_args()` returns a list.

refs mitogen-hq#1083
moreati added a commit to moreati/mitogen that referenced this issue Oct 29, 2024
@moreati
Copy link
Member

moreati commented Nov 5, 2024

Mitogen 0.3.16 is out with support for templating the Ansible SSH command (e.g. ansible_ssh_executable), the become command (e.g. ansible_become_exe), and the become command arguments (e.g. ansible_become_flags)

@moreati
Copy link
Member

moreati commented Nov 5, 2024

I think that leaves

Become plugins (e.g. sudo)

  • become
  • become_method

Connection plugins (e.g. ssh)

  • host
  • host_key_checking
  • private_key_file
  • python_path
  • timeout

@moreati
Copy link
Member

moreati commented Nov 7, 2024

Mitogen v0.3.17 is out. Templated ssh key, templated host key checking, and templated host address.

@moreati
Copy link
Member

moreati commented Nov 7, 2024

Bonus release: 0.3.18 with support for templating the become flag (ansible_become) and the become method (ansible_become_method).

@moreati
Copy link
Member

moreati commented Nov 7, 2024

I'll probably target ansible_interpreter_python next. It will probably take longer, a week or two.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
affects-0.3 Issues related to 0.3.X Mitogen releases bug Code feature that hinders desired execution outcome
Projects
None yet
Development

No branches or pull requests

4 participants