Implement #9572 Add parameter sudo to inventory plugin iocage #9573
Conversation
ansibullbot
added
feature
This comment was marked as outdated.
This comment was marked as outdated.
ansibullbot
added
the
needs_revision
ansibullbot
added
the
needs_ci
felixfontein
added
check-before-release
ansibullbot
removed
needs_ci
plugins/inventory/iocage.py
Outdated
| if env: | ||
| cmd_list.append('--preserve-env') |
There was a problem hiding this comment.
Hi @vbotka thanks for another contribution!
IIRC sudo allows you to specify which env vars should be passed. If that's feasible here, it would be better than preserving all env vars.
There was a problem hiding this comment.
Thank you for pointing this out. Instead of optionally passing the selected environment I added the option sudo_preserve_env (default=true) to preserve the complete environment (default) or none. This reduces the complexity of this plugin. The administrators can:
- configure the user's environment, including root, in the systems
- leave env empty
- disable sudo_preserve_env.
This solves the problem for now. We can add option sudo_preserve_env_list later if needed. I don't want to invest too much into this "iocage dhcp root non-sense".
There was a problem hiding this comment.
Fair enough. I would only make the default for sudo_preserve_env set to false, so the default is the most secure of the two options. If an admin really needs to pass some env var, they must be explicit about it.
There was a problem hiding this comment.
For the record, I consider these sudo options a workaround for the DHCP addresses. There is no reason an unprivileged user can't read a jail DHCP address like a fixed one. The problem is the dhclient lease file is not readable. For example,
# ls -la /zroot/iocage/jails/test_112/root/var/db/dhclient.leases.epair0b
---------- 1 root wheel 2835 Jan 20 17:31 /zroot/iocage/jails/test_112/root/var/db/dhclient.leases.epair0bTherefore, the iocage developers decided to run jexec which needs root
# jexec ioc-test_112 ifconfig epair0b inet
epair0b: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
options=8<VLAN_MTU>
inet 10.1.0.147 netmask 0xffffff00 broadcast 10.1.0.255
A systemic approach would be to configure devd.conf inside a jail to create a public readable IP file, for example,
notify 0 {
match "system" "IFNET";
match "subsystem" "epair0b";
match "type" "ADDR_ADD";
action "/usr/local/bin/devd_actions/write_ip.sh &";
};
Then, the inventory plugin could read the IP from this file.
Co-authored-by: Felix Fontein <[email protected]>
Co-authored-by: Felix Fontein <[email protected]>
Co-authored-by: Felix Fontein <[email protected]>
| get_properties: | ||
| description: | ||
| - Get jails' properties. | ||
| Creates dictionary C(iocage_properties) for each added host. | ||
| type: boolean | ||
| type: bool |
There was a problem hiding this comment.
Out of curiosity, why did you change this to bool? Both bool and boolean work for plugins (only for modules you need to stick to bool).
There was a problem hiding this comment.
Ansible Galaxy also doesn't recognize boolean, for example inventory iocage.
JFYI, the mess is bigger:
-
ansible.builtin.constructed option leading_separator type=boolean is resulting in missing default.
-
ansible.builtin.constructed option use_vars_plugins is missing completely. Also in "ansible-doc -t inventory community.general.iocage"
This is valid for all community.general inventory plugins which extend constructed
extends_documentation_fragment:
- constructedThere was a problem hiding this comment.
I don't think there is an option use_vars_plugins. I cannot find it either in ansible-core nor in community.general. Do you mean use_extra_vars?
The missing default is likely because boolean is not recognized as the same as bool and there's a check treating falsy values as an empty string... I'm wondering if the same happens with 0 and integer...
This is definitely a bug in galaxy_ng.
There was a problem hiding this comment.
The check for boolean is missing here: https://github.com/ansible/ansible-hub-ui/blob/master/src/components/render-plugin-doc.tsx#L695
There was a problem hiding this comment.
I don't think there is an option
use_vars_plugins.
See
shell> ansible-doc -t inventory ansible.builtin.constructedquoting:
use_vars_plugins Normally, for performance reasons, vars plugins get executed after the inventory sources
complete the base inventory, this option allows for getting vars related
to hosts/groups from those plugins.
The host_group_vars (enabled by default) 'vars plugin' is the one
responsible for reading host_vars/ and group_vars/ directories.
This will execute all vars plugins, even those that are not supposed to
execute at the 'inventory' stage. See vars plugins docs for details on
'stage'.
Implicit groups, such as 'all' or 'ungrouped', need to be explicitly
defined in any previous inventory to apply the corresponding group_vars
default: false
type: boolean
There was a problem hiding this comment.
Ah, you mean the ansible.builtin.constructed inventory plugin, not the ansible.builtin.constructed docs fragment. The latter does not have this option, only the former. That's also why the iocage inventory plugin doesn't have this option either, because it's not part of the shared code, but restricted to the constructed inventory plugin (which also uses the shared code).
There was a problem hiding this comment.
Right. It's counterintuitive. When I'm used to writing a constructed configuration I don't expect any option to be missing without warning. When used, it's silently ignored unless you enable "strict: true" (default: false).
There was a problem hiding this comment.
It is confusing indeed.
About the boolean bug: I created ansible/ansible-hub-ui#5415 to fix it.
felixfontein
removed
the
check-before-release
Backport to stable-10: 💚 backport PR created✅ Backport PR branch: Backported as #9605 🤖 @patchback |
* Add parameter sudo to inventory plugin iocage #9572 * Add changelog fragment. * Fix error: Expected string in description of sudo. * Fix No2 error: Expected string in description of sudo. * Fix documentation type bool * Update changelogs/fragments/9573-iocage-inventory-sudo.yml Co-authored-by: Alexei Znamensky <[email protected]> * Add option sudo_preserve_env default=true * Fix DOCUMENTATION. * Set sudo_preserve_env default=false. * Update changelogs/fragments/9573-iocage-inventory-sudo.yml Co-authored-by: Felix Fontein <[email protected]> * Update plugins/inventory/iocage.py Co-authored-by: Felix Fontein <[email protected]> * Update plugins/inventory/iocage.py Co-authored-by: Felix Fontein <[email protected]> --------- Co-authored-by: Alexei Znamensky <[email protected]> Co-authored-by: Felix Fontein <[email protected]> (cherry picked from commit 8f29976)
… sudo to inventory plugin iocage (#9605) Implement #9572 Add parameter sudo to inventory plugin iocage (#9573) * Add parameter sudo to inventory plugin iocage #9572 * Add changelog fragment. * Fix error: Expected string in description of sudo. * Fix No2 error: Expected string in description of sudo. * Fix documentation type bool * Update changelogs/fragments/9573-iocage-inventory-sudo.yml Co-authored-by: Alexei Znamensky <[email protected]> * Add option sudo_preserve_env default=true * Fix DOCUMENTATION. * Set sudo_preserve_env default=false. * Update changelogs/fragments/9573-iocage-inventory-sudo.yml Co-authored-by: Felix Fontein <[email protected]> * Update plugins/inventory/iocage.py Co-authored-by: Felix Fontein <[email protected]> * Update plugins/inventory/iocage.py Co-authored-by: Felix Fontein <[email protected]> --------- Co-authored-by: Alexei Znamensky <[email protected]> Co-authored-by: Felix Fontein <[email protected]> (cherry picked from commit 8f29976) Co-authored-by: Vladimir Botka <[email protected]>
SUMMARY
Implement #9572 Add parameter sudo to inventory plugin iocage.
ISSUE TYPE
COMPONENT NAME
iocage.py
ADDITIONAL INFORMATION
Tested in Ubuntu 24.04