ansible playbook to run cmd 'sudo rootsh' with password

I need to run cmd on sles12 sp5 server using cmd - "sudo rootsh" on remote node using ansible playbook. This prompts for root pwd. How to pass the password during ansible playbook execution time? I tried the following playbook but it errors with a timeout issue.

---
- hosts: '{{ host }}'
  gather_facts: yes
  tasks:
    - name: Get current user on remote
      become: yes
      become_exe: "sudo rootsh"
      become_method: sudo
      become_user: root
      become_flags: -i
      command: whoami
      register: out
    - debug:
        msg: "{{out}}"


Error msg:
-------------
TASK [Get current user on remote] *******************************************************************************************
fatal: [host.iil.corp.com]: FAILED! => {"msg": "Timeout (32s) waiting for privilege escalation prompt: Subject to corp's Global Employee and Global Contingent Worker Privacy Notices\r\n(see https://employeecontent.corp.com/content/corp/Global_Employee_and_Global_Contingent_Worker_Privacy.html )\r\nall system access and delegated/privileged activity on the corp network\r\nmay be logged for auditing and security purposes, including your username \r\nand commands used.   Log records may be retained for up to 1 year.\r\n\r\nWe trust you have received the usual lecture from the local System\r\nAdministrator. It usually boils down to these three things:\r\n\r\n    #1) Respect the privacy of others.\r\n    #2) Think before you type.\r\n    #3) With great power comes great responsibility.\r\n\r\nRemember you may use 'sudo -l' to review a list of authorized commands.\r\n\r\n"}


For security reasons, user is forced to use 'sudo rootsh' to execute the commands as root user. With ansible playbook, it's a blocker. I need help on this use case to run any command with 'sudo rootsh'. Below are the attempts that I tried, but in vain.

Try1:

 cat testroot.yaml
---
- hosts: '{{ host }}'
  gather_facts: yes
  tasks:
    - name: Get current user on remote
      ansible.builtin.shell: |
        whoami
      become: true
      register: out
    - debug:
        msg: "{{ out }}"



vmansible01:/home/testuser/access_audit_automation_jan172023 # ansible-playbook -i hosts testroot.yaml -e "host=hostname.corp.domain.com" --ask-become-pass -k
[DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the controller starting with Ansible 2.12. Current
version: 3.6.15 (default, Sep 15 2021, 14:20:42) [GCC]. This feature will be removed from ansible-core in version 2.12.
Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
SSH password:
BECOME password[defaults to SSH password]:

PLAY [hostname.corp.domain.com] ************************************************************************************************

TASK [Gathering Facts] ******************************************************************************************************
[WARNING]: Platform linux on host hostname.corp.domain.com is using the discovered Python interpreter at /usr/bin/python, but
future installation of another Python interpreter could change the meaning of that path. See
https://docs.ansible.com/ansible-core/2.11/reference_appendices/interpreter_discovery.html for more information.
ok: [hostname.corp.domain.com]

TASK [Get current user on remote] *******************************************************************************************
fatal: [hostname.corp.domain.com]: FAILED! => {"changed": false, "module_stderr": "Shared connection to hostname.corp.domain.com closed.\r\n", "module_stdout": "Subject to Corp's Global Employee and Global Contingent Worker Privacy Notices\r\n(see https://employeecontent.corp.com/content/corp/Global_Employee_and_Global_Contingent_Worker_Privacy.html )\r\nall system access and delegated/privileged activity on the Corp network\r\nmay be logged for auditing and security purposes, including your username \r\nand commands used.   Log records may be retained for up to 1 year.\r\n\r\nWe trust you have received the usual lecture from the local System\r\nAdministrator. It usually boils down to these three things:\r\n\r\n    #1) Respect the privacy of others.\r\n    #2) Think before you type.\r\n    #3) With great power comes great responsibility.\r\n\r\nRemember you may use 'sudo -l' to review a list of authorized commands.\r\n\r\n\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

PLAY RECAP ******************************************************************************************************************
hostname.corp.domain.com      : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Try2:

---
- hosts: '{{ host }}'
  gather_facts: yes
  tasks:
    - name: Get current user on remote
      ansible.builtin.shell: |
        whoami
      become: true
      become_method: sudo
      become_exe: "sudo rootsh"
      become_flags: -i
      register: out
    - debug:
        msg: "{{ out }}"


ansible-playbook -i hosts testroot.yaml -e "host=hostname.corp.domain.com" --ask-become-pass -k
[DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the controller starting with Ansible 2.12. Current
version: 3.6.15 (default, Sep 15 2021, 14:20:42) [GCC]. This feature will be removed from ansible-core in version 2.12.
Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
SSH password:
BECOME password[defaults to SSH password]:

PLAY [hostname.corp.domain.com] ************************************************************************************************

TASK [Get current user on remote] *******************************************************************************************
fatal: [hostname.corp.domain.com]: FAILED! => {"changed": false, "module_stderr": "Shared connection to hostname.corp.domain.com closed.\r\n", "module_stdout": "Subject to Corp's Global Employee and Global Contingent Worker Privacy Notices\r\n(see https://employeecontent.corp.com/content/corp/Global_Employee_and_Global_Contingent_Worker_Privacy.html )\r\nall system access and delegated/privileged activity on the Corp network\r\nmay be logged for auditing and security purposes, including your username \r\nand commands used.   Log records may be retained for up to 1 year.\r\n\r\nWe trust you have received the usual lecture from the local System\r\nAdministrator. It usually boils down to these three things:\r\n\r\n    #1) Respect the privacy of others.\r\n    #2) Think before you type.\r\n    #3) With great power comes great responsibility.\r\n\r\nRemember you may use 'sudo -l' to review a list of authorized commands.\r\n\r\nAuthenticate with testuser's password: \r\nsudo: timed out reading password\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

PLAY RECAP ******************************************************************************************************************
hostname.corp.domain.com      : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
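
Why the attempts with become_exe: "sudo rootsh" stall at the password step, as an added example that is not part of the original post: a simplified model (an assumption, not Ansible's source) of how the sudo become method assembles its command line and recognises the password prompt. The key value and function names are constructed; the output excerpt is the tail of the Try2 module_stdout above.

```python
import shlex

# Constructed stand-in for the random per-task id Ansible puts in its prompt.
KEY = "constructedkey"
ANSIBLE_PROMPT = "[sudo via ansible, key=%s] password:" % KEY

# Tail of the module_stdout shown in Try2 (excerpt from the page).
TRY2_TAIL = ("Remember you may use 'sudo -l' to review a list of authorized commands.\r\n\r\n"
             "Authenticate with testuser's password: \r\n"
             "sudo: timed out reading password\r\n")


def build_become_command(become_exe, become_flags, become_user, cmd):
    """Join exe, flags, -p prompt, -u user and the wrapped command, in that order."""
    parts = [become_exe, become_flags, '-p "%s"' % ANSIBLE_PROMPT]
    if become_user:
        parts.append("-u %s" % become_user)
    wrapped = "echo BECOME-SUCCESS-%s ; %s" % (KEY, cmd)
    parts.append("/bin/sh -c %s" % shlex.quote(wrapped))
    return " ".join(p for p in parts if p)


def sudo_own_options(command_line):
    """Options sudo itself parses: it stops at the first non-option word."""
    argv = shlex.split(command_line)[1:]
    opts, i = [], 0
    while i < len(argv) and argv[i].startswith("-"):
        opts.append(argv[i])
        if argv[i] in ("-p", "-u"):  # these two options take an argument
            i += 1
            opts.append(argv[i])
        i += 1
    return opts


def prompt_seen(captured_output):
    """The password is sent only after a line that starts with Ansible's prompt."""
    return any(line.strip().startswith(ANSIBLE_PROMPT)
               for line in captured_output.splitlines())


if __name__ == "__main__":
    plain = build_become_command("sudo", "-H -S", "root", "whoami")
    wrapped = build_become_command("sudo rootsh", "-i", "root", "whoami")
    print("sudo options, default exe :", sudo_own_options(plain))
    print("sudo options, sudo rootsh :", sudo_own_options(wrapped))
    print("Ansible prompt in Try2 out:", prompt_seen(TRY2_TAIL))
```

With become_exe set to "sudo rootsh", the -i, -p and -u arguments follow rootsh and are handed to it rather than to sudo, so sudo asks with its own "Authenticate with testuser's password:" text, which this model never matches.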
