Description of problem: This issue was uncovered while investigating a potential customer issue in a different ticket: https://bugzilla.redhat.com/show_bug.cgi?id=1846621 It is possible to get into a stuck state if: 1. A playbook is trying to be run with Escalate privileges checked 2. The credential record attached to the playbook doesn't have a `become_password` set (is `nil`) Version-Release number of selected component (if applicable): 5.11.0 How reproducible: Always (given the above conditions) Steps to Reproduce: 1. Enable EmbeddedAnsible 2. Include a plabook repo 3. Create a new machine credential that doesn't have a become password 4. Ensure said become_password is `nil` (instructions for doing this below) 5. Create a Ansible Playbook service that checks `Esclate Privileges` 6. Run said playbook service Actual results: The `ansible-runner` process hangs with last line of output being "BECOME Password:", similar to what is below ansible-playbook 2.9.9 config file = /root/.ansible.cfg configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules'] ansible python module location = /usr/lib/python3.6/site-packages/ansible executable location = /usr/bin/ansible-playbook python version = 3.6.8 (default, Dec 5 2019, 15:45:45) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)] Using /root/.ansible.cfg as config file BECOME password: Expected results: Runs successfully without timing out. Additional info: 1. Already fixed with https://github.com/ManageIQ/manageiq/pull/20282 2. To view the output without waiting for the process to fully timeout, after about 5 minutes have passed from ordering the playbook, you can run the following: $ sudo cat /tmp/ansible-runner202000101-1234-7890abc/artifacts/result/stdout The above is a uniq tmp dir that is generated, so the exact directory might be different then what is on your system. If only running one playbook service at a time, this should be the only directory with this structure. 3. To ensure that the machine credential is `nil`, you can run the following in a terminal for testing the fail case, you can run the following in a console $ vmdb $ bin/rails c irb> ManageIQ::Providers::EmbeddedAnsible::AutomationManager::MachineCredential.where(:name => "s-cfme-ansible").first.update(:become_password => nil)
New commit detected on ManageIQ/manageiq/ivanchuk: https://github.com/ManageIQ/manageiq/commit/b90a4aed9d8c91a3e06768dc9e39b7ace2e60a8b commit b90a4aed9d8c91a3e06768dc9e39b7ace2e60a8b Author: Nick Carboni <ncarboni> AuthorDate: Thu Jun 18 13:33:56 2020 +0000 Commit: Satoe Imaishi <simaishi> CommitDate: Wed Aug 19 15:18:59 2020 +0000 Merge pull request #20282 from NickLaMuro/embedded_ansible_fix_ask_become_pass [Ansible::Runner] Fix --ask-become-method for machine credentials (cherry picked from commit 7e3a476285e26e3ff16abb76256bf18c31746bb8) https://bugzilla.redhat.com/show_bug.cgi?id=1858079 lib/ansible/runner.rb | 1 - lib/ansible/runner/credential/machine_credential.rb | 4 +- spec/lib/ansible/runner/credential/machine_credential_spec.rb | 24 +- spec/lib/ansible/runner_spec.rb | 2 +- 4 files changed, 23 insertions(+), 8 deletions(-)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: CloudForms 5.0.8 security, bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:4134