* pfexec become plugin: fix broken defaults for illumos/SmartOS
The pfexec become plugin has had incorrect defaults since it was
migrated from Ansible core, making it unusable on illumos without
manual workarounds:
1. become_flags defaulted to '-H -S -n' which are sudo flags.
pfexec does not accept any of these options, causing:
'exec: illegal option -- H'
2. wrap_exe defaulted to false. Unlike sudo, pfexec does not
interpret shell constructs internally. Since Ansible generates
compound commands (echo BECOME-SUCCESS-xxx ; python3), these
must be wrapped in /bin/sh -c for pfexec to execute them.
These issues were originally reported in 2016 (ansible/ansible#15642),
migrated to community.general as #3671, and partially fixed by PR #3889
in 2022 (which corrected quoting but not the defaults). Users have had
to work around this with explicit inventory settings ever since.
Changes:
- become_flags default: '-H -S -n' -> '' (empty)
- wrap_exe default: false -> true
- build_become_command: handle empty flags cleanly
- Updated tests to match corrected defaults
- Added test for custom flags
- Improved wrap_exe description to explain why it should be enabled
* Update changelog fragment with PR number
* Fix ruff formatting in test_pfexec.py
* Address review feedback from russoz
Remove redundant 'should generally be left enabled' description line
and simplify become command return by removing unnecessary flags
conditional.
* Fix unit test regexes for empty default flags
Match double space in test assertions when become_flags defaults to
empty string, consistent with doas, dzdo, and pbrun test patterns.
* pfexec become plugin: deprecate wrap_exe default rather than flipping
Changing the wrap_exe default from false to true is a breaking change
for the narrow case (e.g. ansible.builtin.raw) where the current default
does work, so deprecate instead: remove the default, emit a deprecation
warning when the option is unset, and treat that as false for now.
Build the become command with " ".join() so an empty become_flags no
longer produces a stray double space.
Tests set wrap_exe explicitly so the deprecation warning does not fire
during unit runs.
* pfexec become plugin: target 14.0.0 for wrap_exe deprecation
Per felixfontein's review, switch the deprecation target for the wrap_exe
default from community.general 15.0.0 to 14.0.0, and reword the option
description to mark the current default as deprecated rather than just
"changing in a future release".
* incus, machinectl, run0 - fix become over pty connections
Four small fixes across three plugins, all discovered while trying to
use community.general.machinectl (and later community.general.run0)
as become methods over the community.general.incus connection.
Core bug: machinectl and run0 both set require_tty = True, but the
incus connection plugin was ignoring that hint and invoking
'incus exec' without -t. Honor require_tty by passing -t, mirroring
what the OpenSSH plugin does with -tt.
Once the pty is in place, both become plugins emit terminal control
sequences (window-title OSC, ANSI reset) around the child command
that land in captured stdout alongside the module JSON and trip the
result parser with "Module invocation had junk after the JSON data".
Suppress that decoration at the source by prefixing the constructed
shell command with SYSTEMD_COLORS=0. TERM=dumb would work too but
has a wider blast radius (it also affects interactive tools inside
the become-user session); SYSTEMD_COLORS is the documented
systemd-scoped knob.
run0 was also missing pipelining = False. When run0 is used over a
connection that honors require_tty, ansible's pipelining sends the
module source on stdin to remote python3, which cannot be forwarded
cleanly through the pty chain and hangs indefinitely. Disable
pipelining the same way community.general.machinectl already does.
Also add tests/unit/plugins/become/test_machinectl.py mirroring the
existing test_run0.py. machinectl had no unit test coverage before,
which is why CI did not catch the SYSTEMD_COLORS=0 prefix change
when the equivalent run0 change broke test_run0_basic/test_run0_flags.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Update changelogs/fragments/11771-incus-machinectl-run0-become-pty.yml
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
* fix ruff case UP031
* refactor backslashout of f-string for the sake of old Pythons
* add changelog frag
* Update plugins/modules/imc_rest.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* scaleway_user_data: fix bug and make it an f-string
* reformat
---------
Co-authored-by: Felix Fontein <felix@fontein.de>
* Adjust all __future__ imports:
for i in $(grep -REl "__future__.*absolute_import" plugins/ tests/); do
sed -e 's/from __future__ import .*/from __future__ import annotations/g' -i $i;
done
* Remove all UTF-8 encoding specifications for Python source files:
for i in $(grep -REl '[-][*]- coding: utf-8 -[*]-' plugins/ tests/); do
sed -e '/^# -\*- coding: utf-8 -\*-/d' -i $i;
done
* Remove __metaclass__ = type:
for i in $(grep -REl '__metaclass__ = type' plugins/ tests/); do
sed -e '/^__metaclass__ = type/d' -i $i;
done
* Experimental change from OpenIndiana
* resolve pfexec problem, by removing superfluous quotes
* reimplement "wrap_exe"
* remove spaces arround keyword argument assignment
* adapted pfexec unit test
* Try to fix quoting of test expression
* Fix quoting of test expression by replacing ' with "
* Add changelog fragment
* Move licenses to LICENSES/, run add-license.py, add LICENSES/MIT.txt.
* Replace 'Copyright:' with 'Copyright'
sed -i 's|Copyright:\(.*\)|Copyright\1|' $(rg -l 'Copyright:')
Co-authored-by: Maxwell G <gotmax@e.email>
* Add support for `sudo su -` using password auth
Allow users to run Ansible tasks through `sudo su -` using password auth
- Feature Pull Request
sudosu
So I have been using this at various customers for bootstrapping Ansible mostly.
Often you have an existing setup where there is a user that has root-access enabled through sudo, but only to run `su` to log using the user's password.
In these specific cases the root password is unique to the system and therefore not an easy way to automate bootstrapping.
Having a `sudo su -` become option **with password prompt** is not possible with the existing become methods (neither sudo nor su can be used) by abusing `become_exe` or `become_flags`.
This fixesansible/ansible#12686
* Fix all reported issues
* Add unit tests
* Apply suggestions from code review
* Update plugins/become/sudosu.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update tests/unit/plugins/become/test_sudosu.py
Co-authored-by: Felix Fontein <felix@fontein.de>
* Update tests/unit/plugins/become/test_sudosu.py
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Felix Fontein <felix@fontein.de>
* Fix become plugins.
* Fix become unit tests to avoid play_context.make_become_cmd.
* Remove hack.
* Remove explicit defaults. Adjust tests to be more like Ansible itself.
* Forgot two lines.
* Rewrite tests (again).
* Rename play_context -> task, add possibility to pass var_options.
* Add var_options variants.
* Properly test overwriting.
