[Bug][ansible.builtin.shell] Non UTF-8 encoded data running a ls command with become_user

[gngrossi]

Is there an existing issue for this?

• There are no existing issues.

Bug description

Trying to use become_user and run an ls command. The su command worked (confirmed in the the z/OS syslog).

IBM z/OS Ansible core Version

v1.9.0

IBM Z Open Automation Utilities

v1.2.5 (default)

IBM Enterprise Python

v3.11.x (default)

ansible-version

v2.16.x (default)

z/OS version

v2.5 (default)

Ansible module

No response

Playbook verbosity output.

vars:
ansible_remote_tmp: "/tmp"
CMD00: "ls /tmp"
USR01: "MQUSSADM"

tasks:
- name: Become {{USR01}} and run {{CMD00}} command
shell:
cmd: "{{CMD00}}"
become: true
become_method: su
become_user: "{{USR01}}"
become_flags: "-s"

Escalation succeeded
(0, b"\x8e#\x82\xc4\xc7/>\xc5\xc1\xc0\x82\x9a\x80\xc8\xca\xcd\xc1\x8c\x80\x82\xcb\xc8\xc0?\xcd\xc8\x82\x9a\x80\x82\x07\xc8_\xf8\x82\x8c\x80\x82\xcb\xc8\xc0\xc1\xca\xca\x82\x9a\x80\x82\x82\x8c\x80\x82\xca\xc4\x82\x9a\x80\x90\x8c\x80\x82\xc4_\xc0\x82\x9a\x80\x82%\xcb\x80\x07\xc8_\xf8\x82\x8c\x80\x82\xcb\xc8/\xca\xc8\x82\x9a\x80\x82\x16\x90\x16\x94\x05\x90\x94\x05\x16\x98\x80\x91\x16\x9a\x90\x93\x9a\x95\x94\x06\x04\x94\x99\x91\x95\x94\x82\x8c\x80\x82\xc1>\xc0\x82\x9a\x80\x82\x16\x90\x16\x94\x05\x90\x94\x05\x16\x98\x80\x91\x16\x9a\x90\x93\x9a\x95\x94\x06\x98\x90\x94\x04\x95\x90\x82\x8c\x80\x82\xc0\xc1%\xc8/\x82\x9a\x80\x82\x90\x9a\x90\x90\x9a\x90\x90\x06\x90\x95\x95\x95\x99\x96\x82\x8c\x80\x82_\xcb\xc5\x82\x9a\x80\x82\x82\x8c\x80\x82\xd1>\xce?\xc4/\xc8\xd1?>\x82\x9a\x80#\x82_?\xc0\xcd%\xc1^/\xca\xc5\xcb\x82\x9a\x80#\x82^\xca/\xcf^\xf8/\xca/\xcb\x82\x9a\x80\x82%\xcb\x80\x07\xc8\xf8\x82\x8c\x80\x82^\xcd\xcb\xc1\xcb^\xcb\xc7\xc1%%\x82\x9a\x80\xc8\xca\xcd\xc1\x8c\x80\x82\xc1\xcc\xf8/>\xc0^/\xca\xc5\xcd_\xc1>\xc8^\xce/\xca\xcb\x82\x9a\x80\xc8\xca\xcd\xc1\x8c\x80\x82\xcb\xc8\xc0\xd1>^/\xc0\xc0^>\xc1\xcf%\xd1>\xc1\x82\x9a\x80\xc8\xca\xcd\xc1\x8c\x80\x82\xcb\xc8\xca\xd1\xf8^\xc1_\xf8\xc8^\xc1>\xc0\xcb\x82\x9a\x80\xc8\xca\xcd\xc1\x8c\x80\x82/\xca\xc5\xce\x82\x9a\x80>\xcd%%\x8c\x80\x82\xc4\xc7\xc0\xd1\xca\x82\x9a\x80>\xcd%%\x8c\x80\x82\xc1\xcc\xc1\xc4\xcd\xc8/\xc2%\xc1\x82\x9a\x80>\xcd%%\x8c\x80\x82\xc4\xca\xc1/\xc8\xc1\xcb\x82\x9a\x80>\xcd%%\x8c\x80\x82\xca\xc1_?\xce\xc1\xcb\x82\x9a\x80>\xcd%%\x8c\x80\x82\xcb\xc8\xc0\xd1>\x82\x9a\x80>\xcd%%'''\x8e", b'Shared connection to mvs-sysd closed.\r\n') <mvs-sysd> ESTABLISH SSH CONNECTION FOR USER: @02858 <mvs-sysd> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=2222 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="@02858"' -o ConnectTimeout=15 -o 'ControlPath="/home/me/.ansible/cp/b5b2dc9cb5"' mvs-sysd '/bin/sh -c '"'"'rm -f -r /tmp/ansible-tmp-1714323833.5791962-13648-30753762687926/ > /dev/null 2>&1 && sleep 0'"'"'' <mvs-sysd> (0, b'', b'') [DEPRECATION WARNING]: Non UTF-8 encoded data replaced with "?" while displaying text to stdout/stderr, this is temporary and will become an error. This feature will be removed in version 2.18. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg. fatal: [mvs-sysd]: FAILED! => { "changed": false, "module_stderr": "Shared connection to mvs-sysd closed.\r\n", "module_stdout": "?#?/>???Ȃ?\u0007?_?ʂ?Ă?_?%ˀ\u0007?_?/?Ȃ?\u0016?\u0016?\u0005?\u0005\u0016?\u0016?\u0006\u0004?>?\u0016?\u0016?\u0005?\u0005\u0016?\u0016?\u0006?\u0004?%?/?\u0006?_?ł?>???/??>?#?_??%?^/?˂?#?^?/?^?/?/_˂?%ˀ\u0007?_?^?^?%%?/>?^/?_?>?^?/?˂?>^/?^>?%?>?^?_?^?>?˂?/?΂?>?%%?ʂ?>?%%?/?%?>?%%?/?˂?>?%%?_??˂?>?%%?>?>?%%'''?",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
"rc": 0
}

Ansible configuration.

[defaults]
forks = 25
inventory = ~/playbooks/inventory.yml
host_key_checking = False
remote_port = 2222
timeout = 15
#deprecation_warnings = False

[ssh_connection]
pipelining = True

Contents of the inventory

MA1:
  hosts:
    mvs-sysd:
      ansible_python_interpreter: "env PYTHONSTDINENCODING=cp1047 \
                                   /hewitt/zopentools/python311/usr/lpp/IBM/cyp/v3r11/pyz/bin/python3"
  vars:
    ansible_user: "@02858"

Contents of group_vars or host_vars

No response

[richp405]

We will switch this to a discussion, because it relates to Ansible community module, not to our specific product. We may be able to help with environment, or become user options.

[gngrossi]

Sounds good. Once it works for the non-root functional ID, I plan to test BPXROOT as well.
thanks

[ddimatos]

Hi @gngrossi - we are happy to help but would like to point out that this community supports z/OS modules, where this is a module from ansible.builtin being run on z/OS. We are happy to help but I wanted to point out that distinction; we do work with the ansible community when necessary.

The error here is not related to privilege escalation, once you get past this encoding issue, I suspect you will have a privilege escalation error to which I can direct you to a blog how to use privilege escalation after the encoding issue is resolved.

I don't know if you are using our community modules but whether or not you are, there are some common environment variables that are needed that even ansible.builtin needs to correctly run commands.

I don't typically use inventory to manage env vars so I will point out at our preferred way. You can choose a sample and see how we configure environment variables or you can review the verbose explanation here.

If you want a simple more direct approach to trouble shoot, we have an example in this discussion here at #657.

If you are not using ZOAU , you could remove them (although I highly recommend you consider that so you can use this communities modules), then if that is the case you could reduce the env vars down and place them in your playbook, and if it still errors, please share the ansible-core version and the verbose log with command:

ANSIBLE_DEBUG=1 ansible-playbook -i inventory your-playbook.yml -vvvv

You can try adding these minimally if you are not using ZOAU to your playbook (even if you leave zoau in , there is no harm), if you are review the linked discussion and use those in your playbook.

• hosts: all
  gather_facts: no
  vars:
  PYZ: "/hewitt/zopentools/python311/usr/lpp/IBM/cyp/v3r11/pyz"
  ansible_pipelining: yes
  ansible_python_interpreter: "{{ PYZ }}/bin/python3"

  environment:
  _BPXK_AUTOCVT: "ON"
  LIBPATH: "{{ PYZ }}/lib:/lib:/usr/lib:."
  PATH: "{{ PYZ }}/bin:/bin:/var/bin"
  _CEE_RUNOPTS: "FILETAG(AUTOCVT,AUTOTAG) POSIX(ON)"
  _TAG_REDIR_ERR: "txt"
  _TAG_REDIR_IN: "txt"
  _TAG_REDIR_OUT: "txt"
  LANG: "C"
  PYTHONSTDINENCODING: "cp1047"

[gngrossi]

Hello, @ddimatos, thanks for the information...much appreciated.

I am not sure why this configuration would be causing encoding issues for su privilege escalation.
All of my previous testing has been good. Also, we use sudo on z/OS and I'm running into a different issue for that...more to come.
Which issue on github should I be posting this on (zos python)?
thanks

--

Summary
I have successfully tested running ad-hoc ansible commands and several playbooks, invoking modules from the ibm.ibm_zos_core
collection.
Use cases tested:
ansible all -m ping
ansible all --list-hosts
ansible all -m gather_facts
ansible all -m gather_facts --limit mvs-sysd
ansible all -m shell -a "ls /tmp/gary"
ansible all -m shell -a "/tmp/gary/Y.sh"

Modules tested:
zos_data_set
zos_find
zos_gather_facts
zos_job_output
zos_job_query
zos_job_submit
zos_operator
zos_ping
zos_script
zos_tso_command

inventory.yml

MA1:
hosts:
mvs-sysd:
ansible_python_interpreter: "env PYTHONSTDINENCODING=cp1047
/hewitt/zopentools/python311/usr/lpp/IBM/cyp/v3r11/pyz/bin/python3"
vars:
ansible_user: "@02858"

--

ansible.cfg

[defaults]
forks = 25
inventory = ~/playbooks/inventory.yml
host_key_checking = False
remote_port = 2222
timeout = 15

[ssh_connection]
pipelining = True

[sudo_become_plugin]
executable = /usr/lpp/ported/bin/sudo

[privilege_escalation]
become_user = BPXROOT

--

group_vars

MA1.yml

ZOAU_HOME: /hewitt/zopentools/zoau1258
PYZ_HOME: /hewitt/zopentools/python311/usr/lpp/IBM/cyp/v3r11/pyz

ansible_python_interpreter: "{{PYZ_HOME}}/bin/python3"

environment_vars:
LIBPATH: "{{ZOAU_HOME}}/lib:{{PYZ_HOME}}/lib:/lib:/usr/lib:."
PATH: "{{ZOAU_HOME}}/bin:{{PYZ_HOME}}/bin:/bin:/usr/sbin:."

PYTHONSTDINENCODING: "cp1047"
LANG: "C"

_BPXK_AUTOCVT: "ON"
_CEE_RUNOPTS: "FILETAG(AUTOCVT,AUTOTAG) POSIX(ON)"
_TAG_REDIR_IN: "txt"
_TAG_REDIR_OUT: "txt"
_TAG_REDIR_ERR: "txt"

[ddimatos]

Hi @gngrossi - thank you for the update.

Regarding "All of my previous testing has been good" could you expand on previous so know your baseline that you are comparing to?

Also, did your previous testing use IBM z/OS Python version 3.9?

This could just be formatting but the group_vars are they actually like this (not indented properly?) , using a block quote preserves indentation.

Can you provide the verbose log, as it is now I can't know that env vars are actually seen by the playbook, hence also my need to ask about the indentation, if I see the verbose log I can see what is passed over to z/OS for environment varialbes.

When you say you have run modules ad-hoc, know many of our modules don't work that way because of our environment variables , they don't carry over to ansible, hence its always safest to use a playbook, while we intend to change that in ansible-core its outside the scope of our offering and is done so as stretch work.

As for "Which issue on github should I be posting this on (zos python)?" , its not an easy explanation but issues with modules that are not part of this community which are non z/OS modules , those issues should go to https://github.com/ansible/ansible but you are not likely to make progress there, they are not z/OS experts and limit their help to issues that can be reproduced on x86 , so even though our development team enters into that community to work on issues we have very limited bandwidth and when we do its either tied to a S&S case where our expertise is needed or we are trying to improve ansible-core's posture on z/OS. In other words, this is probably the best place to help you with ansible-core's issue as we have both sets of skills, but should note issues not related to our modules get a much lower priority.

[gngrossi]

Here's the result from trying to use sudo. A system abend SEC6 U0000 REASON=0594E04B

Need to define to program control using extattr +p ?
If so, which files?
/bin/sh
/bin/env
/hewitt/zopentools/python311/usr/lpp/IBM/cyp/v3r11/pyz/bin/python3.11

Output
TASK [Run ps -ef command using sudo] ***********************************************************************************************
fatal: [mvs-sysd]: FAILED! => {"changed": false, "module_stderr": "", "module_stdout": "",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 137}

z/OS SYSLOG
IEF450I @028588 STEP1 - ABEND=SEC6 U0000 REASON=0594E04B

USS syslog
May 6 15:03:52 SYSD sudo: @02858 : TTY=unknown ; PWD=/u/@02858 ; USER=BPXROOT ; GROUP=@ISHLD ;
COMMAND=/bin/sh -c echo BECOME-SUCCESS-mgxfgflmjjetslbujxizuenvnebbufyg ;
LIBPATH=/hewitt/zopentools/zoau1258/lib:/hewitt/zopentools/python311/usr/lpp/IBM/cyp/v3r11/pyz/lib:/lib:/usr/lib:.
PATH=/hewitt/zopentools/zoau1258/bin:/hewitt/zopentools/python311/usr/lpp/IBM/cyp/v3r11/pyz/bin:/bin:/usr/sbin:.
PYTHONSTDINENCODING=cp1047 LANG=C _BPXK_AUTOCVT=ON _CEE_RUNOPTS='FILETAG(AUTOCVT,AUTOTAG) POSIX(ON)'
_TAG_REDIR_IN=txt _TAG_REDIR_OUT=txt _TAG_REDIR_ERR=txt
env PYTHONSTDINENCODING=cp1047 /hewitt/zopentools/python311/usr/lpp/IBM/cyp/v3r11/pyz/bin/python3

[ddimatos]

In addition to the above questions, are you using z/OS open tools sudo port which I have been wanting to test but won't be able to for some time. I am happy to listen and if there is something I can see , I can advise but the best course of action would be for our team to try the port with Ansible who do know how to debug it but we won't be able to for some time.

[gngrossi]

Sorry for the confusion.
My first ansible testing started a few weeks ago using zoau1258 and python 3.11.5.
The ad-hoc ansible commands I'm using are modules from ansible.builtin. I use playbooks for all ibm.ibm_zos_core modules.

Testing has been successful thus far, except for using su and IBM's sudo.

ansible-playbook GG.yml -vvv

ansible-playbook [core 2.16.6]
config file = /home/me/playbooks/ansible.cfg
configured module search path = ['/home/me/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/me/.local/lib/python3.11/site-packages/ansible
ansible collection location = /home/me/.ansible/collections:/usr/share/ansible/collections
executable location = /home/me/.local/bin/ansible-playbook
python version = 3.11.5 (main, Oct 25 2023, 16:19:59) [GCC 8.5.0 20210514 (Red Hat 8.5.0-20)] (/usr/bin/python3.11)
jinja version = 3.1.3
libyaml = True
Using /home/me/playbooks/ansible.cfg as config file
host_list declined parsing /home/me/playbooks/inventory.yml as it did not pass its verify_file() method
script declined parsing /home/me/playbooks/inventory.yml as it did not pass its verify_file() method
Parsed /home/me/playbooks/inventory.yml inventory source with yaml plugin
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.

PLAYBOOK: GG.yml *******************************************************************************************************************
1 plays in GG.yml

PLAY [MA1] *************************************************************************************************************************

TASK [Run ps -ef command using sudo] ***********************************************************************************************
task path: /home/me/playbooks/GG.yml:17
Using module file /home/me/.local/lib/python3.11/site-packages/ansible/modules/command.py
Pipelining is enabled.
ESTABLISH SSH CONNECTION FOR USER: @02858
SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=2222 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="@02858"' -o ConnectTimeout=15 -o 'ControlPath="/home/me/.ansible/cp/b5b2dc9cb5"' mvs-sysd '/bin/sh -c '"'"'/usr/lpp/ported/bin/sudo -H -S -n -u BPXROOT /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-mzwlxncvdcjmlthesanwfqvfxvpiszgr ; LIBPATH=/hewitt/zopentools/zoau1258/lib:/hewitt/zopentools/python311/usr/lpp/IBM/cyp/v3r11/pyz/lib:/lib:/usr/lib:. PATH=/hewitt/zopentools/zoau1258/bin:/hewitt/zopentools/python311/usr/lpp/IBM/cyp/v3r11/pyz/bin:/bin:/usr/sbin:. PYTHONSTDINENCODING=cp1047 LANG=C _BPXK_AUTOCVT=ON _CEE_RUNOPTS='"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'FILETAG(AUTOCVT,AUTOTAG) POSIX(ON)'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' _TAG_REDIR_IN=txt _TAG_REDIR_OUT=txt _TAG_REDIR_ERR=txt env PYTHONSTDINENCODING=cp1047 /hewitt/zopentools/python311/usr/lpp/IBM/cyp/v3r11/pyz/bin/python3'"'"'"'"'"'"'"'"' && sleep 0'"'"''
Escalation succeeded
(137, b'', b'')
Failed to connect to the host via ssh:
fatal: [mvs-sysd]: FAILED! => {
"changed": false,
"module_stderr": "",
"module_stdout": "",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
"rc": 137
}

[gngrossi]

I am on Discord for the System Z Enthusiasts channel.

[gngrossi]

Regarding sudo, I have yet to get the sudo port from ZOSOpenTools to work. We are using IBM's original ported tools version which still works on z/OS 2.5 and 3.1.
thanks

[ddimatos]

@gngrossi - I am on Discord as well, I overlooked this response.
This community only supports ibm_zos_core content, for ansible-core, ported tools of any sort, you would need to visit those communities, in other words, our entitlement support is limited here, we reserve extra time for IBM and RH support cases where we can work with Red Hat, Ansible community and dig down into the internals to see what could be causing an issue but this community support does not provide that.

You would go to those communities to try to resolve a sudo port, while zopenTools is now part of z/OS, sudo is not something we have tried and to be clear, its not part of ibm_zos_core, so we are limited in what we can offer assistance on.

We could continue to answer questions but we can't perform recreates with the current caseload we have for items out of scope. I hope you can understand. While I would like to try the ports, it will be some time still.

[ddimatos]

For reference here is our support documentation: https://github.com/ansible-collections/ibm_zos_core?tab=readme-ov-file#support

Support
As Red Hat Ansible Certified Content, this collection is entitled to support through Ansible Automation Platform (AAP). After creating a Red Hat support case, if it is determined the issue belongs to IBM, Red Hat will instruct you to create an IBM support case and share the case number with Red Hat so that a collaboration can begin between Red Hat and IBM.

If a support case cannot be opened with Red Hat and the collection has been obtained either from Galaxy or GitHub, there is community support available at no charge. Community support is limited to the collection; community support does not include any of the Ansible Automation Platform components, IBM Z Open Automation Utilities, IBM Open Enterprise SDK for Python or ansible-core.

The current supported versions of this collection can be found listed under the release section.

[gngrossi]

@ddimatos Thanks for information...much appreciated.
I am testing (with Igor Todorovski) the ZOSOpenTools sudo port. I am optimistic it will make its way to the Open Enterprise Foundation very soon. We've been using the legacy IBM Ported Tools sudo version (Sudo version 1.7.2p2). For z/OS automation, sudo is a requirement for us.
thank again

[ddimatos]

@gngrossi its good to know that sudo is a requirement, never had heard that before, it does interest me so I will see what we can also plan around trying it out and seeing if there is or what the ansible-core issues are with it and privilege escalation.

[gngrossi]

@ddimatos I just started testing Ansible with z/OS. Using controlled z/OS privilege escalation is something we've been using for a long time, utilizing sudo, along with BPX profiles in the RACF SURROGAT class. With RHEL, we extensively use sudo.
More to come.
thanks

[gngrossi]

@ddimatos Using Sudo version 1.9.15p5 from the zopen community github repo, I was able to successfully use
become: true
become_method: sudo

[gngrossi]

@ddimatos Trying to use...
become: true
become_method: su
become_user: "{{USR01}}"

...was not successful.

It looks like the become user worked using su.