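--- a/core/lib/add-node.sh
+++ b/core/lib/add-node.sh
@@ -17,7 +17,7 @@ add_inference_nodes_playbook() {
 
 invoke_prereq_workflows "$@"
 
-ansible-playbook -i "${INVENTORY_PATH}" playbooks/cluster.yml --become --become-user=root
+ansible-playbook -i "${INVENTORY_PATH}" playbooks/cluster.yml --become --become-user=root --become-password-file="${BECOME_PASSWORD_FILE}"
 
 
 }
@@ -55,4 +55,4 @@ add_worker_node() {
 echo -e "${GREEN}| Please stand by while the NRI CPU Balloons are being re-applied... |${NC}"
 echo -e "${BLUE}------------------------------------------------------------------------------${NC}"
 fi
-}
+}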
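Review bot: `add_inference_nodes_playbook` receives this identical one-line change here and again in core/lib/cluster/nodes/add-node.sh further down the PR, so the function now exists as two hand-synchronised copies and the next become-related change will have to be made twice. If the top-level core/lib/add-node.sh is a legacy location, have it `source "$(dirname "${BASH_SOURCE[0]}")/cluster/nodes/add-node.sh"` instead of carrying its own body, or drop whichever copy the entry script no longer loads; I cannot tell from the diff which one is actually sourced. In the second hunk `add_worker_node` starts outside the hunk and its only change is the added newline at end of file.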
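--- a/core/lib/cluster/config/cluster-config-init.sh
+++ b/core/lib/cluster/config/cluster-config-init.sh
@@ -8,5 +8,5 @@ deploy_cluster_config_playbook() {
 tags=""
 fi
 
-ansible-playbook -i "${INVENTORY_PATH}" playbooks/deploy-cluster-config.yml --become --become-user=root --extra-vars "secret_name=${cluster_url} cert_file=${cert_file} key_file=${key_file}" --tags "$tags"
-}
+ansible-playbook -i "${INVENTORY_PATH}" playbooks/deploy-cluster-config.yml --become --become-user=root --become-password-file="${BECOME_PASSWORD_FILE}" --extra-vars "secret_name=${cluster_url} cert_file=${cert_file} key_file=${key_file}" --tags "$tags"
+}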
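Review bot: The rewritten line still passes `--extra-vars "secret_name=${cluster_url} cert_file=${cert_file} key_file=${key_file}"` as one whitespace-separated key=value string, so a certificate or key path containing a space is silently truncated and its tail becomes a bogus extra variable; the same applies to `cluster_url`. Since the line is being touched anyway, hand the values over as JSON, e.g. `--extra-vars "$(printf '{"secret_name":"%s","cert_file":"%s","key_file":"%s"}' "$cluster_url" "$cert_file" "$key_file")"`, which keeps each value intact (a value containing a double quote would still need escaping). `deploy_cluster_config_playbook` starts outside the hunk.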
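--- a/core/lib/cluster/deployment/cluster-purge.sh
+++ b/core/lib/cluster/deployment/cluster-purge.sh
@@ -11,7 +11,7 @@ run_reset_playbook() {
 fi
 
 ansible-playbook -i "${INVENTORY_PATH}" playbooks/deploy-keycloak-controller.yml --extra-vars "delete_pv_on_purge=${delete_pv_on_purge}"
-ansible-playbook -i "${INVENTORY_PATH}" --become --become-user=root reset.yml -e "confirm_reset=yes reset_nodes=false"
+ansible-playbook -i "${INVENTORY_PATH}" --become --become-user=root --become-password-file="${BECOME_PASSWORD_FILE}" reset.yml -e "confirm_reset=yes reset_nodes=false"
 # Check the exit status of the Ansible playbook command
 if [ $? -eq 0 ]; then
 echo "Cluster reset playbook execution completed successfully."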
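Review bot: Inside `run_reset_playbook` only the `reset.yml` call gains `--become-password-file`, while the `deploy-keycloak-controller.yml` call on the line above runs with no `--become` and no password source at all; if that playbook escalates with `become: true` in its own tasks it is now the one privileged step that can still stall on a password prompt, which is worth confirming rather than assuming it is unprivileged. The `if [ $? -eq 0 ]` that follows is also fragile against anything later inserted between the two lines; `if ansible-playbook -i "${INVENTORY_PATH}" --become --become-user=root --become-password-file="${BECOME_PASSWORD_FILE}" reset.yml -e "confirm_reset=yes reset_nodes=false"; then` matches the pattern readiness-check.sh uses in this same PR. The function starts and ends outside the hunk.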
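--- a/core/lib/cluster/deployment/fresh-install.sh
+++ b/core/lib/cluster/deployment/fresh-install.sh
@@ -190,5 +190,5 @@ fresh_installation() {
 
 run_fresh_install_playbook() {
 echo "Running the cluster.yml playbook to set up the Kubernetes cluster..."
-ansible-playbook -i "${INVENTORY_PATH}" --become --become-user=root cluster.yml
-}
+ansible-playbook -i "${INVENTORY_PATH}" --become --become-user=root --become-password-file="${BECOME_PASSWORD_FILE}" cluster.yml
+}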
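--- a/core/lib/cluster/nodes/add-node.sh
+++ b/core/lib/cluster/nodes/add-node.sh
@@ -16,7 +16,7 @@ add_inference_nodes_playbook() {
 
 invoke_prereq_workflows "$@"
 
-ansible-playbook -i "${INVENTORY_PATH}" playbooks/cluster.yml --become --become-user=root
+ansible-playbook -i "${INVENTORY_PATH}" playbooks/cluster.yml --become --become-user=root --become-password-file="${BECOME_PASSWORD_FILE}"
 
 }
 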
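--- a/core/lib/cluster/nodes/remove-node.sh
+++ b/core/lib/cluster/nodes/remove-node.sh
@@ -15,7 +15,7 @@ remove_inference_nodes_playbook() {
 return 1
 fi
 invoke_prereq_workflows "$@"
-ansible-playbook -i "${INVENTORY_PATH}" playbooks/remove_node.yml --become --become-user=root -e node="$worker_nodes_to_remove" -e allow_ungraceful_removal=true
+ansible-playbook -i "${INVENTORY_PATH}" playbooks/remove_node.yml --become --become-user=root --become-password-file="${BECOME_PASSWORD_FILE}" -e node="$worker_nodes_to_remove" -e allow_ungraceful_removal=true
 }
 
 remove_worker_node() {
@@ -35,4 +35,4 @@ remove_worker_node() {
 echo "| Node is being removed from Intel AI for Enterprise Inference! |"
 echo "------------------------------------------------------------------------"
 
-}
+}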
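--- a/core/lib/cluster/state/cluster-state-check.sh
+++ b/core/lib/cluster/state/cluster-state-check.sh
@@ -3,7 +3,7 @@
 
 check_cluster_state() {
 echo "Checking the state of the Kubernetes cluster..."
-ansible-playbook -i inventory/mycluster/hosts.yaml --become --become-user=root upgrade-cluster.yml --check
+ansible-playbook -i inventory/mycluster/hosts.yaml --become --become-user=root --become-password-file="${BECOME_PASSWORD_FILE}" upgrade-cluster.yml --check
 # Check the exit status of the Ansible playbook command
 if [ $? -eq 0 ]; then
 echo "Kubernetes cluster state check completed successfully."
@@ -15,6 +15,6 @@ check_cluster_state() {
 
 run_k8s_cluster_wait() {
 echo "Waiting for Kubernetes control plane to become ready..."
-ansible -i "${INVENTORY_PATH}" kube_control_plane -m wait_for -a "port=6443 timeout=600" --become --become-user=root
+ansible -i "${INVENTORY_PATH}" kube_control_plane -m wait_for -a "port=6443 timeout=600" --become --become-user=root --become-password-file="${BECOME_PASSWORD_FILE}"
 return $?
 }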
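Review bot: `check_cluster_state` keeps the hard-coded relative `-i inventory/mycluster/hosts.yaml` on its rewritten line while `run_k8s_cluster_wait` in the same file uses `"${INVENTORY_PATH}"`, and the new `--become-password-file` argument is an absolute path derived from `$0`; the call therefore only works when the current directory happens to be the kubespray checkout, and otherwise fails with an inventory error rather than a clear message. Use `ansible-playbook -i "${INVENTORY_PATH}" --become --become-user=root --become-password-file="${BECOME_PASSWORD_FILE}" upgrade-cluster.yml --check` so both functions resolve the inventory the same way. Note that `--check` mode still escalates, so this read-only state check now also depends on the password file being present. `check_cluster_state` ends outside the first hunk.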
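--- a/core/lib/components/intel-base-operator.sh
+++ b/core/lib/components/intel-base-operator.sh
@@ -11,11 +11,11 @@ run_deploy_habana_ai_operator_playbook() {
 else
 gaudi_operator=""
 fi
-ansible-playbook -i "${INVENTORY_PATH}" --become --become-user=root playbooks/deploy-habana-ai-operator.yml --extra-vars "gaudi_operator=${gaudi_operator}"
+ansible-playbook -i "${INVENTORY_PATH}" --become --become-user=root --become-password-file="${BECOME_PASSWORD_FILE}" playbooks/deploy-habana-ai-operator.yml --extra-vars "gaudi_operator=${gaudi_operator}"
 if [ $? -eq 0 ]; then
 echo "The deploy-habana-ai-operator.yml playbook ran successfully."
 else
 echo "The deploy-habana-ai-operator.yml playbook encountered an error."
 exit 1
 fi
-}
+}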
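--- a/core/lib/components/observability-controller.sh
+++ b/core/lib/components/observability-controller.sh
@@ -10,6 +10,6 @@ deploy_observability_playbook() {
 tags+="deploy_logging,"
 fi
 tags="${tags%,}"
-ansible-playbook -i "${INVENTORY_PATH}" playbooks/deploy-observability.yml --become --become-user=root --extra-vars "secret_name=${cluster_url} cert_file=${cert_file} key_file=${key_file} deploy_observability=${deploy_observability} deploy_logging=${deploy_logging} observability_stack_chart_version=${observability_stack_chart_version}" --tags "$tags" --vault-password-file "$vault_pass_file"
+ansible-playbook -i "${INVENTORY_PATH}" playbooks/deploy-observability.yml --become --become-user=root --become-password-file="${BECOME_PASSWORD_FILE}" --extra-vars "secret_name=${cluster_url} cert_file=${cert_file} key_file=${key_file} deploy_observability=${deploy_observability} deploy_logging=${deploy_logging} observability_stack_chart_version=${observability_stack_chart_version}" --tags "$tags" --vault-password-file "$vault_pass_file"
 
-}
+}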
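Review bot: This call already passes `--vault-password-file "$vault_pass_file"`, which indicates Ansible Vault is in use for this deployment, yet the PR stores the root become password in a separate plaintext `.become-passfile`, adding a second unencrypted secret on disk beside the inventory. Consider setting `ansible_become_password` in a vault-encrypted group_vars file instead, in which case `--become-password-file` is not needed on this line, or at least document how the file is created, that it must be mode 0600, and that it is excluded from version control; I cannot see from the diff whether it is gitignored. `deploy_observability_playbook` starts outside the hunk.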
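--- a/core/lib/system/config-vars.sh
+++ b/core/lib/system/config-vars.sh
@@ -5,6 +5,7 @@ HOMEDIR="$(pwd)"
 KUBESPRAYDIR="$(dirname "$(realpath "$0")")/kubespray"
 VENVDIR="$(dirname "$(realpath "$0")")/kubespray225-venv"
 INVENTORY_PATH="${KUBESPRAYDIR}/inventory/mycluster/hosts.yaml"
+BECOME_PASSWORD_FILE="$(dirname "$(realpath "$0")")/inventory/.become-passfile"
 # Set the default values for the parameters
 cluster_url=""
 cert_file=""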
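Review bot: `BECOME_PASSWORD_FILE` is introduced as the path to a plaintext root password, but nothing validates it, so a missing or world-readable file is only discovered when the first `--become-password-file` playbook or `sudo -S` redirection fails well into a run. It is also rooted at `$(dirname "$(realpath "$0")")/inventory/`, whereas `INVENTORY_PATH` two lines above lives under `${KUBESPRAYDIR}/inventory/`, so unless that split is intentional the file will not sit beside `hosts.yaml`. Because every call site in this PR repeats the same three become flags, a fail-fast check here plus a shared option array keeps the validation in one place and lets the call sites use `"${BECOME_OPTS[@]}"`; `stat -c` is GNU coreutils, which is fine for the RHEL/Ubuntu targets the prerequisite check supports.
```shell
BECOME_PASSWORD_FILE="$(dirname "$(realpath "$0")")/inventory/.become-passfile"
# Fail early and loudly if the become password file is unusable.
if [ ! -r "${BECOME_PASSWORD_FILE}" ]; then
  echo "Become password file not found or unreadable: ${BECOME_PASSWORD_FILE}" >&2
  exit 1
fi
if [ "$(stat -c '%a' "${BECOME_PASSWORD_FILE}")" != "600" ]; then
  echo "Refusing to use ${BECOME_PASSWORD_FILE}: permissions must be 0600" >&2
  exit 1
fi
# Shared privilege-escalation flags for every ansible/ansible-playbook call.
BECOME_OPTS=(--become --become-user=root --become-password-file="${BECOME_PASSWORD_FILE}")
# … unchanged: default parameter values …
```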
18 changes: 9 additions & 9 deletions core/lib/system/precheck/prereq-check.sh
Expand Up @@ -120,14 +120,14 @@ run_system_prerequisites_check() {
echo "Updating system package lists..."
if command -v apt &> /dev/null; then
echo "Updating package lists using apt Ubuntu..."
if sudo apt update; then
if sudo -S apt update < "${BECOME_PASSWORD_FILE}"; then

Copilot AI Dec 11, 2025


The sudo -S approach with file redirection is less secure than the ansible --become-password-file method used elsewhere. The password could be exposed in process listings and shell history. Consider refactoring these package management operations into an ansible playbook to maintain consistent security practices throughout the codebase.

echo -e "${GREEN}Package lists updated successfully${NC}"
else
echo -e "${YELLOW}Package list update failed, continuing anyway${NC}"
fi
elif command -v dnf &> /dev/null; then
echo "Updating package lists using dnf (RHEL/CentOS)..."
if sudo dnf check-update || [ $? -eq 100 ]; then
if sudo -S dnf check-update < "${BECOME_PASSWORD_FILE}" || [ $? -eq 100 ]; then

Copilot AI Dec 11, 2025


The sudo -S approach with file redirection is less secure than the ansible --become-password-file method used elsewhere. The password could be exposed in process listings and shell history. Consider refactoring these package management operations into an ansible playbook to maintain consistent security practices throughout the codebase.

echo -e "${GREEN} Package lists updated successfully${NC}"
else
echo -e "${YELLOW} Package list update failed, continuing anyway${NC}"
Expand Down Expand Up @@ -217,10 +217,10 @@ run_system_prerequisites_check() {
if [ ${#other_deps[@]} -gt 0 ]; then
if command -v dnf &> /dev/null; then
echo "Installing dependencies using dnf RHEL..."
sudo dnf install -y "${other_deps[@]}"
sudo -S dnf install -y "${other_deps[@]}" < "${BECOME_PASSWORD_FILE}"

Copilot AI Dec 11, 2025


The sudo -S approach with file redirection is less secure than the ansible --become-password-file method used elsewhere. The password could be exposed in process listings and shell history. Consider refactoring these package management operations into an ansible playbook to maintain consistent security practices throughout the codebase.

elif command -v apt &> /dev/null; then
echo "Installing dependencies using apt Ubuntu..."
sudo apt update && sudo apt install -y "${other_deps[@]}"
sudo -S apt update < "${BECOME_PASSWORD_FILE}" && sudo -S apt install -y "${other_deps[@]}" < "${BECOME_PASSWORD_FILE}"

Copilot AI Dec 11, 2025


Using sudo -S with password file redirection exposes the password in the process command line and can leave it in shell history. Additionally, reading from the same file twice in a compound command may cause issues if the file contains only one password line. Consider using ansible-playbook with --become-password-file for consistency with the rest of the PR, or use a more secure method like sudo's NOPASSWD configuration or askpass helper.

else
echo -e "${RED}Unsupported package manager. This script supports RHEL (dnf) and Ubuntu (apt) only.${NC}"
echo -e "${YELLOW}Please install manually:${NC}"
Expand All @@ -237,26 +237,26 @@ run_system_prerequisites_check() {
python_version=$($python3_interpreter -c "import sys; print(f'{sys.version_info.major}.{sys.version_info.minor}')")
if [[ "$python_version" == "3.11" ]]; then
echo "Installing python3.11-pip using dnf (RHEL 9)..."
if ! sudo dnf install -y python3.11-pip; then
if ! sudo -S dnf install -y python3.11-pip < "${BECOME_PASSWORD_FILE}"; then

Copilot AI Dec 11, 2025


The sudo -S approach with file redirection is less secure than the ansible --become-password-file method used elsewhere. The password could be exposed in process listings and shell history. Consider refactoring these package management operations into an ansible playbook to maintain consistent security practices throughout the codebase.

echo -e "${RED}Failed to install python3.11-pip using dnf${NC}"
exit 1
fi
elif [[ "$python_version" == "3.12" ]]; then
echo "Installing python3.12-pip using dnf (RHEL 9)..."
if ! sudo dnf install -y python3.12-pip; then
if ! sudo -S dnf install -y python3.12-pip < "${BECOME_PASSWORD_FILE}"; then

Copilot AI Dec 11, 2025


The sudo -S approach with file redirection is less secure than the ansible --become-password-file method used elsewhere. The password could be exposed in process listings and shell history. Consider refactoring these package management operations into an ansible playbook to maintain consistent security practices throughout the codebase.

echo -e "${RED}Failed to install python3.12-pip using dnf${NC}"
exit 1
fi
else
echo "Installing python3-pip using dnf (RHEL 9)..."
if ! sudo dnf install -y python3-pip; then
if ! sudo -S dnf install -y python3-pip < "${BECOME_PASSWORD_FILE}"; then

Copilot AI Dec 11, 2025


The sudo -S approach with file redirection is less secure than the ansible --become-password-file method used elsewhere. The password could be exposed in process listings and shell history. Consider refactoring these package management operations into an ansible playbook to maintain consistent security practices throughout the codebase.

echo -e "${RED}Failed to install python3-pip using dnf${NC}"
exit 1
fi
fi
elif command -v apt &> /dev/null; then
echo "Installing python3-pip using apt (Ubuntu 22/24)..."
if ! sudo apt install -y python3-pip; then
if ! sudo -S apt install -y python3-pip < "${BECOME_PASSWORD_FILE}"; then

Copilot AI Dec 11, 2025


The sudo -S approach with file redirection is less secure than the ansible --become-password-file method used elsewhere. The password could be exposed in process listings and shell history. Consider refactoring these package management operations into an ansible playbook to maintain consistent security practices throughout the codebase.

echo -e "${RED}Failed to install python3-pip using apt${NC}"
exit 1
fi
Expand Down Expand Up @@ -298,4 +298,4 @@ run_system_prerequisites_check() {

echo -e "${GREEN}System prerequisites check completed successfully.${NC}"
return 0
}
}
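Review bot: The `sudo -S ... < "${BECOME_PASSWORD_FILE}"` pattern now repeated nine times in `run_system_prerequisites_check` writes sudo's `[sudo] password for ...:` prompt into the script output on every call, and when the file is missing bash reports a redirection error that the surrounding `if` then labels "Package list update failed, continuing anyway"; the bare `sudo -S dnf install -y "${other_deps[@]}" < "${BECOME_PASSWORD_FILE}"` line in the middle hunk also ignores failure entirely. A smaller change is to authenticate once at the top of the function with `sudo -S -p '' -v < "${BECOME_PASSWORD_FILE}" || { echo "sudo authentication failed" >&2; return 1; }` and leave the original plain `sudo apt update` / `sudo dnf install` lines untouched, relying on sudo's credential cache; that assumes the hosts' `timestamp_timeout` is not 0, which I cannot verify from here. Whichever form is kept, `-p ''` removes the prompt noise from the log. The function starts and ends outside the hunks.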
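--- a/core/lib/system/precheck/readiness-check.sh
+++ b/core/lib/system/precheck/readiness-check.sh
@@ -10,11 +10,11 @@ run_infrastructure_readiness_check() {
 echo -e "${YELLOW}Please ensure the inventory file exists and contains the correct host information.${NC}"
 return 1
 fi
-if ansible-playbook -i "${INVENTORY_PATH}" --become --become-user=root --extra-vars "brownfield_deployment=true" playbooks/inference-precheck.yml; then
+if ansible-playbook -i "${INVENTORY_PATH}" --become --become-user=root --become-password-file="${BECOME_PASSWORD_FILE}" --extra-vars "brownfield_deployment=true" playbooks/inference-precheck.yml; then
 echo -e "${GREEN}Infrastructure readiness check completed successfully.${NC}"
 return 0
 else
 echo -e "${RED}Infrastructure readiness check failed. Please resolve the issues before proceeding.${NC}"
 return 1
 fi
-}
+}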
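Review bot: `run_infrastructure_readiness_check` verifies the inventory exists before running the playbook (the `return 1` branch just above the changed line), but the newly added `--become-password-file="${BECOME_PASSWORD_FILE}"` gets no equivalent guard, so a missing or unreadable password file surfaces as an Ansible error inside the readiness check instead of the clear message the inventory case produces. Mirror the existing check with `if [ ! -r "${BECOME_PASSWORD_FILE}" ]; then echo -e "${RED}Become password file not found or unreadable: ${BECOME_PASSWORD_FILE}${NC}"; return 1; fi` before the playbook call. The function starts outside the hunk.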