Sudo option hangs when running simple shell commands


Samnang Sen

Sep 25, 2013, 2:37:00 PM
to ansible...@googlegroups.com
This hangs and I have to kill the process. I don't want to use -K since I'd rather use passwordless ssh.

# ansible -i hosts webserver1 -m shell -a "/sbin/service httpd restart" --sudo

Now, if I pass the sudo command via the shell, it works just fine.

# ansible -i hosts webserver1 -m shell -a "sudo /sbin/service httpd restart"

Walid

Sep 25, 2013, 2:49:56 PM
to ansible...@googlegroups.com
Which connection transport are you using? Did you try different ones, and try to use the new -vvvv option to debug ssh connections?



Samnang Sen

Sep 25, 2013, 2:52:11 PM
to ansible...@googlegroups.com
Looks like I'm stuck here ...

<oqn-01-web1> ESTABLISH CONNECTION FOR USER: deployment on PORT 22 TO oqn-01-web1
<oqn-01-web1> EXEC /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-1380135044.57-157834591122680 && chmod a+rx $HOME/.ansible/tmp/ansible-1380135044.57-157834591122680 && echo $HOME/.ansible/tmp/ansible-1380135044.57-157834591122680'
<oqn-01-web1> REMOTE_MODULE command /sbin/service httpd restart
<oqn-01-web1> PUT /tmp/tmppxQ9cr TO /home/deploy/.ansible/tmp/ansible-1380135044.57-157834591122680/command
<oqn-01-web1> EXEC /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=gjnesgjnrperpmifmojteiocwhyyfsrj] password: " -u root /bin/sh -c '"'"'/usr/bin/python /home/deploy/.ansible/tmp/ansible-1380135044.57-157834591122680/command; rm -rf /home/deploy/.ansible/tmp/ansible-1380135044.57-157834591122680/ >/dev/null 2>&1'"'"''

James Cammarata

Sep 25, 2013, 4:33:20 PM
to ansible...@googlegroups.com
You need to specify -K when using sudo, as it is waiting at a prompt for a sudo password.
--

James Cammarata <jcamm...@ansibleworks.com>
Sr. Software Engineer, AnsibleWorks, Inc.
http://www.ansibleworks.com/

Samnang Sen

Sep 25, 2013, 4:38:12 PM
to ansible...@googlegroups.com
But I thought if I'm using passwordless SSH it shouldn't matter?

James Cammarata

Sep 25, 2013, 4:40:04 PM
to ansible...@googlegroups.com
It does, because sudo may not be passwordless. Using -k is for ssh, -K is for sudo.

Michael DeHaan

Sep 25, 2013, 7:52:37 PM
to ansible...@googlegroups.com
Always why I prefer long form options every time :)


Michael DeHaan <mic...@ansibleworks.com>
CTO, AnsibleWorks, Inc.
http://www.ansibleworks.com/

Phil Franks

Nov 18, 2013, 2:06:10 PM
to ansible...@googlegroups.com
Sorry to be digging up an old thread. I ran into this issue too, and the issue is not always simply a sudo/password/-K issue.

sudo is often configured to only allow certain commands to run via sudo. For example, a developer that may restart a web service, but not administer the rest of the system.  After tracing logs, I believe ansible does not support this.

For example, sudo is configured with the following authorisation:
%tomcat7 ALL=(ALL) NOPASSWD: /usr/sbin/service tomcat7 restart

User runs 'sudo service tomcat7 restart' in a shell directly:
==> /var/log/auth.log <==
Nov 18 18:49:46 host sudo:  username : TTY=pts/0 ; PWD=/home/username ; USER=root ; COMMAND=/usr/sbin/service tomcat7 restart
Nov 18 18:49:46 host sudo: pam_unix(sudo:session): session opened for user root by username(uid=0)
Nov 18 18:49:52 host sudo: pam_unix(sudo:session): session closed for user root

Ansible playbook task service: name=tomcat7 state=restarted:
==> /var/log/auth.log <==
Nov 18 18:48:54 host sudo:  username : TTY=pts/6 ; PWD=/home/username ; USER=root ; COMMAND=/bin/sh -c echo SUDO-SUCCESS-uwsxighxnhfaaspfrokwpdvxgnjycdil; /usr/bin/python <snip>

The ansible call is wrapped and sudo called using /bin/sh which sudo does not allow.

Is there a workaround for this, other than granting the user sudo access to everything?
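
Added example (not part of the original posts and not Ansible's or sudo's own code): a simplified Python check of the two auth.log command records above against the sudoers command spec quoted in this post, showing why the /bin/sh-wrapped invocation falls outside the rule. The function names and the matching logic are assumptions that approximate sudoers command matching.

```python
import fnmatch
import re

# Command spec from the sudoers rule quoted in the post above.
ALLOWED_SPEC = "/usr/sbin/service tomcat7 restart"

# Log lines copied from the post; the truncated Ansible command stays as "<snip>".
AUTH_LOG = """\
Nov 18 18:49:46 host sudo:  username : TTY=pts/0 ; PWD=/home/username ; USER=root ; COMMAND=/usr/sbin/service tomcat7 restart
Nov 18 18:49:46 host sudo: pam_unix(sudo:session): session opened for user root by username(uid=0)
Nov 18 18:48:54 host sudo:  username : TTY=pts/6 ; PWD=/home/username ; USER=root ; COMMAND=/bin/sh -c echo SUDO-SUCCESS-uwsxighxnhfaaspfrokwpdvxgnjycdil; /usr/bin/python <snip>
"""

SUDO_LINE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_events(log_text):
    """Return (user, runas, command) per sudo command record; PAM lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_LINE.search(line)
        if m:
            events.append((m["user"], m["runas"], m["cmd"].strip()))
    return events


def spec_allows(spec, command):
    """Simplified sudoers matching: the path must match, and if the spec lists
    arguments, the whole argument string must match too (shell-style wildcards)."""
    spec_path, _, spec_args = spec.partition(" ")
    cmd_path, _, cmd_args = command.partition(" ")
    if not fnmatch.fnmatchcase(cmd_path, spec_path):
        return False
    if not spec_args:       # no arguments in the spec: any arguments are accepted
        return True
    if spec_args == '""':   # explicit empty string: no arguments permitted
        return cmd_args == ""
    return fnmatch.fnmatchcase(cmd_args, spec_args)


def audit(log_text, spec=ALLOWED_SPEC):
    """Pair each logged sudo command with whether the restricted rule covers it."""
    return [(cmd, spec_allows(spec, cmd)) for _, _, cmd in parse_sudo_events(log_text)]
```

Calling audit(AUTH_LOG) marks the direct service restart as covered and the Ansible-wrapped record as not covered, because the command sudo evaluates is /bin/sh rather than /usr/sbin/service.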

Michael DeHaan

Nov 19, 2013, 10:59:22 PM
to ansible...@googlegroups.com
"sudo is often configured to only allow certain commands to run via sudo"

Correct, this is not how ansible works.

We simply don't invoke chown, modules are reusable pieces of code and we don't require them to be preinstalled.


Jacob Weber

Apr 26, 2014, 2:45:33 PM
to ansible...@googlegroups.com
Sorry to bring up this old thread again, but I'm running into the same issue as Phil.

I'd like to have a user that has sudo access to restart Apache but not, say, delete it.

How do people typically handle this? Is it possible to create users that can run ansible modules like "service" as sudo, without having sudo rights to run every command?

Or is the expectation that Ansible should have full sudo access?

JW

Michael DeHaan

Apr 28, 2014, 10:05:37 AM
to ansible...@googlegroups.com
I'm sorry, you can't define sudo access to do specific commands this way.



