become_user question


Ben Watson

May 6, 2015, 2:09:56 PM
to ansible...@googlegroups.com
First some background info:

  • Using Ansible 1.9.0.1
  • All hosts are Ubuntu 14.04
  • My Ansible-fu level: novice (couple/few weeks of use)
I'm trying to cobble together a streamlined development system using Jenkins + Ansible.  I've made a lot of headway thus far, but am running into an unexpected behavior that has me stumped.

I have a host named devops-ansible and another host named devops-db.  On these hosts, I have user accounts for myself (ben).  Using Ansible, I created an account named jenkins on both machines that is a service account meant to run a jenkins-slave program that will communicate to a master CI server.  

I've got passwordless SSH (e.g. SSH certs) working between the hosts for both users (ben and jenkins).  Furthermore, there is an entry in /etc/sudoers for the jenkins group to be able to use passwordless sudo for all commands on both hosts:
  • i.e.:
    %jenkins ALL = NOPASSWD: ALL

Where I first ran into this problem was installing a Postgres database on devops-db via a playbook executed by jenkins on devops-ansible.  When the playbook runs, it can connect to devops-db just fine and uses the apt module to install Postgres without issue by setting sudo to yes in the task (but I don't have to run the play with --ask-sudo-pass).

However, I'm at that point where I need to add database users as the user postgres, which was created by virtue of installing the database.  I've tried every combination of sudo/sudo_user and become/become_user/become_method that I can think of and consistently run into the following errors:
  • The majority of the time, I observe: "Missing become password" on stdout of devops-ansible
  • If I change become_method to su, then it appears to hang (presumably waiting for password input?) and I have to kill it via CTRL+C
To illustrate the behavior, I created a series of simple "whoami" tasks as follows:

- name: Normal Task
  command: /usr/bin/whoami
  register: n_task

- debug: var=n_task

- name: Sudo Task
  command: /usr/bin/whoami
  sudo: yes
  register: s_task

- debug: var=s_task

- name: Privilege Escalation Task
  command: /usr/bin/whoami
  become: yes
  become_user: "{{postgresql_admin_user}}"
  become_method: sudo
  register: pe_task

- debug: var=pe_task

Note: the variable postgresql_admin_user resolves to postgres

Below is the stdout as observed when run as jenkins on devops-ansible:

TASK: [anxs-postgresql | Normal Task] *****************************************
<devops-db> ESTABLISH CONNECTION FOR USER: jenkins
<devops-db> REMOTE_MODULE command /usr/bin/whoami
<devops-db> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/var/lib/jenkins/.ansible/cp/%h-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 devops-db /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1430932819.87-66566461752335 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1430932819.87-66566461752335 && echo $HOME/.ansible/tmp/ansible-tmp-1430932819.87-66566461752335'
<devops-db> PUT /tmp/tmphNhLih TO /var/lib/jenkins/.ansible/tmp/ansible-tmp-1430932819.87-66566461752335/command
<devops-db> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/var/lib/jenkins/.ansible/cp/%h-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 devops-db /bin/sh -c 'LANG=C LC_CTYPE=C /usr/bin/python /var/lib/jenkins/.ansible/tmp/ansible-tmp-1430932819.87-66566461752335/command; rm -rf /var/lib/jenkins/.ansible/tmp/ansible-tmp-1430932819.87-66566461752335/ >/dev/null 2>&1'
changed: [devops-db] => {"changed": true, "cmd": ["/usr/bin/whoami"], "delta": "0:00:00.003596", "end": "2015-05-06 12:20:20.489499", "rc": 0, "start": "2015-05-06 12:20:20.485903", "stderr": "", "stdout": "jenkins", "warnings": []}


TASK: [anxs-postgresql | debug var=n_task] ************************************
<devops-db> ESTABLISH CONNECTION FOR USER: jenkins
ok: [devops-db] => {
    "var": {
        "n_task": {
            "changed": true,
            "cmd": [
                "/usr/bin/whoami"
            ],
            "delta": "0:00:00.003596",
            "end": "2015-05-06 12:20:20.489499",
            "invocation": {
                "module_args": "/usr/bin/whoami",
                "module_name": "command"
            },
            "rc": 0,
            "start": "2015-05-06 12:20:20.485903",
            "stderr": "",
            "stdout": "jenkins",
            "stdout_lines": [
                "jenkins"
            ],
            "warnings": []
        }
    }
}


TASK: [anxs-postgresql | Sudo Task] *******************************************
<devops-db> ESTABLISH CONNECTION FOR USER: jenkins
<devops-db> REMOTE_MODULE command /usr/bin/whoami
<devops-db> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/var/lib/jenkins/.ansible/cp/%h-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 devops-db /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1430932820.05-171310724077328 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1430932820.05-171310724077328 && echo $HOME/.ansible/tmp/ansible-tmp-1430932820.05-171310724077328'
<devops-db> PUT /tmp/tmpfRaznB TO /var/lib/jenkins/.ansible/tmp/ansible-tmp-1430932820.05-171310724077328/command
<devops-db> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/var/lib/jenkins/.ansible/cp/%h-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 devops-db /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=pozuyfielrfgovoplpbakzjuflxuzboo] password: " -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-pozuyfielrfgovoplpbakzjuflxuzboo; LANG=C LC_CTYPE=C /usr/bin/python /var/lib/jenkins/.ansible/tmp/ansible-tmp-1430932820.05-171310724077328/command; rm -rf /var/lib/jenkins/.ansible/tmp/ansible-tmp-1430932820.05-171310724077328/ >/dev/null 2>&1'"'"''
changed: [devops-db] => {"changed": true, "cmd": ["/usr/bin/whoami"], "delta": "0:00:00.010214", "end": "2015-05-06 12:20:20.832838", "rc": 0, "start": "2015-05-06 12:20:20.822624", "stderr": "", "stdout": "root", "warnings": []}


TASK: [anxs-postgresql | debug var=s_task] ************************************
<devops-db> ESTABLISH CONNECTION FOR USER: jenkins
ok: [devops-db] => {
    "var": {
        "s_task": {
            "changed": true,
            "cmd": [
                "/usr/bin/whoami"
            ],
            "delta": "0:00:00.010214",
            "end": "2015-05-06 12:20:20.832838",
            "invocation": {
                "module_args": "/usr/bin/whoami",
                "module_name": "command"
            },
            "rc": 0,
            "start": "2015-05-06 12:20:20.822624",
            "stderr": "",
            "stdout": "root",
            "stdout_lines": [
                "root"
            ],
            "warnings": []
        }
    }
}


TASK: [anxs-postgresql | Privilege Escalation Task] ***************************
<devops-db> ESTABLISH CONNECTION FOR USER: jenkins
<devops-db> REMOTE_MODULE command /usr/bin/whoami
<devops-db> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/var/lib/jenkins/.ansible/cp/%h-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 devops-db /bin/sh -c 'mkdir -p /tmp/ansible-tmp-1430932820.42-42861004344608 && chmod a+rx /tmp/ansible-tmp-1430932820.42-42861004344608 && echo /tmp/ansible-tmp-1430932820.42-42861004344608'
<devops-db> PUT /tmp/tmptC6NoD TO /tmp/ansible-tmp-1430932820.42-42861004344608/command
<devops-db> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/var/lib/jenkins/.ansible/cp/%h-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 devops-db /bin/sh -c 'chmod a+r /tmp/ansible-tmp-1430932820.42-42861004344608/command'
<devops-db> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/var/lib/jenkins/.ansible/cp/%h-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 devops-db /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=jbwdiylloxvtejdifemgantwsahulmsr] password: " -u postgres /bin/sh -c '"'"'echo BECOME-SUCCESS-jbwdiylloxvtejdifemgantwsahulmsr; LANG=C LC_CTYPE=C /usr/bin/python /tmp/ansible-tmp-1430932820.42-42861004344608/command'"'"''
fatal: [devops-db] => Missing become password


FATAL: all hosts have already failed -- aborting

The SSH session below should illustrate that, at the OS level, my users are good to go privilege-wise:

ben@devops-ansible:~/Development/ansible-playbooks/BenDevEnv$ sudo su - jenkins
[sudo] password for ben:
jenkins@devops-ansible:~$ ssh devops-db
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-49-generic i686)

 * Documentation:  https://help.ubuntu.com/

63 packages can be updated.
55 updates are security updates.

Last login: Wed May  6 12:20:20 2015 from laptop
jenkins@devops-db:~$ sudo su postgres
postgres@devops-db:/var/lib/jenkins$



Any advice?

v/r

Ben
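A check I would run on the managed host before going further with the playbook, added here as an example (it is not from Ben's posts and not part of Ansible): it repeats the sudo invocation visible in the -vvv output above (`sudo -k && sudo -H -u postgres ...`) but adds sudo's `-n` flag, which makes sudo exit non-zero instead of waiting at a password prompt. Run as jenkins on devops-db with the `%jenkins ALL = NOPASSWD: ALL` rule from the post, it should report success for postgres; that confirms the OS-level policy the SSH session shows and narrows a "Missing become password" failure to the Ansible side. The script name, the `become_check` function and the `SUDO` override variable are my own choices.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce on the target host what
# Ansible's sudo-based become does ('sudo -k && sudo -H -u <user> ...'), but
# with sudo's -n (non-interactive) flag, so a password requirement fails
# immediately instead of hanging at a prompt.
# Assumptions: run as the SSH login account (jenkins in the thread) on the
# managed host; the target account is the first argument. SUDO can be pointed
# at another binary or shell function for testing.

SUDO="${SUDO:-sudo}"

# become_check TARGET_USER
# Exit status: 0 = sudo switches to TARGET_USER without a password and whoami
# confirms it; 1 = the policy denies it or would prompt for a password;
# 2 = the command ran but reported a different user.
become_check() {
    bc_target="$1"

    # Drop cached credentials first, exactly as Ansible's become command does,
    # so a timestamp left by an interactive session cannot hide a missing
    # NOPASSWD rule.
    "$SUDO" -k

    # -l with a command asks the security policy whether that command is
    # permitted for the invoking user as bc_target; -n refuses to prompt, so a
    # rule that needs a password yields a non-zero status instead of a hang.
    if ! "$SUDO" -n -l -u "$bc_target" /usr/bin/whoami >/dev/null 2>&1; then
        echo "become_check: sudo will not run commands as '$bc_target' without a password" >&2
        return 1
    fi

    # Policy says yes; now actually switch users the way the module run would
    # (-H sets HOME to the target user's home, as Ansible passes it).
    bc_out=$("$SUDO" -n -H -u "$bc_target" /usr/bin/whoami 2>&1) || {
        echo "become_check: sudo -u '$bc_target' failed: $bc_out" >&2
        return 1
    }

    if [ "$bc_out" != "$bc_target" ]; then
        echo "become_check: expected '$bc_target' but whoami reported '$bc_out'" >&2
        return 2
    fi
    echo "become_check: non-interactive sudo to '$bc_target' works"
    return 0
}

# Usage on the managed host, as the account Ansible logs in with:
#   ./become_check.sh postgres
case "${1:-}" in
    "") ;;                      # no argument: only define the function
    *) become_check "$1" ;;
esac
```

If the `-l` step fails, the problem is sudo policy (or a sudoers rule that does not cover the runas user); if the script succeeds but Ansible still fails, the playbook or Ansible version is where to look. `sudo -l -U jenkins` on the host prints the full set of rules granted to the account, which is also the quickest way to see that `NOPASSWD: ALL` allows far more than switching to postgres.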

Ben Watson

May 6, 2015, 3:49:05 PM
to ansible...@googlegroups.com
So I may have solved my own problem.  I'll go ahead and post my results here for completeness' sake.

I found a nice role definition for postgres on GitHub that I'm adapting for my own use (this is one of the things I love about Ansible).

One of the tasks in the role looked like this originally:

- name: PostgreSQL | Make sure the PostgreSQL users are present
   postgresql_user:
     name: "{{item.name}}"
     password: "{{item.pass | default('pass')}}"
     port: "{{postgresql_port}}"
     state: present
     login_user: "{{postgresql_admin_user}}"
     sudo: yes
     sudo_user: "{{postgresql_admin_user}}"
   with_items: postgresql_users
   when: postgresql_users|length > 0

This (and a series of tasks that attempted privilege escalation for the postgresql_user module) would throw the "Missing become password" error.

I changed the above task by substituting sudo syntax with become syntax in hopes I could try different become_method options to no avail.  As it turns out, I've removed both the sudo and become constructs from this task and it executed fine.

But, I don't know why it executed fine.

v/r

Ben