ansible asks for sudo password but local command does not


Mike Michel

Sep 15, 2016, 12:51:24 PM
to Ansible Project
Hi,

I am having trouble executing a command which needs sudo on the remote host. When I execute it directly on the host with sudo it does not ask for a password, but when using Ansible it fails with "sudo: a password is required".

I don't have root rights on the remote and I am using a jumphost. I tried all the "become" voodoo but no luck yet.

---
- hosts: loadbalancer
  vars:
    ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q john@IP"'
  tasks:
  - command: yum install htop


ansible-playbook -vvvvvvvvvvv play.yml -l a-host  -i hosts.yml -u john -b

"module_stdout": "sudo: a password is required\r\n", "msg": "MODULE FAILURE", "parsed": false}


When I am directly on the target host as user john, "sudo yum install htop" works without asking for a password, so I guess NOPASSWD is set for john. I don't even have a password. I connect via ssh key.

Any ideas?

Paul Tötterman

Sep 16, 2016, 4:03:36 AM
to Ansible Project
When I am directly on the target host as user john, "sudo yum install htop" works without asking for a password, so I guess NOPASSWD is set for john. I don't even have a password. I connect via ssh key.

Ansible doesn't do this:

    ssh john@a-host sudo yum install htop


Ansible uploads a python script which is run using sudo. Something like:

    scp tmp-script john@a-host:~/.ansible/tmp/...
    ssh john@a-host sudo python ~/.ansible/tmp/...


So sudo NOPASSWD for yum doesn't help.

Cheers,
Paul 

Alexander H. Laughlin

Sep 19, 2016, 1:18:00 PM
to Ansible Project
Is there a reason you're not using the yum module?

Mike Michel

Sep 19, 2016, 3:21:20 PM
to Ansible Project
@paul
Thx, though I knew it works like that, I did not come up with the idea to ask for python permission, which I did now.

@alexander
Same problem, as it is still python which gets executed:

sudo -H -S -n -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-mukfdpvotlpobkadiwdhuktbihrwsnnr; LANG=en_US.utf8 LC_ALL=en_US.utf8 LC_MESSAGES=en_US.utf8 /usr/bin/python /home/john/.ansible/tmp/ansible-tmp-1474312334.89-150221606981760/setup; rm -rf "/home/john/.ansible/tmp/ansible-tmp-1474312334.89-150221606981760/" > /dev/null 2>&1'"'"'"'"'"'"'"'"' && sleep 0'"'"''

Paul Tötterman

Sep 20, 2016, 2:10:17 AM
to Ansible Project
sudo -H -S -n -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-mukfdpvotlpobkadiwdhuktbihrwsnnr; LANG=en_US.utf8 LC_ALL=en_US.utf8 LC_MESSAGES=en_US.utf8 /usr/bin/python /home/john/.ansible/tmp/ansible-tmp-1474312334.89-150221606981760/setup; rm -rf "/home/john/.ansible/tmp/ansible-tmp-1474312334.89-150221606981760/" > /dev/null 2>&1'"'"'"'"'"'"'"'"' && sleep 0'"'"''

Ok, I said "something like", because I didn't have a machine to dig up the details on. But clearly you were able to do that. Look at the command. It's sudo ... /bin/sh .

So NOPASSWD: for /bin/sh. But really you should just give wildcard NOPASSWD for running ansible. There's very little difference in NOPASSWD for /bin/sh and everything. Or input the password using --ask-become-pass

Cheers,
Paul

Mike Michel

Sep 22, 2016, 3:24:15 AM
to Ansible Project
jep, NOPASSWD: for /bin/sh did it. I don't have (or should I say "had") root on the target server.

thanks

Mike
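
Added example, not part of the thread or of Ansible's code: a simplified Python check of which executable sudo actually matches for the become command quoted above, and of which NOPASSWD rules amount to full root. The sudoers lines are constructed, the module path is a placeholder, and the parser assumes plain user specs without aliases, includes or line continuations.

```python
import shlex

# Constructed sudoers lines: user and paths mirror the thread, the rules are assumed.
SUDOERS = "john ALL=(root) NOPASSWD: /usr/bin/yum\n"
SUDOERS_FIXED = SUDOERS + "john ALL=(root) NOPASSWD: /bin/sh\n"
# Shortened form of the become command quoted in the thread; MODULE is a placeholder.
BECOME = ("sudo -H -S -n -u root /bin/sh -c "
          "'echo BECOME-SUCCESS; /usr/bin/python /home/john/.ansible/tmp/MODULE'")
OPTS_WITH_ARG = {"-u", "-g", "-p", "-C", "-U"}   # sudo options that consume a value
ROOT_EQUIVALENT = {"ALL", "/bin/sh", "/bin/bash", "/usr/bin/python"}

def nopasswd_commands(sudoers, user):
    """Commands `user` may run without a password (no aliases, includes, continuations)."""
    found = []
    for line in sudoers.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith(user + " ") or "=" not in line:
            continue
        spec = line.split("=", 1)[1].strip()
        if spec.startswith("("):                 # drop the (runas) list
            spec = spec.split(")", 1)[1]
        nopasswd = False                         # tags carry over to later commands
        for cmd in spec.split(","):
            cmd = cmd.strip()
            while True:
                tag, sep, rest = cmd.partition(":")
                if not sep or not tag.strip().isupper():
                    break
                if tag.strip() in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.strip() == "NOPASSWD"
                cmd = rest.strip()
            if nopasswd and cmd:
                found.append(cmd)
    return found

def become_target(cmdline):
    """The executable sudo matches against sudoers: the first non-option word."""
    words = shlex.split(cmdline)[1:]             # drop "sudo"
    i = 0
    while words[i].startswith("-"):
        i += 2 if words[i] in OPTS_WITH_ARG else 1
    return words[i]

def passwordless(sudoers, user, cmdline):
    """True if a rule is ALL or names the executable (rules with arguments are ignored)."""
    return any(c in ("ALL", become_target(cmdline)) for c in nopasswd_commands(sudoers, user))

def root_equivalent(sudoers, user):
    """NOPASSWD rules that hand out a shell or interpreter, so effectively everything."""
    return [c for c in nopasswd_commands(sudoers, user) if c.split()[0] in ROOT_EQUIVALENT]
```

Running `root_equivalent` over the sudoers files collected from a fleet lists the accounts whose narrow-looking NOPASSWD rule already grants unrestricted root.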