How to run "sudo command" as ssh user without switching to become_user?


Kevin

Mar 1, 2018, 4:57:32 PM
to Ansible Project
Hi,
  I'm connecting to my host as "user1" and my become user name is "user2". The only account that has sudo privs to run the "do-something" command is user1.

Attempt 1:
  I'm trying to run the following task, but it doesn't work because ansible isn't providing the password to the host and it sits there until it times out:

task:
- name: apply configurator on {{ inventory_hostname }}
  become: false
  shell: "sudo /usr/bin/do-something"

output:
<times-out> 

Attempt 2:
 I then tried to run the following task, but it doesn't work because it runs as user2, but that's not what I want because user2 doesn't have sudo privs:

task:
- name: apply configurator on {{ inventory_hostname }}
  become: true
  shell: "/usr/bin/do-something"

output:
fatal: [host]: FAILED! => {"changed": true, "cmd": "/usr/bin/do-something", "delta": "0:00:00.027783", "end": "2018-03-01 21:46:58.719945", "msg": "non-zero return code", "rc": 126, "start": "2018-03-01 21:46:58.692162", "stderr": "/bin/sh: /usr/bin/do-something: Permission denied", "stderr_lines": ["/bin/sh: /usr/bin/do-something: Permission denied"], "stdout": "", "stdout_lines": []} 

Attempt 3:
  I then try to run the following task, but it hangs as it waits for credentials for user2's password, which ansible will not provide (even if it worked):

task:
- name: apply configurator on {{ inventory_hostname }}
  become: true
  shell: "sudo /usr/bin/do-something"

output:
<times-out> 

  I've even tried setting the become_user to user1, but that doesn't work either. Using "sudo" in the shell command causes it to hang because a prompt for password is waiting whereas keeping "sudo" out gets me another permission error.

  Any help is greatly appreciated.

Thanks,
Kevin

Tony Chia

Mar 1, 2018, 6:58:23 PM
to Ansible Project
Try adding this to your /etc/sudoers file so you don't get prompted
some_user        ALL=(ALL)       NOPASSWD: ALL

Kevin

Mar 1, 2018, 9:46:17 PM
to Ansible Project
Hi Tony,
  Thanks for the tip. Unfortunately, I can't modify this file, but I did find a solution! Although, it does look like there may be a bug in Ansible (version 2.4.2.0).

  It's worth noting that I had the following in my inventory group vars file:

ansible_become_user: user2


  I tried the following task:

- name: Configurator command needs to be run
  become_user: root
  shell: "/usr/bin/do-something"

  Which also didn't work because ansible reported that I didn't have privileges (same error as I reported above with attempt 2).

  Later, I removed the ansible_become_user variable setting from my inventory group vars file and re-ran the task with success!

  Looking at the variable precedence documentation, it says that task variable settings are higher precedence than inventory group variables.

  Am I looking at this the wrong way? Or shouldn't this have worked by setting the become_user to root in the task no matter what's in the inventory group vars file?

Thanks,
Kevin

Kevin

Mar 1, 2018, 10:29:42 PM
to Ansible Project
Hi,
  Ok, clearly I'm a newbie!

  I changed the inventory group vars to the following and it works as expected:

become_user: user2

  The documentation reads as if ansible_become_user and become_user are synonyms of each other. Clearly not!

 Thanks,
Kevin

Brian Coca

Mar 2, 2018, 11:50:30 AM
to Ansible Project
They are not the same, but they are related: 'ansible_become_user' is
a 'connection variable' which has higher precedence than 'become_user'
which is a playbook keyword.

The former is meant to be specific to a host/group of hosts to provide
a way to deal with heterogeneous environments, the latter is a way to
make play/task specific usage and expected to work in more homogeneous
environments.

--
----------
Brian Coca
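
The precedence described in the reply above, as an added example that is not part of the original thread: a group-level ansible_become_user overrides a task's become_user keyword, while a task-level vars entry for the same connection variable overrides the group value. The group name "appservers" and both file names are assumptions; user1, user2 and /usr/bin/do-something are taken from the thread.

```yaml
# File 1: group_vars/appservers.yml (constructed inventory file)
# ansible_become_user is a connection variable, so it beats the
# become_user keyword on any play or task that targets these hosts.
ansible_become_user: user2
---
# File 2: site.yml (constructed playbook)
- hosts: appservers
  remote_user: user1          # the SSH login account from the thread
  become: true
  tasks:
    - name: Keyword only (still escalates to user2, as in the thread)
      become_user: root       # keyword loses to the group variable
      command: id -un
      register: keyword_only
      changed_when: false

    - name: Override the connection variable for this task only
      vars:
        ansible_become_user: root   # task vars outrank inventory group vars
      command: id -un
      register: var_override
      changed_when: false

    - name: Verify the effective account before running anything privileged
      assert:
        that:
          - keyword_only.stdout == "user2"
          - var_override.stdout == "root"
        fail_msg: "become escalated to an unexpected account"

    - name: Run the privileged command with the per-task override
      vars:
        ansible_become_user: root
      command: /usr/bin/do-something
```

Checking the effective account with id -un before the privileged task makes a precedence surprise fail loudly instead of running the command as the wrong user.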