Issues with sudo_user


Jacek

Mar 18, 2015, 10:08:30 AM
to ansible...@googlegroups.com
Hi,

I'm using "ansible 1.9 (devel b11be68249) last updated 2015/03/17 12:39:00 (GMT +000)" and am facing an issue with the 'sudo_user' switch.
My role fails on the postgres user not being able to be authenticated.
The ansible command host is Ubuntu, ansible target is localhost

My playbook looks like this:

---------------------------------
- hosts: db_server
  sudo: yes
  roles:
    - esc-db-init
    - { role: esc-db, sudo_user: postgres }
---------------------------------

and a few initial tasks of the esc-db role look like this:

---------------------------------
- name: Create the database user
  postgresql_user: name={{ db_user }} password={{ db_password }}

- name: Create databases required by the server
  postgresql_db: name=connexience   encoding='UTF-8' owner={{ db_user }} state=present
- postgresql_db: name=logeventsdb   encoding='UTF-8' owner={{ db_user }} state=present
- postgresql_db: name=performancedb encoding='UTF-8' owner={{ db_user }} state=present

...
----------------------------------

Running this with the latest ansible fails on the postgresql_user task with error:

-----------------------------------
failed: [localhost] => {"failed": true}
msg: unable to connect to database: FATAL:  Peer authentication failed for user "postgres"
-----------------------------------

But when I modify the first task of the esc-db role:

----------------------------------
- name: Create the database user
  postgresql_user: name={{ db_user }} password={{ db_password }}
  sudo_user: postgres

- name: Create databases required by the server
  postgresql_db: name=connexience   encoding='UTF-8' owner={{ db_user }} state=present
- postgresql_db: name=logeventsdb   encoding='UTF-8' owner={{ db_user }} state=present
- postgresql_db: name=performancedb encoding='UTF-8' owner={{ db_user }} state=present

...
----------------------------------

The first task runs ok but the role fails on the next one with exactly the same error. It looks like 'sudo_user: postgres' set at the playbook level isn't properly passed down to the role.
The problem doesn't appear on an earlier version: "ansible 1.9 (devel ffb281d96c) last updated 2015/03/03 19:12:13 (GMT +100)"

Any help appreciated.

  Cheers,
  Jacek

Brian Coca

Mar 18, 2015, 10:10:38 AM
to ansible...@googlegroups.com
So issue seems to be when sudo_user is set at role level, not at play level.


--
Brian Coca

Jacek

Mar 18, 2015, 10:16:48 AM
to ansible...@googlegroups.com
Hi Brian,

Not really. If sudo_user is set only at the play level the sudo user is root:

------- excerpt from the stdout when running with -vvvv --------
"[sudo via ansible, key=vksodlsoxtyvcfgxeosslbsttkfqyzcb] password: " -u root /bin/sh -c 
---------------------------

If it is set at the task level too, it's correct:

---------------------------
"[sudo via ansible, key=zprftkljnlzogwijomrqivtiiebwqqqs] password: " -u postgres /bin/sh -c 
---------------------------

  Jacek

Brian Coca

Mar 18, 2015, 10:41:34 AM
to ansible...@googlegroups.com
Can you show a test with the issue at the play level? I cannot
reproduce, I used the following:

- hosts: testmachine
  sudo: yes
  sudo_user: nobody
  tasks:
    - template:
        src: testfile
        dest: /tmp/z
        mode: 0600

With -vvvv I can see:
/bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible,
key=cxwmwhlrjpfrghjcbaabmtadbvgcgouq] password: " -u nobody /bin/sh -c
'"'"'echo BECOME-SUCCESS-cxwmwhlrjpfrghjcbaabmtadbvgcgouq; LANG=C
LC_CTYPE=C /usr/bin/python
/tmp/ansible-tmp-1426689710.81-275921666186925/copy'"'"''

Jacek

Mar 18, 2015, 10:56:15 AM
to ansible...@googlegroups.com
What do you mean by 'show test'?
Did you try when the target machine (your 'testmachine') is set to localhost in the inventory?

Brian Coca

Mar 18, 2015, 10:59:46 AM
to ansible...@googlegroups.com
Same result if host is localhost, I can reproduce the issue with roles
not picking up sudo_user but not with a play.




--
Brian Coca

Jacek

Mar 18, 2015, 11:02:14 AM
to ansible...@googlegroups.com
Sorry, I need to leave now but will get back to you with an example later today.

  Cheers,
  Jacek

Matt Martz

Mar 18, 2015, 11:13:36 AM
to ansible...@googlegroups.com





--
Matt Martz
@sivel
sivel.net

Brian Coca

Mar 18, 2015, 11:16:52 AM
to ansible...@googlegroups.com
No, that is probably a path in the old code that bypasses sudo if you
are already root.


--
Brian Coca

Brian Coca

Mar 18, 2015, 11:46:14 AM
to ansible...@googlegroups.com
Tested with 1.8.4, putting sudo_user on role does not seem to work either.

--
Brian Coca

Jacek

Mar 19, 2015, 9:43:08 AM
to ansible...@googlegroups.com
Hi All,

I'm sending the play and role for you to check (see below).

It doesn't work right (shows 'postgres', 'root') with:
ansible 1.9 (devel 73f5a1fcdd) last updated 2015/03/19 13:38:54 (GMT +000)
  lib/ansible/modules/core: (detached HEAD 76198a8223) last updated 2015/03/19 13:39:04 (GMT +000)
  lib/ansible/modules/extras: (detached HEAD cb848fcd9e) last updated 2015/03/19 13:39:04 (GMT +000)
  v2/ansible/modules/core: (detached HEAD 34784b7a61) last updated 2015/03/17 12:39:06 (GMT +000)
  v2/ansible/modules/extras: (detached HEAD 46e316a20a) last updated 2015/03/19 13:39:04 (GMT +000)
  configured module search path = None

It does work correctly (shows 'postgres', 'postgres') with: 
ansible 1.9 (devel ffb281d96c) last updated 2015/03/19 13:32:20 (GMT +000)
  lib/ansible/modules/core: (detached HEAD 618806aeeb) last updated 2015/03/19 13:36:08 (GMT +000)
  lib/ansible/modules/extras: (detached HEAD 945da71ce4) last updated 2015/03/19 13:36:08 (GMT +000)
  v2/ansible/modules/core: (detached HEAD 34784b7a61) last updated 2015/03/17 12:39:06 (GMT +000)
  v2/ansible/modules/extras: (detached HEAD 650d740a3a) last updated 2015/03/19 13:36:09 (GMT +000)
  configured module search path = None

--------- test.yml ------
---
- hosts: db_server
  sudo: yes
  roles:
    - { role: test-sudo, sudo_user: postgres }
------------------------------

--------- roles/test-sudo/tasks/main.yml -------
---
- name: First task
  command: /usr/bin/whoami
  sudo_user: postgres
  register: first_task

- debug: var=first_task.stdout

- name: Second task
  command: /usr/bin/whoami
  register: second_task

- debug: var=second_task.stdout
------------------------------

  Best,
  Jacek

Brian Coca

Mar 19, 2015, 9:45:24 AM
to ansible...@googlegroups.com
Works as expected, setting sudo_user at role level is not supported.
You can set it at play or task level.

--
Brian Coca
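
An added example (not code from the thread participants or the Ansible project): a small Python check that models the behaviour reported above, where a task runs as its own sudo_user if set, otherwise the play's, otherwise root, and flags role entries whose sudo_user is therefore not in effect. The function names, the precedence model and the inline dictionaries (constructed to mirror the posted test.yml and role tasks) are assumptions; it does not call Ansible.

```python
# Added example: models the sudo_user precedence reported in this thread.
DEFAULT_SUDO_USER = "root"  # user seen in the -vvvv output when nothing overrides it

# Constructed input mirroring the posted test.yml and the two command tasks
# of roles/test-sudo/tasks/main.yml, as yaml.safe_load() would return them.
PLAY = {"hosts": "db_server", "sudo": True,
        "roles": [{"role": "test-sudo", "sudo_user": "postgres"}]}
# The two-play workaround from the thread: sudo_user moved to the play.
SPLIT_PLAY = {"hosts": "db_server", "sudo": True, "sudo_user": "postgres",
              "roles": ["test-sudo"]}
ROLE_TASKS = {"test-sudo": [
    {"name": "First task", "command": "/usr/bin/whoami", "sudo_user": "postgres"},
    {"name": "Second task", "command": "/usr/bin/whoami"},
]}


def effective_users(play, role_tasks):
    """Return (role, task, sudo_user requested on role, effective user) rows."""
    play_user = play.get("sudo_user", DEFAULT_SUDO_USER)
    rows = []
    for entry in play.get("roles", []):
        if isinstance(entry, str):          # plain "- rolename" form
            entry = {"role": entry}
        for task in role_tasks.get(entry["role"], []):
            # Assumed precedence: task-level, then play-level, then root.
            effective = task.get("sudo_user", play_user)
            rows.append((entry["role"], task.get("name", "<unnamed>"),
                         entry.get("sudo_user"), effective))
    return rows


def ignored_role_sudo_user(play, role_tasks):
    """Rows where a role-level sudo_user was requested but is not in effect."""
    return [r for r in effective_users(play, role_tasks)
            if r[2] is not None and r[3] != r[2]]


if __name__ == "__main__":
    for role, task, wanted, got in ignored_role_sudo_user(PLAY, ROLE_TASKS):
        print(f"{role}: '{task}' runs as {got}, role entry asked for {wanted}")
```

Run against a real playbook by loading it with a YAML parser and passing the resulting structures in place of the constructed dictionaries.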

Jacek

Mar 19, 2015, 11:09:06 AM
to ansible...@googlegroups.com
Do you mean that within my original example I'll need:

--------
- hosts: db_server
  sudo: yes
  roles:
    - esc-db-init

- hosts: db_server
  sudo: yes
  sudo_user: postgres
  roles:
    - esc-db
--------

instead of:

--------
- hosts: db_server
  sudo: yes
  roles:
    - esc-db-init
    - { role: esc-db, sudo_user: postgres }
--------

That's more hassle than it was previously... Is this going to be supported again? I've been using this play for about half a year, so it's only a relatively recent change.

  Jacek

Brian Coca

Mar 19, 2015, 11:17:40 AM
to ansible...@googlegroups.com
I'm looking at the previous stable version 1.8.4 and it does not work
there, in which version did this work for you?



--
Brian Coca

Jacek

Mar 19, 2015, 4:01:21 PM
to ansible...@googlegroups.com
I always worked with sources straight from github. Previously, it worked with 1.7.? (can't remember exactly) then, sometime in Feb or earlier, I updated to 1.9 (ffb281d96c) and it was ok, too.