Using sudo as root


Dustin C. Hatch

Apr 4, 2014, 9:02:01 AM
to ansible...@googlegroups.com
In my environment, when a VM is first provisioned, it has no users
other than root, and root has no password. The machines are pre-seeded
with an authorized SSH key so I can log in as root remotely to finish
the set up. These machines have SELinux enforcing the strict policy,
so even logging in as root is insufficient to make any changes, I have
to use sudo to get to the sysadm_r role. Unfortunately, it seems that
Ansible thinks it is smarter than I am, and refuses to run my modules
in sudo if the remote user is root, so everything fails with
permission denied errors.

Is there a way I can force or trick Ansible into running my plays
through sudo, even when logged in as root?

Note: one of the steps in my playbook is to set up another user that
will be used for all subsequent Ansible runs; only the initial set up
needs to be run as root.

Dustin C. Hatch
http://dustin.hatch.name/

Michael DeHaan

Apr 4, 2014, 11:16:54 AM
to ansible...@googlegroups.com
"Unfortunately, it seems that
Ansible thinks it is smarter than I am, and refuses to run my modules
in sudo if the remote user is root, so everything fails with
permission denied errors."

This is true because sudo to the same user causes problems on lots of systems.

This is the first I've heard of sudo to root from root giving different behavior than being root.

Can you share some more details about your SELinux policy configuration?


--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAP8b%3Ddz06Gvm--LLgpWF3sDyU%3DQQdWRepO%2B8QYQnui1okhMz6A%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Dustin C. Hatch

Apr 4, 2014, 11:42:37 AM
to ansible...@googlegroups.com
On Fri, Apr 4, 2014 at 10:16 AM, Michael DeHaan <mic...@ansible.com> wrote:
> "Unfortunately, it seems that
> Ansible thinks it is smarter than I am, and refuses to run my modules
> in sudo if the remote user is root, so everything fails with
> permission denied errors."
>
> This is true because sudo to the same user causes problems on lots of
> systems.
>
> This is the first I've heard of sudo to root from root giving different
> behavior than being root.
>
> Can you share some more details about your SELinux policy configuration?
>
>
It's the default Gentoo strict policy. Essentially the problem is that
when root logs in via ssh, it gets staff_r, and needs to transition to
sysadm_r in order to actually do anything. Normally, one would use
newrole to do the transition, but since root has no password, it can't
authenticate. These machines have the following entry in sudoers:

root ALL = (ALL) ROLE=sysadm_r TYPE=sysadm_t ALL

This allows root to transition to sysadm_r in order to run commands,
without needing to authenticate. It works perfectly from the command
line, but since Ansible won't run through sudo, root can't get the
sysadm_r role.
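As an added check (example code, not from the thread or from the Ansible project): before pointing Ansible at a host set up like this, it is worth confirming from a shell that the sudo path really moves root from staff_r to sysadm_r, since a rule that silently fails to transition looks exactly like the permission-denied errors described above. The script below assumes the usual `user:role:type[:level]` context layout printed by `id -Z`, extracts the role field, compares the context before and after `sudo -n`, and checks that a sudoers line carries the ROLE= option. The sample contexts and the sudoers line it tests are constructed from the thread's description.

```sh
#!/bin/sh
# Added example (not part of the thread): verify that the ROLE=sysadm_r sudoers
# rule really changes the SELinux role before relying on it from Ansible.
# Assumes contexts in the form user:role:type[:level], as printed by `id -Z`.

# Print the role field (second colon-separated field) of an SELinux context.
selinux_role() {
    printf '%s\n' "$1" | cut -d: -f2
}

# Succeed only when the "after sudo" context carries the expected role and the
# "before" context does not, i.e. the role transition actually happened.
# $1 = context before sudo, $2 = context after sudo, $3 = expected role.
role_transitioned() {
    before_role=$(selinux_role "$1")
    after_role=$(selinux_role "$2")
    expected="${3:-sysadm_r}"
    [ "$before_role" != "$expected" ] && [ "$after_role" = "$expected" ]
}

# Succeed when a sudoers line carries the ROLE= option for the given role, the
# part of the thread's rule that makes the transition available through sudo.
sudoers_sets_role() {
    role="${2:-sysadm_r}"
    case "$1" in
        *"ROLE=$role"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample contexts, shaped like `id -Z` output on a strict-policy
# host where root logs in as staff_r and sudo moves it to sysadm_r.
SAMPLE_BEFORE='root:staff_r:staff_t:s0-s0:c0.c1023'
SAMPLE_AFTER='root:sysadm_r:sysadm_t:s0-s0:c0.c1023'
SAMPLE_SUDOERS='root ALL = (ALL) ROLE=sysadm_r TYPE=sysadm_t ALL'

# Live check against the current host. Only meaningful on an SELinux system;
# `sudo -n` never prompts, so a rule that would ask for a password shows up as
# a failed transition instead of a hang.
live_check() {
    before=$(id -Z 2>/dev/null) || { echo "no SELinux context available"; return 2; }
    after=$(sudo -n id -Z 2>/dev/null) || after=''
    if role_transitioned "$before" "$after"; then
        echo "ok: sudo moves $(selinux_role "$before") to $(selinux_role "$after")"
    else
        echo "no transition: before=$before after=${after:-<sudo failed>}"
        return 1
    fi
}

# Offline demonstration on the constructed samples; pass --live to probe the host.
if [ "${1:-}" = "--live" ]; then
    live_check
else
    role_transitioned "$SAMPLE_BEFORE" "$SAMPLE_AFTER" && echo "sample transition: ok"
    sudoers_sets_role "$SAMPLE_SUDOERS" && echo "sample sudoers rule: sets sysadm_r"
fi
```

Run it with `--live` on the provisioned VM as root over the same SSH session Ansible would use; if `live_check` reports no transition, the problem is in the sudoers rule or the SELinux policy, not in Ansible's handling of sudo.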

Michael DeHaan

Apr 4, 2014, 2:09:28 PM
to ansible...@googlegroups.com
Curious.  Perhaps a global config setting for "prevent_apparent_useless_sudo" is needed.

IIRC, this caused problems with prompts in some cases -- but maybe it didn't and someone was optimizing something that didn't need to be optimized.


Dustin C. Hatch

Apr 4, 2014, 3:34:08 PM
to ansible...@googlegroups.com
On Fri, Apr 4, 2014 at 1:09 PM, Michael DeHaan <mic...@ansible.com> wrote:
> Curious. Perhaps a global config setting for
> "prevent_apparent_useless_sudo" is needed.
>
> IIRC, this caused problems with prompts in some cases -- but maybe it didn't
> and someone was optimizing something that didn't need to be optimized.
>
>
I'm guessing this was a configuration issue (http://xkcd.com/1343/),
and maybe Ansible should try to work around it by default, but it
should not ignore what I've explicitly told it to do. If you're okay
with a configuration setting to override this behavior, I'll try to
get a patch that implements it.

Michael DeHaan

Apr 4, 2014, 9:54:04 PM
to ansible...@googlegroups.com
A config setting seems reasonable.  I hate that I don't remember how we got down this path, but I think there's a good chance in some cases extra-sudo was causing issues for people.
