Ansible not becoming super user


Aaron Axisa

Mar 22, 2016, 3:06:42 PM
to Ansible Project
I have the following playbook

---

- name: myPlaybook
  hosts: "{{machine_to_setup}}"
  remote_user: "{{user_to_use}}"
  become: yes

  roles:
    # Install Gosa - part 1
    - { role: gosa, become: yes }


(I know become is duplicated.)
With the following role content:

---
# Requires Ansible version 2.1 onwards
# Installing the yum EPEL repository
- name: Download rpm Package for EPEL
  get_url:
    url: https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
    dest: /tmp/epel.rpm
    mode: 0777
    force: true

- name: Install EPEL Package
  yum:
    name: /tmp/epel.rpm
    state: present

And I am running the command from ansible tower on ansible 2.1 using the following parameters:
machine_to_setup: 192.168.20.4
user_to_use: sshUser



Yet during the Install EPEL Package stage I get the following error:
fatal: [192.168.20.4]: FAILED! => {"changed": true, "failed": true, "invocation": {"module_args": {"conf_file": null, "disable_gpg_check": false, "disablerepo": null, "enablerepo": null, "exclude": null, "install_repoquery": true, "list": null, "name": ["/tmp/epel.rpm"], "state": "present", "update_cache": false, "validate_certs": true}, "module_name": "yum"}, "msg": "You need to be root to perform this command.\n", "rc": 1, "results": ["Loaded plugins: fastestmirror\n"]}

Which is mainly: "You need to be root to perform this command"

So why is ansible not becoming a super user even though I am clearly telling it to?

Brian Coca

Mar 22, 2016, 3:08:30 PM
to ansible...@googlegroups.com
run with -vvvv to see what ansible is doing.


----------
Brian Coca

Aaron Axisa

Mar 22, 2016, 3:25:59 PM
to Ansible Project


TASK [gosa : Install EPEL Package] ********************************************* task path: /var/lib/awx/projects/_8__bitbucket_ldap/ansible/roles/gosa/tasks/main.yml:15 <192.168.20.4> ESTABLISH SSH CONNECTION FOR USER: sshUser <192.168.20.4> SSH: ansible.cfg set ssh_args: (-o)(ControlMaster=auto)(-o)(ControlPersist=60s) <192.168.20.4> SSH: ANSIBLE_HOST_KEY_CHECKING/host_key_checking disabled: (-o)(StrictHostKeyChecking=no) <192.168.20.4> SSH: ANSIBLE_REMOTE_USER/remote_user/ansible_user/user/-u set: (-o)(User=sshUser) <192.168.20.4> SSH: ANSIBLE_TIMEOUT/timeout set: (-o)(ConnectTimeout=10) <192.168.20.4> SSH: PlayContext set ssh_common_args: () <192.168.20.4> SSH: PlayContext set ssh_extra_args: () <192.168.20.4> SSH: found only ControlPersist; added ControlPath: (-o)(ControlPath=/tmp/ansible_tower_ujAG0E/cp/ansible-ssh-%h-%p-%r) <192.168.20.4> SSH: EXEC sshpass -d19 ssh -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o User=sshUser -o ConnectTimeout=10 -o ControlPath=/tmp/ansible_tower_ujAG0E/cp/ansible-ssh-%h-%p-%r -tt 192.168.20.4 '/bin/sh -c '"'"'( umask 22 && mkdir -p "` echo /tmp/ansible-tmp-1458673360.76-40131931109713 `" && echo "` echo /tmp/ansible-tmp-1458673360.76-40131931109713 `" )'"'"'' <192.168.20.4> PUT /tmp/tmp79QZ0d TO /tmp/ansible-tmp-1458673360.76-40131931109713/yum <192.168.20.4> SSH: ansible.cfg set ssh_args: (-o)(ControlMaster=auto)(-o)(ControlPersist=60s) <192.168.20.4> SSH: ANSIBLE_HOST_KEY_CHECKING/host_key_checking disabled: (-o)(StrictHostKeyChecking=no) <192.168.20.4> SSH: ANSIBLE_REMOTE_USER/remote_user/ansible_user/user/-u set: (-o)(User=sshUser) <192.168.20.4> SSH: ANSIBLE_TIMEOUT/timeout set: (-o)(ConnectTimeout=10) <192.168.20.4> SSH: PlayContext set ssh_common_args: () <192.168.20.4> SSH: PlayContext set sftp_extra_args: () <192.168.20.4> SSH: found only ControlPersist; added ControlPath: (-o)(ControlPath=/tmp/ansible_tower_ujAG0E/cp/ansible-ssh-%h-%p-%r) <192.168.20.4> SSH: EXEC sshpass -d19 sftp 
-b - -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o User=sshUser -o ConnectTimeout=10 -o ControlPath=/tmp/ansible_tower_ujAG0E/cp/ansible-ssh-%h-%p-%r '[192.168.20.4]' <192.168.20.4> ESTABLISH SSH CONNECTION FOR USER: sshUser <192.168.20.4> SSH: ansible.cfg set ssh_args: (-o)(ControlMaster=auto)(-o)(ControlPersist=60s) <192.168.20.4> SSH: ANSIBLE_HOST_KEY_CHECKING/host_key_checking disabled: (-o)(StrictHostKeyChecking=no) <192.168.20.4> SSH: ANSIBLE_REMOTE_USER/remote_user/ansible_user/user/-u set: (-o)(User=sshUser) <192.168.20.4> SSH: ANSIBLE_TIMEOUT/timeout set: (-o)(ConnectTimeout=10) <192.168.20.4> SSH: PlayContext set ssh_common_args: () <192.168.20.4> SSH: PlayContext set ssh_extra_args: () <192.168.20.4> SSH: found only ControlPersist; added ControlPath: (-o)(ControlPath=/tmp/ansible_tower_ujAG0E/cp/ansible-ssh-%h-%p-%r) <192.168.20.4> SSH: EXEC sshpass -d19 ssh -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o User=sshUser -o ConnectTimeout=10 -o ControlPath=/tmp/ansible_tower_ujAG0E/cp/ansible-ssh-%h-%p-%r -tt 192.168.20.4 '/bin/sh -c '"'"'chmod a+r /tmp/ansible-tmp-1458673360.76-40131931109713/yum'"'"'' <192.168.20.4> ESTABLISH SSH CONNECTION FOR USER: sshUser <192.168.20.4> SSH: ansible.cfg set ssh_args: (-o)(ControlMaster=auto)(-o)(ControlPersist=60s) <192.168.20.4> SSH: ANSIBLE_HOST_KEY_CHECKING/host_key_checking disabled: (-o)(StrictHostKeyChecking=no) <192.168.20.4> SSH: ANSIBLE_REMOTE_USER/remote_user/ansible_user/user/-u set: (-o)(User=sshUser) <192.168.20.4> SSH: ANSIBLE_TIMEOUT/timeout set: (-o)(ConnectTimeout=10) <192.168.20.4> SSH: PlayContext set ssh_common_args: () <192.168.20.4> SSH: PlayContext set ssh_extra_args: () <192.168.20.4> SSH: found only ControlPersist; added ControlPath: (-o)(ControlPath=/tmp/ansible_tower_ujAG0E/cp/ansible-ssh-%h-%p-%r) <192.168.20.4> SSH: EXEC sshpass -d19 ssh -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 
User=sshUser -o ConnectTimeout=10 -o ControlPath=/tmp/ansible_tower_ujAG0E/cp/ansible-ssh-%h-%p-%r -tt 192.168.20.4 '/bin/sh -c '"'"'su machineAdmin -c '"'"'"'"'"'"'"'"'/bin/sh -c '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-lfogtfnclgywxqhqkuojrrwwqbimgrad; LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 /usr/bin/python -tt /tmp/ansible-tmp-1458673360.76-40131931109713/yum'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"''"'"'"'"'"'"'"'"''"'"'' <192.168.20.4> ESTABLISH SSH CONNECTION FOR USER: sshUser <192.168.20.4> SSH: ansible.cfg set ssh_args: (-o)(ControlMaster=auto)(-o)(ControlPersist=60s) <192.168.20.4> SSH: ANSIBLE_HOST_KEY_CHECKING/host_key_checking disabled: (-o)(StrictHostKeyChecking=no) <192.168.20.4> SSH: ANSIBLE_REMOTE_USER/remote_user/ansible_user/user/-u set: (-o)(User=sshUser) <192.168.20.4> SSH: ANSIBLE_TIMEOUT/timeout set: (-o)(ConnectTimeout=10) <192.168.20.4> SSH: PlayContext set ssh_common_args: () <192.168.20.4> SSH: PlayContext set ssh_extra_args: () <192.168.20.4> SSH: found only ControlPersist; added ControlPath: (-o)(ControlPath=/tmp/ansible_tower_ujAG0E/cp/ansible-ssh-%h-%p-%r) <192.168.20.4> SSH: EXEC sshpass -d19 ssh -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o User=sshUser -o ConnectTimeout=10 -o ControlPath=/tmp/ansible_tower_ujAG0E/cp/ansible-ssh-%h-%p-%r -tt 192.168.20.4 '/bin/sh -c '"'"'rm -f -r /tmp/ansible-tmp-1458673360.76-40131931109713/ > /dev/null 2>&1'"'"'' fatal: [192.168.20.4]: FAILED! 
=> {"changed": true, "failed": true, "invocation": {"module_args": {"conf_file": null, "disable_gpg_check": false, "disablerepo": null, "enablerepo": null, "exclude": null, "install_repoquery": true, "list": null, "name": ["/tmp/epel.rpm"], "state": "present", "update_cache": false, "validate_certs": true}, "module_name": "yum"}, "msg": "You need to be root to perform this command.\n", "rc": 1, "results": ["Loaded plugins: fastestmirror\n"]} [WARNING]: Failure when attempting to use callback plugin (</usr/lib/python2.7 /site-packages/awx/plugins/callback/job_event_callback.JobCallbackModule object at 0x7fe7a4496c10>): 'unicode' object has no attribute 'get'

Brandon McCraw

Mar 22, 2016, 4:31:08 PM
to Ansible Project
From what I understand of 'become' it only specifies that you want to allow user escalation.  It doesn't actually escalate to a super user.  You'll need to use additional directives to escalate to super-user as described here:

Directives
These can be set from play to task level, but are overridden by connection variables as they can be host specific.

become
    set to 'true'/'yes' to activate privilege escalation.
become_user
    set to user with desired privileges, the user you 'become', NOT the user you login as. Does NOT imply become: yes, to allow it to be set at host level.
become_method
    at play or task level overrides the default method set in ansible.cfg, set to 'sudo'/'su'/'pbrun'/'pfexec'/'doas'

So, try this

- name: myPlaybook
  hosts: "{{machine_to_setup}}"
  remote_user: "{{user_to_use}}"
  become: yes
  become_user: "{{user_to_use}}"
  become_method: sudo

Brian Coca

Mar 22, 2016, 4:35:04 PM
to ansible...@googlegroups.com
So in the first debug I see "su  machineAdmin" which might not have access to the specific action if yum is giving you that message.

@Brandon, this is useless:

  remote_user: "{{user_to_use}}"
  become: yes
  become_user: "{{user_to_use}}"

^ that is the same as writing  sudo 'myself', the become_user is the user you TURN INTO, the remote_user is the one you login as and that TURNS INTO the become_user.


--
----------
Brian Coca
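
An added example, not part of the thread or of Ansible itself: a small Python check that reads `-vvvv` EXEC lines the way the reply above does, reporting which escalation wrapper (`su` or `sudo`) and which target user each task actually ran under. The sample lines are constructed (quoting shortened; host 192.168.20.5 and user `deploy` are made up), and the function names are this example's own.

```python
import re

# Constructed -vvvv EXEC lines modelled on the output in this thread, with the
# nested shell quoting shortened. Host 192.168.20.5 and user "deploy" are made up.
PRE4 = "<192.168.20.4> SSH: EXEC sshpass -d19 ssh -C -o User=sshUser -tt 192.168.20.4 "
PRE5 = "<192.168.20.5> SSH: EXEC ssh -C -o User=deploy -tt 192.168.20.5 "
SAMPLE_LOG = [
    PRE4 + "'/bin/sh -c 'chmod a+r /tmp/ansible-tmp-1/yum''",
    PRE4 + "'/bin/sh -c 'su machineAdmin -c '/bin/sh -c 'echo BECOME-SUCCESS-abc; python yum''''",
    PRE5 + "'/bin/sh -c 'sudo -H -S -n -u root /bin/sh -c 'echo BECOME-SUCCESS-def; python yum'''",
    PRE5 + "'/bin/sh -c 'sudo -H -S -n -u deploy /bin/sh -c 'echo BECOME-SUCCESS-ghi; python yum'''",
]

HOST_RE = re.compile(r"^<([^>]+)>")
LOGIN_RE = re.compile(r"-o\s+User=(\S+)")
# su [flags] USER -c ...   (the form visible in the thread's log)
SU_RE = re.compile(r"\bsu\s+(?:-\S+\s+)*([A-Za-z_][\w.-]*)\s+-c\b")
SUDO_RE = re.compile(r"\bsudo\b(.*)", re.S)
SUDO_USER_RE = re.compile(r"-u\s+(\S+)")


def become_info(line):
    """Return (host, login_user, method, become_user) for a become EXEC line, else None."""
    if "BECOME-SUCCESS" not in line:
        return None  # plain command (mkdir, chmod, rm): no escalation wrapper
    head = line.split("BECOME-SUCCESS", 1)[0]
    host, login = HOST_RE.match(line), LOGIN_RE.search(head)
    su = SU_RE.search(head)
    if su:
        method, target = "su", su.group(1)
    else:
        sudo = SUDO_RE.search(head)
        if not sudo:
            return None
        user = SUDO_USER_RE.search(sudo.group(1))
        method, target = "sudo", user.group(1) if user else "root"  # sudo defaults to root
    return (host and host.group(1), login and login.group(1), method, target)


def audit(lines):
    """Classify every become invocation found in the log lines."""
    findings = []
    for info in filter(None, map(become_info, lines)):
        host, login, method, target = info
        if target == login:
            note = "become_user equals login user: no escalation"
        elif target != "root":
            note = "module runs as a non-root become_user"
        else:
            note = "ok"
        findings.append(info + (note,))
    return findings
```
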

Aaron Axisa

Mar 22, 2016, 4:47:26 PM
to Ansible Project
If I run the yum install as the machineAdmin user it is fine on the machine. Ansible is somehow losing the privileges?

And it's using su machineAdmin cause ansible tower is configured that the sshUser's privilege escalation is of type su and with credentials for machineAdmin
(In reality both machineAdmin and sshUser are sudoers and hence can execute the command)

Benjamin Redling

Mar 22, 2016, 4:48:25 PM
to ansible...@googlegroups.com
On 2016-03-22 20:25, Aaron Axisa wrote:
> TASK [gosa : Install EPEL Package]
> ********************************************* task path:
> /var/lib/awx/projects/_8__bitbucket_ldap/ansible/roles/gosa/tasks/main.yml:15<192.168.20.4>
> ESTABLISH SSH CONNECTION FOR USER: sshUser<192.168.20.4> SSH:

Have you set up sshUser in sudoers for passwordless privilege elevation?

Benjamin
--
FSU Jena | JULIELab.de/Staff/Benjamin+Redling.html
vox: +49 3641 9 44323 | fax: +49 3641 9 44321

Aaron Axisa

Mar 22, 2016, 5:12:47 PM
to Ansible Project
If I go into visudo (centos) I have the following

sshUser ALL=(ALL)       NOPASSWD: ALL
machineAdmin    ALL=(ALL)       NOPASSWD: ALL

so yes?

Brian Coca

Mar 22, 2016, 5:15:44 PM
to ansible...@googlegroups.com
I believe the issue is you are using become wrong, as per that sudoers file you can just leave the `become_user: root` and it will work logging in either as sshuser or machineadmin (also `become_method: sudo`), or just don't set them as those are the defaults.


----------
Brian Coca

Aaron Axisa

Mar 22, 2016, 5:25:51 PM
to Ansible Project
Updating the ansible credentials to leave out the privilege escalation worked, thanks