become_user not being honored?


Sam Sen

May 26, 2016, 12:22:32 PM
to Ansible Project
Running Ansible 2.1. If I use sudo in front of the command, it works. If I remove it and use "become_user: root" it does not work. I've also tried setting "become: True" and I get the same results.

Works:

- name: restart web server
  shell: sudo /etc/init.d/aria_services restart
  when: install_rpm_results|success
  register: restart_services_result
  failed_when: "'FAIL' in restart_services_result.stdout"
  ignore_errors: True

Expected Results:

"stdout": "Creating /web bind mounts\n=== stop ===\n== no PID means no KILL ==\nClearing wsdl and symfony cache files\n=== start ===\nQuery API OK\nNGUI API OK\nCore API OK\nAdmin API OK\nFailed ARC/VIE API\n2 attempted: 2 started, 2 stopped",
        "stdout_lines": [
            "Creating /web bind mounts",
            "=== stop ===",
            "== no PID means no KILL ==",
            "Clearing wsdl and symfony cache files",
            "=== start ===",
            "Query API OK",
            "NGUI API OK",
            "Core API OK",
            "Admin API OK",
            "Failed ARC/VIE API",
            "2 attempted: 2 started, 2 stopped"
        ],


Does not work:

- name: restart web server
  shell: /etc/init.d/aria_services restart
  when: install_rpm_results|success
  register: restart_services_result
  failed_when: "'FAIL' in restart_services_result.stdout"
  ignore_errors: True
  become_user: root

Actual Results:

"stderr": "Password: su: Authentication information cannot be recovered\ncat: /etc/aria/services: Permission denied",
        "stdout": "No aria services found",


Kai Stian Olstad

May 26, 2016, 1:29:42 PM
to ansible...@googlegroups.com
On 26 May 2016 18:22, Sam Sen wrote:
> Does not work:
>
> - name: restart web server
> shell: /etc/init.d/aria_services restart
> when: install_rpm_results|success
> register: restart_services_result
> failed_when: "'FAIL' in restart_services_result.stdout"
> ignore_errors: True
> become_user: root

become_user only says which user is to be used. To actually use become/sudo
you need to add become: true

become_user defaults to root, so you do not need to specify it if you like
having less code.

--
Kai Stian Olstad



Sam Sen

May 26, 2016, 3:05:47 PM
to Ansible Project, ansible-pr...@olstad.com
Ok, so I removed become_user and added "become: true".

Now it's asking for a password.

TASK [restart web server] ******************************************************
fatal: [127.0.0.1]: FAILED! => {"changed": false, "failed": true, "module_stderr": "sudo: a password is required\n", "module_stdout": "", "msg": "MODULE FAILURE", "parsed": false}


My sudo entry shows this.

%deployment     ALL=(ALL)       NOPASSWD: DEPLOYMENT

Cmnd_Alias      DEPLOYMENT_CMDS = /etc/init.d/aria_services restart, /etc/init.d/aria_services start, /etc/init.d/aria_services stop,

Matt Martz

May 26, 2016, 3:11:09 PM
to ansible...@googlegroups.com, ansible-pr...@olstad.com
Ansible requires the ability to run any command via sudo, it does not work with a restricted set of commands, as it executes python via /bin/sh.  It does not directly run those commands that you have restricted that group to.



--
Matt Martz
@sivel
sivel.net

Sam Sen

May 26, 2016, 3:13:03 PM
to Ansible Project, ansible-pr...@olstad.com
Ok, so then why does it work if I add "sudo" in front of the command?

Is it that the become directive handles sudo differently?

Johannes Kastl

May 26, 2016, 3:14:44 PM
to ansible...@googlegroups.com
On 26.05.16 21:10 Matt Martz wrote:
> Ansible requires the ability to run any command via sudo, it does not work
> with a restricted set of commands, as it executes python via /bin/sh. It
> does not directly run those commands that you have restricted that group to.

And instead of allowing your user (the one ansible connects as and
runs sudo) to run all commands without a password, I would rather save
the sudo password in an ansible-vault-encrypted file on the controller:

ansible-vault edit host_vars/foobar.yml

for the host foobar, and create an entry 'become_pass: xyz' for the
password xyz.

Johannes


Matt Martz

May 26, 2016, 3:17:59 PM
to ansible...@googlegroups.com, ansible-pr...@olstad.com
In the case where you put `sudo` in the command, then the command ansible runs from within the python script contains sudo.

In the case where you use become, and don't put sudo in the command, the python script is being executed with sudo, and not the inner specified command itself.


Johannes Kastl

May 26, 2016, 3:19:03 PM
to ansible...@googlegroups.com
On 26.05.16 21:13 Sam Sen wrote:
> Ok, so then why does it work if I add "sudo" in front of the command?

Because then ansible starts a shell and calls that exact command you
tell it to run. And thus sudo kicks in, as the command is allowed, and
runs it.

Johannes
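The replies from Kai, Matt and Johannes above describe one mechanism from three angles: `become_user` without `become` does not escalate at all, `become: true` hands sudo the module interpreter (`/bin/sh -c 'python …'`) rather than the task's command, and an explicit `sudo` inside a `shell` task hands sudo only the inner command, which is what a restricted `Cmnd_Alias` can match. The following Python is an added illustration of that, not Ansible's or sudo's code and not from any poster: it models a simplified sudoers policy (exact path-plus-argument match, bare path matching any arguments, or `ALL`) and evaluates the thread's three task variants against it. The sudoers fragment, the `deploy` user, the `deployment` group and the module path are constructed, and the alias is named consistently (`DEPLOYMENT_CMDS` on both lines) so the policy actually resolves.

```python
"""Model which command actually reaches sudo for an Ansible shell task and
whether a sudoers policy permits it.  Illustration only: the sudoers
semantics are deliberately simplified and the paths are constructed."""
import re
import shlex

# Constructed module path; the real one is a per-run temp dir under ~/.ansible/tmp
MODULE_PATH = "/home/deploy/.ansible/tmp/ansible-tmp-EXAMPLE/command.py"

# Constructed sudoers fragment modelled on the thread, with a consistent alias name
SUDOERS = """
Defaults env_reset
Cmnd_Alias DEPLOYMENT_CMDS = /etc/init.d/aria_services restart, /etc/init.d/aria_services start, /etc/init.d/aria_services stop
%deployment ALL=(ALL) NOPASSWD: DEPLOYMENT_CMDS
"""

# principal  host = (runas) [NOPASSWD:] command list
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\((\S+?)\)\s*)?(NOPASSWD:\s*)?(.+)$")


def parse_sudoers(text):
    """Return (principal, runas, nopasswd, [command specs]) tuples, aliases expanded."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        if line.startswith("Cmnd_Alias"):
            name, _, body = line[len("Cmnd_Alias"):].partition("=")
            aliases[name.strip()] = [c.strip() for c in body.split(",") if c.strip()]
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        principal, _host, runas, nopasswd, cmds = m.groups()
        specs = []
        for c in cmds.split(","):
            c = c.strip()
            specs.extend(aliases.get(c, [c]))
        rules.append((principal, runas or "root", bool(nopasswd), specs))
    return rules


def spec_matches(spec, argv):
    """Simplified sudoers command matching."""
    if spec == "ALL":
        return True
    parts = shlex.split(spec)
    if len(parts) == 1:          # bare path: any arguments allowed
        return argv[0] == parts[0]
    return argv == parts         # path with arguments: exact match required


def principal_applies(principal, user, groups):
    if principal.startswith("%"):
        return principal[1:] in groups
    return principal == user


def sudo_decision(rules, user, groups, argv, target="root"):
    """Return 'nopasswd', 'password' or 'denied'; like sudo, the last matching rule wins."""
    decision = "denied"
    for principal, runas, nopasswd, specs in rules:
        if not principal_applies(principal, user, groups):
            continue
        if runas.split(":")[0] not in ("ALL", target):
            continue
        if any(spec_matches(s, argv) for s in specs):
            decision = "nopasswd" if nopasswd else "password"
    return decision


def sudo_invocation(task):
    """What reaches sudo for a shell task (assumption: the Ansible 2.x behaviour
    the thread describes).  None means no privilege escalation happens at all."""
    if task.get("become"):
        # become wraps the whole module run: sudo sees the interpreter, not the task command
        return ["/bin/sh", "-c", "/usr/bin/python " + MODULE_PATH]
    argv = shlex.split(task["shell"])
    if argv and argv[0] == "sudo":
        # explicit sudo inside the command: only the inner command is checked by sudo
        return argv[1:]
    return None  # become_user without become does nothing on its own


def task_outcome(task, rules, user, groups):
    argv = sudo_invocation(task)
    if argv is None:
        return "no-escalation"
    return sudo_decision(rules, user, groups, argv)


DEFAULT_RULES = parse_sudoers(SUDOERS)


def thread_scenarios(rules=DEFAULT_RULES, user="deploy", groups=frozenset({"deployment"})):
    """The three task variants from the thread, evaluated against the policy."""
    tasks = {
        "inline sudo": {"shell": "sudo /etc/init.d/aria_services restart"},
        "become_user only": {"shell": "/etc/init.d/aria_services restart", "become_user": "root"},
        "become: true": {"shell": "/etc/init.d/aria_services restart", "become": True},
    }
    return {name: task_outcome(t, rules, user, groups) for name, t in tasks.items()}


if __name__ == "__main__":
    for name, outcome in thread_scenarios().items():
        print(f"{name:18} -> {outcome}")
    broad = parse_sudoers("%deployment ALL=(ALL) NOPASSWD: ALL")
    print("become: true under 'NOPASSWD: ALL' ->", thread_scenarios(broad)["become: true"])
```

Running it reproduces the thread: the inline `sudo` task is allowed without a password, the `become_user`-only task never escalates, and `become: true` is refused by the restricted policy, while a blanket `NOPASSWD: ALL` rule lets `become: true` through. Which of the last two policies to run is the trade-off Johannes describes: a narrow command list keeps the connecting user least-privileged but forces the `sudo`-in-`shell` pattern, whereas a blanket rule makes `become` work for every module at the cost of an unrestricted sudo grant.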

Sam Sen

May 26, 2016, 3:51:59 PM
to Ansible Project
So I'm kind of SOL then if Ansible removes "sudo"

Johannes Kastl

May 26, 2016, 3:56:18 PM
to ansible...@googlegroups.com
On 26.05.16 21:51 Sam Sen wrote:
> So I'm kind of SOL then if Ansible removes "sudo"

I'm not sure what you mean. Why should ansible remove sudo?

If you can't change the sudo policy on the target, simply use your
task with the shell module. Or supply the sudo password via ansible-vault.

If you can change the sudo policy, you could grant your user (or a
special ansible user) the right to call all commands without passwords.

The choice is yours.

Johannes


Sam Sen

May 26, 2016, 4:00:01 PM
to Ansible Project
Never mind, I misunderstood the notes on the become module page. I will continue to use shell w/ sudo.