wait_for and local_action comes back with an error about sudo


Mark Maas

Nov 7, 2012, 8:54:46 AM
to ansible...@googlegroups.com
Hi List,

I'm trying to reboot a server from a playlist and then have the playlist wait for the server to come back before continuing with its next action.

So this is the playbook part:
---
- hosts: 10.137.0.145
  user: mark
  sudo: true
  vars:
   hostname: servername01
   sid: ABC2
  tasks:
  - name: Make /etc/hostname/ correct
    action: lineinfile dest=/etc/hostname backup=true state=present regexp=^ line='$hostname'
  - name: Reboot
    action: command /sbin/reboot
  - name: Wait for it to come back
    local_action: wait_for host=10.137.0.145 port=22 delay=5 timeout=300
<other actions follow this>

And this is the error it gives me:
sudo password:

PLAY [10.137.0.145] *********************

GATHERING FACTS *********************
ok: [10.137.0.145]

TASK: [Make /etc/hostname/ correct] *********************
ok: [10.137.0.145] => {"changed": false, "msg": ""}

TASK: [Reboot] *********************
changed: [10.137.0.145] => {"changed": true, "cmd": ["/sbin/reboot"], "delta": "0:00:00.069021", "end": "2012-11-07 14:51:07.350678", "rc": 0, "start": "2012-11-07 14:51:07.281657", "stderr": "", "stdout": ""}

TASK: [Wait for it to come back] *********************
fatal: [10.137.0.145] => sudo with password is presently only supported on the 'paramiko' (SSH) and native 'ssh' connection types

FATAL: all hosts have already failed -- aborting

PLAY RECAP *********************
10.137.0.145                   : ok=3    changed=1    unreachable=1    failed=0

So I'm doing something wrong here. Any ideas?

Thanks,
Mark

Michael DeHaan

Nov 7, 2012, 9:02:32 AM
to ansible...@googlegroups.com
You're not doing anything wrong, but the local connection plugin
doesn't yet support sudo with a password:

https://github.com/ansible/ansible/blob/devel/lib/ansible/runner/connection_plugins/local.py

Suggestion is to allow passwordless sudo or to patch the module.

--Michael

Mark Maas

Nov 7, 2012, 10:09:19 AM
to ansible...@googlegroups.com
Ah that's why.. Makes sense.

Can I make the assumption that a lot of you are just running ansible from the root user?

Michael DeHaan

Nov 7, 2012, 10:16:04 AM
to ansible...@googlegroups.com
Nope.

local_action is a corner case, and many of us *do* have sudo
configured to not require a password, or are not using local_action.

You may wish to do "delegate_to: localhost" instead.

I think for a while we didn't assume localhost was "-c local" but it's
a bit of a damned if we do, damned if we don't scenario -- you get
equal questions either way. (why do I need to be able to SSH into
myself, etc).

Brian Coca

Nov 7, 2012, 10:21:12 AM
to ansible...@googlegroups.com
Not really, 

I have encountered this issue also, I'm looking at how to solve this in a way that works for others and that makes sense to integrate into ansible.

-- 
Brian Coca
Stultorum infinitus est numerus
0110000101110010011001010110111000100111011101000010000001111001011011110111010100100000011100110110110101100001011100100111010000100001

Mark Maas

Nov 7, 2012, 10:21:58 AM
to ansible...@googlegroups.com
Don't get me wrong, I still think ansible is a beautiful tool in my toolkit. The quirks are more or less obvious and are easily solvable all from the main "ansible" server.

NOPASSWD is on its way. ;-)

Mark

Michael DeHaan

Nov 7, 2012, 10:25:34 AM
to ansible...@googlegroups.com
@bcoca -- thanks -- I figure if you can get this figured out, we may
be able to support the --ask-sudo-pass for -c ssh as well.

Daniel Hokka Zakrisson

Nov 7, 2012, 10:33:50 AM
to ansible...@googlegroups.com
Michael DeHaan wrote:
> @bcoca -- thanks -- I figure if you can get this figured out, we may
> be able to support the --ask-sudo-pass for -c ssh as well.

It is already supported. Regular passwords are what aren't.

Daniel

Daniel Hokka Zakrisson

Nov 7, 2012, 10:35:15 AM
to ansible...@googlegroups.com
Mark Maas wrote:
> Hi List,
>
> I'm trying to reboot a server from a playlist and then have the playlist
> wait for the server to come back before continuing with its next action.
>
> So this is the playbook part:
>
> ---
> - hosts: 10.137.0.145
>   user: mark
>   sudo: true
>   vars:
>    hostname: servername01
>    sid: ABC2
>   tasks:
>   - name: Make /etc/hostname/ correct
>     action: lineinfile dest=/etc/hostname backup=true state=present regexp=^ line='$hostname'
>   - name: Reboot
>     action: command /sbin/reboot
>   - name: Wait for it to come back
>     local_action: wait_for host=10.137.0.145 port=22 delay=5 timeout=300

What you want here is a
sudo: False
to disable sudo for this task.

Daniel

> <other actions follow this>
>
>
> And this is the error it gives me:
>
> sudo password:
>
> PLAY [10.137.0.145] *********************
>
> GATHERING FACTS *********************
> ok: [10.137.0.145]
>
> TASK: [Make /etc/hostname/ correct] *********************
> ok: [10.137.0.145] => {"changed": false, "msg": ""}
>
> TASK: [Reboot] *********************
> changed: [10.137.0.145] => {"changed": true, "cmd": ["/sbin/reboot"],
> "delta": "0:00:00.069021", "end": "2012-11-07 14:51:07.350678", "rc": 0,
> "start": "2012-11-07 14:51:07.281657", "stderr": "", "stdout": ""}
>
> TASK: [Wait for it to come back] *********************
> fatal: [10.137.0.145] => sudo with password is presently only supported on
> the 'paramiko' (SSH) and native 'ssh' connection types
>
> FATAL: all hosts have already failed -- aborting
>
> PLAY RECAP *********************
> 10.137.0.145 : ok=3 changed=1 unreachable=1
> failed=0
>
>
> So I'm doing something wrong here. Any ideas?
>
> Thanks,
> Mark

Michael DeHaan

Nov 7, 2012, 10:47:56 AM
to ansible...@googlegroups.com
Not necessarily, suppose you want to sudo.

Mark Maas

Nov 7, 2012, 3:03:43 PM
to ansible...@googlegroups.com
Indeed, the only thing that seems to work with wait_for is to use NOPASSWD on ALL the servers which is a big no-no in my book.
NOPASSWD on the ansible server is one thing, but on all of them....

Is there another way I can do this without resorting to that?

mmaas@pmgtansible:~/playbooks/binck$ cat ./test.yml
---
- hosts: 10.137.0.145
  user: xxxxxxxx
  sudo: true
  vars:
   hostname: ansible-testserver
   sid: XYS6
  tasks:
  - name: Make /etc/hostname/ correct
    action: lineinfile dest=/etc/hostname backup=true state=present regexp=^ line='$hostname'
  - name: Reboot
    action: command /sbin/reboot

  - name: Wait for it to come back
    action: wait_for host=10.137.0.145 port=22 delay=5 timeout=300
    delegate_to: 127.0.0.1

  - name: Make /etc/hosts/ correct
    action: lineinfile dest=/etc/hosts backup=true state=present regexp=^127.0.1.1 line='127.0.1.1       ${hostname}.XXXXXXXXX.nv ${hostname}'
 
  - name: Alter /etc/init.d/oracle-xe
    action: lineinfile dest=/etc/init.d/oracle-xe backup=true state=present regexp=^ORACLE_SID= line='ORACLE_SID=$sid'
    notify:
      - restart oracle


  handlers:
  - name: restart oracle
    action: service name=oracle-xe state=restarted

Michael DeHaan

Nov 7, 2012, 3:18:08 PM
to ansible...@googlegroups.com
Fix the local connection module to make it support taking the password.

Mark Maas

Nov 7, 2012, 3:22:34 PM
to ansible...@googlegroups.com
On Wednesday, November 7, 2012 9:18:10 PM UTC+1, Michael DeHaan wrote:
> Fix the local connection module to make it support taking the password.

Excellent, except you may not want my code ;-) Still learning simple lists and dictionaries. It'll be a while.

Michael DeHaan

Nov 7, 2012, 3:39:08 PM
to ansible...@googlegroups.com
temporary workaround:

delegate_to: 127.0.0.2
(versus local_action)

will almost definitely make it not use the local connection

Mark Maas

Nov 8, 2012, 1:16:07 AM
to ansible...@googlegroups.com
Excellent! Thanks!
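
Daniel's per-task `sudo: False` placed in the playbook from the first post, as an added example that is not part of the thread. It assumes the wait task needs no root on the control machine, since it only opens a TCP connection to port 22; the shortened `/etc/hosts` line is constructed.

```yaml
---
# Added example, built from the playbook posted in this thread (2012-era syntax).
# On current Ansible releases the keyword is "become" rather than "sudo".
- hosts: 10.137.0.145
  user: mark
  sudo: true                 # play-level default: remote tasks escalate with the sudo password
  vars:
    hostname: servername01
  tasks:
  - name: Make /etc/hostname correct
    action: lineinfile dest=/etc/hostname backup=true state=present regexp=^ line='$hostname'

  - name: Reboot
    action: command /sbin/reboot

  # Runs on the control machine through the local connection, which (per the
  # error above) cannot take a sudo password. The port check needs no
  # privileges, so escalation is switched off for this one task only.
  - name: Wait for it to come back
    local_action: wait_for host=10.137.0.145 port=22 delay=5 timeout=300
    sudo: False

  # Tasks after the wait inherit sudo: true from the play again, so the
  # managed host keeps password-protected sudo and needs no NOPASSWD rule.
  - name: Make /etc/hosts correct
    action: lineinfile dest=/etc/hosts backup=true state=present regexp=^127.0.1.1 line='127.0.1.1 ${hostname}'
```

If the delegated task really does need root on the control machine, this does not apply and the `delegate_to: 127.0.0.2` workaround from the thread is the alternative.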