Ansible playbook should exit Immediately when it learns Incorrect sudo password is entered


abhijith...@gmail.com

Jul 2, 2018, 6:27:37 PM
to Ansible Project
Hello Everyone,

I am trying to find a way to add a check where the playbook will exit immediately if an incorrect sudo password is entered by a user. As of now, if an incorrect password is entered, Ansible executes the playbook and each host throws an error on the screen saying Incorrect sudo password. I am using the -K option along with my ansible command to prompt for the sudo password. (I cannot store the password anywhere on the server to validate.)

FAILED! => {"msg": "Incorrect sudo password"}


Is there a way Ansible would not execute the playbook and not throw errors for each host as soon as it learns that the sudo password is incorrect for one host, and exit the playbook?

Jordan Borean

Jul 2, 2018, 6:51:54 PM
to Ansible Project
Create a task that runs at the become with become: yes. That will tell you if the password is valid or not and will stop the executable if it fails.

Jordan Borean

Jul 2, 2018, 6:56:16 PM
to Ansible Project
s/runs at the become/runs at the beginning/

abhijith...@gmail.com

Jul 2, 2018, 7:00:38 PM
to Ansible Project
Hi Jordan,

Thanks for the response. Could you give me an example of what it should look like? I am using become: true at the top for all my tasks. Please see below for reference:

---
- hosts: sme,lb,smike
  remote_user: ops
  become: true
  strategy: free
  tasks:
    - name: Check the service status pre-upgrade
      shell: bin/smctl.sh status | grep "are running"
      register: shell_result
      failed_when: "'ALL are running' not in shell_result.stdout"
      ignore_errors: true
      tags: servicestatus
      args:
        chdir: "{{ ZSINSTANCE }}"

Jordan Borean

Jul 2, 2018, 8:28:46 PM
to Ansible Project
Ahh I misunderstood what you are asking for, here is one way it could potentially be done

- name: verify we can connect and become works
  gather_facts: no
  become: yes
  any_errors_fatal: yes

  tasks:
    - name: run a simple module with become to verify it works
      ping:

- name: continue playbook once we know we can connect and become works
  remote_user: ops
  become: yes
  strategy: free
  tasks:
    ....  # add the normal tasks here

This runs 2 plays in your playbook where the first will run a simple command with become to verify that it works for all hosts and then continue onto the next play which is your normal one. When you specify "any_errors_fatal"[1] it will abort the play with a failure and Ansible will not continue onto the 2nd play as the first failed.

Brian Coca

Jul 2, 2018, 8:32:54 PM
to Ansible Project
This should not be the default, as hosts can have different passwords configured and run successfully.

eric.b....@nasa.gov

Jul 3, 2018, 8:27:57 AM
to Ansible Project
Correct me if I'm wrong, but an ansible command/playbook will only prompt you once for the sudo password; therefore, it's safe to assume that if you're running a single command/play on multiple hosts, they have the same sudo password.

Brian Coca

Jul 3, 2018, 8:44:51 AM
to Ansible Project
From prompt, yes, but you also have ansible_sudo_pass to set
individual (or group of) hosts, having one does not discount the
other.

--
----------
Brian Coca

abhijith...@gmail.com

Jul 3, 2018, 5:03:17 PM
to Ansible Project
Hi Jordan,

I can try this, but the problem here will be that if there are any hosts which are unreachable, then because of the fatal error Ansible would exit out, which I don't want to happen. Is there any special way to check only for the purpose of authentication?
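
An added example, not part of the thread and not code from the Ansible project: a small gate that reads the results of a preflight play like the one sketched above and separates hosts that rejected the become password from hosts that were merely unreachable, so that only the former stops the run. It assumes the run was captured with Ansible's json stdout callback and that the output has the shape plays -> tasks -> hosts -> result with "failed", "unreachable" and "msg" keys; the sample data and host names are constructed.

```python
import json

# Message Ansible reports for a bad become password, as quoted in the thread.
BECOME_ERRORS = ("Incorrect sudo password",)

# Constructed sample in the assumed shape of the json callback's output;
# host names are invented for illustration.
SAMPLE = json.dumps({"plays": [{"tasks": [{"hosts": {
    "sme1": {"ping": "pong", "changed": False},
    "lb1": {"failed": True, "msg": "Incorrect sudo password"},
    "smike1": {"unreachable": True, "msg": "Failed to connect to the host via ssh"},
    "smike2": {"failed": True, "msg": "MODULE FAILURE"},
}}]}]})


def classify_preflight(callback_json):
    """Sort each host result of a preflight run into exactly one bucket."""
    report = {"ok": [], "become_failed": [], "unreachable": [], "failed": []}
    for play in json.loads(callback_json).get("plays", []):
        for task in play.get("tasks", []):
            for host, result in task.get("hosts", {}).items():
                msg = str(result.get("msg", ""))
                if result.get("unreachable"):
                    bucket = "unreachable"    # connection problem, not a password problem
                elif result.get("failed") and any(e in msg for e in BECOME_ERRORS):
                    bucket = "become_failed"  # privilege escalation was rejected
                elif result.get("failed"):
                    bucket = "failed"         # some other task failure
                else:
                    bucket = "ok"
                report[bucket].append(host)
    return report


def should_abort(report):
    """Abort only when become was rejected; unreachable hosts alone do not stop the run."""
    return bool(report["become_failed"])


if __name__ == "__main__":
    report = classify_preflight(SAMPLE)
    print(report)
    raise SystemExit(1 if should_abort(report) else 0)
```

To feed it real data, the preflight play would be run on its own with ANSIBLE_STDOUT_CALLBACK=json set and without any_errors_fatal, and the main playbook started only when the gate exits 0.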