apt module fails with non-root sudoer ("Permission denied")


Kevin Jaquier

Oct 15, 2015, 11:49:28 AM
to Ansible Project
I'm having trouble executing my script from a user with sudo access instead of root.

I'm getting "permission denied" errors when playing the playbook, but if I execute the commands manually on the server it works just fine.
I did use "become" to execute the tasks with sudo and the right user.

The (relevant part of the) playbook :

---
- hosts: all
  remote_user: "{{ user }}"
  become: yes
  become_user: "{{ user }}"
  become_method: sudo

  tasks:

    - name: Install useful system tools
      apt: name={{ item }} state=present
      with_items:
        - vim
        - nano
        - htop
        - git
        - subversion
        - tig
        - ncdu
        - nodejs-legacy
        - npm
        - mesa-utils

Ansible output :

$ ansible-playbook -K -i test site.yml -vvvv
SUDO password:

PLAY [all] ********************************************************************

GATHERING FACTS ***************************************************************
<[the server address]> ESTABLISH CONNECTION FOR USER: [the user name]
<[the server address]> REMOTE_MODULE setup
<[the server address]> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/kevin/.ansible/cp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=[the user name] -o ConnectTimeout=10 [the server address] /bin/sh -c 'mkdir
 -p /tmp/ansible-tmp-1444921321.94-213782579685333 && chmod a+rx
 /tmp/ansible-tmp-1444921321.94-213782579685333 && echo
/tmp/ansible-tmp-1444921321.94-213782579685333'
<[the server address]> PUT /tmp/tmpk_hOEu TO /tmp/ansible-tmp-1444921321.94-213782579685333/setup
<[the server address]> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/kevin/.ansible/cp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=[the user name] -o ConnectTimeout=10 [the server address] /bin/sh -c 'chmod a+r /tmp/ansible-tmp-1444921321.94-213782579685333/setup'
<[the server address]> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/kevin/.ansible/cp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=[the user name] -o ConnectTimeout=10 [the server address] /bin/sh -c 'sudo
 -k && sudo -H -S -p "[sudo via ansible,
key=upzdhdqqnkqtecoipruvaisazfdvjubv] password: " -u [the user name]
/bin/sh -c '"'"'echo BECOME-SUCCESS-upzdhdqqnkqtecoipruvaisazfdvjubv;
LANG=C LC_CTYPE=C /usr/bin/python
/tmp/ansible-tmp-1444921321.94-213782579685333/setup'"'"''
<[the server address]> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/kevin/.ansible/cp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=[the user name] -o ConnectTimeout=10 [the server address] /bin/sh -c 'rm -rf /tmp/ansible-tmp-1444921321.94-213782579685333/ >/dev/null 2>&1'
ok: [[the server address]]

TASK: [Install useful system tools] *******************************************
<[the server address]> ESTABLISH CONNECTION FOR USER: [the user name]
<[the server address]> REMOTE_MODULE apt name=vim,nano,htop,git,subversion,tig,ncdu,nodejs-legacy,npm state=present
<[the server address]> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/kevin/.ansible/cp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=[the user name] -o ConnectTimeout=10 [the server address] /bin/sh -c 'mkdir
 -p /tmp/ansible-tmp-1444921350.8-236765363664782 && chmod a+rx
/tmp/ansible-tmp-1444921350.8-236765363664782 && echo
/tmp/ansible-tmp-1444921350.8-236765363664782'
<[the server address]> PUT /tmp/tmpTE3idg TO /tmp/ansible-tmp-1444921350.8-236765363664782/apt
<[the server address]> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/kevin/.ansible/cp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=[the user name] -o ConnectTimeout=10 [the server address] /bin/sh -c 'chmod a+r /tmp/ansible-tmp-1444921350.8-236765363664782/apt'
<[the server address]> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/kevin/.ansible/cp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=[the user name] -o ConnectTimeout=10 [the server address] /bin/sh -c 'sudo
 -k && sudo -H -S -p "[sudo via ansible,
key=puwtzrscvqsbjbiqrhkjwxdxmszgeduz] password: " -u [the user name]
/bin/sh -c '"'"'echo BECOME-SUCCESS-puwtzrscvqsbjbiqrhkjwxdxmszgeduz;
LANG=C LC_CTYPE=C /usr/bin/python
/tmp/ansible-tmp-1444921350.8-236765363664782/apt'"'"''
<[the server address]> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/kevin/.ansible/cp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=[the user name] -o ConnectTimeout=10 [the server address] /bin/sh -c 'rm -rf /tmp/ansible-tmp-1444921350.8-236765363664782/ >/dev/null 2>&1'
failed: [[the server address]] => (item=vim,nano,htop,git,subversion,tig,ncdu,nodejs-legacy,npm,mesa-utils) => {"failed": true, "item": "vim,nano,htop,git,subversion,tig,ncdu,nodejs-legacy,npm,mesa-utils"}
stderr: E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?

msg: '/usr/bin/apt-get -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold"   install 'htop' 'subversion' 'tig' 'ncdu' 'nodejs-legacy' 'npm' 'mesa-utils'' failed: E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?


FATAL: all hosts have already failed -- aborting
(Note: I'm still providing the sudo password for other tasks that also don't work without root)

Also relevant :

$ ansible --version
ansible 1.9.4
  configured module search path = None
$ ssh [the user name]@[the server address]
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-30-generic x86_64)
...
[the user name]@[the server name]:~$ sudo -l
Matching Defaults entries for [the user name] on [the server name]:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_keep+=SSH_AUTH_SOCK

User [the user name] may run the following commands on vm02:
    (ALL : ALL) ALL
    (ALL : ALL) NOPASSWD: ALL

Markus Ellers

Oct 15, 2015, 5:35:05 PM
to Ansible Project
I think this way you are telling ansible to use sudo to execute the apt command as {{ user }}.
But you need it to become {{ user }} and then use sudo to execute the apt command as root.

To do this in ansible you can tell ansible to use sudo per task: use the become for the play and then use sudo to root on the task.

Try
---
- hosts: all
  remote_user: "{{ user }}"
  become: yes
  become_user: "{{ user }}"
  become_method: su
  tasks:

    - name: Install useful system tools
      apt: name={{ item }} state=present
      sudo: yes
      sudo_user: root
      with_items:
        - vim
        - nano
        - htop
.....

On the other hand, if on your machine everyone is allowed to do everything as root anyway, why do you want to become another user? You could just:

- hosts: all
  remote_user: "{{ user }}"
  sudo: true

  tasks:

    - name: Install useful system tools
      apt: name={{ item }} state=present
      with_items:
        - vim
        - nano
        - htop
....
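
A check for the symptom diagnosed in this thread, as an added example that is not part of the original posts: it reads `-vvvv` output in the Ansible 1.9 EXEC format shown in the question and reports, per sudo invocation, whether the `sudo -u` target differs from the SSH login user. The log sample, the host names and the user `deploy` are constructed.

```python
import re

# Constructed sample in the Ansible 1.9 -vvvv EXEC format; hosts and users are
# placeholders. The host1 sudo record is wrapped across lines, as in the question.
SAMPLE_LOG = """\
<host1> EXEC ssh -C -tt -o User=deploy -o ConnectTimeout=10 host1 /bin/sh -c 'mkdir -p /tmp/ansible-tmp-1'
<host1> EXEC ssh -C -tt -o User=deploy -o ConnectTimeout=10 host1 /bin/sh -c 'sudo
 -k && sudo -H -S -p "[sudo via ansible,
key=abc] password: " -u deploy
/bin/sh -c '"'"'echo BECOME-SUCCESS-abc; /usr/bin/python /tmp/ansible-tmp-1/apt'"'"''
<host2> EXEC ssh -C -tt -o User=deploy -o ConnectTimeout=10 host2 /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=def] password: " -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-def; /usr/bin/python /tmp/ansible-tmp-2/apt'"'"''
"""

RECORD_START = re.compile(r"^<(?P<host>[^>]+)> EXEC ")
SSH_USER = re.compile(r"-o User=(\S+)")            # login user passed to ssh
SUDO_TARGET = re.compile(r"\bsudo\b.*?\s-u\s+(\S+)")  # first "-u <user>" after sudo

def iter_records(log_text):
    """Yield logical records, re-joining lines that were wrapped in transit."""
    current = None
    for line in log_text.splitlines():
        if line.startswith("<"):          # "<host> ..." opens a new record
            if current is not None:
                yield current
            current = line.strip()
        elif current is not None and line.strip():
            current += " " + line.strip()  # continuation of a wrapped record
    if current is not None:
        yield current

def audit_become(log_text):
    """Return one finding per EXEC record that invokes sudo."""
    findings = []
    for rec in iter_records(log_text):
        host = RECORD_START.match(rec)
        user = SSH_USER.search(rec)
        target = SUDO_TARGET.search(rec)
        if not (host and user and target):
            continue                       # PUT lines, mkdir/rm without sudo
        findings.append({
            "host": host.group("host"),
            "ssh_user": user.group(1),
            "become_user": target.group(1),
            "escalates": target.group(1) != user.group(1),
        })
    return findings

if __name__ == "__main__":
    for finding in audit_become(SAMPLE_LOG):
        print(finding)
```

A finding with `escalates` false on a task that needs root, such as apt, corresponds to the dpkg lock error in the question.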