using either command or validate on visudo with no stdout is always a fatal result.....


Paul McDonough

Apr 3, 2017, 3:49:28 PM
to Ansible Project
I'm trying to use either lineinfile or blockinfile to make a change to a sudoers.ansible file then copy this back over the sudoers once it's validated as correctly formatted.

I can see that the changes go ahead and I can manually run visudo -q -c -f and get no error meaning the file is ok.

Ansible seems to be interpreting no stderr as an rc:1 failed result and the playbook crashes out... was told this isn't a bug and is a question so any assistance would be great.

Details below : 

ANSIBLE VERSION
ansible 2.2.0.0
  config file =
  configured module search path = Default w/o overrides
CONFIGURATION
OS / ENVIRONMENT
SUMMARY

If you attempt to validate changes to a /etc/sudoers file - even if it is a sudoers.ansible, etc it will fail if you attempt to validate or run via command visudo -q -c -f /etc/sudoers.ansible with no stdout

STEPS TO REPRODUCE
 basic check command 


  - name: Final sudoers file check before copying tmp back
    become: yes
    command: 'visudo -q -cf /etc/sudoers.ansible'
    register: checkok

it also fails if you attempt to run as a validate from lineinfile or blockinfile like 

validate: 'visudo -q -c -f %s'

EXPECTED RESULTS

Expected to pass and register as 'ok'

ACTUAL RESULTS
TASK [Final sudoers file check before copying tmp back] ************************
task path: /Users/<snip>/provision_lab.yml:143
Using module file /Library/Python/2.7/site-packages/ansible/modules/core/commands/command.py
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: <snip>
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1491238255.64-78253062874287 `" && echo ansible-tmp-1491238255.64-78253062874287="` echo $HOME/.ansible/tmp/ansible-tmp-1491238255.64-78253062874287 `" ) && sleep 0'
<127.0.0.1> PUT /var/folders/sj/zdn5tb0d51q_20z4gm0myg700000gn/T/tmpqDb6kH TO /Users/<snip>/.ansible/tmp/ansible-tmp-1491238255.64-78253062874287/command.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /Users/<snip>/.ansible/tmp/ansible-tmp-1491238255.64-78253062874287/ /Users/<snip>/.ansible/tmp/ansible-tmp-1491238255.64-78253062874287/command.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'sudo -H -S  -p "[sudo via ansible, key=wtmauitocwoynsgcjeydluockganqqnp] password: " -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-wtmauitocwoynsgcjeydluockganqqnp; /usr/bin/python /Users/<snip>/.ansible/tmp/ansible-tmp-1491238255.64-78253062874287/command.py; rm -rf "/Users/<snip>/.ansible/tmp/ansible-tmp-1491238255.64-78253062874287/" > /dev/null 2>&1'"'"' && sleep 0'
fatal: [localhost]: FAILED! => {
    "changed": true,
    "cmd": [
        "visudo",
        "-q",
        "-cf",
        "/etc/sudoers.ansible"
    ],
    "delta": "0:00:00.008161",
    "end": "2017-04-03 17:50:55.807571",
    "failed": true,
    "invocation": {
        "module_args": {
            "_raw_params": "visudo -q -cf /etc/sudoers.ansible",
            "_uses_shell": false,
            "chdir": null,
            "creates": null,
            "executable": null,
            "removes": null,
            "warn": true
        },
        "module_name": "command"
    },
    "rc": 1,
    "start": "2017-04-03 17:50:55.799410",
    "stderr": "",
    "stdout": "",
    "stdout_lines": [],
    "warnings": []
}
TASK [Final sudoers file check before copying tmp back] ************************
fatal: [localhost]: FAILED! => {"changed": true, "cmd": "visudo -q -c -f /etc/sudoers.ansible", "delta": "0:00:00.018836", "end": "2017-04-03 17:12:29.915562", "failed": true, "rc": 1, "start": "2017-04-03 17:12:29.896726", "stderr": "", "stdout": "", "stdout_lines": [], "warnings": []}

Brian Coca

Apr 3, 2017, 4:00:20 PM
to Ansible Project
Try giving the full path to visudo.

----------
Brian Coca

Kai Stian Olstad

Apr 3, 2017, 4:07:05 PM
to ansible...@googlegroups.com
On 03. april 2017 21:28, Paul McDonough wrote:
> I'm trying to use either lineinfile or blockinfile to make a change to a
> sudoers.ansible file then copy this back over the sudoers once it's
> validated as correctly formatted.
>
> I can see that the changes go ahead and I can manually run visudo -q -c -f
> and get no error meaning the file is ok.

Since you are using -q, no output will be printed, even if there is an
error in the file.
You need to check (echo $?) the return code; if it's 1 then the file
contains one or more errors.


> Ansible seems to be interpreting no stderr as an rc:1 failed result and
> the playbook crashes out... was told this isn't a bug and is a question so
> any assistance would be great.

visudo is returning error code 1 because there are error(s) in the file,
that's why Ansible fails.
There are one or more errors in the file so visudo reports return code 1.
In Ansible, a return code >0 is by default an error and the task fails.

--
Kai Stian Olstad
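
An added example, not part of the thread and not the Ansible project's own code: the check from the original post with -q dropped so visudo's diagnostics are captured and reported, followed by an edit that is validated before it is written. The /usr/sbin/visudo path and the sample sudoers rule are assumptions; the file name /etc/sudoers.ansible is taken from the post.

```yaml
# Added example. Assumes visudo lives at /usr/sbin/visudo on the target host.
- name: Check the working copy and keep visudo's diagnostics
  become: yes
  # No -q here: with -q visudo prints nothing, so rc=1 arrives with empty output.
  command: /usr/sbin/visudo -c -f /etc/sudoers.ansible
  register: checkok
  changed_when: false   # a syntax check never changes the host
  failed_when: false    # report first, then decide below

- name: Show what visudo reported when the check did not pass
  debug:
    msg:
      - "rc={{ checkok.rc }}"
      - "stderr={{ checkok.stderr }}"
      - "stdout={{ checkok.stdout }}"
  when: checkok.rc != 0

- name: Stop before anything is copied over the live sudoers file
  fail:
    msg: "visudo rejected /etc/sudoers.ansible (rc={{ checkok.rc }})"
  when: checkok.rc != 0

- name: Edit the working copy, validating before the write
  become: yes
  lineinfile:
    dest: /etc/sudoers.ansible          # 'dest' is accepted by old and new Ansible
    line: '%admin ALL=(ALL) ALL'        # constructed sample rule (assumption)
    # The module substitutes %s with a temporary copy holding the new content
    # and only replaces the real file if the command exits with 0.
    validate: '/usr/sbin/visudo -c -f %s'
```

Because validate checks the whole temporary copy, it also fails when the error is in a line that was already in the file, which matches the rc=1 with empty output seen in the thread.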