Does Ansible have to run as root? sudo and --become-user


Mike Schlottman

Sep 13, 2016, 1:00:33 PM
to Ansible Project
I have just started looking into Ansible and have built a server on Centos 7. I generally don't run anything as root so I created an ansible account and group and chown -R ansible:ansible /etc/ansible.

I assumed that this would be OK, but as I start experimenting with commands, it does not seem to use sudo the way I had expected.

As expected this fails because the ansible user does not have access to read /etc/shadow.

-sh-4.2$ ansible localhost -a '/bin/cat /etc/shadow'
localhost | FAILED | rc=1 >>
/bin/cat: /etc/shadow: Permission denied

When I try -b and --become-user root, I get this.
-sh-4.2$ ansible localhost -a '/bin/cat /etc/shadow' -b --become-user root
localhost | FAILED | rc=0 >>
MODULE FAILURE


/var/log/secure shows the following.
Sep 13 11:39:43 ansible sudo: servacct_ansible : TTY=pts/3 ; PWD=/home/servacct_ansible ; USER=root ; COMMAND=/bin/sh -c echo BECOME-SUCCESS-jjadcdyvpoluzchkhvkophnzqvhoxrcz; LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 /usr/bin/python /home/servacct_ansible/.ansible/tmp/ansible-tmp-1473784783.91-193737108086693/command; rm -rf "/home/servacct_ansible/.ansible/tmp/ansible-tmp-1473784783.91-193737108086693/" > /dev/null 2>&


Am I using --become-user incorrectly?


Brian Coca

Sep 13, 2016, 1:24:20 PM
to ansible...@googlegroups.com
Using --become-user only sets the user, it does not force using become, you need --become to do that.

This is because you can set using privilege escalation in the inventory also and this lets you mix/match settings.


----------
Brian Coca

Kai Stian Olstad

Sep 13, 2016, 3:00:56 PM
to ansible...@googlegroups.com
On 13. sep. 2016 18:41, Mike Schlottman wrote:
> I have just started looking into Ansible and have built a server on Centos
> 7. I generally don't run anything as root so I created an ansible account
> and group and chown -R ansible:ansible /etc/ansible.
>
> I assumed that this would be OK, but as I start experimenting with
> commands, it does not seem to use sudo the way I had expected.

It's perfectly OK to create a user, Ansible works great with sudo.


> As expected this fails because the ansible user does not have access to
> read /etc/shadow.
>
> -sh-4.2$ ansible localhost -a '/bin/cat /etc/shadow'
> localhost | FAILED | rc=1 >>
> /bin/cat: /etc/shadow: Permission denied
>
> When I try -b and --become-user root, I get this.
> -sh-4.2$ ansible localhost -a '/bin/cat /etc/shadow' -b --become-user root
> localhost | FAILED | rc=0 >>
> MODULE FAILURE
>
[snip]
>
>
> Am I using --become-user incorrectly?

I would not say so. What you are missing is the sudo password.

The become user is default root, so you do not need to specify that.
And you are using -b for become.
But you must provide the sudo password if you don't have NOPASSWORD in
sudoers.

So this should work for you:
ansible localhost -a 'cat /etc/shadow' -b --ask-sudo-pass

--
Kai Stian Olstad

Mike Schlottman

Sep 14, 2016, 1:52:29 PM
to Ansible Project
I thought the -b and --become do the same thing.

If I run this command as root, it works. If I run it as a non-root user, I get the MODULE FAILURE error.

ansible localhost -a '/bin/cat /etc/shadow' --become --become-user root

Mike Schlottman

Sep 14, 2016, 1:52:29 PM
to Ansible Project
I found the problem by using the -m service instead of -a. The root user does not have permission to read the ansible tmp files because the home directory is an nfs mount. I'll move the ansible user out of the NFS directory and that should fix things.

-sh-4.2$ ansible localhost -m service -a "name=rsyslog state=restarted" --become --become-user root
localhost | FAILED! => {
    "changed": false,
    "failed": true,
    "module_stderr": "",
    "module_stdout": "/usr/bin/python: can't open file '/home/servacct_ansible/.ansible/tmp/ansible-tmp-1473791346.09-103884258170467/service': [Errno 13] Permission denied\r\n",
    "msg": "MODULE FAILURE",
    "parsed": false
}
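An ansible.cfg that bakes in the three points raised in this thread (become must be enabled, not just targeted; the sudo password must be supplied unless sudoers grants NOPASSWD; module staging must not live in a root-squashed NFS home) is shown below. This is an added example, not configuration from the thread or from the Ansible project; the paths are assumptions.

```ini
# ansible.cfg for a non-root controller account (added example; the paths
# under /tmp are assumed placeholders, not values from the thread).
[defaults]
inventory = ./hosts

# Stage modules outside the NFS-mounted home directory. When the NFS server
# squashes root, a sudo'ed python cannot read ~/.ansible/tmp/... and the run
# ends in "MODULE FAILURE" exactly as seen in the thread. remote_tmp is the
# staging directory on the managed host, local_tmp the one on the controller.
# A per-user subdirectory keeps the staging area from being shared in /tmp.
remote_tmp = /tmp/.ansible-${USER}/tmp
local_tmp  = /tmp/.ansible-${USER}/tmp

[privilege_escalation]
# Same effect as passing -b / --become on every invocation. Setting only
# become_user (or only --become-user on the command line) picks the target
# account but does not turn escalation on.
become = True
become_method = sudo
become_user = root

# Prompt for the sudo password on each run (equivalent of -K /
# --ask-become-pass). Set this to False only for accounts whose sudoers rule
# carries the NOPASSWD tag; otherwise sudo waits for a password and the
# module call fails.
become_ask_pass = True
```

The same escalation settings can instead be scoped per host or group in the inventory with ansible_become, ansible_become_user and ansible_become_method, which is the mix-and-match behaviour Brian describes above.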


