Run script that requires 'sudo' on remote hosts.

R-JRI

Mar 27, 2019, 4:29:43 PM
to Ansible Project
Hi, all

We have an application stop/start script that starts/stops the application without root privilege and with 'sudo'.
If I am on the host, I log in as the application user and then run the script to stop/start the application as 'sudo application_stop_start.sh stop/start'.

On the ansible server (v2.7), I created a simple test file. The application user ID is the same on the ansible host and the remote node (ssh authentication has no problem).

  tasks:
    - name: run script to stop/start application
      command: sudo /usr/local/bin/application_stop_start.sh stop

It ran successfully on the remote host with a warning message.

PLAY [Stop application] *********************************************************************************************************************************************************************************************************************
TASK [Gathering Facts] **********************************************************************************************************************************************************************************************************************
ok: [host1]
TASK [run application_stop_start.sh script to stop application] **********************************************************************************************************************************************************************************************
 [WARNING]: Consider using 'become', 'become_method', and 'become_user' rather than running sudo
changed: [host1]
PLAY RECAP **********************************************************************************************************************************************************************************************************************************
host1               : ok=2    changed=1    unreachable=0    failed=0

I don't need 'become' and 'become_user' at least since the UID is the same. Tried to use 'become_method = sudo' and remove 'sudo' from 'command: /usr/local/bin/application_stop_start.sh stop' and it did not work. Does anyone have any suggestions?
Thanks.

Sebastian Meyer

Mar 27, 2019, 4:57:48 PM
to ansible...@googlegroups.com, R-JRI
On 27.03.19 21:29, R-JRI wrote:
> I don't need 'become' and 'become_user' at least since the UID is the same.
> Tried to use 'become_method = sudo' and remove 'sudo' from 'command:
> /usr/local/bin/application_stop_start.sh stop' and it did not work. Does
> anyone have any suggestions?
> Thanks.

You still need `become: true`, since you want to _become_ root executing
this script. Just setting the become_method to sudo won't do anything.

Sebastian

--
Sebastian Meyer
Linux Consultant & Trainer
Mail: me...@b1-systems.de

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537

Raghavendra Rao

Mar 27, 2019, 5:04:02 PM
to ansible...@googlegroups.com
'become' is used for privilege escalation. Meaning "Whether to automatically switch user on the managed host (typically to root) after connecting". Though you have the same UIDs on both the control node and the managed host, don't forget that the UID on the managed host needs root privileges to run 'application_stop_start.sh' (as you are running sudo to run that command normally as well).

> Tried to use 'become_method = sudo' and remove 'sudo' from 'command: /usr/local/bin/application_stop_start.sh stop' and it did not work. Does anyone have any suggestions?

You need to inform ansible about these two things:

become = true
become_user = root
become_method = sudo

Put this under ansible.cfg of your pwd and it should run fine.

-R.Rao

R-JRI

Mar 28, 2019, 9:45:35 AM
to Ansible Project
Hi, Sebastian

I was not clear. I checked my ansible.cfg and it has 'become = true' in it, and the run failed.

R-JRI

Mar 28, 2019, 9:49:27 AM
to Ansible Project
Hi, Raghavendra

I added 'become_user = root' to ansible.cfg and the run failed with the message below:

TASK [Gathering Facts] **********************************************************************************************************************************************************************************************************************
fatal: [host1]: FAILED! => {"changed": false, "module_stderr": "Shared connection to host1 closed.\r\n", "module_stdout": "Sorry, user appsadmin is not allowed to execute '/bin/sh -c echo BECOME-SUCCESS-fxdiujleiigrbgciqkixarzuxhsbngrr; /usr/bin/python /u/appadmin/.ansible/tmp/ansible-tmp-1553780641.69-82349845573466/AnsiballZ_setup.py' as root on host1.\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

Sebastian Meyer

Mar 28, 2019, 10:21:23 AM
to ansible...@googlegroups.com, R-JRI
Hi,

On 28.03.19 14:49, R-JRI wrote:
> TASK [Gathering Facts]
> **********************************************************************************************************************************************************************************************************************
> fatal: [host1]: FAILED! => {"changed": false, "module_stderr": "Shared
> connection to host1 closed.\r\n", "module_stdout": "Sorry, user appsadmin
> is not allowed to execute '/bin/sh -c echo
> BECOME-SUCCESS-fxdiujleiigrbgciqkixarzuxhsbngrr; /usr/bin/python
> /u/appadmin/.ansible/tmp/ansible-tmp-1553780641.69-82349845573466/AnsiballZ_setup.py'
> as root on host1.\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the
> exact error", "rc": 1}

If the user you use with ansible is only allowed to execute this script
with sudo and not use sudo for ALL, then you are right to use

command: sudo /usr/local/bin/application_stop_start.sh stop

You may want to add

warn: no

See:
https://docs.ansible.com/ansible/latest/modules/command_module.html?highlight=warn
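
Added example, not part of the thread or of Sebastian's message: a complete play following the answer above for an account whose sudoers entry permits only this one script. The sudoers rule, the `<app_user>` placeholder, the `sudo -n` flag and the preflight task are assumptions; the script path, host name and `warn: no` come from the thread.

```yaml
# Added example (not from the thread). Assumed sudoers entry on host1 for the
# application account, shown with the placeholder <app_user>:
#
#   <app_user> ALL=(root) NOPASSWD: /usr/local/bin/application_stop_start.sh stop, \
#                                   /usr/local/bin/application_stop_start.sh start
#
# With a rule like this, 'become' fails as in the thread: Ansible asks sudo to
# run "/bin/sh -c 'echo BECOME-SUCCESS-...; /usr/bin/python .../AnsiballZ_*.py'",
# which the rule does not list. The rule stays narrow and the task calls sudo
# itself instead.
- name: Stop application
  hosts: host1
  become: false            # overrides 'become = true' from ansible.cfg, so fact
                           # gathering and modules run as the login user
  tasks:
    - name: check that sudo permits the exact command (assumed preflight)
      # -n: never prompt for a password, fail instead of hanging
      # -l <command>: query the policy only; exits 1 if the command is denied
      command: sudo -n -l /usr/local/bin/application_stop_start.sh stop
      args:
        warn: no
      changed_when: false

    - name: run application_stop_start.sh script to stop application
      command: sudo -n /usr/local/bin/application_stop_start.sh stop
      args:
        warn: no           # suppresses the "Consider using 'become'" warning (Ansible 2.7)
```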

R-JRI

Mar 28, 2019, 11:23:17 AM
to Ansible Project
Thanks Sebastian.
I added the warning option as you suggested and the warning message went away and applications can be stopped/started.