apt module fails with non-root sudoer ("Permission denied")


Kevin Jaquier

Oct 15, 2015, 11:50:21 AM
to Ansible Project
I'm having trouble executing my script from a user with sudo access instead of root.

I'm getting "permission denied" errors when playing the playbook, but if I execute the commands manually on the server it works just fine.
I did use "become" to execute the tasks with sudo and the right user.

The (relevant part of the) playbook :

---
- hosts: all
  remote_user: "{{ user }}"
  become: yes
  become_user: "{{ user }}"
  become_method: sudo

  tasks:

    - name: Install useful system tools
      apt: name={{ item }} state=present
      with_items:
        - vim
        - nano
        - htop
        - git
        - subversion
        - tig
        - ncdu
        - nodejs-legacy
        - npm
        - mesa-utils



Ansible output :

$ ansible-playbook -K -i test site.yml -vvvv
SUDO password:

PLAY [all] ********************************************************************

GATHERING FACTS ***************************************************************
<[the server address]> ESTABLISH CONNECTION FOR USER: [the user name]
<[the server address]> REMOTE_MODULE setup
<[the server address]> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/kevin/.ansible/cp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=[the user name] -o ConnectTimeout=10 [the server address] /bin/sh -c 'mkdir -p /tmp/ansible-tmp-1444921321.94-213782579685333 && chmod a+rx /tmp/ansible-tmp-1444921321.94-213782579685333 && echo /tmp/ansible-tmp-1444921321.94-213782579685333'
<[the server address]> PUT /tmp/tmpk_hOEu TO /tmp/ansible-tmp-1444921321.94-213782579685333/setup
<[the server address]> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/kevin/.ansible/cp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=[the user name] -o ConnectTimeout=10 [the server address] /bin/sh -c 'chmod a+r /tmp/ansible-tmp-1444921321.94-213782579685333/setup'
<[the server address]> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/kevin/.ansible/cp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=[the user name] -o ConnectTimeout=10 [the server address] /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=upzdhdqqnkqtecoipruvaisazfdvjubv] password: " -u [the user name] /bin/sh -c '"'"'echo BECOME-SUCCESS-upzdhdqqnkqtecoipruvaisazfdvjubv; LANG=C LC_CTYPE=C /usr/bin/python /tmp/ansible-tmp-1444921321.94-213782579685333/setup'"'"''
<[the server address]> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/kevin/.ansible/cp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=[the user name] -o ConnectTimeout=10 [the server address] /bin/sh -c 'rm -rf /tmp/ansible-tmp-1444921321.94-213782579685333/ >/dev/null 2>&1'
ok: [[the server address]]

TASK: [Install useful system tools] *******************************************
<[the server address]> ESTABLISH CONNECTION FOR USER: [the user name]
<[the server address]> REMOTE_MODULE apt name=vim,nano,htop,git,subversion,tig,ncdu,nodejs-legacy,npm state=present
<[the server address]> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/kevin/.ansible/cp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=[the user name] -o ConnectTimeout=10 [the server address] /bin/sh -c 'mkdir -p /tmp/ansible-tmp-1444921350.8-236765363664782 && chmod a+rx /tmp/ansible-tmp-1444921350.8-236765363664782 && echo /tmp/ansible-tmp-1444921350.8-236765363664782'
<[the server address]> PUT /tmp/tmpTE3idg TO /tmp/ansible-tmp-1444921350.8-236765363664782/apt
<[the server address]> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/kevin/.ansible/cp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=[the user name] -o ConnectTimeout=10 [the server address] /bin/sh -c 'chmod a+r /tmp/ansible-tmp-1444921350.8-236765363664782/apt'
<[the server address]> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/kevin/.ansible/cp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=[the user name] -o ConnectTimeout=10 [the server address] /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=puwtzrscvqsbjbiqrhkjwxdxmszgeduz] password: " -u [the user name] /bin/sh -c '"'"'echo BECOME-SUCCESS-puwtzrscvqsbjbiqrhkjwxdxmszgeduz; LANG=C LC_CTYPE=C /usr/bin/python /tmp/ansible-tmp-1444921350.8-236765363664782/apt'"'"''
<[the server address]> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/kevin/.ansible/cp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=[the user name] -o ConnectTimeout=10 [the server address] /bin/sh -c 'rm -rf /tmp/ansible-tmp-1444921350.8-236765363664782/ >/dev/null 2>&1'
failed: [[the server address]] => (item=vim,nano,htop,git,subversion,tig,ncdu,nodejs-legacy,npm,mesa-utils) => {"failed": true, "item": "vim,nano,htop,git,subversion,tig,ncdu,nodejs-legacy,npm,mesa-utils"}
stderr: E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?

msg: '/usr/bin/apt-get -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold"   install 'htop' 'subversion' 'tig' 'ncdu' 'nodejs-legacy' 'npm' 'mesa-utils'' failed: E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)
E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?

FATAL: all hosts have already failed -- aborting
(Note: I'm still providing sudo password for other tasks that also don't work without root)


Also relevant :

$ ansible --version
ansible 1.9.4
  configured module search path = None
$ ssh [the user name]@[the server address]
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-30-generic x86_64)
...
[the user name]@[the server name]:~$ sudo -l
Matching Defaults entries for [the user name] on [the server name]:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_keep+=SSH_AUTH_SOCK

User [the user name] may run the following commands on vm02:
    (ALL : ALL) ALL
    (ALL : ALL) NOPASSWD: ALL



Santosh Jambhlikar

Oct 16, 2015, 4:08:32 AM
to Ansible Project
I use following which works for me

sudo: yes

but user has sudo to ALL privileges
...

Kevin Jaquier

Oct 16, 2015, 10:55:22 AM
to Ansible Project
That's what I'm doing here, as the "sudo" option has been deprecated in favor of "become".
And my user also has all the privileges (see the output of "sudo -l"). At least if I understand correctly. Anyway, it does have the required privilege; I can "sudo apt-get install" something with this user and it works.

Santosh Jambhlikar

Oct 16, 2015, 11:57:21 AM
to ansible...@googlegroups.com
Try removing all parameters and add "sudo: yes" only ( like below)

---
- hosts: all
  sudo: yes

  tasks:

    - name: Install useful system tools
      apt: name={{ item }} state=present
      with_items:
        - vim
        - nano




Kevin Jaquier

Oct 16, 2015, 12:37:43 PM
to Ansible Project
I tried and it worked, obviously, because the task is actually run with root (instead of my user with sudo access) which is not what I wanted.

That's why I'm using "become_user" (equivalent of the now deprecated "sudo_user"), in order to use sudo with my user and not root.

Below the Ansible output :

$ ansible-playbook -K -i test site.yml -vvvv
SUDO password: 

PLAY [all] ******************************************************************** 

GATHERING FACTS *************************************************************** 
<[the server name]> ESTABLISH CONNECTION FOR USER: [the user name]
<[the server name]> REMOTE_MODULE setup
<[the server name]> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/kevin/.ansible/cp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=[the user name] -o ConnectTimeout=10 [the server name] /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1445011786.98-96385272343300 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1445011786.98-96385272343300 && echo $HOME/.ansible/tmp/ansible-tmp-1445011786.98-96385272343300'
<[the server name]> PUT /tmp/tmpzsyZR5 TO /home/[the user name]/.ansible/tmp/ansible-tmp-1445011786.98-96385272343300/setup
<[the server name]> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/kevin/.ansible/cp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=[the user name] -o ConnectTimeout=10 [the server name] /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=xlkvnygczvuuuxouqlysjwveacqafobo] password: " -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-xlkvnygczvuuuxouqlysjwveacqafobo; LANG=C LC_CTYPE=C /usr/bin/python /home/[the user name]/.ansible/tmp/ansible-tmp-1445011786.98-96385272343300/setup; rm -rf /home/[the user name]/.ansible/tmp/ansible-tmp-1445011786.98-96385272343300/ >/dev/null 2>&1'"'"''
ok: [[the server name]]

TASK: [Install useful system tools] ******************************************* 
<[the server name]> ESTABLISH CONNECTION FOR USER: [the user name]
<[the server name]> REMOTE_MODULE apt name=vim,nano,htop,git,subversion,tig,ncdu,nodejs-legacy,npm,mesa-utils state=present
<[the server name]> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/kevin/.ansible/cp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=[the user name] -o ConnectTimeout=10 [the server name] /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1445011796.4-117959804841916 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1445011796.4-117959804841916 && echo $HOME/.ansible/tmp/ansible-tmp-1445011796.4-117959804841916'
<[the server name]> PUT /tmp/tmpDRxOC1 TO /home/[the user name]/.ansible/tmp/ansible-tmp-1445011796.4-117959804841916/apt
<[the server name]> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/kevin/.ansible/cp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=[the user name] -o ConnectTimeout=10 [the server name] /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=zkgarkbubgpvcowmyibknwzfzyeoksnf] password: " -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-zkgarkbubgpvcowmyibknwzfzyeoksnf; LANG=C LC_CTYPE=C /usr/bin/python /home/[the user name]/.ansible/tmp/ansible-tmp-1445011796.4-117959804841916/apt; rm -rf /home/[the user name]/.ansible/tmp/ansible-tmp-1445011796.4-117959804841916/ >/dev/null 2>&1'"'"''
changed: [[the server name]] => 

Markus Ellers

Oct 18, 2015, 4:37:22 AM
to Ansible Project
If you combine become_user with sudo: yes it will do what you want. You can leave sudo_user out.

Kevin Jaquier

Oct 20, 2015, 7:10:36 AM
to Ansible Project
"ERROR: sudo params ("become", "become_user") and su params ("sudo", "sudo_user") cannot be used together"

However, it will indeed do what I want if I combine "become: yes" with become_user (as "become" is a replacement for "sudo", see http://docs.ansible.com/ansible/become.html).
That's exactly what I was doing in the first place.

The issue, which is why I'm posting here, is that by doing this I got a "Permission denied" error, even though I DO have the permissions as I can do it manually on an SSH terminal with the same user.

Markus Ellers

Oct 20, 2015, 4:41:57 PM
to Ansible Project
Ah, sorry about that. You would have to use sudo on the task and become on the overall play. You cannot use both "side by side".
But you are right, you can and should achieve that without the old sudo stuff, I only suggested that because it works for me right now.
Now, I went back and tried to achieve the same thing using only the become params (ssh into other machine, su to another user and execute sudo commands as this user).
Unfortunately I was not able to achieve this. The only way was to specify the use of sudo as part of a command/shell/raw command, but not as a parameter to a task :-/
It seems that Ansible expects the remote user to have all the sudo rights or directly su to a user having the proper rights.
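
Added example, not part of any post in the thread: the two -vvvv runs above differ in the -u argument of the sudo wrapper (-u [the user name] in the failing run, -u root in the working one), because become_user names the account sudo switches to, so pointing it at the login user leaves the apt module unprivileged. The Python below reports the effective become target for each EXEC line of such a log; the sample lines, the user "deploy" and the host "vm.example" are constructed, and the regexes assume the 1.9-style wrapper shown in the thread.

```python
import re

# Constructed sample modelled on the EXEC lines in the thread's -vvvv output.
# "deploy" and "vm.example" are placeholders; the keys are shortened.
SAMPLE_LOG = """\
<vm.example> EXEC ssh -C -tt -o User=deploy -o ConnectTimeout=10 vm.example /bin/sh -c 'mkdir -p /tmp/ansible-tmp-1 && echo /tmp/ansible-tmp-1'
<vm.example> EXEC ssh -C -tt -o User=deploy -o ConnectTimeout=10 vm.example /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=aaaa] password: " -u deploy /bin/sh -c '"'"'echo BECOME-SUCCESS-aaaa; LANG=C /usr/bin/python /tmp/ansible-tmp-1/apt'"'"''
<vm.example> EXEC ssh -C -tt -o User=deploy -o ConnectTimeout=10 vm.example /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=bbbb] password: " -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-bbbb; LANG=C /usr/bin/python /tmp/ansible-tmp-2/apt'"'"''
"""

# SSH login account, taken from the "-o User=" option of the ssh command line.
LOGIN_RE = re.compile(r"-o User=(\S+)")
# Account sudo switches to: the first "-u <name>" after the "sudo -H" wrapper.
BECOME_RE = re.compile(r"\bsudo -H\b.*?\s-u\s+(\S+)")


def audit_become(log_text):
    """Return one finding per EXEC line that wraps a module in sudo."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if " EXEC ssh " not in line:
            continue
        login = LOGIN_RE.search(line)
        become = BECOME_RE.search(line)
        if not (login and become):
            continue  # plain EXEC (mkdir, chmod, rm): no privilege change
        login_user, target = login.group(1), become.group(1)
        if target == login_user:
            verdict = "no-op"       # sudo -u <self>: module stays unprivileged
        elif target == "root":
            verdict = "root"        # module runs as root
        else:
            verdict = "other-user"  # module runs as a different account
        findings.append({"line": lineno, "login": login_user,
                         "target": target, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in audit_become(SAMPLE_LOG):
        print("line {line}: login={login} become target={target} -> {verdict}".format(**f))
```

A "no-op" verdict on a task that needs root, such as apt, matches the dpkg lock error in the first run; the same report also shows which tasks run as root when the intent was a less privileged account.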