Develop Reference

Ansible playbook with become_method=pbrun not working

I am a beginner on Ansible. I am trying to run command as a db user and we have pbrun setup for changing users in my company.
Below is how my pbrun policy is defined as :
[ RunAs User ] [ Command ]
root /bin/su - couchbase
root /bin/su - enterprisedb
From ansible.cfg (only sharing privilege_escalation part):
[privilege_escalation]
become=true
become_method=pbrun
become_user=''
become_ask_pass=False
become_flags: '/bin/su - enterprisedb'
From playbook :
$ cat ping.yml
- name: Test
hosts: all
gather_facts: false
any_errors_fatal: false
tasks:
- shell: whoami
register: output
- debug:
msg: "{{output.stdout}}"
Below is how I am running playbook.
ansible-playbook -i sample.host1.list ping.yml -k -vvvv
Output :
$ ansible-playbook -i sample.host1.list ping.yml -k -vvvv
ansible-playbook 2.8.12
config file = /home/ads_username/ansible_work_dir/ansible.cfg
configured module search path = [u'/adshome/ads_username/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /usr/bin/ansible-playbook
python version = 2.7.5 (default, Sep 26 2019, 13:23:47) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
Using /home/ads_username/ansible_work_dir/ansible.cfg as config file
SSH password:
setting up inventory plugins
host_list declined parsing /home/ads_username/ansible_work_dir/sample.host1.list as it did not pass it's verify_file() method
auto declined parsing /home/ads_username/ansible_work_dir/sample.host1.list as it did not pass it's verify_file() method
yaml declined parsing /home/ads_username/ansible_work_dir/sample.host1.list as it did not pass it's verify_file() method
Parsed /home/ads_username/ansible_work_dir/sample.host1.list inventory source with ini plugin
Loading callback plugin debug of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/debug.pyc
Loading callback plugin profile_tasks of type aggregate, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/profile_tasks.pyc
PLAYBOOK: ping.yml ******************************************************************************************************************************************
Positional arguments: ping.yml
ask_pass: True
become_method: pbrun
inventory: (u'/home/ads_username/ansible_work_dir/sample.host1.list',)
forks: 5
tags: (u'all',)
verbosity: 4
connection: paramiko
timeout: 10
become: True
1 plays in ping.yml
PLAY [Adding VM to inventory] *******************************************************************************************************************************
META: ran handlers
TASK [shell] ************************************************************************************************************************************************
task path: /home/ads_username/ansible_work_dir/ping.yml:6
Wednesday 10 November 2021 15:21:32 -0700 (0:00:00.053) 0:00:00.053 ****
<server_name.region.company.com> ESTABLISH PARAMIKO SSH CONNECTION FOR USER: None on PORT 22 TO server_name.region.company.com
<server_name.region.company.com> EXEC /bin/bash -c '( umask 77 && mkdir -p "` echo /tmp `"&& mkdir /tmp/ansible-tmp-1636582892.39-15614-57850062632655 && echo ansible-tmp-1636582892.39-15614-57850062632655="` echo /tmp/ansible-tmp-1636582892.39-15614-57850062632655 `" ) && sleep 0'
<server_name.region.company.com> Attempting python interpreter discovery
<server_name.region.company.com> EXEC /bin/bash -c 'echo PLATFORM; uname; echo FOUND; command -v '"'"'/usr/bin/python'"'"'; command -v '"'"'python3.7'"'"'; command -v '"'"'python3.6'"'"'; command -v '"'"'python3.5'"'"'; command -v '"'"'python2.7'"'"'; command -v '"'"'python2.6'"'"'; command -v '"'"'/usr/libexec/platform-python'"'"'; command -v '"'"'/usr/bin/python3'"'"'; command -v '"'"'python'"'"'; echo ENDFOUND && sleep 0'
<server_name.region.company.com> Python interpreter discovery fallback (pipelining support required for extended interpreter discovery)
Using module file /usr/lib/python2.7/site-packages/ansible/modules/commands/command.py
<server_name.region.company.com> PUT /adshome/ads_username/.ansible/tmp/ansible-local-155953Afqz2/tmpgNQgMu TO /tmp/ansible-tmp-1636582892.39-15614-57850062632655/AnsiballZ_command.py
<server_name.region.company.com> EXEC /bin/bash -c 'chmod u+x /tmp/ansible-tmp-1636582892.39-15614-57850062632655/ /tmp/ansible-tmp-1636582892.39-15614-57850062632655/AnsiballZ_command.py && sleep 0'
<server_name.region.company.com> EXEC /bin/bash -c 'echo BECOME-SUCCESS-sgemmsfapenzvcsbxdnbjneynirmhzkl; echo "/usr/bin/python /tmp/ansible-tmp-1636582892.39-15614-57850062632655/AnsiballZ_command.py"|pbrun /bin/su - enterprisedb && sleep 0'
<server_name.region.company.com> EXEC /bin/bash -c 'rm -f -r /tmp/ansible-tmp-1636582892.39-15614-57850062632655/ > /dev/null 2>&1 && sleep 0'
[WARNING]: Platform linux on host server_name.region.company.com is using the discovered Python interpreter at /usr/bin/python, but future installation of
another Python interpreter could change this. See https://docs.ansible.com/ansible/2.8/reference_appendices/interpreter_discovery.html for more information.
fatal: [server_name.region.company.com]: FAILED! => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"rc": 2
}
MSG:
MODULE FAILURE
See stdout/stderr for the exact error
MODULE_STDOUT:
Last login: Wed Nov 10 15:21:02 MST 2021
/usr/bin/python: can't open file '/tmp/ansible-tmp-1636582892.39-15614-57850062632655/AnsiballZ_command.py': [Errno 13] Permission denied
PLAY RECAP **************************************************************************************************************************************************
server_name.region.company.com : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
Wednesday 10 November 2021 15:21:35 -0700 (0:00:03.141) 0:00:03.194 ****
===============================================================================
shell ------------------------------------------------------------------------------------------------------------------------------------------------ 3.14s
/home/ads_username/ansible_work_dir/ping.yml:6 --------------------------------------------------------------------------------------------------------------------
Please help guide me on what is wrong in my setup and if it is possible to make this work without changing anything in my pbrun policy.

Skip confirmation in Ansible during deleting node with Kubspray

I'm trying to run Ansible playbook remove-node.yml from Kubespray repository.
But when I run a job I get an error:
TASK [check confirmation] ******************************************************
fatal: [node61]: FAILED! => {"changed": false, "msg": "Delete nodes confirmation failed"}
I'm doing it through GitLabCI and here is my .gitlab-ci.yml:
stages:
- deploy
image: ***/releases/kubespray:v2.12.5
variables:
ANSIBLE_HOST_KEY_CHECKING: "False"
before_script:
- mkdir -p ~/.ssh
- echo "$id_rsa" | base64 -d > ~/.ssh/id_rsa
- chmod -R 700 ~/.ssh
delete_node:
stage: deploy
when: manual
script:
- ansible-playbook -v -u root --key-file=~/.ssh/id_rsa --extra-vars skip_confirmation=yes -i inventory/hosts.ini /kubespray/remove-node.yml -e "node=node61"
I've tried check_confirmation, skip_confirmation=true, True or 'true' and other variations, but none of them works

The required variable is delete_nodes_confirmation not skip_confirmation.
So the answer is delete_nodes_confirmation=yes.

Can you run your script like this?
ansible-playbook -v -u root --key-file=~/.ssh/id_rsa -i inventory/hosts.ini /kubespray/remove-node.yml --extra-var "node=node61 skip_confirmation=true"

How to detect UNREACHABLE HOSTS in Ansible

Below is my playbook
- name: Play 1.5 - Check each target
hosts: all_hosts
ignore_unreachable: yes
ignore_errors: yes
gather_facts: true
tasks:
- raw: "echo {{ inventory_hostname }} is UNREACHABLE"
delegate_to: localhost
when: <Need help with the when condition here>
I need help with the when condition in the above playbook.
When i run the play against unreachable hosts the debug output clearly shows that the output is in JSON format and there must a variable that captures inventory_host connection status
Please see the output below:
TASK [Gathering Facts] *************************************************************************************************************************************************
task path: /app/Ansible/playbook/check/check.yml:55
<10.9.80.111> Attempting python interpreter discovery
<10.9.80.111> ESTABLISH SSH CONNECTION FOR USER: root
<10.9.80.111> SSH: EXEC ssh -o 'IdentityFile="/app/automation/ssh_keys/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no 10.9.80.111 '/bin/sh -c '"'"'echo PLATFORM; uname; echo FOUND; command -v '"'"'"'"'"'"'"'"'/usr/bin/python'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.7'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.6'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python3.5'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python2.7'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python2.6'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'/usr/libexec/platform-python'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'/usr/bin/python3'"'"'"'"'"'"'"'"'; command -v '"'"'"'"'"'"'"'"'python'"'"'"'"'"'"'"'"'; echo ENDFOUND && sleep 0'"'"''
<10.9.80.111> (255, '', 'ssh: connect to host 10.9.80.111 port 22: Connection timed out\r\n')
[WARNING]: Unhandled error in Python interpreter discovery for host 10.9.80.111: Failed to connect to the host via ssh: ssh: connect to host 10.9.80.111 port 22:
Connection timed out
Using module file /usr/lib/python2.7/site-packages/ansible/modules/system/setup.py
Pipelining is enabled.
<10.9.80.111> ESTABLISH SSH CONNECTION FOR USER: root
<10.9.80.111> SSH: EXEC ssh -o 'IdentityFile="/app/axmw/misc_automation/ssh_keys/axmw_id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o StrictHostKeyChecking=no 10.9.80.111 '/bin/sh -c '"'"'/usr/bin/python && sleep 0'"'"''
fatal: [10.9.80.111]: UNREACHABLE! => {
"changed": false,
"msg": "Data could not be sent to remote host \"10.9.80.111\". Make sure this host can be reached over ssh: ssh: connect to host 10.9.80.111 port 22: Connection timed out\r\n",
"skip_reason": "Host 10.9.80.111 is unreachable",
"unreachable": true
}
META: ran handlers
From the output above i want to get the variable that has the below values:
fatal: [10.9.80.111]: UNREACHABLE! => {
"changed": false,
"msg": "Data could not be sent to remote host \"10.9.80.111\". Make sure this host can be reached over ssh: ssh: connect to host 10.9.80.111 port 22: Connection timed out\r\n",
"skip_reason": "Host 10.9.80.111 is unreachable",
"unreachable": true
Thus, I wish to capture the unreachable": true status from there.
Can someone please guide ?

you can use changed_when , when the changed is false, get the unreachable host
- name: Test connection and gather facts
hosts: all
serial: 1
gather_facts: true
ignore_unreachable: yes
become: false
tasks:
- name: Test connection
shell: hostname
register: connection_output
ignore_unreachable: yes
- debug: var=connection_output.changed
ignore_errors: yes
- name: print the list of unreachable servers
lineinfile:
line: "{{ connection_output.msg }}"
dest: "/tmp/AnsibleConnectionCheck.txt"
insertafter: EOF
become: false
delegate_to: 127.0.0.1
run_once: true
ignore_errors: yes
changed_when: False
Today I just finished this playbook :) Hope it will helpful for you!

Thank you so much Yvette Lau! I've been looking for this everywhere. Here is my implementation of the same logic with win_ping:
---
- hosts: all
gather_facts: no
become: yes
tasks:
- name: Win_Ping
win_ping:
register: WinPingResult
ignore_unreachable: yes
- debug: var=WinPingResult.changed
ignore_errors: yes
- name: Printing errors
debug:
msg: "{{ WinPingResult.msg }}"
run_once: yes
changed_when: False

Ansible lineinfile give an error with /etc/hosts

I have this simple task in my role:
- name: Updating the /etc/hosts
lineinfile: dest=/etc/hosts line="192.168.99.100 {{ item }}"
with_items:
- domain1.com
- domain2.com
tags: etc
When I run my Ansible playbook:
robe:ansible-develop robe$ ansible-playbook -i inventory develop-env.yml -vvvv --extra-vars "user=`whoami`" --tags etc --become-user=robe --ask-become-pass
SUDO password:
PLAY [127.0.0.1] **************************************************************
GATHERING FACTS ***************************************************************
<127.0.0.1> REMOTE_MODULE setup
<127.0.0.1> EXEC ['/bin/sh', '-c', 'mkdir -p /tmp/ansible-tmp-1446050161.27-256837595805154 && chmod a+rx /tmp/ansible-tmp-1446050161.27-256837595805154 && echo /tmp/ansible-tmp-1446050161.27-256837595805154']
<127.0.0.1> PUT /var/folders/x1/dyrdksh50tj0z2szv3zx_9rc0000gq/T/tmpMYjnXz TO /tmp/ansible-tmp-1446050161.27-256837595805154/setup
<127.0.0.1> EXEC ['/bin/sh', '-c', 'chmod a+r /tmp/ansible-tmp-1446050161.27-256837595805154/setup']
<127.0.0.1> EXEC /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=rqphpqfpcbsifqtnwflmmlmpwrcnkpqe] password: " -u robe /bin/sh -c '"'"'echo BECOME-SUCCESS-rqphpqfpcbsifqtnwflmmlmpwrcnkpqe; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /tmp/ansible-tmp-1446050161.27-256837595805154/setup'"'"''
<127.0.0.1> EXEC ['/bin/sh', '-c', 'rm -rf /tmp/ansible-tmp-1446050161.27-256837595805154/ >/dev/null 2>&1']
ok: [127.0.0.1]
TASK: [docker-tool-box | Updating the /etc/hosts] *****************************
<127.0.0.1> REMOTE_MODULE lineinfile dest=/etc/hosts line="192.168.99.100 ptxrt.com"
<127.0.0.1> EXEC ['/bin/sh', '-c', 'mkdir -p /tmp/ansible-tmp-1446050161.49-9492873099893 && chmod a+rx /tmp/ansible-tmp-1446050161.49-9492873099893 && echo /tmp/ansible-tmp-1446050161.49-9492873099893']
<127.0.0.1> PUT /var/folders/x1/dyrdksh50tj0z2szv3zx_9rc0000gq/T/tmpyLOGd6 TO /tmp/ansible-tmp-1446050161.49-9492873099893/lineinfile
<127.0.0.1> EXEC ['/bin/sh', '-c', u'chmod a+r /tmp/ansible-tmp-1446050161.49-9492873099893/lineinfile']
<127.0.0.1> EXEC /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=nofwziqxytbhjwhluhtzdfcqclqjuypv] password: " -u robe /bin/sh -c '"'"'echo BECOME-SUCCESS-nofwziqxytbhjwhluhtzdfcqclqjuypv; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /tmp/ansible-tmp-1446050161.49-9492873099893/lineinfile'"'"''
<127.0.0.1> EXEC ['/bin/sh', '-c', 'rm -rf /tmp/ansible-tmp-1446050161.49-9492873099893/ >/dev/null 2>&1']
failed: [127.0.0.1] => (item=ptxrt.com) => {"failed": true, "item": "ptxrt.com"}
msg: The destination directory (/private/etc) is not writable by the current user.
FATAL: all hosts have already failed -- aborting
PLAY RECAP ********************************************************************
to retry, use: --limit #/Users/robe/develop-env.retry
127.0.0.1 : ok=1 changed=0 unreachable=0 failed=1
I don't understand why the error msg said:
msg: The destination directory (/private/etc) is not writable by the current user.
The correct directory should be /etc/hosts.
Any clue?
I am working on MacOS.
My playbook is:
- hosts: 127.0.0.1
connection: local
become: yes
become_method: sudo
become_user: "{{user}}"
roles:
- role-1
- role-2
I put the become_user by command line. So all my roles are running with become. And it still doesn't work.

On OSX the /etc/ folder is actually a symlink to the /private/etc/ folder - hence the error. (Ansible is just transparently following the symlink).
As for the error you're going to need to run the task with become: yes (sudo permissions) to be able to write to /etc/hosts/
Edit based on update and commments
To get the correct privileges to edit the hosts file you need to be root. Setting become: yes on the task is good enough for this for OSX as Ansible will default to sudo as the become method and root as the user.
To specify the sudo password you can do one of two things.
Use --ask-become-pass on the command line and Ansible will prompt you when it needs it
Use the ansible_become_pass variable on the group or host in the inventory file. E.g. localhost ansible_become_pass=batman
Note that the Ansible docs recommend against 2 and using 1 so as not to store your password in plain text.

running an ansible local task in a remote playbook

I'm trying to get this task to run locally (on the machine that is running the playbook) :
- name: get the local repo's branch name
local_action: git branch | awk '/^\*/{print $2}'
register: branchName
I tried plenty of variations with no success
all other tasks are meant to run on the target host, which is why running the whole playbook local is not an option
TASK: [get the local repo's branch name] **************************************
<127.0.0.1> REMOTE_MODULE git branch | awk '/^\*/{print $2}'
<127.0.0.1> EXEC ['/bin/sh', '-c', 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1407258765.57-75899426008172 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1407258765.57-75899426008172 && echo $HOME/.ansible/tmp/ansible-tmp-1407258765.57-75899426008172']
<127.0.0.1> PUT /tmp/tmpQVocvw TO /home/max/.ansible/tmp/ansible-tmp-1407258765.57-75899426008172/git
<127.0.0.1> EXEC ['/bin/sh', '-c', '/usr/bin/python /home/max/.ansible/tmp/ansible-tmp-1407258765.57-75899426008172/git; rm -rf /home/max/.ansible/tmp/ansible-tmp-1407258765.57-75899426008172/ >/dev/null 2>&1']
failed: [portal-dev] => {"failed": true}
msg: this module requires key=value arguments (['branch', '|', 'awk', '/^\\*/{print $2}'])
FATAL: all hosts have already failed -- aborting
update:
I have followed bkan's suggestion (bellow), and got a bit further, but
- name: get the local repo's branch name
local_action: command git branch | (awk '/^\*/{print $2}')
sudo: no
register: branchName
now the git command gets launched but not correctly (see error below).
note that this command runs perfectly as a "shell" but unfortunately there is no local_shell equivalent of local_action ...
failed: [portal-dev] => {"changed": true, "cmd": ["git", "branch", "|", "(awk", "/^\\*/{print $2})"], "delta": "0:00:00.002980", "end": "2014-08-05 18:00:01.293632", "rc": 129, "start": "2014-08-05 18:00:01.290652"}
stderr: usage: git branch [options] [-r | -a] [--merged | --no-merged]
or: git branch [options] [-l] [-f] <branchname> [<start-point>]
or: git branch [options] [-r] (-d | -D) <branchname>...
or: git branch [options] (-m | -M) [<oldbranch>] <newbranch>
...

The format for local_action is:
local_action: <module_name> <arguments>
In your example, Ansible thinks you are trying to use the git module and throws an error because you don't have the correct arguments for the git module. Here is how it should look:
local_action: shell git branch | awk '/^\*/{print $2}'
Source: http://docs.ansible.com/playbooks_delegation.html#delegation