Develop Reference

Using become in ansible locally

I am trying to understand --become in order to use ansible to do some local task on my centos. I tried several ansible modules (copy, unarchive) with become that each result with diffetent kind of errors.
Platform used: centos 7
Ansible (installed in a python 3 virtual env) version:
(ansible) [maadam#linux update_centos]$ ansible --version
ansible 2.10.16
config file = None
configured module search path = ['/home/maadam/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/maadam/Sources/python/venv/ansible/lib64/python3.6/site-packages/ansible
executable location = /home/maadam/Sources/python/venv/ansible/bin/ansible
python version = 3.6.8 (default, Nov 16 2020, 16:55:22) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]
I tried to reproduice the example provided by #techraf in this issue to test become: Using --become for ansible_connection=local.
I used the same playbook:
---
- hosts: localhost
gather_facts: no
connection: local
tasks:
- command: whoami
register: whoami
- debug:
var: whoami.stdout
So I hope the same result as this:
(ansible) [maadam#linux update_centos]$ sudo whoami
root
Whithout become:
ansible) [maadam#linux update_centos]$ ansible-playbook playbook.yml
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost
does not match 'all'
PLAY [localhost] ***************************************************************************************
TASK [command] *****************************************************************************************
changed: [localhost]
TASK [debug] *******************************************************************************************
ok: [localhost] => {
"whoami.stdout": "maadam"
}
PLAY RECAP *********************************************************************************************
localhost : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
With become I have this error:
(ansible) [maadam#linux update_centos]$ ansible-playbook playbook.yml --become
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost
does not match 'all'
PLAY [localhost] ***************************************************************************************
TASK [command] *****************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "/var/tmp/sclPip796: line 8: -H: command not found\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 127}
PLAY RECAP *********************************************************************************************
localhost : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
So I don't understand what I am missing with become.
Thanks for your helps

in ansible.cfg file check for the become_method. you can use "sudo su -".

I don't know if I handle this correctly but if I run my playbook as root, I have no error:
(ansible) [maadam#linux update_centos]$ sudo ansible-playbook playbook.yml
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
PLAY [localhost] **************************************************************************************************************************************************************************************************
TASK [command] ****************************************************************************************************************************************************************************************************
changed: [localhost]
TASK [debug] ******************************************************************************************************************************************************************************************************
ok: [localhost] => {
"whoami.stdout": "root"
}
PLAY RECAP ********************************************************************************************************************************************************************************************************
localhost : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Not sure it is the right way to doing things in local with ansible. Sure if you are already root, no need for privilege escalation.

OSError: [Errno 1] Operation not permitted in ansible

From my CentOS(Ansible controller host) trying to run below playbook.
Ansible version:-
$ ansible --version
ansible 2.9.21
config file = /etc/ansible/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.6/site-packages/ansible
executable location = /usr/bin/ansible
python version = 3.6.8 (default, Aug 24 2020, 17:57:11) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
---
- hosts: pro-server
become: yes
remote_user: root
tasks:
- name: Set authorized key taken from file
ansible.posix.authorized_key:
user: root
state: present
key: "{{ lookup('file', '/root/.ssh/id_rsa.pub') }}"
It fails with below error.
$ ansible-playbook -i hosts add-ssh-key.yml
PLAY [pro-server] ****************************************************************************************************************************************
TASK [Gathering Facts] ****************************************************************************************************************************************
ok: [50.51.52.24]
TASK [Set authorized key taken from file] ********************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: OSError: [Errno 1] Operation not permitted
fatal: [50.51.52.24]: FAILED! => {"changed": false, "msg": "Unable to make /tmp/tmp73HusP into to /root/.ssh/authorized_keys, failed final rename from /root/.ssh/.ansible_tmpy4MPxlauthorized_keys: [Errno 1] Operation not permitted"}
PLAY RECAP ****************************************************************************************************************************************************
50.51.52.24 : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
added the following to /etc/ansible/ansible.cfg. However still same problem persists.
allow_world_readable_tmpfiles = True
Any pointer to solve this problem will be helpful. Thank you.

As discussed in the comments, the problem is an 'a' attribute set on the authorized_keys file.
From man chattr:
A file with the 'a' attribute set can only be open in append mode for writing. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
This can be fixed using the file module:
- name: make sure the 'a' attribute is removed from the authorized_keys-file
file:
path: '/root/.ssh/authorized_keys'
attributes: '-a'

How do I confirm the reason why the ansible task does not in running list

When I execute the playbook, only one task will be displayed
playbook: test.yaml
play #1 (lab): lab TAGS: []
tasks:
Install pip TAGS: []
And when I execute the playbook, it is indeed normal
PLAY [lab] *****************************************************************************************************************************
TASK [Gathering Facts] *****************************************************************************************************************
ok: [my_ipaddress]
TASK [Install pip] *********************************************************************************************************************
ok: [my_ipaddress]
PLAY RECAP *****************************************************************************************************************************
my_ipaddress : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
and in /var/log/ansible.log also look normal as same as Execution output
So the question is, do I have to do less settings? Why is there a task that is not in the execution list, or there are other debug outputs that can display more detailed output information?
here is my ansible configuration
OS version:Ubuntu 18.04.5 LTS
ansible version:
ansible 2.9.12
config file = /etc/ansible/ansible.cfg
configured module search path = ['/home/primula/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/primula/.local/lib/python3.6/site-packages/ansible
executable location = /home/primula/.local/bin/ansible
python version = 3.6.9 (default, Jul 17 2020, 12:50:27) [GCC 8.4.0]
my playbook:
---
- hosts: lab
roles:
- { role: apache2, become: yes }
- { role: pip, become: yes }
apache2 role configuration
path:/etc/ansible/roles/apache2/tasks/maim.yaml
---
- name: Install apache2
apt:
name: apache2
update_cache: yes
pip role configuration
path:/etc/ansible/roles/pip/tasks/main.yaml
---
- name: Install pip
apt:
name: python-pip
update_cache: yes
here is my ansible invotory & ansible.cfg
invotory
[lab]
<ipaddress> ansible_ssh_user=<user_name> ansible_ssh_pass='<ssh_pass>' ansible_become_user=<root_user> ansible_become=true ansible_become_pass='<root_pass>'
ansible.cfg
[defaults]
private_key_file = /root/.ssh/id_rsa
roles_path = /etc/ansible/roles
inventory = /etc/ansible/hosts
timeout = 10
log_path = /var/log/ansible.log
deprecation_warnings = False
strategy = debug
any_errors_fatal = True

The task that is not on your execution list when using ansible-playbook --list-tasks your_playbook.yml is the one related to fact gathering done by the setup module
It is an implicit automatic task that is turned on by default for all hosts in your play. If implicit, it is not reported by the above command.
You can control fact gathering at play level with the gather_facts play keyword, e.g.
---
- name: Some play without facts gathering
hosts: my_group
gather_facts: false
tasks:
- name: dummy demo task
debug:
msg: I am dummy task
Regarding your question about a more detailed output, you can turn on ansible(-playbook) verbose mode with the -v(vv) switch (the more vs, the more details).

Ansible Tower fetching file job returns OK but no file present at local machine

I have a lab that consists of an Ansible Tower system and Ubuntu Desktop client. I've successfuly created and executed some playbooks to update and install packages and everythig was OK. Now i want to fetch /var/log/syslog from remote Ubuntu desktop to my Ansible Tower system. My playbook is:
---
- hosts: Ubuntu_18.04_Desktops
tasks:
- name: Get /var/log/syslog
fetch:
src: /var/log/syslog
dest: /tmp
Running this playbook shows the result:
PLAY [Ubuntu_18.04_Desktops] ***************************************************
TASK [Gathering Facts] *********************************************************
ok: [192.168.1.165]
TASK [Get /var/log/syslog] *****************************************************
changed: [192.168.1.165]
PLAY RECAP *********************************************************************
192.168.1.165 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
But no file is present at /tmp directory of Tower server.
I've tried to use 'flat' directive and to save file to my home's folder, but no success.

I found the problem - Ansible Tower (AWX in my case) stores fetched files in ansible/awx_task container's filesystem.

Ansible Tower's Job Isolation system hides certain paths from you and redirects them to a safe location.
If you do want to use the system's /tmp, you can open Tower Settings -> Jobs -> add /tmp to paths to expose to isolated jobs.
Note that if you need the security to not expose /tmp to all Tower jobs, you should not do this.

Two different version of ansible gives two different outputs for same ansible playbook

- hosts: Ebonding
become: yes
become_method: sudo
tasks
- name: Clearing cache of Server4
file: path=/weblogic/bea/user_projects/domains/tmp state=absent
become: yes
become_user: wls10
Ansible version 2.0.0.0 run the above playbook successfully::
PLAY ***************************************************************************
TASK [setup] *******************************************************************
ok: [ggnqinfa2]
TASK [Clearing cache of Server4] ***********************************************
ok: [ggnqinfa2]
PLAY RECAP *********************************************************************
ggnqinfa2 : ok=2 changed=0 unreachable=0 failed=0
But latest version of ansible 2.5.0rc2 encountered below error::
PLAY [Ebonding] *****************************************************************************************************************************************************
TASK [Gathering Facts] **********************************************************************************************************************************************
ok: [ggnqinfa2]
TASK [Clearing cache of Server4] ************************************************************************************************************************************
fatal: [ggnqinfa2]: FAILED! => {"msg": "Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user (rc: 2, err: chown: /var/tmp/ansible-tmp-1520704924.34-191458796685785/: Not owner\nchown: /var/tmp/ansible-tmp-1520704924.34-191458796685785/file.py: Not owner\n}). For information on working around this, see https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user"}
PLAY RECAP **********************************************************************************************************************************************************
ggnqinfa2 : ok=1 changed=0 unreachable=0 failed=1
How can i run this playbook by latest version of ansible successfully?

Chances are the user you're using (wls10) does not have write access to the remote temporary directory /var/tmp.
This can be overridden using ansible.cfg and set via remote_tmp to a directory you have write-access to -- or, a "normal temp directory" (like /tmp) that has the sticky bit set.
For more info, see
http://docs.ansible.com/ansible/latest/intro_configuration.html#remote-tmp