Ansible : Must install the sshpass program - ansible

Ansible command:
ansible all -m module-name -o -e "ansible_user=username ansible_password=password"
Giving following error :
host-ip | FAILED! => {"msg": "to use the 'ssh' connection type with passwords, you must install the sshpass program"}

Install sshpass:
apt-get update
apt-get- install sshpass
if not This error can solved by exporting environment variable.
export ANSIBLE_HOST_KEY_CHECKING=False
If not try to create a file ansible.cfg in your current folder with the following contents:
[defaults]
host_key_checking = false

Related

How to fix "Unreachable" when ping windows with ansible over ssh?

I'm trying to use Ansible with ssh for interact with Windows machines
i have successfully install OpenSSH on a Windows machine that mean i can connect from linux to windows with:
ssh username#ipAdresse
i've tried using a lot of version of ansible (2.6, 2.7.12, 2.7.14, 2.8.5 and 2.8.6) and i always test if i can ping an other Linux machine with this line(it work):
ansible linux -m ping
There is my hosts file
[windows]
192.***.***.***
[linux]
192.***.***.***
[all:vars]
ansible_connection=ssh
ansible_user=root
[windows:vars]
ansible_ssh_pass=*******
remote_tmp=C:\Users\root\AppData\Local\Temp\
become_method=runas
there is the error with verbose:
[root#oel76-template ~]# ansible windows -m win_ping -vvv
ansible 2.8.6
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /usr/bin/ansible
python version = 2.7.5 (default, Aug 7 2019, 08:19:52) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39.0.1)]
Using /etc/ansible/ansible.cfg as config file
host_list declined parsing /etc/ansible/hosts as it did not pass it's verify_file() method
script declined parsing /etc/ansible/hosts as it did not pass it's verify_file() method
auto declined parsing /etc/ansible/hosts as it did not pass it's verify_file() method
Parsed /etc/ansible/hosts inventory source with ini plugin
META: ran handlers
<192.***.***.***> ESTABLISH SSH CONNECTION FOR USER: root
<192.***.***.***> SSH: EXEC sshpass -d8 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'User="root"' -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/91df1ca379 192.168.46.99 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo C:/Users/root/AppData/Local/Temp/ansible-tmp-1571839448.66-279092717123794 `" && echo ansible-tmp-1571839448.66-279092717123794="` echo C:/Users/root/AppData/Local/Temp/ansible-tmp-1571839448.66-279092717123794 `" ) && sleep 0'"'"''
<192.***.***.***> (1, '', 'The system cannot find the path specified.\r\n')
<192.***.***.***> Failed to connect to the host via ssh: The system cannot find the path specified.
192.***.***.*** | UNREACHABLE! => {
"changed": false,
"msg": "Authentication or permission failure. In some cases, you may have been able to authenticate and did not have permissions on the target directory. Consider changing the remote tmp path in ansible.cfg to a path rooted in \"/tmp\". Failed command was: ( umask 77 && mkdir -p \"` echo C:/Users/root/AppData/Local/Temp/ansible-tmp-1571839448.66-279092717123794 `\" && echo ansible-tmp-1571839448.66-279092717123794=\"` echo C:/Users/root/AppData/Local/Temp/ansible-tmp-1571839448.66-279092717123794 `\" ), exited with result 1",
"unreachable": true
}
I don't know what i'm doing wrong, i also try to change the remote_tmp in ansible.cfg but nothing more.
Actual value for remote_tmp=C:/Users/root/AppData/Local/Temp
Any idea ?
To use SSH as the connection to a Windows host (starting from Ansible 2.8), set the following variables in the inventory:
ansible_connection=ssh
ansible_shell_type=cmd/powershell (Set either cmd or powershell not both)
Finally, the inventory file:
[windows]
192.***.***.***
[all:vars]
ansible_connection=ssh
ansible_user=root
[windows:vars]
ansible_password='*******'
ansible_shell_type=cmd
Note for the variable ansible_password. Use single quotation for password with special characters.
Ok solved, the problem was
ansible_ssh_pass=*****
the correct syntax is
ansible_password=*****

Ansible sudo command without password checking

I would like to use ansible in a full automated context, where I cannot manually type passwords. To deal with this, I connect the servers with SSH public key, and I whitelisted severals commands such as apt-get install * in my sudoers configuration so I do not need a password to run them. For instance sudo apt-get install git.
However if the setting become is True in a playbook, ansible asks me for a password it does not need.
How can I tell ansible to run a command as sudo, without asking me a password?
Do you know another way to install apt packages without password?
Should I use another become method?
sudoers conf
myuser ALL = NOPASSWD: /usr/bin/apt-get install *
ansible
- name: install the latest version of ntpdate
package:
name: ntpdate
state: latest
become: True
Produces this output:
failed: [x.x.x.x] (item=ntpdate) => {"failed": true, "item": "python3-dev", "module_stderr": "", "module_stdout": "sudo: a password is required\r\n", "msg": "MODULE FAILURE", "rc": 1}
The simple answer is that you cannot do it without enabling all commands (or at least python).
Ansible does not run the commands as you expect it to run. It runs Python scripts. You can see the exact command when you execute ansible-playbook with -vvv. They are much more complex and to enable them you would have to add them to sudoers, for example:
sudo -H -S -n -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-xxxxxx;
/usr/bin/python /var/www/.ansible/tmp/ansible-tmp-xxxxxxxx/apt.py;
rm -rf "/var/www/.ansible/tmp/ansible-tmp-xxxxxxxx/" > /dev/null 2>&1'"'"'
&& sleep 0
The tricky part is that all spaces, quotes, and other special characters are relevant and until you get the correct command pattern by trial and error, replacing characters with wildcards, the system will not allow the command to run with elevated privileges. Effectively you won't be able to whitelist all the commands Ansible runs.
The only exception is raw module which runs the given command intact.
In all the Ansible playbooks I have worked on, I had to do only 2 things so that tasks run with become:True
Create file /etc/sudoers.d/demo on the target hosts with below content:
demo ALL=(ALL) NOPASSWD:ALL
Copy ssh id from Ansible host to target host using ssh-copy-id
template/without_sudo
%sudo ALL=(ALL) NOPASSWD: ALL
%sudo ALL=(ALL) NOPASSWD: /sbin/poweroff, /sbin/reboot, /sbin/shutdown
tasks/main.yml
- name: Sudoers no password
raw: echo '{{ user_password }}' | sudo -S sh -c 'echo "{{ lookup('file', 'templates/without_sudo') }}" > /etc/sudoers.d/without_sudo'
no sudo for the rest of the ansible command
You can use the ansible 'command' module with sudo as part of the command, instead of 'become: yes'
- name: install the latest version of ntpdate
command: 'sudo apt-get update ntpdate'
The downside is that this is much less portable. The upside is, it works... and you only need to whitelist the specific command.
in my opinion, if you set your node with =(ALL) NOPASSWD:ALL. then anybody: including the hackers can access your nodes.
so what I can suggest ,
ansible-playbook <name>.yml --ask-sudo-pass
this will ask your node sudo password. and u can execute ur operation, as I guess you know ur node's credential.

How to include host variables inside raw adhoc commands (to be run on the guest)?

For example, if the following variable is defined on the Ansible host:
export TEST=new_dir
How can that variable be added to an adhoc -m raw command:
ansible -m raw -a 'mkdir /home/user/$TEST'
Such that Ansible host command runs mkdir /home/user/new_dir on the guest machine?
How can this be achieved?
With help of env lookup:
ansible -m raw -a 'mkdir /home/user/{{ lookup("env","TEST") }}'

ansible sudo: sorry, you must have a tty to run sudo

I need to run playbooks on Vagrant boxes and on aws when I setup environment with cloud formation.
In Vagrant file I use ansible-local and everything works fine
name: Setup Unified Catalog Webserver
hosts: 127.0.0.1
connection: local
become: yes
become_user: root
roles: generic
However when I create instance in AWS the ansible playbook fails with error:
sudo: sorry, you must have a tty to run sudo
This happen because it is run as root and it doesnt have tty. But I dont know how to fix it without making change in /etc/sudoers to allow !requiretty
Is there any flags I can setup in ansible.cfg or in my Cloud Formation template?
"#!/bin/bash\n", "\n", "
echo 'Installing Git'\n","
yum --nogpgcheck -y install git ansible htop nano wget\n",
"wget https://s3.eu-central-1.amazonaws.com/XXX -O /root/.ssh/id_rsa\n",
"chmod 600 /root/.ssh/id_rsa\n",
"ssh-keyscan 172.31.7.235 >> /root/.ssh/known_hosts\n",
"git clone git#172.31.7.235:something/repo.git /root/repo\n",
"ansible-playbook /root/env/ansible/test.yml\n
I was able to fix this by setting the transport = paramiko configuration in ansible.cfg.
I have found the following solutions for myself:
1. Change requiretty in /etc/sudoers with sed run playbooks and change it back.
"#!/bin/bash\n", "\n", "
echo 'Installing Git'\n","
yum --nogpgcheck -y install git ansible htop nano wget\n",
"wget https://s3.eu-central-1.amazonaws.com/xx/ansible -O /root/.ssh/id_rsa\n",
"chmod 600 /root/.ssh/id_rsa\n",
"ssh-keyscan 172.31.9.231 >> /root/.ssh/known_hosts\n",
"git clone git#172.31.5.254:somerepo/dev.git /root/dev\n",
"sed -i 's/Defaults requiretty/Defaults !requiretty/g' /etc/sudoers\n",
"\n",
"ansible-playbook /root/dev/env/ansible/uk.yml\n",
"\n",
"sed -i 's/Defaults !requiretty/Defaults requiretty/g' /etc/sudoers\n"
OR
2. In ansible playbook specify variable:
- name: Setup
hosts: 127.0.0.1
connection: local
sudo: {{ require_sudo }}
roles:
- generic
Run in AWS Cloud Formation template would be
"ansible-playbook -e require_sudo=False /root/dev/env/ansible/uk.yml\n"
And for Vagrant in ansible.cfg it can be specified
require_sudo=True
Also in CF template may identify who is running and the pass variable
ansible-playbook -e$(id -u |egrep '^0$' > /dev/null && require_sudo=False || require_sudo=True; echo "require_sudo=$require_sudo") /apps/ansible/uk.yml
If you need to specific connection: paramiko within just one playbook versus a global configuration in ansible.cfg, you can add connection: paramiko following in the playbook, example:
- name: Run checks after deployments
hosts: all
# https://github.com/paramiko/paramiko/issues/1369
connection: paramiko
gather_facts: True

Can I use sudo in Ansible with connection "local"?

I give up, just can't understand how to use Ansible with "connection: local" + "sudo: yes".
I have something like:
ansible-playbook ansible/desktop.yml
- hosts: localhost
connection: local
...
tasks:
- apt_repository: repo='ppa:alexey-smirnov/deadbeef'
sudo: yes
I've also tried sudo_user: ... param, sudo before the command, ansible-playbook --sudo and --ask-sudo-pass
Currently:
failed: [localhost] => {"failed": true}
msg: [Errno 13] Permission denied
How should it be executed?
ansible --version
ansible 1.7.2
Try
ansible-playbook -i <inventory> ansible/desktop.yml -u <local user who can sudo with password> --ask-sudo-pass
This will make ansible use the remote user you mentioned in -u. And when it uses that user to sudo, it will ask you for sudo password.
Here's another method (also works with ansible become: syntax):
sudo su -c "ansible-playbook <your playbook name and options>"

Resources