When executing ansible playbook with command: ansible-playbook 2_installJsReport.yml
CentOS 7.6
Ansible 2.7.10
i get an error saying:
TASK [make jsreport start at system restart] >*****************************************************************************>**************************************
fatal: [localhost]: FAILED! => {"changed": true, "cmd": ["pm2", "startup"], >"delta": "0:00:00.601130", "end": "2019-04-24 12:59:33.091819", "msg": "non->zero return code", "rc": 1, "start": "2019-04-24 12:59:32.490689", "stderr": >"", "stderr_lines": [], "stdout": "[PM2] Init System found: systemd\n[PM2] To >setup the Startup Script, copy/paste the following command:\nsudo env >PATH=$PATH:/home/username/.nvm/versions/node/v8.11.3/bin >/home/username/.nvm/versions/node/v8.11.3/lib/node_modules/pm2/bin/pm2 >startup systemd -u username --hp /home/username", "stdout_lines": ["[PM2] >Init System found: systemd", "[PM2] To setup the Startup Script, copy/paste >the following command:", "sudo env >PATH=$PATH:/home/username/.nvm/versions/node/v8.11.3/bin >/home/username/.nvm/versions/node/v8.11.3/lib/node_modules/pm2/bin/pm2 >startup systemd -u username --hp /home/username"]}
Ansible script
---
- hosts: localhost
tasks:
- name: make jsreport start at system restart
command: pm2 startup
The "error" message contains instructions you are supposed to follow to configure the startup:
[PM2] Init System found: systemd
[PM2] To setup the Startup Script, copy/paste the following command:
sudo env PATH=$PATH:/home/username/.nvm/versions/node/v8.11.3/bin /home/username/.nvm/versions/node/v8.11.3/lib/node_modules/pm2/bin/pm2 startup systemd -u username --hp /home/username
If you follow those instructions, it suggests that you should replace your task with something like:
---
- hosts: localhost
tasks:
- name: make jsreport start at system restart
become: true
command: pm2 startup systemd -u username --hp /home/username
environment:
PATH: "{{ ansible_env.PATH }}"
Related
I want to perform administrative tasks with ansible in a secure environment:
On the server :
root is not activated
we connect throught ssh to a not sudoer account (public/private key, I usually use ssh-agent not to type the passphrase each and every time)
change to a user which belongs to sudo group
then we perform administrative tasks
Here is the command I execute :
ansible-playbook install_update.yaml -K
the playbook :
---
- hosts: server
tasks:
- name: install
apt:
name: python-apt
state: latest
- name: update
become: yes
become_user: admin_account
become_method: su
apt:
name: "*"
state: latest
The hosts file :
[server]
192.168.1.50 ansible_user=ssh_account
But this doesn't allow me to do the tasks: for this particular playbook, It raises this error :
fatal: [192.168.1.50]: FAILED! => {"changed": false, "msg": "'/usr/bin/apt-get upgrade --with-new-pkgs ' failed: E: Could not open lock file /var/lib/dpkg/lock-frontend - open (13: Permission denied)\nE: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), are you root?\n", "rc": 100, "stdout": "", "stdout_lines": []}
which gives the idea that there is a privilege issue...
I would be really glad if someone had an idea !!
Best regards
PS: I have added to sudoers file the nopasswd for this admin account and if I run this playbook it works :
---
- hosts: pi
tasks:
- name: install
apt:
name: python-apt
state: latest
- name: update
become: yes
become_method: su
become_user: rasp_admin
shell: bash -c "sudo apt update"
I guess that when I changed user via su command from ssh_account, I would like to specify that with the admin_accound, my commands have to be run with sudo, but I failed finding the right way to do it...any ideas ??
PS: a workarround is to download a shell file et execute it with ansible but I find it is not satisfying...any other idea ?
I get puzzled a lot of time with the following issue.
I try so launch a process (here just a silly java -version) using async feature.
I run the ansible-playbook using my user which has a remote account as sudoer in the docker host. The other account with which I'd like to start the command is toto
So I wrote this
- name: test escalation
shell: id ; echo "shell says toto"
become: true
become_user: "toto"
tags:
- escalation
vars:
ansible_ssh_pipelining: true
- name: java escalation
shell:
cmd: "/data/tools/java/jdk8u232-b09/bin/java -version &"
async: 10
# Don't wait
poll: 0
become: true
become_user: "toto"
tags:
- escalation
vars:
ansible_ssh_pipelining: true
If i run this, I have
TASK [java escalation] ************************************************************************************************************
fatal: [main]: FAILED! => {"msg": "Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user (rc: 1, err: chown: changing ownership of '/var/tmp/ansible-tmp-1587484730.23-27264-164045960304097/': Operation not permitted\nchown: changing ownership of '/var/tmp/ansible-tmp-1587484730.23-27264-164045960304097/AnsiballZ_command.py': Operation not permitted\nchown: changing ownership of '/var/tmp/ansible-tmp-1587484730.23-27264-164045960304097/async_wrapper.py': Operation not permitted\n}). For information on working around this, see https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user"}
Did anybody had the same issue ?
ansible --version
ansible 2.9.7
If I do not use the async feature (I can use any value for poll)
- name: java escalation
shell:
cmd: "/data/tools/java/jdk8u232-b09/bin/java -version &"
# async: 10
# Don't wait
poll: 0
become: true
become_user: "toto"
tags:
- escalation
vars:
ansible_ssh_pipelining: true
It works fine
TASK [ java escalation] ************************************************************************************************************
changed: [main] => {"changed": true, "cmd": "/data/tools/java/jdk8u232-b09/bin/java -version &", "delta": "0:00:00.034427", "end": "2020-04-21 15:59:46.402081", "rc": 0, "start": "2020-04-21 15:59:46.367654", "stderr": "openjdk version \"1.8.0_232\"\nOpenJDK Runtime Environment (AdoptOpenJDK)(build 1.8.0_232-b09)\nOpenJDK 64-Bit Server VM (AdoptOpenJDK)(build 25.232-b09, mixed mode)", "stderr_lines": ["openjdk version \"1.8.0_232\"", "OpenJDK Runtime Environment (AdoptOpenJDK)(build 1.8.0_232-b09)", "OpenJDK 64-Bit Server VM (AdoptOpenJDK)(build 25.232-b09, mixed mode)"], "stdout": "", "stdout_lines": []}
I want to make the command via Ansible:
curl -sL https://deb.nodesource.com/setup | sudo bash -
How can I do it via Ansible? Now I have:
- name: Add repository
command: curl -sL https://deb.nodesource.com/setup | sudo bash -
But it throw error:
[WARNING]: Consider using get_url or uri module rather than running curl
fatal: [127.0.0.1]: FAILED! => {"changed": true, "cmd": ["curl", "-sL", "https://deb.nodesource.com/setup", "|", "sudo", "bash", "-"], "delta": "0:00:00.006202", "end": "2017-12-27 15:11:55.441754", "msg": "non-zero return code", "rc": 2, "start": "2017-12-27 15:11:55.435552", "stderr": "curl: option -: is unknown\ncurl: try 'curl --help' or 'curl --manual' for more information", "stderr_lines": ["curl: option -: is unknown", "curl: try 'curl --help' or 'curl --manual' for more information"], "stdout": "", "stdout_lines": []}
You can:
- name: Add repository
shell: curl -sL https://deb.nodesource.com/setup | sudo bash -
args:
warn: no
shell to allow pipes, warn: no to suppress warning.
But if I were you, I'd use apt_key + apt_repository Ansible modules to create self explaining playbook that also support check_mode runs.
Consider using the get_url or uri module rather than running curl.
For example:
- name: Download Node.js setup script
get_url: url=https://deb.nodesource.com/setup dest=/opt mode=755
- name: Setup Node.js
command: /opt/setup
- name: Install Node.js (JavaScript run-time environment)
apt: name=nodejs state=present
If you only wants to remove the warning message, you can use shell module (https://docs.ansible.com/ansible/latest/modules/shell_module.html#examples) and add the property
args:
warn: no
Below of shell property command, but it's not a good practice ignore warnings, it's better if you consider use the get_url module (https://docs.ansible.com/ansible/latest/modules/get_url_module.html#examples), for example for a Node 10 installation in a Centos 7, you can use:
- name: Download NodeJs script
get_url:
url: https://rep.nodesource.com/setup_10.x
dest: /opt/nodesetup
mode: 0755
- name: Execute setup NodeJs script
shell: /opt/nodesetup
- name: Install NodeJs
yum:
name: nodejs
state: present
For others versions or OS, yo can change the repo "https://rep.nodesource.com/setup_10.x" for example for "https://deb.nodesource.com/setup_10.x" and the setup and install commands accord with the SO.
I'm having an issue where the Ansible service module is failing due to a sudo password issue:
fatal: [192.168.1.10]: FAILED! => {"changed": false, "failed": true, "module_stderr": "Shared connection to 192.168.1.10 closed.\r\n", "module_stdout": "sudo: a password is required\r\n", "msg": "MODULE FAILURE", "rc": 1}
to retry, use: --limit #/Volumes/HD/Users/user/Ansible/playbooks/stop-homeassistant.retry
My playbook has just one task, to stop the service. It looks like:
---
- hosts: 192.168.1.10
tasks:
- name: Stop Homeassistant
become: true
service: name=home-assistant#homeassistant state=stopped enabled=yes
Or, in the case of systemd:
systemd: state=stopped name=home-assistant#homeassistant enabled=yes
I'm running the playbook like so:
ansible-playbook -u homeassistant playbooks/stop-homeassistant.yml
However, passwordless sudo is setup for that user on that box (in /etc/sudoers.d):
homeassistant ALL=(ALL) NOPASSWD:/bin/systemctl restart home-assistant#homeassistant
homeassistant ALL=(ALL) NOPASSWD:/bin/systemctl stop home-assistant#homeassistant
If I ssh into that box as homeassistant, and I run:
sudo systemctl stop home-assistant#homeassistant
The home-assistant#homeassistant service will stop cleanly without asking for a sudo password.
Any idea why the systemctl command would run perfectly as the user on the box, but then fail in the service/systemd module?
Try configuring passwordless sudo on your target machines:
homeassistant ALL=NOPASSWD: ALL
Configuring specific commands with a NOPASSWD flag in /etc/sudoers does not work with Ansible.
Details here: https://github.com/ansible/ansible/issues/5712
Ok, please modify your playbook as below:
hosts: 192.168.1.10
remote_user: home-assistant
become: true
become_method: sudo
become_user: root
tasks:
- name: Stop Homeassistant
become: true
service: name=home-assistant#homeassistant state=stopped enabled=yes
Now,
Run as ansible-playbook <playbook-name>.
If above command fails due to password, please run as
ansible-playbook playbook.yml --user=<username> --extra-vars "ansible_sudo_pass=<yourPassword>"
I've been having some trouble with restarting the SSH daemon with Ansible.
I'm using the latest software as of May 11 2015 (Ansible 1.9.1 / Vagrant 1.7.2 / VirtualBox 4.3.26 / Host: OS X 10.10.1 / Guest: ubuntu/trusty64)
tl;dr: There appears to be something wrong with the way I'm invoking the service syntax.
Problem With Original Use Case (Handler)
Playbook
- hosts: all
- remote_user: vagrant
- tasks:
...
- name: Forbid SSH root login
sudo: yes
lineinfile: dest=/etc/ssh/sshd_config regexp="^PermitRootLogin" line="permitRootLogin no" state=present
notify:
- restart ssh
...
- handlers:
- name: restart ssh
sudo: yes
service: name=ssh state=restarted
Output
NOTIFIED: [restart ssh]
failed: [default] => {"failed": true}
FATAL: all hosts have already failed -- aborting
The nginx handler completed successfully with nearly identical syntax.
Task Also Fails
Playbook
- name: Restart SSH server
sudo: yes
service: name=ssh state=restarted
Same output as the handler use case.
Ad Hoc Command Also Fails
Shell
> ansible all -i ansible_inventory -u vagrant -k -m service -a "name=ssh state=restarted"
Inventory
127.0.0.1:8022
Output
127.0.0.1 | FAILED >> {
"failed": true,
"msg": ""
}
Shell command in box works
When I SSH in and run the usual command, everything works fine.
> vagrant ssh
> sudo service ssh restart
ssh stop/waiting
ssh start/running, process 7899
> echo $?
0
Command task also works
Output
TASK: [Restart SSH server] ****************************************************
changed: [default] => {"changed": true, "cmd": ["service", "ssh", "restart"], "delta": "0:00:00.060220", "end": "2015-05-11 07:59:25.310183", "rc": 0, "start": "2015-05-11 07:59:25.249963", "stderr": "", "stdout": "ssh stop/waiting\nssh start/running, process 8553", "warnings": ["Consider using service module rather than running service"]}
As we can see in the warning, we're supposed to use the service module, but I'm still not sure where the snag is.
As the comments above state, this is an Ansible issue that will apparently be fixed in the 2.0 release.
I just changed my handler to use the command module and moved on:
- name: restart sshd
command: service ssh restart