Ansible with a rotating sudo password - ansible

I have a system that has a rotating token based sudo password that changes every 30 seconds or so. I'm using Ansible with privilege escalation. I know I can pass in the --ask-su-pass option - but the problem I've run into is at the time of asking the password is one thing - yet it changes by the time Ansible actually attempts to sudo.
Is there a way to get prompted at the time of sudo-ing?
Ansible Script
---
- name: Install & Setup Docker
  hosts: ece
  become: true
  tasks:
    - name: Install Required Packages
      yum:
        name:
          - "yum-utils"
          - "device-mapper-persistent-data"
          - "lvm2"
        state: latest
      register: yum_result
    - debug:
        var: yum_result
        verbosity: 2
What happens when I run:
PLAY [Install & Setup Docker] **************************************************
TASK [Gathering Facts] *********************************************************
fatal: [xxxx]: FAILED! => {"changed": false, "module_stderr": "Shared connection to xxxx closed.\r\n", "module_stdout": "sudo: a password is required\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
to retry, use: --limit
So obviously I need a password for sudo. The problem is that the sudo password is a rotating password, so every 30 seconds or so it changes.
I can use the --ask-su-pass flag to enter a sudo password, but by the time I get to the first time it's used I get:
fatal: [xxxx]: FAILED! => {"msg": "Incorrect sudo password"}
because the password has changed since I entered it. I'm trying to figure out if I can get a prompt at the point where it's trying to enter the sudo password on the remote system.

Related

Ansible: systemd fails. Which sudo permissions are needed?

Ansible 2.9, Linux Ubuntu 18.
I'm getting the following error with Ansible, when trying to change the status of a service with 'systemd'.
failed: [host.domain.com] (item=service_1) => {"ansible_loop_var": "item", "changed": false, "item": "service_1", "module_stderr": "Shared connection to host.domain.com closed.\r\n", "module_stdout": "\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
- name: Stop services
  ansible.builtin.systemd:
    name: "{{ serv }}"
    state: stopped
  with_servs:
    - service_1
    - service_2
    - service_3
  become: yes
The code above works fine with an account that has full sudo access (same as root privileges).
This will fail as shown above with an account having limited sudo access (sudo access to specific commands, such as /bin/systemctl * service_1*, /bin/systemctl * service_2*, /bin/systemctl * service_3*).
Which sudo permissions are needed to run ansible.builtin.systemd? I'm trying to find out what command Ansible sends to the device to check if I gave the right permissions to the account, but no success on finding that yet (any hints?).
First, change your with_servs to loop: it's much easier to write playbooks with loop. Set become as a global var for the playbook. A workaround for this can be executing a command via the command module, but it's not recommended because in every situation it will execute this command, even when the service is stopped.

Error when I am trying to execute show version into a Cisco device

I am trying to learn Ansible but I have some problems: I did a simple playbook, my first one, but it didn't work well: I am able to connect to my device with user teste and password teste and also execute the command.
fatal: [ansible_user=teste]: FAILED! => {"changed": false, "msg": "command timeout triggered, timeout value is 10 secs.\nSee the timeout setting options in the Network Debug and Troubleshooting Guide."}
fatal: [ansible_password=teste]: FAILED! => {"changed": false, "msg": "command timeout triggered, timeout value is 10 secs.\nSee the timeout setting options in the Network Debug and Troubleshooting Guide."}
fatal: [192.168.0.103]: FAILED! => {"changed": false, "msg": "command timeout triggered, timeout value is 10 secs.\nSee the timeout setting options in the Network Debug and Troubleshooting Guide."}
This is my playbook:
---
- name: First Play
  hosts: routers
  gather_facts: False
  connection: local
  tasks:
    - name: First Task
      ios_command:
        commands: show version
      register: version
Do you have any idea of what I am doing wrong?
Well, I had to change my hosts file.
This way did not work:
[routers]
192.168.0.103
ansible_user=teste
ansible_password=teste
After checking on the internet, I tried this way and it worked fine:
[routers]
192.168.0.103
[routers:vars]
ansible_user=teste
ansible_password=teste
ansible_connection=network_cli
ansible_network_os=ios
The issue was resolved after adding the username and password in the hosts file.
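The error lines above name "ansible_user=teste" and "ansible_password=teste" as hosts, which is exactly how Ansible's INI inventory reads the first file: inside a [group] section every non-blank line is a host (with optional key=value host vars after the hostname on the same line), and only a [group:vars] section assigns variables to the group. The following added example, not Ansible's own parser, models that rule on constructed copies of both inventories and also flags credentials stored in the clear, which both files do; the "ungrouped" default group name and the password-key heuristic are this model's own choices.

```python
# Added example: a small model of how Ansible's INI inventory parses groups,
# hosts and variables, plus a check for plaintext credential variables.
import re


def parse_ini_inventory(text):
    """Return {group: {"hosts": {host: {var: value}}, "vars": {var: value}}}."""
    groups = {}
    section = ("ungrouped", "hosts")  # hosts before any [section] land here

    def ensure(group):
        return groups.setdefault(group, {"hosts": {}, "vars": {}})

    ensure(section[0])
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[([^\]:]+)(?::(vars|children))?\]", line)
        if m:
            section = (m.group(1), m.group(2) or "hosts")
            ensure(section[0])
            continue
        group, kind = section
        if kind == "vars":
            key, _, value = line.partition("=")
            ensure(group)["vars"][key.strip()] = value.strip()
        elif kind == "children":
            ensure(line)  # child group; membership is not modelled here
        else:
            # A host line: first token is the host name, the rest are host vars.
            tokens = line.split()
            host, inline = tokens[0], tokens[1:]
            hostvars = dict(t.split("=", 1) for t in inline if "=" in t)
            ensure(group)["hosts"][host] = hostvars
    return groups


def hosts_in(text, group):
    """Sorted host names Ansible would target for `group`."""
    return sorted(parse_ini_inventory(text)[group]["hosts"])


def plaintext_credentials(text):
    """Flag variables whose key contains 'password' and whose value is a bare
    literal rather than a Jinja2 expression (vault or lookup reference)."""
    findings = []
    for group, data in parse_ini_inventory(text).items():
        scopes = [(f"{group}:vars", data["vars"])]
        scopes += [(f"{group}/{h}", hv) for h, hv in data["hosts"].items()]
        for where, variables in scopes:
            for key, value in variables.items():
                if "password" in key.lower() and not value.startswith("{{"):
                    findings.append(f"{where} {key}")
    return findings


# Constructed copies of the two inventories from the question.
BROKEN_INVENTORY = """\
[routers]
192.168.0.103
ansible_user=teste
ansible_password=teste
"""

WORKING_INVENTORY = """\
[routers]
192.168.0.103
[routers:vars]
ansible_user=teste
ansible_password=teste
ansible_connection=network_cli
ansible_network_os=ios
"""

if __name__ == "__main__":
    print("broken hosts: ", hosts_in(BROKEN_INVENTORY, "routers"))
    print("working hosts:", hosts_in(WORKING_INVENTORY, "routers"))
    print("group vars:   ", parse_ini_inventory(WORKING_INVENTORY)["routers"]["vars"])
    print("plaintext:    ", plaintext_credentials(WORKING_INVENTORY))
```

The broken file yields three "hosts", two of which are the variable assignments, which is why each one timed out separately; the working file yields one host with four group vars. The same parser shows that the fix still leaves ansible_password in the clear in the inventory, where an ansible-vault value or a lookup expression would be the usual replacement.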

Run playbook against Openstack with Ansible Tower

I am trying to run a simple playbook against Openstack in admin tenant using Ansible Tower, both running on localhost. Here is the script:
--- #
- hosts: localhost
  gather_facts: no
  connection: local
  tasks:
    - name: Security Group
      os_security_group:
        state: present
        name: example
I have done the following configuration (screenshots of the Credentials, Template and Inventory test pages are not included here):
With this configuration, I am getting this error:
TASK [Security Group] **********************************************************
13:35:48
fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
Any idea what it can be? It looks like a credential problem.
Untick Enable Privilege Escalation - it's not necessary. Your OpenStack privilege/authorisation will be tied to your OpenStack credentials (admin in this case), not the user running the Ansible task.

ansible win_user, create is fine, but replaying playbook fails

I am able to create a user on a windows server as part of a playbook, but when the playbook is re-run, the create task fails.
I'm trying to work out if I am missing something.
playbook:
---
# vim: set filetype=ansible ff=unix ts=2 sw=2 ai expandtab :
#
# Playbook to configure the environment
- hosts: createuser
  tasks:
    - name: create user
      run_once: true
      win_user:
        name: gary
        password: 'B0bP4ssw0rd123!^'
        password_never_expires: true
        account_disabled: no
        account_locked: no
        password_expired: no
        state: present
        groups:
          - Administrators
          - Users
If I run the playbook when the user does not exist, the create works fine.
When I re-run, I get:
PLAY [createuser] *******************************************************************************************************************************************************************************************************************
TASK [Gathering Facts] **************************************************************************************************************************************************************************************************************
ok: [dsy-demo-mssql02]
TASK [create user] ******************************************************************************************************************************************************************************************************************
fatal: [dsy-demo-mssql02]: FAILED! => {"changed": false, "failed": true, "msg": "Exception calling \"ValidateCredentials\" with \"2\" argument(s): \"The network path was not found.\r\n\""}
I have verified that I can logon to the server using the created user credentials.
Anyone seen this before, or understand what can be happening?
It looks to me like it might be the run_once: true; it is only telling the task to run once. For the Ansible documentation on that delegation you can go here: https://docs.ansible.com/ansible/playbooks_delegation.html#run-once

How can a user with SSH keys authentication have sudo powers in Ansible? [duplicate]

This question already has answers here: Missing sudo password in Ansible (14 answers); Ansible: sudo without password (3 answers). Closed 4 years ago.
I create a VM in the Azure cloud with the following Ansible script:
---
- name: azure playbook
  hosts: localhost
  vars_files: ['vars.yaml']
  tasks:
    - name: Create VM with defaults
      azure_rm_virtualmachine:
        resource_group: "{{account_prefix}}_rg"
        vm_size: Standard_D1
        name: "{{account_prefix}}-vm1"
        storage_account_name: "{{account_prefix}}store1"
        network_interface_names: "{{account_prefix}}vm1eth0"
        ssh_password_enabled: false
        admin_username: owen
        ssh_public_keys:
          - { path: /home/owen/.ssh/authorized_keys,
              key_data: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDH0q4pmdkJcc/JPVJui5uWMV12GsJAsDCosfUSSFZfTIx92bb9FC3hx1zU7tD1+Zw3aQW13m6ZS2T ... YnvieSbdD3v}
        image:
          offer: CentOS
          publisher: OpenLogic
          sku: '7.2'
          version: latest
but when running a further script to add another user:
---
- name: create user
  hosts: my-vm1.westeurope.cloudapp.azure.com
  # vars_files: ['vars.yaml']
  remote_user: owen
  tasks:
    - name: Create User
      user:
        name: andrea
        password: $6$rounds=656000$1AspdTb0lfOSc5yM$bAkPgHkuHwap/j6f0P88WxOdjxq3MCRO7/qgufYB.s/4t4k99wwtu/.../
        group: users
        shell: /bin/bash
      become: true
I get a "sudo: a password is required" error:
PLAY [create user] *************************************************************
TASK [setup] *******************************************************************
fatal: [my-vm1.westeurope.cloudapp.azure.com]: FAILED! => {"changed": false, "failed": true, "module_stderr": "", "module_stdout": "sudo: a password is required\r\n", "msg": "MODULE FAILURE", "parsed": false}
NO MORE HOSTS LEFT *************************************************************
to retry, use: --limit #8-add-admin-user-to-vm-with-userpswd-already.retry
My inventory looks like this:
my-vm1.westeurope.cloudapp.azure.com ansible_ssh_private_key_file=/home/myuser/.ssh/id_rsa ansible_user=owen ansible_become=true
So how can the user have sudo privileges and so use ansible 'become' and the like?
Note that the same result happens when ansible_user and ansible_become are omitted from the inventory file.
EDIT: If I ssh on to the vm as owen (from the box with the ssh private key, that created the vm) then I am able to run sudo visudo -f /etc/sudoers and access that file. So does owen have sudo privileges or not? I'm getting confused now!! Am I misunderstanding the error from the ansible add user script?
EDIT2: I think this question is invalid - as the user does have sudo privileges added manually through the portal. I'm still not sure what's going on but I don't think this question is coherent - or really represents the actual problem I'm trying to solve.
You can either change the sudo config for the user owen with this command:
sudo visudo -f /etc/sudoers
and change the line with user owen to this:
owen ALL=(ALL) NOPASSWD:ALL
then sudo won't require Ansible to enter the password. Or you could instruct Ansible to ask you for the password with the parameter --ask-become-pass like this:
ansible-playbook site.yml --ask-become-pass
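The "sudo: a password is required" message in this question and in the rotating-password question at the top, and the failure of the limited /bin/systemctl * service_1* entries in the systemd question, both come down to how sudo evaluates a sudoers entry against the command Ansible actually runs. The added example below is a simplified model of that evaluation, not sudo's parser or Ansible's become plugin: it handles only the USER HOST=(RUNAS) [NOPASSWD:] cmd, cmd form (no aliases, Defaults, %group entries or host matching beyond ALL). Two things it encodes are facts about the real tools: Ansible runs modules under sudo as a /bin/sh -c wrapper that launches the module's generated AnsiballZ Python file (the temporary path and BECOME-SUCCESS token below are placeholders; ansible-playbook -vvv prints the real line), and it passes sudo -n when no become password was supplied, which turns a rule that would normally prompt into the "a password is required" failure. The user name deploy and the rule text are constructed for the example; the owen rule is the one from the answer above.

```python
# Added example: a simplified model of sudoers rule matching, used to show why
# command-specific rules do not cover Ansible's module wrapper and why `sudo -n`
# produces "sudo: a password is required".
import fnmatch
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Rule:
    user: str
    runas: str            # target user inside (...); "ALL" means any
    nopasswd: bool
    commands: List[str]   # command specs; "ALL" means any command


def parse_rule(line: str) -> Rule:
    """Parse `USER HOST=(RUNAS) [NOPASSWD:|PASSWD:] cmd1, cmd2` (model only)."""
    user, rest = line.split(None, 1)
    _host, spec = rest.split("=", 1)      # host part is not evaluated here
    spec = spec.strip()
    runas = "ALL"
    if spec.startswith("("):
        runas, spec = spec[1:].split(")", 1)
        runas = runas.split(":")[0].strip()   # ignore a group part, e.g. (root:root)
        spec = spec.strip()
    nopasswd = False
    for tag in ("NOPASSWD:", "PASSWD:"):
        if spec.startswith(tag):
            nopasswd = tag == "NOPASSWD:"
            spec = spec[len(tag):].strip()
    return Rule(user, runas, nopasswd, [c.strip() for c in spec.split(",")])


def command_matches(spec: str, argv: List[str]) -> bool:
    """sudoers semantics: the path is a glob; a bare path permits any arguments;
    otherwise the argument pattern is globbed against the space-joined args."""
    if spec == "ALL":
        return True
    parts = spec.split(None, 1)
    if not fnmatch.fnmatchcase(argv[0], parts[0]):
        return False
    if len(parts) == 1:
        return True
    return fnmatch.fnmatchcase(" ".join(argv[1:]), parts[1])


def evaluate(rules: List[Rule], user: str, runas: str, argv: List[str],
             non_interactive: bool) -> Tuple[bool, str]:
    """Return (permitted, message). non_interactive models `sudo -n`, which
    Ansible uses when no become password is supplied."""
    match = None
    for rule in rules:                        # later entries override earlier ones
        if (rule.user in (user, "ALL") and rule.runas in (runas, "ALL")
                and any(command_matches(c, argv) for c in rule.commands)):
            match = rule
    password_required = match is None or not match.nopasswd
    if password_required and non_interactive:
        # sudo authenticates before it reports the authorization result
        return False, "sudo: a password is required"
    if match is None:
        cmd = " ".join(argv)
        return False, f"Sorry, user {user} is not allowed to execute '{cmd}' as {runas}."
    return True, ("ok (password prompted)" if password_required else "ok")


# Constructed entries: a limited account in the style of the systemd question
# and the NOPASSWD entry from the answer above.
LIMITED = [parse_rule("deploy ALL=(root) /bin/systemctl * service_1*, /bin/systemctl * service_2*")]
UNRESTRICTED = [parse_rule("owen ALL=(ALL) NOPASSWD:ALL")]

# What a person types versus the shape of what Ansible executes under sudo
# (placeholder path and token; the real ones differ on every run).
DIRECT = ["/bin/systemctl", "stop", "service_1"]
MODULE_RUN = ["/bin/sh", "-c",
              "echo BECOME-SUCCESS-xxxx; /usr/bin/python3 "
              "/home/deploy/.ansible/tmp/ansible-tmp-xxxx/AnsiballZ_systemd.py"]

if __name__ == "__main__":
    print("limited, direct, prompt allowed:", evaluate(LIMITED, "deploy", "root", DIRECT, False))
    print("limited, direct, sudo -n:       ", evaluate(LIMITED, "deploy", "root", DIRECT, True))
    print("limited, ansible wrapper:       ", evaluate(LIMITED, "deploy", "root", MODULE_RUN, False))
    print("NOPASSWD:ALL, ansible wrapper:  ", evaluate(UNRESTRICTED, "owen", "root", MODULE_RUN, True))
```

The model makes the two outcomes on this page visible side by side: the limited rule accepts an interactive systemctl call but never the wrapper Ansible sends, so restricting a deployment account to systemctl patterns cannot make ansible.builtin.systemd work, while NOPASSWD:ALL accepts everything without a prompt. Between those extremes, supplying the become password (--ask-become-pass, or ansible_become_password from a vault) removes the -n and lets a rule without NOPASSWD succeed, at the cost of the rotating-password timing problem described in the first question.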
