Develop Reference

ansible: how to become a passwordless user

I'm trying to achieve the following with ansible
create a user without a password
adduser test <-- ok and works on linux machine and works with ansible
change to user test
su test <-- works on linux machine, but fails with ansible. I get
incorrect password message
copy a file from location1 to location2 as a test user and change a file content.
cp loc1/testfile.txt loc2/testfile.txt && echo "hello" > testfile.txt
---
- name: This is a hello-world example
hosts: all
tasks:
- name: create a passwordless test user
action: user name=test state=present
become: yes
become_user: root
- name: Create a file called '/tmp/testfile.txt' with the content 'hello' using test user.
copy:
content: hello
dest: /tmp/testfile.txt
owner: test
group: test
become_user: test
primary conditions:
at a moment of execution the file testfile.txt is already created on linux machine and has a group root and user root. I want to override the file and assign different user and group.
I've tried various combination, including
copy:
content: hello
dest: /tmp/testfile.txt
owner: test
group: test
become: yes
become_user: test
copy:
content: hello
dest: /tmp/testfile.txt
owner: test
group: test
become: yes
become_user: test
become_method: su
copy:
content: hello
dest: /tmp/testfile.txt
owner: test
group: test
become: yes
copy:
content: hello
dest: /tmp/testfile.txt
owner: test
group: test
become_user: test
become_method: su
always getting a message about the password being incorrect. The awkward moment is that test user has no password
What am I doing wrong?
Updates:
Tried this
How to achieve sudo su - <user> and run all command in ansible <-- does not work
Found an answer - it is not possible
https://devops.stackexchange.com/questions/3588/how-do-you-simulate-sudo-su-user-in-ansible
What is the point?
to cite from Quora (source: https://www.quora.com/What-is-advantage-of-creating-passwordless-user-in-Linux)
I presume you mean processes such as a webserver, running as the
"apache" user with a locked password (shadow entry of '!!').
This is for security, in case a vulnerability is discovered in the
server code. Prior to the year 2000 or so, it was common for servers
to run as the root user, particularly as this privilege is required to
open network sockets on privileged ports (below 1024), such as 53
(DNS) or 80 (HTTP). As I recall, high-profile breaches of the bind and
sendmail servers caused developers to re-think this strategy. Since
then, services are started with root privilege, the socket opened, and
then privilege is dropped to a non-privileged user ID such as "apache"
or "named". This needs no password, since it is never intended that
anyone login. Rather, a process running as root executes a setuid()
system call to change effective user ID to this user. In the event of
a security breach, an attacker will be limited to the access lists of
this user; for instance, a vulnerable CGI script on a webserver would
be able to access the /tmp directory as the "apache" user, but be
unable to read /etc/shadow for instance, or to write an extra user
into /etc/passwd or modify system binaries in /sbin.

To avoid what is described in "password not being accepted for sudo user with ansible":
fatal: [testserver]: FAILED! => {"failed": true, "msg": "Incorrect su password"}
You might try using sudo, assuming you have given test user sudo rights:
# Debian systems (Ubuntu / Linux Mint / ElementryOS), add users to the sudo group
sudo usermod -aG sudo username
# On RHEL based systems (Fedora / CentOS), add users to the wheel group
sudo usermod -aG wheel username
Then:
become_user: test
become_method: sudo
Laucnhed with:
ansible-playbook -i inventory simple_playbook.yml --ask-become-pass
And enter the root password

The Agentinstallation.sh needs to be run by user12. For user12 password is user12 how to pass this password to execute the below script

I am new to ansible script, I am running ansible script from root user inside the ansible playbook I want to execute a script in another user(user12). Below is my ansibe playbook
---
- name: agent installation Script
hosts: <hostname>
gather_facts: False
#Disabling gathering facts because playbook not getting executed on server
tasks:
- name: Copy the creating script to Managed node
copy:
src: Createuser.sh
dest: ~/
mode: 0777
become: true
become_user: root
- name: Copy the agent zip to Managed node
copy:
src:13.2.0.0.0.zip
dest: ~/
mode: 0777
become: true
become_user: root
- name: Copy the agent response file to Managed node
copy:
src: agent.rsp
dest: ~/
mode: 0777
become: true
become_user: root
- name: Execute the script
shell: sh ~/Createuser.sh
become: true
become_user: root
- name: Execute the installation script
shell: sh ~/Agentinstallation.sh
become: true
become_user: user12
The Agentinstallation.sh needs to be run by user12. For user12 password is user12 how to pass this password to execute the above script.

With option -k, this will ask for a connection password.
From the docs:
-k, --ask-pass
ask for connection password
-K, --ask-become-pass
ask for privilege escalation password
Note the difference..

How to add a sudo password to a delegated host

How do you add a sudo password to a delegated host?
eg.
hosts: host1
- name: Some remote command
command: sudo some command
register: result
delegate_to: host2
become: yes
I get "Incorrect sudo password" because I assume it is using the sudo pass for host1. Is there a way to make it use a different password?

It has been a while - but I was struggling with this as well and managed to solve it so here is a summarized answer:
As pointed out correctly the issue is that the ansible_become_password variable is set to to your original host (host1) when running the delegated task on host2.
Option 1: Add become password to inventory and delegate facts
One option to solve this is to specify the become password for host2 in your inventory, and secure it using ansible vault (as they have done here: How to specify become password for tasks delegated to localhost). Then you should be able to trigger using the correct sudo pw with delegate_facts as they did here Ansible delegate_to "Incorrect sudo password".
Option 2: Prompt and overwrite pass manually
If you prefer to get prompted for the second sudo password instead, you can do this by using a vars_promt to specify the second sudo pw during runtime:
- hosts: host1
vars_prompt:
- name: custom_become_pass
prompt: enter the custom become password for host2
private: yes
tasks:
...
Then you can just replace the variable ansible_become_password before running your delegated tasks and it will use the correct sudo password:
tasks:
- name: do stuff on host1
...
- name: set custom become
set_fact:
ansible_become_password: '{{ custom_become_pass }}'
- name: perform delegated task
command: sudo some command
register: result
delegate_to: host2
become: yes

You could try to use ansible_become_password variable directly inside the task's var section.
Ansible doc

Struggling to switch to root user with Ansible

I'm a beginner with Ansible, and I need to run some basic tasks on a remote server.
The procedure is as follows:
I log as some user (osadmin)
I run su - to become root
I then do the tasks I need to.
So, I wrote my playbook as follows:
---
- name: Some tasks
become: yes
become_user: root
# become_method: su // Also tried with that.
template: src=repo.j2 dest=/etc/yum.repos.d/test.repo owner=root group=root
register: copy
Also, I have the following in vars/main.yml:
ansible_user: osadmin
ansible_password: password1
ansible_become_password: password2
[ some other values ]
However, when running my tasks, Ansible / the hosts returns me the following:
"Incorrect sudo password"
While I'm sure I gave it the right password. So, I guess I'm not doing this correctly.
What would be the correct way to switch to root via su?
Thank you in advance

From your question, I see that variable values are stored in vars/main.yml. Instead have the variables inside group_vars/all.yml and uncomment # become_method: su.
Modified code
---
- name: Some tasks
become: yes
become_user: root
become_method: su // Also tried with that.
template: src=repo.j2 dest=/etc/yum.repos.d/test.repo owner=root group=root
register: copy
have variables in group_vars/all.yml
ansible_user: osadmin
ansible_password: password1
ansible_become_password: password2
[ some other values ]
I tried this and it works for me.

Getting Error "You need to be root to perform this command" ansible-playbook

I am running below playbook. which will login to the server using ec2-user but mysql-java-connector will be installed, my test1 user.
---
- hosts: cluster
become: yes
remote_user: ec2-user
tasks:
- name: Create test1 User
user:
name: test1
password: '$6$jQX0JQzf8GB$NI/Pv1rMLyxWYaFCGNsbrun3sfn5bXSzg89Ip.ga2yf3n7hhrjiPsEo5IChIA7X8xVxnuZzm2sWA7IRM6qZOR0'
state: present
shell: /bin/bash # Defaults to /bin/bash
system: no # Defaults to no
createhome: yes # Defaults to yes
home: /home/test1
- name: Add users to sudoers
lineinfile:
dest : /etc/sudoers
state: present
line: 'test1 ALL=(ALL) NOPASSWD: ALL'
- name: Install mysql java connector
become_user: test1
become_method: sudo
yum: name=mysql-connector-java state=present
Gets below error:
fatal: [xxx.xxx.xxx.211]: FAILED! => {"changed": false, "msg": "You need to be root to perform this command.\n", "rc": 1, "results": [""]}

Same error, you should include become and become_user. In some cases add become method. More
- hosts: somehost
name: Install something
become: yes
remote_user: yourname
become
set to yes to activate privilege escalation.
become_user
set to user with desired privileges — the user you become, NOT the user you login as. Does NOT imply become: yes, to allow it to be set
at host level. Default value is root.

Add ansible_user=Your-User and ansible_become=true in /etc/ansible/hosts file to remove this error:
You need to be root to perform this command

Replace become_user: test1 to become_user: root (or delete this line, because become_user is root by default).
Please read Understanding privilege escalation for more information.