ansible sudo: sorry, you must have a tty to run sudo - ansible

I need to run playbooks on Vagrant boxes and on aws when I setup environment with cloud formation.
In Vagrant file I use ansible-local and everything works fine
name: Setup Unified Catalog Webserver
hosts: 127.0.0.1
connection: local
become: yes
become_user: root
roles: generic
However when I create instance in AWS the ansible playbook fails with error:
sudo: sorry, you must have a tty to run sudo
This happen because it is run as root and it doesnt have tty. But I dont know how to fix it without making change in /etc/sudoers to allow !requiretty
Is there any flags I can setup in ansible.cfg or in my Cloud Formation template?
"#!/bin/bash\n", "\n", "
echo 'Installing Git'\n","
yum --nogpgcheck -y install git ansible htop nano wget\n",
"wget https://s3.eu-central-1.amazonaws.com/XXX -O /root/.ssh/id_rsa\n",
"chmod 600 /root/.ssh/id_rsa\n",
"ssh-keyscan 172.31.7.235 >> /root/.ssh/known_hosts\n",
"git clone git#172.31.7.235:something/repo.git /root/repo\n",
"ansible-playbook /root/env/ansible/test.yml\n

I was able to fix this by setting the transport = paramiko configuration in ansible.cfg.

I have found the following solutions for myself:
1. Change requiretty in /etc/sudoers with sed run playbooks and change it back.
"#!/bin/bash\n", "\n", "
echo 'Installing Git'\n","
yum --nogpgcheck -y install git ansible htop nano wget\n",
"wget https://s3.eu-central-1.amazonaws.com/xx/ansible -O /root/.ssh/id_rsa\n",
"chmod 600 /root/.ssh/id_rsa\n",
"ssh-keyscan 172.31.9.231 >> /root/.ssh/known_hosts\n",
"git clone git#172.31.5.254:somerepo/dev.git /root/dev\n",
"sed -i 's/Defaults requiretty/Defaults !requiretty/g' /etc/sudoers\n",
"\n",
"ansible-playbook /root/dev/env/ansible/uk.yml\n",
"\n",
"sed -i 's/Defaults !requiretty/Defaults requiretty/g' /etc/sudoers\n"
OR
2. In ansible playbook specify variable:
- name: Setup
hosts: 127.0.0.1
connection: local
sudo: {{ require_sudo }}
roles:
- generic
Run in AWS Cloud Formation template would be
"ansible-playbook -e require_sudo=False /root/dev/env/ansible/uk.yml\n"
And for Vagrant in ansible.cfg it can be specified
require_sudo=True
Also in CF template may identify who is running and the pass variable
ansible-playbook -e$(id -u |egrep '^0$' > /dev/null && require_sudo=False || require_sudo=True; echo "require_sudo=$require_sudo") /apps/ansible/uk.yml

If you need to specific connection: paramiko within just one playbook versus a global configuration in ansible.cfg, you can add connection: paramiko following in the playbook, example:
- name: Run checks after deployments
hosts: all
# https://github.com/paramiko/paramiko/issues/1369
connection: paramiko
gather_facts: True

Related

How does sudo and become in ansible go work together?

- name: "read env"
shell: "sudo env"
become: true
I have above snippet in Ansible, I want to know the behaviour of using become and sudo together. I am aware become's default action is to turn the action as sudo. In that case will my sudo in the beginning of shell command get nullified ?
I am getting a different results with shell: "sudo env" and shell: "env" when become is set to true/yes
You do not need to add sudo to your commands when you are using become: true. You can checkout become_method from documentation. It will append sudo for you when you use become: true.
I highly recommend to read documentation for privilege escalation: https://docs.ansible.com/ansible/latest/user_guide/become.html
UPDATE
I did misunderstood your question sorry. The default become_method is sudo in ansible.cfg. When you set become: true without specifying become_method it will basically add a sudo prefix to your cmd. Here i created a example:
# privilege_escalation.yaml
---
- name: privilege escalation
hosts: localhost
tasks:
- name: command without any escalation
shell: env
- name: command with sudo
shell: sudo env
- name: command with become and sudo
shell: sudo env
become: yes
You can run example with this command:
ansible-playbook -vvv --ask-become-pass privilege_escalation.yaml
The first task will run env. In the results you can see USER=your_user line that represents current user.
When you use sudo in command, second task will run sudo env. In the results you can see USER=root and
SUDO_USER=your_user. This means you escalated your privileges to become root when running env command. SUDO_USER environment variable represents the user who invoked sudo.
The last task will run sudo sudo env. In the results you can see USER=root and
SUDO_USER=root. This means the first you become root user, after that root user executed sudo env command.
I hope this helps.

how to install the script interactive via ansible playbook

I can run the script with the command line argument on the linux server it works fine.
for e.g.: ./install.sh -n -I <IP address of the server>
The above command is able to install the script on the server.
When I am trying to do via ansible (version 2.5) playbook using the shell module it gives me an argument error.
- name: Running the script
shell: yes | ./fullinstall
Expect modules has been tried.
--my-arg1=IP address
- shell: "./install.sh -n -I"
args:
chdir: somedir/
creates: somelog.txt
You can look here for examples.
You can also place the install.sh file on the server as a template. Then you can set the variables as desired in Jinja2.
- name: Template install.sh
template:
src: /install.sh.j2
dest: /tmp/install.sh
- shell: "cd /tmp/ ; ./install.sh
Your install.sh.j2 contains:
IP adres: {{ my_ip }}
And set the variable on the command line with:
ansible-playbook -e my_ip="192.168.0.1"
Use command module
- name: run script
command: /path/to/install.sh -n -I {{ ip_addrress }}
playbook
ansible-playbook -e ip_address="192.168.3.9" play.yml
If you want to interactively wanted to enter the IP address, use prompt module.

Ansible sudo command without password checking

I would like to use ansible in a full automated context, where I cannot manually type passwords. To deal with this, I connect the servers with SSH public key, and I whitelisted severals commands such as apt-get install * in my sudoers configuration so I do not need a password to run them. For instance sudo apt-get install git.
However if the setting become is True in a playbook, ansible asks me for a password it does not need.
How can I tell ansible to run a command as sudo, without asking me a password?
Do you know another way to install apt packages without password?
Should I use another become method?
sudoers conf
myuser ALL = NOPASSWD: /usr/bin/apt-get install *
ansible
- name: install the latest version of ntpdate
package:
name: ntpdate
state: latest
become: True
Produces this output:
failed: [x.x.x.x] (item=ntpdate) => {"failed": true, "item": "python3-dev", "module_stderr": "", "module_stdout": "sudo: a password is required\r\n", "msg": "MODULE FAILURE", "rc": 1}
The simple answer is that you cannot do it without enabling all commands (or at least python).
Ansible does not run the commands as you expect it to run. It runs Python scripts. You can see the exact command when you execute ansible-playbook with -vvv. They are much more complex and to enable them you would have to add them to sudoers, for example:
sudo -H -S -n -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-xxxxxx;
/usr/bin/python /var/www/.ansible/tmp/ansible-tmp-xxxxxxxx/apt.py;
rm -rf "/var/www/.ansible/tmp/ansible-tmp-xxxxxxxx/" > /dev/null 2>&1'"'"'
&& sleep 0
The tricky part is that all spaces, quotes, and other special characters are relevant and until you get the correct command pattern by trial and error, replacing characters with wildcards, the system will not allow the command to run with elevated privileges. Effectively you won't be able to whitelist all the commands Ansible runs.
The only exception is raw module which runs the given command intact.
In all the Ansible playbooks I have worked on, I had to do only 2 things so that tasks run with become:True
Create file /etc/sudoers.d/demo on the target hosts with below content:
demo ALL=(ALL) NOPASSWD:ALL
Copy ssh id from Ansible host to target host using ssh-copy-id
template/without_sudo
%sudo ALL=(ALL) NOPASSWD: ALL
%sudo ALL=(ALL) NOPASSWD: /sbin/poweroff, /sbin/reboot, /sbin/shutdown
tasks/main.yml
- name: Sudoers no password
raw: echo '{{ user_password }}' | sudo -S sh -c 'echo "{{ lookup('file', 'templates/without_sudo') }}" > /etc/sudoers.d/without_sudo'
no sudo for the rest of the ansible command
You can use the ansible 'command' module with sudo as part of the command, instead of 'become: yes'
- name: install the latest version of ntpdate
command: 'sudo apt-get update ntpdate'
The downside is that this is much less portable. The upside is, it works... and you only need to whitelist the specific command.
in my opinion, if you set your node with =(ALL) NOPASSWD:ALL. then anybody: including the hackers can access your nodes.
so what I can suggest ,
ansible-playbook <name>.yml --ask-sudo-pass
this will ask your node sudo password. and u can execute ur operation, as I guess you know ur node's credential.

Can I use sudo in Ansible with connection "local"?

I give up, just can't understand how to use Ansible with "connection: local" + "sudo: yes".
I have something like:
ansible-playbook ansible/desktop.yml
- hosts: localhost
connection: local
...
tasks:
- apt_repository: repo='ppa:alexey-smirnov/deadbeef'
sudo: yes
I've also tried sudo_user: ... param, sudo before the command, ansible-playbook --sudo and --ask-sudo-pass
Currently:
failed: [localhost] => {"failed": true}
msg: [Errno 13] Permission denied
How should it be executed?
ansible --version
ansible 1.7.2
Try
ansible-playbook -i <inventory> ansible/desktop.yml -u <local user who can sudo with password> --ask-sudo-pass
This will make ansible use the remote user you mentioned in -u. And when it uses that user to sudo, it will ask you for sudo password.
Here's another method (also works with ansible become: syntax):
sudo su -c "ansible-playbook <your playbook name and options>"

Ansible and Wget

I am trying to wget a file from a web server from within an Ansible playbook.
Here is the Ansible snippet:
---
- hosts: all
sudo: true
tasks:
- name: Prepare Install folder
sudo: true
action: shell sudo mkdir -p /tmp/my_install/mysql/ && cd /tmp/my_install/mysql/
- name: Download MySql
sudo: true
action: shell sudo wget http://{{ repo_host }}/MySQL-5.6.15-1.el6.x86_64.rpm-bundle.tar
Invoking it via:
ansible-playbook my_3rparties.yml -l vsrv644 --extra-vars "repo_host=vsrv656" -K -f 10
It fails with the following:
Cannot write to `MySQL-5.6.15-1.el6.x86_64.rpm-bundle.tar' (Permission denied).
FATAL: all hosts have already failed -- aborting
PLAY RECAP ********************************************************************
to retry, use: --limit #/usr2/ihazan/vufroria_3rparties.retry
vsrv644 : ok=2 changed=1 unreachable=0 failed=1
When trying to do the command that fail via regular remote ssh to mimic what ansible would do, it doesn't work as follows:
-bash-4.1$ ssh ihazan#vsrv644 'cd /tmp/my_install/mysql && sudo wget http://vsrv656/MySQL-5.6.15-1.el6.x86_64.rpm-bundle.tar'
Enter passphrase for key '/usr2/ihazan/.ssh/id_rsa':
sudo: sorry, you must have a tty to run sudo
But I can solve it using -t as follows:
-bash-4.1$ ssh -t ihazan#vsrv644 'cd /tmp/my_install/mysql && sudo wget http://vsrv656/MySQL-5.6.15-1.el6.x86_64.rpm-bundle.tar'
Then it works.
Is there a way to set the -t (pseudo tty option) on ansible?
P.S: I could solve it by editing the sudoers file as others propose but that is a manual step I am trying to avoid.
Don't use shell-module when there is specialized modules available. In your case:
Create directories with file-module:
- name: create project directory {{ common.project_dir }}
file: state=directory path={{ common.project_dir }}
Download files with get_url-module:
- name: download sources
get_url: url={{ opencv.url }} dest={{ common.project_dir }}/{{ opencv.file }}
Note the new module call syntax in the examples above.
If you have to use sudo with password remember to give --ask-sudo-pass when needed (see e.g. Remote Connection Information).
In Ansible:
file to manage files/directories
get_url to download what you need
become:yes to use sudo priviledges
See ansible documentation:
https://docs.ansible.com/ansible/latest/modules/modules_by_category.html

Resources