Why is Ansible not Running Pip as sudo user? - pip

I have a playbook that ensures all requirements are installed locally. I am using ansible 2.0.0
ansible-playbook site.yml -i staging
site.yml:
---
- hosts: localhost
  become: yes
  become_user: "{{ sudo_user }}"
  connection: local
  vars_files:
    - vars/main.yml
  roles:
    - do
sudo_user is surfer190 in vars.
do/tasks/main.yml:
- name: make sure everything is installed
  apt: name={{ item }} state=installed
  with_items:
    - python-apt
    - python-pycurl
    - python-pip
    - python-setuptools
- name: Install dopy
  pip: name={{ item }}
  with_items:
    - virtualenv
    - dopy
    - passlib
I get the following error:
failed: [localhost] => (item=passlib) => {"cmd": "/usr/local/bin/pip install passlib", "failed": true, "invocation": {"module_args": {"name": "passlib"}, "module_name": "pip"}, "item": "passlib", "msg": "stdout: Collecting passlib\n Using cached passlib-1.6.5-py2.py3-none-any.whl\nInstalling collected packages: passlib\n\n:stderr: Exception:\nTraceback (most recent call last):\n File \"/usr/local/lib/python2.7/dist-packages/pip/basecommand.py\", line 211, in main\n status = self.run(options, args)\n File \"/usr/local/lib/python2.7/dist-packages/pip/commands/install.py\", line 311, in run\n root=options.root_path,\n File \"/usr/local/lib/python2.7/dist-packages/pip/req/req_set.py\", line 646, in install\n **kwargs\n File \"/usr/local/lib/python2.7/dist-packages/pip/req/req_install.py\", line 803, in install\n self.move_wheel_files(self.source_dir, root=root)\n File \"/usr/local/lib/python2.7/dist-packages/pip/req/req_install.py\", line 998, in move_wheel_files\n isolated=self.isolated,\n File \"/usr/local/lib/python2.7/dist-packages/pip/wheel.py\", line 339, in move_wheel_files\n clobber(source, lib_dir, True)\n File \"/usr/local/lib/python2.7/dist-packages/pip/wheel.py\", line 310, in clobber\n ensure_dir(destdir)\n File \"/usr/local/lib/python2.7/dist-packages/pip/utils/__init__.py\", line 71, in ensure_dir\n os.makedirs(path)\n File \"/usr/lib/python2.7/os.py\", line 157, in makedirs\n mkdir(name, mode)\nOSError: [Errno 13] Permission denied: '/usr/local/lib/python2.7/dist-packages/passlib'\n"}
Which is basically a permission denied error, so it is not running the command with sudo; when I try sudo pip install passlib by hand it works.
Even if I run with -k and enter the sudo password it does not work. Take note that the surfer190 user requires a password to sudo.
What am I doing wrong?

Add 'sudo: yes' to the Install dopy task:
- name: make sure everything is installed
  apt: name={{ item }} state=installed
  with_items:
    - python-apt
    - python-pycurl
    - python-pip
    - python-setuptools
- name: Install dopy
  pip: name={{ item }}
  with_items:
    - virtualenv
    - dopy
    - passlib
  sudo: yes   # escalate this task to root; 'become: yes' is the equivalent keyword since Ansible 1.9
If you notice that the execution of the playbook hangs while executing the task, then it is likely that Ansible is waiting for the sudo password but there is no way for you to enter it. There is a way to get around that: update the section below in your sudoers file, located at '/etc/sudoers'.
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
yourusername ALL=NOPASSWD: ALL
Be careful while editing /etc/sudoers: incorrect entries might prevent you from ever logging on to the server again.

So it looks like the minimum config you need is:
---
- hosts: localhost
  become: yes
  become_user: "{{ sudo_user }}"
  connection: local
  vars_files:
    - vars/main.yml
  roles:
    - ...
So the become_user needs to be a user that can sudo with no pass I think.
If there is no become_user it fails with:
failed: [localhost] => (item=passlib) => {"failed": true, "item": "passlib", "parsed": false}
[sudo via ansible, key=sgidbrejgqoibeozxncyhixnwsukxjbe] password:
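Added example, not from the original question or either answer. The permission error comes from become_user: "{{ sudo_user }}" at play level: every task escalates to surfer190, an unprivileged account, so pip writes to /usr/local as that user rather than as root (the sudo/sudo_user keywords in the answer are the pre-1.9 spelling of become/become_user). The playbook below leaves become off at play level, switches it on (to the default become_user, root) only for the apt task, and installs the pip packages into a virtualenv owned by the login user, where no root is needed at all. Run it with ansible-playbook site.yml -i staging -K: -K (--ask-become-pass) prompts for the sudo password, whereas -k (--ask-pass) asks for the SSH login password, so no NOPASSWD rule is required. If you still want the answer's passwordless sudo, the last task installs it as a drop-in under /etc/sudoers.d that visudo checks before it is put in place, which avoids the lockout the answer warns about; it only runs when allow_passwordless_sudo is set to true. Task names, the venv path, the python-virtualenv package name and that variable are my assumptions.

```yaml
---
# Added example, not from the original post. Assumes the question's layout
# (hosts: localhost, vars/main.yml defining sudo_user); task names, the venv
# path, the python-virtualenv package and allow_passwordless_sudo are mine.
- hosts: localhost
  connection: local
  become: false                     # default: run as the invoking user
  vars_files:
    - vars/main.yml
  vars:
    allow_passwordless_sudo: false  # set true only if you really want the NOPASSWD rule
    venv_dir: "{{ lookup('env', 'HOME') }}/venv"
  tasks:
    - name: install system packages (the one step that needs root)
      become: true                  # become_user left at its default, root
      apt:
        name:
          - python-apt
          - python-pycurl
          - python-pip
          - python-setuptools
          - python-virtualenv
        state: present

    - name: install Python packages into a user-owned virtualenv (no root needed)
      pip:
        name: "{{ item }}"
        virtualenv: "{{ venv_dir }}"
      with_items:
        - dopy
        - passlib

    - name: verify the packages landed in the venv, not in /usr/local
      command: "{{ venv_dir }}/bin/python -c 'import passlib; print(passlib.__file__)'"
      register: passlib_location
      changed_when: false
      failed_when: venv_dir not in passlib_location.stdout

    - name: optional NOPASSWD drop-in, checked by visudo before it is installed
      become: true
      when: allow_passwordless_sudo | bool
      copy:
        dest: "/etc/sudoers.d/90-{{ sudo_user }}"
        content: "{{ sudo_user }} ALL=(ALL) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s   # a syntactically broken rule is rejected, sudoers stays intact
```

The validate option hands the staged file to visudo -c and only moves it into place when the check passes, so a typo cannot leave you locked out of sudo; the drop-in directory also keeps automation-managed rules separate from the distribution's /etc/sudoers.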

Related

CircleCI job using Ansible : Exception: Error reading SSH protocol banner[Errno 104] Connection reset by peer

I'm working on a CircleCI job running a configuration on an EC2 instance. The problem is that Ansible could not run the configuration and keeps looping on this error:
PLAY [configuration play]
******************************************************
TASK [wait 600 seconds for target connection to become reachable/usable] *******
Exception: Error reading SSH protocol banner[Errno 104] Connection reset by peer
Traceback (most recent call last):
File "/usr/lib/python3.8/site-packages/paramiko/transport.py", line 2211, in _check_banner
buf = self.packetizer.readline(timeout)
File "/usr/lib/python3.8/site-packages/paramiko/packet.py", line 380, in readline
buf += self._read_timeout(timeout)
File "/usr/lib/python3.8/site-packages/paramiko/packet.py", line 607, in _read_timeout
x = self.__socket.recv(128)
ConnectionResetError: [Errno 104] Connection reset by peer
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.8/site-packages/paramiko/transport.py", line 2039, in run
self._check_banner()
File "/usr/lib/python3.8/site-packages/paramiko/transport.py", line 2215, in _check_banner
raise SSHException(
paramiko.ssh_exception.SSHException: Error reading SSH protocol banner[Errno 104] Connection reset by peer
Exception: Error reading SSH protocol banner
Traceback (most recent call last):
File "/usr/lib/python3.8/site-packages/paramiko/transport.py", line 2211, in _check_banner
buf = self.packetizer.readline(timeout)
File "/usr/lib/python3.8/site-packages/paramiko/packet.py", line 380, in readline
buf += self._read_timeout(timeout)
File "/usr/lib/python3.8/site-packages/paramiko/packet.py", line 609, in _read_timeout
raise EOFError()
EOFError
....
fatal: [ec2-18-237-14-97.us-west-2.compute.amazonaws.com]: FAILED! => {"changed": false, "elapsed": 600, "msg": "timed out waiting for ping module test success: Error reading SSH protocol banner"}
PLAY RECAP *********************************************************************
ec2-18-237-14-97.us-west-2.compute.amazonaws.com : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
CircleCI job:
configure-infrastructure:
  docker:
    - image: python:3.7-alpine3.11
  steps:
    - checkout
    - add_ssh_keys:
        fingerprints: ["bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla:bla"]
    - attach_workspace:
        at: ~/
    - run:
        name: Install dependencies
        command: |
          apk add --update tar gzip ansible
          pip install awscli
    - run:
        name: Configure server
        command: |
          cat ./.circleci/ansible/inventory.txt
          export ANSIBLE_HOST_KEY_CHECKING=False
          export RECORD_HOST_KEYS=True
          ansible-playbook -i ./.circleci/ansible/inventory.txt ./.circleci/ansible/configure-server.yml
    - destroy-environment
.circleci/ansible/configure-server.yml
---
- name: configuration play
  hosts: web
  user: ubuntu
  become: true
  become_method: sudo
  become_user: root
  gather_facts: false
  vars:
    - ansible_python_interpreter: /usr/bin/python3
    - ansible_host_key_checking: false
    - ansible_stdout_callback: yaml
  pre_tasks:
    - name: wait 600 seconds for target connection to become reachable/usable
      ansible.builtin.wait_for_connection:
        delay: 0
        timeout: 600
    - name: install python for Ansible.
      become: true
      raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3)
      changed_when: false
  roles:
    - configure-server
roles/configure-server/tasks/main.yml
---
- name: "Update apt packages"
  become: true
  apt:
    update_cache: yes
- name: "Remove dependencies that are no longer required"
  become: true
  apt:
    autoremove: yes
- name: "Install npm and nodejs"
  become: true
  apt:
    name: ["npm", "nodejs"]
    state: latest
    update_cache: yes
- name: "Install pm2"
  become: true
  npm:
    name: pm2
    global: yes
    production: yes
    state: present
I have already added my key pair to the Circle project settings, obtained the fingerprints and added it to the job configuration ([bla:bla.....]).
I can connect to the Ec2 instance using ssh without any problems.
More details :
ImageId: ami-0d70546e43a941d70
region: us-west-2
Any help or suggestions would be greatly appreciated.
It was stuck for me as well; finally I fixed it:
configure-infrastructure:
  docker:
    # - image: python:3.7-alpine3.11
    - image: python:3.9.16
  steps:
    - add_ssh_keys:
        fingerprints:
          - "6b:7d:b7:2c:5b:49:34:cb:34:ab:93:36:47:19:2b:73"
    - run:
        name: Install dependencies
        command: |
          # apk add --update ansible
          apt-get update -y
          apt install ansible -y
          which ansible
    - run:
        name: Configure server
        command: |
          cd .circleci/ansible
          cat ./inventory
          ansible-playbook -i inventory configure-server.yml
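Added example, not from either post. The question's job exports ANSIBLE_HOST_KEY_CHECKING=False, which makes Ansible accept whatever host key the address presents and so drops the one check that would catch a redirected connection; the banner error above happens before key exchange, so that setting does not help with it anyway. The variant below keeps the answer's image switch and instead writes the instance's expected host key, held in a CircleCI project environment variable, into known_hosts before the playbook runs, leaving host key checking at its default. EC2_HOST_KEY, the placeholder fingerprint and the step names are my assumptions.

```yaml
# Added example, not from the original post. Assumes a CircleCI project
# environment variable EC2_HOST_KEY that holds one known_hosts line for the
# target, e.g. "ec2-18-237-14-97.us-west-2.compute.amazonaws.com ssh-ed25519 AAAA...",
# obtained out of band (for example from the instance's console output).
configure-infrastructure:
  docker:
    - image: python:3.9.16
  steps:
    - checkout
    - add_ssh_keys:
        fingerprints:
          - "<fingerprint from Project Settings > SSH Keys>"   # placeholder
    - run:
        name: Install Ansible
        command: |
          apt-get update -y
          apt-get install -y ansible
    - run:
        name: Pin the target host key instead of disabling host key checking
        command: |
          mkdir -p ~/.ssh && chmod 700 ~/.ssh
          printf '%s\n' "$EC2_HOST_KEY" >> ~/.ssh/known_hosts
          chmod 600 ~/.ssh/known_hosts
    - run:
        name: Configure server
        command: |
          cd .circleci/ansible
          # ANSIBLE_HOST_KEY_CHECKING stays at its default (True): a host whose
          # key differs from known_hosts is refused instead of silently accepted.
          ansible-playbook -i inventory configure-server.yml
```

If the instance is recreated its host key changes, so the variable has to be updated together with the instance; that is the price of verifying the key, and it is cheaper than never verifying it.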

Use of privilege escalation in a secure environment with become/ansible

I want to perform administrative tasks with ansible in a secure environment:
On the server:
root is not activated;
we connect through ssh to a non-sudoer account (public/private key; I usually use ssh-agent so as not to type the passphrase each and every time);
we change to a user which belongs to the sudo group;
then we perform administrative tasks.
Here is the command I execute:
ansible-playbook install_update.yaml -K
The playbook:
---
- hosts: server
  tasks:
    - name: install
      apt:
        name: python-apt
        state: latest
    - name: update
      become: yes
      become_user: admin_account
      become_method: su
      apt:
        name: "*"
        state: latest
The hosts file:
[server]
192.168.1.50 ansible_user=ssh_account
But this doesn't allow me to do the tasks: for this particular playbook, it raises this error:
fatal: [192.168.1.50]: FAILED! => {"changed": false, "msg": "'/usr/bin/apt-get upgrade --with-new-pkgs ' failed: E: Could not open lock file /var/lib/dpkg/lock-frontend - open (13: Permission denied)\nE: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), are you root?\n", "rc": 100, "stdout": "", "stdout_lines": []}
which gives the idea that there is a privilege issue...
I would be really glad if someone had an idea !!
Best regards
PS: I have added the NOPASSWD entry for this admin account to the sudoers file, and if I run this playbook it works:
---
- hosts: pi
  tasks:
    - name: install
      apt:
        name: python-apt
        state: latest
    - name: update
      become: yes
      become_method: su
      become_user: rasp_admin
      shell: bash -c "sudo apt update"
I guess that when I change user via the su command from ssh_account, I would like to specify that with admin_account my commands have to be run with sudo, but I failed to find the right way to do it... any ideas?
PS: a workaround is to download a shell file and execute it with Ansible, but I don't find that satisfying... any other idea?
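Added example, not from the original post. Ansible performs exactly one privilege change per task: become_method: su gets you to admin_account, but nothing then sudo's to root, which is why the apt module still runs unprivileged and hits the dpkg lock. A scoped sudoers rule for apt-get alone would not help either, because become does not run apt-get; it runs the module's Python interpreter through sudo (wrapped in /bin/sh -c), so the escalating account has to be allowed to run that. Within the question's constraints (root disabled, ssh_account not a sudoer) the workable form is the su hop plus sudo -n inside the command, which fails immediately instead of hanging if sudo does want a password; the cleaner alternative is to let ssh_account sudo directly and use become: yes with the apt module, which is the model Ansible expects. The task names, the apt-get options and the changed_when test are mine.

```yaml
---
# Added example, not from the original post. Uses the question's hosts file
# (ssh_account logs in by key) and assumes admin_account has the NOPASSWD
# sudoers entry mentioned in the PS; task names and options are mine.
- hosts: server
  tasks:
    # One become per task: su to admin_account (-K supplies its password).
    # Root work happens inside the command, through that account's sudo rule.
    - name: refresh the package index
      become: yes
      become_method: su
      become_user: admin_account
      command: sudo -n apt-get update     # -n: never prompt; fail loudly if a password is required
      changed_when: false

    - name: upgrade all packages
      become: yes
      become_method: su
      become_user: admin_account
      # env(1) sets DEBIAN_FRONTEND on the root side of sudo, where sudo's
      # env_reset would otherwise strip a variable set by Ansible's environment:
      command: sudo -n env DEBIAN_FRONTEND=noninteractive apt-get -y --with-new-pkgs upgrade
      register: upgrade
      changed_when: "'0 upgraded, 0 newly installed' not in upgrade.stdout"
```

Because the root work is a plain command rather than the apt module, idempotence has to be reconstructed from apt-get's own summary line, as the changed_when test does; once ssh_account is itself allowed to sudo, the same play shrinks to a single apt task with become: yes and no register/changed_when at all.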

"[Errno 13] Permission denied error" while running Py script in Ansible

When I'm running a Python script via an Ansible playbook, I get the following error:
fatal: [localhost]: FAILED! => {"changed": false, "cmd": "/Dest/To/Repo/HW.py", "failed": true, "msg": "[Errno 13] Permission denied", "rc": 13}
I did add the sudo: yes line:
Here is my yaml file:
- name: a play that runs entirely on the ansible host
  hosts: 127.0.0.1
  sudo: yes
  connection: local
  tasks:
    - name: check out a git repository
      git: repo={{ repo_url }} dest=/Dest/To/Repo/ accept_hostkey=yes
      vars:
        repo_url: https://github.com/lorin/mezzanine-example.git
    - name: Running the Python Script
      command: /Dest/To/Repo/HW.py
The HW.py script is just print("Hello World")
Is there anything which I need to do, regarding the permissions error?
You need to use umask to add execution rights in your git module call:
- name: a play that runs entirely on the ansible host
  hosts: 127.0.0.1
  sudo: yes
  connection: local
  tasks:
    - name: check out a git repository
      git: repo={{ repo_url }} dest=/Dest/To/Repo/ accept_hostkey=yes umask=0022   # umask is a git module argument, not a task keyword
      vars:
        repo_url: https://github.com/lorin/mezzanine-example.git
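Added example, not from either post. A script pulled from a repository is executable only if the repository stores it with the execute bit set and it starts with a shebang line; umask 0022 leaves permissions that git already sets alone. Running the file through the interpreter sidesteps both requirements. The play below also drops sudo: yes, since cloning and running code fetched from a third party is exactly the step that should not run as root, and pins the checkout to a commit so a later push cannot change what gets executed. The checkout path, the pinned-commit placeholder and the interpreter name are my assumptions.

```yaml
---
# Added example, not from the original post. Keeps the repo URL from the
# question; the checkout path, the commit placeholder and python3 are assumptions.
- name: a play that runs entirely on the ansible host
  hosts: 127.0.0.1
  connection: local
  become: false                    # cloning and running a script needs no root
  vars:
    repo_url: https://github.com/lorin/mezzanine-example.git
    repo_dest: "{{ lookup('env', 'HOME') }}/mezzanine-example"
    repo_version: "<full commit sha>"   # placeholder: pin a commit, not a moving branch
  tasks:
    - name: check out a git repository at a pinned commit
      git:
        repo: "{{ repo_url }}"
        dest: "{{ repo_dest }}"
        version: "{{ repo_version }}"
        accept_hostkey: yes        # trusts github.com's host key on first contact; pre-seed known_hosts to avoid that

    - name: run the script through the interpreter (no execute bit needed)
      command: "python3 {{ repo_dest }}/HW.py"
      register: hw
      changed_when: false

    - name: show what the script printed
      debug:
        var: hw.stdout
```

If the script genuinely has to be executable (for example because other tooling invokes it directly), fix that in the repository with git update-index --chmod=+x rather than in the playbook, so every checkout gets the same mode.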

Why Ansible keeps giving me error "Could not find the requested service httpd: cannot check nor set state"?

I am doing a dry run of installing the Apache web server on a CentOS 7 box.
This is the webserver.yml file:
--- # Outline to Playbook Translation
- hosts: apacheWeb
  user: aleatoire
  sudo: yes
  gather_facts: no
  tasks:
    - name: date/time stamp for when the playbook starts
      raw: /bin/date > /home/aleatoire/playbook_start.log
    - name: install the apache web server
      yum: pkg=httpd state=latest
    - name: start the web service
      service: name=httpd state=started
    - name: install client software - telnet
      yum: pkg=telnet state=latest
    - name: install client software - lynx
      yum: pkg=lynx state=latest
    - name: log all the packages installed on the system
      raw: yum list installed > /home/aleatoire/installed.log
    - name: date/time stamp for when the playbook ends
      raw: /bin/date > /home/aleatoire/playbook_end.log
When I do a dry run with:
ansible-playbook webserver.yml --check
I keep getting this error:
fatal: [<ip_address>]: FAILED! => {"changed": false, "failed": true, "msg": "Could not find the requested service httpd: cannot check nor set state"}
to retry, use: --limit #/home/aleatoire/Outline/webserver.retry
I tried adding ignore_issues: true and that did not work either.
--check is not going to actually install the httpd package if it's not there yet. So then the service: call will fail if there is no httpd unit file installed yet.
You can use --syntax-check option instead.
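Added example, not from either post, showing how to keep --check usable instead of abandoning it. In check mode the yum task reports what it would install but installs nothing, so the service task that follows looks for a unit that does not exist yet. Guarding that task with the ansible_check_mode magic variable makes the dry run pass on a fresh box while still exercising it on a box where httpd is already installed; --syntax-check, by contrast, only parses the playbook and tells you nothing about the target. The rewrite uses become and remote_user in place of the older sudo and user keywords; the task names are mine.

```yaml
---
# Added example, not from the original post. Same host group and login user
# as the question; task names and the check-mode guard are mine.
- hosts: apacheWeb
  remote_user: aleatoire
  become: yes
  gather_facts: no
  tasks:
    - name: install the apache web server
      yum:
        name: httpd
        state: present        # idempotent; "latest" would upgrade on every run

    - name: start and enable the web service
      service:
        name: httpd
        state: started
        enabled: yes
      # Under --check the yum task above installs nothing, so the unit file
      # may be absent; skip this task then instead of failing the dry run.
      when: not ansible_check_mode
```

The same guard belongs on any task that depends on state created earlier in the same run (a config file the template task would have written, a user the user task would have created); tasks that only read existing state can run in check mode unguarded.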

Trouble with ansible playbook syntax

I have just begun with Ansible and I'm having trouble with playbook syntax while trying to provision a Vagrant machine. Below is my Ansible playbook:
---
- hosts: all
  tasks:
    - name: update apt cache
      apt: update_cache=yes
      become: yes
      become_method: sudo
    - name: create a directory for projects
      file: path=/home/projects
            state=directory
    - name: create a directory for our project
      file: path=/home/projects/myproject
            state=directory
    - name: install git
      apt: name=git
      become: yes
      become_method: sudo
    - name: initiate git
      command: git init
      args:
        chdir: /home/projects/myproject
    - name: pull git
      git: repo=https://github.com/path/to/repo.git
           dest=/home/projects/myproject
    - name: install mysql
      apt: name=mysql-server
      become: yes
      become_method: sudo
    - name: create mysql db for project
      mysql_db: name=mydb
                encoding=utf8
    - name: create user and assign privileges
      mysql_user: name=foo
                  password=bar
                  priv=mydb.*,GRANT
    - name: install pip
      apt: name=pip
      become: yes
      become_method: sudo
    - name: install virtualenv
      pip: name=virtualenv
      become: yes
      become_method: sudo
    - name: Create the initial virtualenv
      command: virtualenv /home/projects/myproject/venv -p python2.7 creates="/home/projects/myproject/venv"
    - name: install requirements
      pip:
        requirements=/home/projects/myproject/requirements.txt
        virtualenv=/home/projects/bankproblem/venv
My trouble is with the 4th task where I'm trying to install git.
ERROR: Syntax Error while loading YAML script, playbook.yml
Note: The error may actually appear before this position: line 21, column 1
become_method: sudo
^
Ansible failed to complete successfully. Any error output should be
visible above. Please fix these errors and try again.
Someone please explain to me what's happening.
My Vagrantfile:
VAGRANTFILE_API_VERSION = "2"
Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  config.vm.box = "trusty-server-cloudimg-amd64-vagrant-disk1.box"
  config.vm.box_url = "https://cloud-images.ubuntu.com/vagrant/trusty/current/trusty-server-cloudimg-amd64-vagrant-disk1.box"
  config.vm.network "forwarded_port", guest: 80, host: 8080
  config.vm.provision :ansible do |ansible|
    ansible.playbook = "playbook.yml"
  end
end
P.S. Please excuse the naive way the playbook is written, as my intention is simply to get started.
It was simply that:
I had to make sure unnecessary white spaces aren't there, and
the arguments to a task had to be on a single line separated by spaces. For instance, instead of
git: repo=https://github.com/path/to/repo.git
     dest=/home/projects/myproject
I needed to use
git: repo=https://github.com/path/to/repo.git dest=/home/projects/myproject
Silly me! No more syntax errors now.
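Added example, not from the original post: the same tasks in Ansible's mapping form, where each module argument is its own YAML key. That form has no one-line rule to trip over, the YAML parser reports real indentation mistakes with an accurate line number, and values can be quoted and templated safely. The rewrite also moves the MySQL password out of the playbook into an ansible-vault encrypted vars file, grants the application user ALL on mydb without the GRANT option it does not need (the priv syntax is db.table:PRIVS), and drops the separate git init, since the git module initialises the clone itself. The package names, vault.yml and db_password are my assumptions.

```yaml
---
# Added example, not from the original post: the question's tasks in mapping
# form. Package names, vault.yml and the db_password variable are assumptions.
- hosts: all
  vars:
    project_dir: /home/projects/myproject
    repo_url: https://github.com/path/to/repo.git
  vars_files:
    - vault.yml                 # holds db_password, encrypted with ansible-vault
  tasks:
    - name: install packages
      become: yes
      apt:
        name:
          - git
          - mysql-server
          - python3-pip
          - python3-venv
          - python3-pymysql      # client library the mysql_* modules need
        state: present
        update_cache: yes

    - name: create the project directory
      become: yes
      file:
        path: "{{ project_dir }}"
        state: directory
        mode: "0755"

    - name: clone the project (the module initialises the repository; no git init needed)
      become: yes
      git:
        repo: "{{ repo_url }}"
        dest: "{{ project_dir }}"

    - name: create the database
      become: yes
      mysql_db:
        name: mydb
        encoding: utf8

    - name: create the application user with rights on mydb only
      become: yes
      mysql_user:
        name: foo
        password: "{{ db_password }}"   # from vault.yml, never a literal in the playbook
        priv: "mydb.*:ALL"              # <db>.<table>:<privs>; an app user does not need the GRANT option

    - name: install requirements into the project virtualenv
      become: yes
      pip:
        requirements: "{{ project_dir }}/requirements.txt"
        virtualenv: "{{ project_dir }}/venv"
        virtualenv_command: python3 -m venv
```

Create vault.yml with ansible-vault create vault.yml containing a single db_password: line, and run the play with --ask-vault-pass (or --vault-password-file); the password then never appears in the playbook, in version control or in Ansible's task output.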
