Ansible asks for sudo password from following code, it tries to create a new postgres user.
Error message:
fatal: [xxx.xxx.xxx.xxx] => Missing sudo password
main.yml
- name: 'Provision a PostgreSQL server'
hosts: "dbservers"
sudo: yes
sudo_user: postgres
roles:
- postgres
create_db.yml
- name: Make sure the PostgreSQL users are present
postgresql_user: name=rails password=secret role_attr_flags=CREATEDB,NOSUPERUSER
sudo_user: postgres
sudo: yes
The remote_user that used to login to this machine is a non-root user, it has no password, and can only login using key auth.
For user postgres, this account doesn't have the password as well, because the database was just installed.
Since I logged in as non-root user, of course it will ask for password when switch to postgress account in order to create database user. But it won't be need for password if switch to postgres from root account. So, I wonder if there is a way to switch to root, and then switch to user postgres.
Note: the root account has no public key, no password, and cannot login from SSH.
Try with the option -kK. It will prompt for password.
$ ansible-playbook mail.yml -kK
SSH password:
BECOME password[defaults to SSH password]:
-k, --ask-pass: ask for connection password
-K, --ask-become-pass: ask for privilege escalation password
You can specificy the sudo password when running the Ansible playbook:
ansible-playbook playbook.yml -i inventory.ini --extra-vars "ansible_sudo_pass=yourPassword"
Add a file to the /etc/sudoers.d directory on the target machine called postgres with the following contents:
postgres ALL=(ALL) NOPASSWD:ALL
This ensures that the postgres user (provided you are using that as your sudo user) will not be asked for a password when it attempts sudo commands.
If you are using a different user to connect to the target machine, then you'll have to amend the above to give the NOPASSWD permission to that user instead.
See here for further details.
In my case, I added the information to the servergroup's group variables
So in /etc/ansible/group_vars/{servergroup}/vars
I added
ansible_become: yes
ansible_become_method: sudo
ansible_become_pass: "{{ vault_ansible_password }}"
This article helped me workout the answer https://www.cyberciti.biz/faq/how-to-set-and-use-sudo-password-for-ansible-vault/
You would need to modify /etc/sudoers file or command visudo to allow user with which you connect to the remove server to switch to another user without password prompt.
If all of the above solutions did not work for you, which was my case. My problem was that my ansible_user has not all the permissions, I don't like to allow root to connect from ssh.
But my tester user did not have all the sudo permissions to perform some operations:
Initial tester_user permission:
tester ALL= NOPASSWD:ALL # bad
changed to :
tester ALL=(ALL:ALL) NOPASSWD:ALL # good
The meaning of these additional fields is:
First “ALL” indicates that the user can run commands as all users.
The second “ALL” indicates that the user can run commands as all groups.
Initially wanted to restrict permissions for maintainers, but it is mandatory that the ansible_user can run commands as all users use become_user in Ansible.
Add this to your /etc/sudoers file
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
username-u-want-to-allow ALL=(ALL) NOPASSWD: ALL
This will happen from Ansible Tower UI if you select the 'Enable Privilege Escalation' option. You might need to supply the password twice in Ansible Tower.
In your Remote-server (Client-Server) or (target-server) whatever you call, as a root user write this command
visudo pressenter
Under
User privilege specification
<your-name on (client-server)> ALL=(ALL) NOPASSWD: ALL
save file
Now from your Controller-Server (Workstation) or (Ansible-Server) whatever you call, run your command
ssh <your-user on (client-server)>#ipaddress
SUCCESS
In my case, my user did not have sudo permission on the managed node. By default ansible was setting the become_method: sudo
I found out this by specifying -vvvv, and looking at the logs.
...
remote_user: username
become_method: sudo
inventory: (u'/etc/ansible/hosts',)
...
ansible-playbook -u -b ansible-script.yml -vvvv
To get around the problem, I specify "become no" in the ansible script.
For example:
- name: Ensure the httpd service is running
service:
name: httpd
state: started
become: no
You don't need specify the sudo_user if the ssh_user that you use to make the connection belongs to the sudoers group, only has to say the sudo_pass.
My solution / workaround for error message:
fatal: [node]: FAILED! => {"msg": "Missing sudo password"}
For me although the user already existed in the sudoers file on the remote host to perform commands without the use of password I still got this message. What I did to enter in the main YAML playbook enter:
---
- hosts: [your targeted inventory list of hosts]
become_user: [your remote privileged user]
become: true
roles:
- [your playbook role]
Also in the /etc/ansible/ansible.cfg I enabled/ commented out or changed the following:
[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=False
[defaults]
remote_tmp = /tmp/ansible-$USER
host_key_checking = False
sudo_user = [your remote privileged user]
ask_sudo_pass = False
ask_pass = False
The entry remote_tmp = /tmp/ansible-$USER was to avoid messages like:
OSError: [Errno 13] Permission denied: '/etc/.ansible_tmpLyoZOOyum.conf'
fatal: [node]: FAILED! => {"changed": false, "msg": "The destination directory (/etc) is not writable by the current user. Error was: [Errno 13] Permission denied: '/etc/.ansible_tmpLyoZOOyum.conf'"}
In my case I have solved it by adding the command /bin/sh in the line of /etc/sudoers to allow executing commands without password.
This was the error shown:
BECOME password:
debian | FAILED! => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"module_stderr": "Shared connection to debian9 closed.\r\n",
"module_stdout": "\r\n",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
"rc": 1
}
Only add this:
user ALL= NOPASSWD: /usr/bin/id, /usr/bin/whoami, /bin/sh
for testing purposes I also added id and whoami.
In my case, even though password was correct, I was getting this error because playbook had "connection: local" specified. The playbook had connection type set to local as all commands were supposed to be run on localhost. After adding a new task which required delegation to remote host, the connection method was still set to local which resulted in the Missing sudo password error. The error was fixed by removing the "connection: local" in playbook.
Related
This is my code:
- name: Extract terraform into /usr/bin/
unarchive:
src: ~/terraform_0.15.4_linux_amd64.zip
dest: /usr/bin/
become: yes
I am getting this error:
"Failed to get information on remote file (/usr/bin/): sudo: a password is required\n"}
I thought by using 'become: yes', I would have sudo access.
How can I fix this?
Your error is:
sudo: a password is required
Are you providing the sudo password somewhere in order to use become: yes ? If not, then how will ansible figure out the password to escalate the privilege ?
Here are few options you may use:
Option-1: You can supply the become password using command line switch as below to prompt the password at the beginning of the playbook execution.Use this option, if you do not wish to store the become password in any of the file.
--ask-become-pass #OR
-k
Option-2: if you want to keep your solution touch-less(without prompt) you can set the following variable in your inventory. One important note, if you will be using this approach then your password will be exposed as a plain text. To prevent this, you may vault your password, but you will have to use yaml format inventory file, ini inventory does not support vaulted passwords.
ansible_sudo_pass
Option-3: Perhaps, the best solution is to tell your sudoers file to not prompt for the password for the user.This option is only possible when you do have permissions to change(either manually or via code) the sudoers file in the remote node.
visudo #run this from root user.
remote-user-name ALL=(ALL) NOPASSWD:ALL
I am trying to subsequently run a task after I am connected using ssh. I am connecting using this in my playbook
- name: connect using password # task 1; this task set/connect me as root
expect:
command: ssh -o "StrictHostKeyChecking=no" myuser#********
responses:
"password:":
-my password
-my password
delegate_to: localhost
That task is fine and I am able to see that I am connected. The problem now is that when I try to run subsequent tasks for example:
- name: copy folder # task 2 in the same playbook
copy:
src: "files/mylocalfile.txt"
dest: "etc/temp"
mode: "0777"
I have the following message:
"msg: etc/temp not writable"
How do I do to continue executing the remaining task as root that got connected in task1?
I believe this might not be an ansible question, but a linux one.
Is your user in /etc/wheel?
Ansible has the direective become, which will let you execute a task as root, if the user you are connecting with is allowed to escalate privileges. The task you want to run with privileges would be something like:
- name: copy folder # task 2 in the same playbook
become: yes
copy:
src: "files/mylocalfile.txt"
dest: "etc/temp"
mode: "0777"
you can use become_user if you need to specify the user you want to run the task as, and if you have a password for the privileged user, you can ask ansible to prompt for the password when running ansible-playbook, using --ask-become-password.
The following link offers documentation about privilege escalation in ansible:
https://docs.ansible.com/ansible/latest/user_guide/become.html
I am trying to simply run a command while logged in as a different user in the remote machine than what I initially ssh into using ansible.
on my remote machine I have:
-userA
-userB
I ssh as userA, run several tasks and want to switch to userB to run a command such as "conda list" to test that enviornment is working for userB.
Effectively what I want to do in ansible is for one task:
ssh into remote machine as userA
perform sudo su
then su userB
I tried to modify my playbook to use become_user and become. Also through extensive google searches and on stack overflow I was shown the become_method:su.
Here is my playbook
- name: verify conda install by conda list command
command: ls
become: yes
become_user: "{{user}}"
become_method: su
become_flags: "su - root -c"
register: out
tags: conda_verify
Where {{user}} is defined in defaults as userB
Here is the output of the error:
TASK [anaconda-install : verify conda install by conda list command]
FAILED! => {"changed": false, "module_stderr":
"Shared connection to 10.66.144.68 closed.\r\n", "module_stdout": "No passwd entry for user 'su'\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
Now if I remove the playbook command
become_flags: "su - root -c"
The playbook then timesout waiting for a password.
FAILED! => {"msg": "Timeout (12s) waiting for privilege escalation prompt: "}
You can use something like this :
- name: install required packages
yum:
name: maven
become: yes
become_user: userB
And when executing, make sure you are passing extra variable from command line as below :
ansible-playbook user_switch.yml --extra-vars "ansible_become_password=<Password of userB>"
Also check ansible configuration for "ask_sudo_pass" depending on your system configuration for switching with sudo.
I know this has been discussed in other questions and I have tried various options but nothing seems to be solving my issue.
I am starting to learn Ansible and trying to run a playbook. I have one role which have tasks in it. I want to run the whole playbook as user john on remote machine. Playbook begins with a copying task. Everything was working fine till I started using become and become_user. I tried running the role as user john by specifying in major playbbok :
---
- hosts: target-machine.com
roles:
- role: installSoftware
become: yes
become_user: john
Then when executing the playbook, I run the following :
ansible-playbook -s major.yml -K
which prompts me for
SUDO password:
I enter the password of user john which exists in the remote target machine. As soon as it starts running playbook, it hangs at the task which requires user as john and complains :
fatal: [target.com]: FAILED! => {"failed": true, "msg": "Failed to get information on remote file (/home/john/software.zip): MODULE FAILURE"}
I also tried the following:
---
- hosts: target-machine.com
become: yes
become_user: john
roles:
- role: installSoftware
so as to run the whole playbook as user john. It again asks me for the SUDO password and then after 5 minutes complains:
fatal: [openam.ansible-target.com]: FAILED! => {"changed": false, "failed": true, "module_stderr": "", "module_stdout": "\r\nSorry, try again .\r\n[sudo via ansible, key=kchjtpjorgnvaksspqvgwzzkgtjnxsyv] password: \r\nsudo: 1 incorrect password attempt\r\n", "msg": "MODULE FAILURE"}
although the password I have entered is correct. On SO it was suggested to increase the SSH timeout which I did in ansible.cfg file:
[ssh_connection]
ssh_args = -o ServerAliveInterval=60 -o ControlMaster=auto -o ControlPersist=1m
All I want to mirror is what I would run on target machine:
su john
Enter Password:
john$
Any help will be appreciated. Thank You.
By default, become uses sudo, not su. As a result, the password Ansible is prompting you for is the password of the user you're logged-in as, not the user you're changing to. You can change this by setting become_method to su.
If you want to always run all your tasks on that host as a different user, you probably instead want to set ansible_user. See the inventory documentation for more details on that.
I access to my host with user "admin", I can change to my applicative user : "appli" with the command :
# sudo su - app
But this task doesn't work :
- command: "/opt/local/application/do_something.sh"
become_user: appli
become_method: sudo
remote_user: admin
I got an error : "sudo: a password is required".
I could deploy ssh key to authorized_keys of appli, but I would prefer to do it with sudo.
Chained become methods are not (and probably will not be) supported- you have to use either sudo or su, not both. You can specify a become password with -K if that's the only issue...