Hi. I hope someone can help me out here. In one of my plays, I need to have
a user be able to run an ansible task which runs a command on a remote host
with sudo. On the remote host, the user is allowed to run this command with
root privs, per the sudoers rules. But it's not working, and it makes me
wonder if either I'm doing it wrong, or if ansible is failing to invoke
sudo on the remote side.
Here are the details... Thanks in advance!
Using ansible v1.8.2. My local config:
[defaults]
callback_plugins = /home/kallen/orch/ops-ansible/orchestration/callback_plugins
host_key_checking = False
forks = 50
[ssh_connection]
ssh_args = -o ForwardAgent=yes
The play:
---
- hosts: adminhost
  gather_facts: False
  tasks:
    - debug: var=ansible_ssh_user
    - name: Run remote tool with sudo
      shell: /usr/local/bin/ansible-test --cell {{ cell_shortname }}
      sudo: yes
      sudo_user: '{{ansible_ssh_user}}'
      ignore_errors: false
      register: output
    - debug: msg="remote tool failed"
      when: output|failed
    - debug: var=output
      when: debug and output|failed
Running the play:
$ ansible-playbook -i inventory/on1.ini q.yml -vvvv
PLAY [127.0.0.1]
**************************************************************
Thursday 09 April 2015 20:14:17 +0000 (0:00:00.076) 0:00:00.076
********
===============================================================================
PLAY [adminhost]
****************************************************************
Thursday 09 April 2015 20:14:17 +0000 (0:00:00.000) 0:00:00.077
********
===============================================================================
TASK: [debug var=ansible_ssh_user]
********************************************
Thursday 09 April 2015 20:14:17 +0000 (0:00:00.001) 0:00:00.079
********
<adminhost.aue1t.example.com> ESTABLISH CONNECTION FOR USER: kallen
ok: [adminhost.aue1t.example.com] => {
"ansible_ssh_user": "kallen"
}
TASK: [Run remote tool with sudo]
*********************************************
Thursday 09 April 2015 20:14:17 +0000 (0:00:00.136) 0:00:00.215
********
<adminhost.aue1t.example.com> ESTABLISH CONNECTION FOR USER: kallen
<adminhost.aue1t.example.com> REMOTE_MODULE command
/usr/local/bin/ansible-test --cell on1 #USE_SHELL
<adminhost.aue1t.example.com> EXEC ssh -C -tt -vvv -o ForwardAgent=yes -o
StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o
PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey
-o PasswordAuthentication=no -o ConnectTimeout=10
adminhost.aue1t.example.com /bin/sh -c 'mkdir -p
/tmp/ansible-tmp-1428610457.95-130794033081886 && chmod a+rx
/tmp/ansible-tmp-1428610457.95-130794033081886 && echo
/tmp/ansible-tmp-1428610457.95-130794033081886'
EXEC previous known host file not found for adminhost.aue1t.example.com
<adminhost.aue1t.example.com> PUT /tmp/tmpoNnYnm TO
/tmp/ansible-tmp-1428610457.95-130794033081886/command
<adminhost.aue1t.example.com> EXEC ssh -C -tt -vvv -o ForwardAgent=yes -o
StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o
PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey
-o PasswordAuthentication=no -o ConnectTimeout=10
adminhost.aue1t.example.com /bin/sh -c 'chmod a+r
/tmp/ansible-tmp-1428610457.95-130794033081886/command'
EXEC previous known host file not found for adminhost.aue1t.example.com
<adminhost.aue1t.example.com> EXEC ssh -C -tt -vvv -o ForwardAgent=yes -o
StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o
PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey
-o PasswordAuthentication=no -o ConnectTimeout=10
adminhost.aue1t.example.com /bin/sh -c 'LANG=en_US.UTF-8
LC_CTYPE=en_US.UTF-8 /usr/bin/python
/tmp/ansible-tmp-1428610457.95-130794033081886/command'
EXEC previous known host file not found for adminhost.aue1t.example.com
<adminhost.aue1t.example.com> EXEC ssh -C -tt -vvv -o ForwardAgent=yes -o
StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o
PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey
-o PasswordAuthentication=no -o ConnectTimeout=10
adminhost.aue1t.example.com /bin/sh -c 'rm -rf
/tmp/ansible-tmp-1428610457.95-130794033081886/ >/dev/null 2>&1'
EXEC previous known host file not found for adminhost.aue1t.example.com
failed: [adminhost.aue1t.example.com] => {"changed": true, "cmd":
"/usr/local/bin/ansible-test --cell on1", "delta": "0:00:00.035996", "end":
"2015-04-09 20:14:20.153101", "rc": 1, "start": "2015-04-09
20:14:20.117105", "warnings": []}
stdout: ERROR: tool config file not found. Exiting!
FATAL: all hosts have already failed -- aborting
PLAY RECAP
********************************************************************
Thursday 09 April 2015 20:14:20 +0000 (0:00:02.752) 0:00:02.968
********
===============================================================================
to retry, use: --limit @/home/kallen/q.retry
adminhost.aue1t.example.com : ok=1 changed=0 unreachable=0
failed=1
My user on the adminhost:
[kallen@adminhost aue1t:c ~]$ sudo -l
Matching Defaults entries for kallen on this host:
env_reset, env_keep+="APP_SERVER_ID DISPLAY GEM_HOME GEM_PATH JAVA_HOME
MY_RUBY_HOME RD_* RUBY_VERSION SSH_AUTH_SOCK SS_* TOMCAT_HOME XAUTHORITY",
!lecture, !requiretty
User kallen may run the following commands on this host:
(root) NOPASSWD: (root) /usr/local/bin/ansible-test
The config files needed on the adminhost:
[root@adminhost aue1t:c ~]# ls -ld /opt/ansible/conf
drwx------ 2 root root 4096 Jan 6 23:19 /opt/ansible/conf
[root@adminhost aue1t:c ~]# ls -ld /opt/ansible/conf/.secret
-rw------- 1 root root 9 Jan 6 22:18 /opt/ansible/conf/.secret
The ansible-test bash script:
#!/bin/bash
THIS=$(basename -- "$0")
DIR=$(dirname -- "$0")
source "$DIR/common.library.sh"
parse_options "$@"
# /opt/ansible/conf is 0700 and .secret is 0600, both owned by root, so this
# test only succeeds when the script is running as root.
if [ ! -f /opt/ansible/conf/.secret ]; then
    echo "ERROR: tool config file not found. Exiting!"; exit 1
fi
PASS=$(cat /opt/ansible/conf/.secret)
export PASS
if [ -z "$PASS" ]; then
    echo "ERROR: failed to set tool password via config file. Exiting!"
    exit 1
fi
echo "success. PASS is $PASS"
On the adminhost itself, kallen can sudo this command successfully:
[kallen@adminhost aue1t:c ~]$ sudo /usr/local/bin/ansible-test --cell on1
success. PASS is s00per5ekrit
[kallen@adminhost aue1t:c ~]$ /usr/local/bin/ansible-test --cell on1
ERROR: tool config file not found. Exiting!
But running this command via ansible is not working.
If the kallen user is changed to have more sudo privs on adminhost (can run
a shell as root),
User kallen may run the following commands on this host:
(ALL) NOPASSWD: ALL
and I remove from the ansible play:
sudo_user: '{{ansible_ssh_user}}'
Then it works because without sudo_user, the remote command is run in a
root shell:
sudo -H -S -p "[sudo via ansible snip: " -u root /bin/sh -c 'snip command
snip'
TASK: [Run remote tool with sudo]
*********************************************
Thursday 09 April 2015 20:25:38 +0000 (0:00:00.057) 0:00:00.107
********
<adminhost.aue1t.example.com> ESTABLISH CONNECTION FOR USER: kallen
<adminhost.aue1t.example.com> REMOTE_MODULE command
/usr/local/bin/ansible-test --cell on1 #USE_SHELL
<adminhost.aue1t.example.com> EXEC ssh -C -tt -vvv -o ForwardAgent=yes -o
StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o
PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey
-o PasswordAuthentication=no -o ConnectTimeout=10
adminhost.aue1t.example.com /bin/sh -c 'mkdir -p
$HOME/.ansible/tmp/ansible-tmp-1428611138.64-82111749040688 && chmod a+rx
$HOME/.ansible/tmp/ansible-tmp-1428611138.64-82111749040688 && echo
$HOME/.ansible/tmp/ansible-tmp-1428611138.64-82111749040688'
EXEC previous known host file not found for adminhost.aue1t.example.com
<adminhost.aue1t.example.com> PUT /tmp/tmp7GRbuy TO
/home/kallen/.ansible/tmp/ansible-tmp-1428611138.64-82111749040688/command
<adminhost.aue1t.example.com> EXEC ssh -C -tt -vvv -o ForwardAgent=yes -o
StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o
PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey
-o PasswordAuthentication=no -o ConnectTimeout=10
adminhost.aue1t.example.com /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via
ansible, key=pfyaibypbxwgmeypqigbfwmvcvwnnjik] password: " -u root /bin/sh
-c '"'"'echo SUDO-SUCCESS-pfyaibypbxwgmeypqigbfwmvcvwnnjik;
LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python
/home/kallen/.ansible/tmp/ansible-tmp-1428611138.64-82111749040688/command;
rm -rf /home/kallen/.ansible/tmp/ansible-tmp-1428611138.64-82111749040688/
>/dev/null 2>&1'"'"''
EXEC previous known host file not found for adminhost.aue1t.example.com
changed: [adminhost.aue1t.example.com] => {"changed": true, "cmd":
"/usr/local/bin/ansible-test --cell on1", "delta": "0:00:00.066358", "end":
"2015-04-09 20:25:40.224494", "rc": 0, "start": "2015-04-09
20:25:40.158136", "stderr": "", "stdout": "success. PASS is s00per5ekrit",
"warnings": []}
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/f90b0529-a1ec-4028-a88e-3f764ce6e2b5%40googlegroups.com.
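Editor's note on what the two -vvvv runs in the post show, followed by an added example that is not part of the post and is not Ansible or sudo code. In the second run ansible escalates by handing sudo "-u root /bin/sh -c '... /usr/bin/python .../command ...'", so the program sudo is asked to execute is /bin/sh, never /usr/local/bin/ansible-test; a sudoers entry that names only that one path cannot match such a request, which is why the task only started working once the rule became (ALL) NOPASSWD: ALL, i.e. a root shell. sudo_user names the account to become, not the account that invokes sudo; in the first run, where it was set to the login user kallen, the EXEC line contains no sudo at all, so the tool ran as kallen and could not see the root-only /opt/ansible/conf/.secret. The script below models sudo's runas-user and command matching for the two rule shapes in the post and checks the command lines from the log against them. The shortened prompt key and tmp path, and the final "sudo -n inside the task" variant, are assumptions for the example.

```shell
#!/bin/sh
# Added example: a model of sudoers matching, not code from the post, Ansible
# or sudo. It covers the two rule shapes shown in the post:
#   (root) NOPASSWD: /usr/local/bin/ansible-test  -> rule_permits root /usr/local/bin/ansible-test ...
#   (ALL)  NOPASSWD: ALL                          -> rule_permits ALL ALL ...
# sudo compares the requested runas user and the fully qualified path of the
# program it is asked to execute (argv[0]); a rule with no argument list accepts
# any arguments. Aliases, wildcards, Defaults and sudoedit are not modelled.

# sudo_target_and_argv0 SUDO_ARGS...
# Understands the sudo options ansible 1.8 emits (-k -H -S -n -p PROMPT -u USER)
# and prints "<runas user> <argv0>" for the command that follows them.
sudo_target_and_argv0() {
    runas=root                          # sudo's default target user
    while [ $# -gt 0 ]; do
        case $1 in
            -u) runas=$2; shift 2 ;;
            -p) shift 2 ;;              # prompt text, irrelevant to matching
            -H|-S|-k|-n) shift ;;
            --) shift; break ;;
            -*) echo "unmodelled sudo option: $1" >&2; return 2 ;;
            *) break ;;
        esac
    done
    printf '%s %s\n' "$runas" "$1"
}

# rule_permits RULE_RUNAS RULE_CMD SUDO_ARGS...
# Exit 0 when the rule lets the invoking user run that sudo command line.
rule_permits() {
    rule_runas=$1; rule_cmd=$2; shift 2
    parsed=$(sudo_target_and_argv0 "$@") || return 2
    want_runas=${parsed%% *}
    want_argv0=${parsed#* }
    [ "$rule_runas" = ALL ] || [ "$rule_runas" = "$want_runas" ] || return 1
    [ "$rule_cmd" = ALL ]   || [ "$rule_cmd" = "$want_argv0" ]   || return 1
}

TOOL=/usr/local/bin/ansible-test
# Constructed from the EXEC line of the second run; key and tmp dir shortened.
PROMPT='[sudo via ansible, key=k] password: '
WRAPPED='echo SUDO-SUCCESS-k; /usr/bin/python /home/kallen/.ansible/tmp/x/command'

report() {      # report LABEL RULE_RUNAS RULE_CMD SUDO_ARGS...
    label=$1; shift
    if rule_permits "$@"; then echo "ALLOW  $label"; else echo "DENY   $label"; fi
}

main() {
    # 1. What kallen typed on the adminhost: argv0 is the permitted path.
    report "interactive sudo of the tool, (root) rule" \
        root "$TOOL"  "$TOOL" --cell on1
    # 2. sudo: yes with no sudo_user: ansible asks sudo for /bin/sh, not the tool.
    report "ansible sudo: yes, (root) rule" \
        root "$TOOL"  -H -S -p "$PROMPT" -u root /bin/sh -c "$WRAPPED"
    # 3. The same command line under (ALL) NOPASSWD: ALL: allowed, as a root shell.
    report "ansible sudo: yes, (ALL) ALL rule" \
        ALL  ALL      -H -S -p "$PROMPT" -u root /bin/sh -c "$WRAPPED"
    # 4. sudo_user: kallen means -u kallen; a (root) rule can never match that.
    report "ansible sudo_user: kallen, (root) rule" \
        root "$TOOL"  -H -S -p "$PROMPT" -u kallen /bin/sh -c "$WRAPPED"
    # 5. Assumed alternative: no sudo at the ansible layer; the task's shell
    #    command is "sudo -n /usr/local/bin/ansible-test --cell on1", so the
    #    path sudo sees is the one in sudoers.
    report "task calls sudo -n itself, (root) rule" \
        root "$TOOL"  -n "$TOOL" --cell on1
}

main
```

Run it with sh; the ALLOW/DENY lines track the post's two runs. If the narrow (root) rule is to stay in place, case 5 is the shape that fits it: leave sudo: yes off the task and write the sudo call into the shell command itself, so the path sudo is asked for is the one sudoers names; sudo -n makes a missing NOPASSWD fail immediately instead of hanging on a password prompt. Separately from escalation, the tool prints the secret on stdout, and the log shows that register: output and the -vvvv output both capture it.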