First some background info:

   - Using Ansible 1.9.0.1
   - All hosts are Ubuntu 14.04
   - My Ansible-fu level: novice (couple/few weeks of use)

I'm trying to cobble together a streamlined development system using 
Jenkins + Ansible.  I've made a lot of headway thus far, but am running 
into an unexpected behavior that has me stumped.

I have a host named devops-ansible and another host named devops-db.  On 
these hosts, I have user accounts for myself (ben).  Using Ansible, I 
created an account named jenkins on both machines that is a service account 
meant to run a jenkins-slave program that will communicate to a master CI 
server.  

I've got passwordless SSH (e.g. SSH certs) working between the hosts 
for both users (ben and jenkins).  Furthermore, there is an entry 
in /etc/sudoers for the jenkins group to be able to use passwordless sudo 
for all commands on both hosts:

   - i.e.: 
   %jenkins ALL = NOPASSWD: ALL
   
   
Where I first ran into this problem was installing a Postgres database on 
devops-db via a playbook executed by jenkins on devops-ansible.  When the 
playbook runs, it can connect to devops-db just fine and used the apt 
module to install Postgres without issue by setting sudo to yes in the task 
(but I don't have to run the play with --ask-sudo-pass).

However, I'm at that point where I need to add database users as the user 
postgres, which was created by virtue of installing the database.  I've 
tried every combination of sudo/sudo_user and 
become/become_user/become_method that I can think of and consistently run 
into the following errors:

   - The majority of the time, I observe: "Missing become password" on 
   stdout of devops-ansible
   - If I change become_method to su, then it appears to hang (presumably 
   waiting for password input?) and I have to kill it via CTRL+C

To illustrate the behavior, I created a series of simple "whoami" tasks as 
follows:

- name: Normal Task
  command: /usr/bin/whoami
  register: n_task


- debug: var=n_task


- name: Sudo Task
  command: /usr/bin/whoami
  sudo: yes
  register: s_task


- debug: var=s_task


- name: Privilege Escalation Task
  command: /usr/bin/whoami
  become: yes
  become_user: "{{postgresql_admin_user}}"
  become_method: sudo
  register: pe_task


- debug: var=pe_task

Note: the variable postgresql_admin_user resolves to postgres

Below is the stdout as observed when run as jenkins on devops-ansible

TASK: [anxs-postgresql | Normal Task] 
*****************************************
<devops-db> ESTABLISH CONNECTION FOR USER: jenkins
<devops-db> REMOTE_MODULE command /usr/bin/whoami
<devops-db> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s 
-o ControlPath="/var/lib/jenkins/.ansible/cp/%h-%r" -o 
KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,
gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 
ConnectTimeout=10 devops-db /bin/sh -c 'mkdir -p 
$HOME/.ansible/tmp/ansible-tmp-1430932819.87-66566461752335 && chmod a+rx 
$HOME/.ansible/tmp/ansible-tmp-1430932819.87-66566461752335 && echo 
$HOME/.ansible/tmp/ansible-tmp-1430932819.87-66566461752335'
<devops-db> PUT /tmp/tmphNhLih TO /var/lib/jenkins/.ansible/tmp/ansible-tmp-
1430932819.87-66566461752335/command
<devops-db> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s 
-o ControlPath="/var/lib/jenkins/.ansible/cp/%h-%r" -o 
KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,
gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 
ConnectTimeout=10 devops-db /bin/sh -c 'LANG=C LC_CTYPE=C /usr/bin/python 
/var/lib/jenkins/.ansible/tmp/ansible-tmp-1430932819.87-66566461752335/command; 
rm -rf 
/var/lib/jenkins/.ansible/tmp/ansible-tmp-1430932819.87-66566461752335/ 
>/dev/null 2>&1'
changed: [devops-db] => {"changed": true, "cmd": ["/usr/bin/whoami"], 
"delta": "0:00:00.003596", "end": "2015-05-06 12:20:20.489499", "rc": 0, 
"start": "2015-05-06 12:20:20.485903", "stderr": "", "stdout": "jenkins", 
"warnings": []}


TASK: [anxs-postgresql | debug var=n_task] 
************************************
<devops-db> ESTABLISH CONNECTION FOR USER: jenkins
ok: [devops-db] => {
    "var": {
        "n_task": {
            "changed": true,
            "cmd": [
                "/usr/bin/whoami"
            ],
            "delta": "0:00:00.003596",
            "end": "2015-05-06 12:20:20.489499",
            "invocation": {
                "module_args": "/usr/bin/whoami",
                "module_name": "command"
            },
            "rc": 0,
            "start": "2015-05-06 12:20:20.485903",
            "stderr": "",
            "stdout": "jenkins",
            "stdout_lines": [
                "jenkins"
            ],
            "warnings": []
        }
    }
}


TASK: [anxs-postgresql | Sudo Task] 
*******************************************
<devops-db> ESTABLISH CONNECTION FOR USER: jenkins
<devops-db> REMOTE_MODULE command /usr/bin/whoami
<devops-db> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s 
-o ControlPath="/var/lib/jenkins/.ansible/cp/%h-%r" -o 
KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,
gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 
ConnectTimeout=10 devops-db /bin/sh -c 'mkdir -p 
$HOME/.ansible/tmp/ansible-tmp-1430932820.05-171310724077328 && chmod a+rx 
$HOME/.ansible/tmp/ansible-tmp-1430932820.05-171310724077328 && echo 
$HOME/.ansible/tmp/ansible-tmp-1430932820.05-171310724077328'
<devops-db> PUT /tmp/tmpfRaznB TO /var/lib/jenkins/.ansible/tmp/ansible-tmp-
1430932820.05-171310724077328/command
<devops-db> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s 
-o ControlPath="/var/lib/jenkins/.ansible/cp/%h-%r" -o 
KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,
gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 
ConnectTimeout=10 devops-db /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via 
ansible, key=pozuyfielrfgovoplpbakzjuflxuzboo] password: " -u root /bin/sh 
-c '"'"'echo BECOME-SUCCESS-pozuyfielrfgovoplpbakzjuflxuzboo; LANG=C 
LC_CTYPE=C /usr/bin/python 
/var/lib/jenkins/.ansible/tmp/ansible-tmp-1430932820.05-171310724077328/command;
 
rm -rf 
/var/lib/jenkins/.ansible/tmp/ansible-tmp-1430932820.05-171310724077328/ 
>/dev/null 2>&1'"'"''
changed: [devops-db] => {"changed": true, "cmd": ["/usr/bin/whoami"], 
"delta": "0:00:00.010214", "end": "2015-05-06 12:20:20.832838", "rc": 0, 
"start": "2015-05-06 12:20:20.822624", "stderr": "", "stdout": "root", 
"warnings": []}


TASK: [anxs-postgresql | debug var=s_task] 
************************************
<devops-db> ESTABLISH CONNECTION FOR USER: jenkins
ok: [devops-db] => {
    "var": {
        "s_task": {
            "changed": true,
            "cmd": [
                "/usr/bin/whoami"
            ],
            "delta": "0:00:00.010214",
            "end": "2015-05-06 12:20:20.832838",
            "invocation": {
                "module_args": "/usr/bin/whoami",
                "module_name": "command"
            },
            "rc": 0,
            "start": "2015-05-06 12:20:20.822624",
            "stderr": "",
            "stdout": "root",
            "stdout_lines": [
                "root"
            ],
            "warnings": []
        }
    }
}


TASK: [anxs-postgresql | Privilege Escalation Task] 
***************************
<devops-db> ESTABLISH CONNECTION FOR USER: jenkins
<devops-db> REMOTE_MODULE command /usr/bin/whoami
<devops-db> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s 
-o ControlPath="/var/lib/jenkins/.ansible/cp/%h-%r" -o 
KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,
gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 
ConnectTimeout=10 devops-db /bin/sh -c 'mkdir -p 
/tmp/ansible-tmp-1430932820.42-42861004344608 && chmod a+rx 
/tmp/ansible-tmp-1430932820.42-42861004344608 && echo 
/tmp/ansible-tmp-1430932820.42-42861004344608'
<devops-db> PUT /tmp/tmptC6NoD TO /tmp/ansible-tmp-1430932820.42-
42861004344608/command
<devops-db> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s 
-o ControlPath="/var/lib/jenkins/.ansible/cp/%h-%r" -o 
KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,
gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 
ConnectTimeout=10 devops-db /bin/sh -c 'chmod a+r 
/tmp/ansible-tmp-1430932820.42-42861004344608/command'
<devops-db> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s 
-o ControlPath="/var/lib/jenkins/.ansible/cp/%h-%r" -o 
KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,
gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 
ConnectTimeout=10 devops-db /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via 
ansible, key=jbwdiylloxvtejdifemgantwsahulmsr] password: " -u postgres 
/bin/sh -c '"'"'echo BECOME-SUCCESS-jbwdiylloxvtejdifemgantwsahulmsr; 
LANG=C LC_CTYPE=C /usr/bin/python 
/tmp/ansible-tmp-1430932820.42-42861004344608/command'"'"''
fatal: [devops-db] => Missing become password


FATAL: all hosts have already failed -- aborting

The SSH session below should illustrate that, at the OS level, my users are 
good to go privilege-wise:

ben@devops-ansible:~/Development/ansible-playbooks/BenDevEnv$ sudo su - 
jenkins
[sudo] password for ben:
jenkins@devops-ansible:~$ ssh devops-db
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-49-generic i686)


 * Documentation:  https://help.ubuntu.com/


63 packages can be updated.
55 updates are security updates.


Last login: Wed May  6 12:20:20 2015 from laptop
jenkins@devops-db:~$ sudo su postgres
postgres@devops-db:/var/lib/jenkins$



Any advice?

v/r

Ben
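
Added example, not part of the original post: sudoers(5) treats a rule with no Runas_Spec as valid for root only, which bears on the `%jenkins ALL = NOPASSWD: ALL` entry and the `sudo ... -u postgres` command in the output above. The Python sketch below uses hypothetical helper names and a simplified grammar (one single-line user specification, no aliases, no per-command run-as lists) to check which target users a rule covers without a password; the second and third rule strings are constructed for comparison.

```python
import re

# Simplified sudoers user spec: WHO HOSTS = [(RUNAS)] [TAG:]... COMMANDS
SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

RULE_FROM_POST = "%jenkins ALL = NOPASSWD: ALL"               # as quoted in the post
RULE_SCOPED = "%jenkins ALL = (postgres) NOPASSWD: ALL"       # constructed
RULE_PASSWORD = "%jenkins ALL = (ALL:ALL) ALL"                # constructed


def parse_spec(line):
    """Parse one simplified user specification into a dict."""
    m = SPEC.match(line.strip())
    if m is None:
        raise ValueError("not a user specification: %r" % line)
    runas = m.group("runas")
    if runas is None:
        # sudoers(5): with no Runas_Spec the command may be run as root only.
        users = ["root"]
    else:
        # Text before ':' is the run-as user list; after it, the group list.
        users = [u.strip() for u in runas.split(":")[0].split(",") if u.strip()]
    tags = re.findall(r"[A-Z_]+", m.group("tags"))
    return {
        "who": m.group("who"),
        "runas_users": users,
        "nopasswd": "NOPASSWD" in tags,
        "cmds": [c.strip() for c in m.group("cmds").split(",")],
    }


def passwordless_as(line, target_user):
    """True if the rule lets `sudo -u target_user` run with no password prompt."""
    spec = parse_spec(line)
    allowed = "ALL" in spec["runas_users"] or target_user in spec["runas_users"]
    return allowed and spec["nopasswd"]


if __name__ == "__main__":
    for rule in (RULE_FROM_POST, RULE_SCOPED, RULE_PASSWORD):
        for user in ("root", "postgres"):
            print("%-45s -u %-8s passwordless=%s"
                  % (rule, user, passwordless_as(rule, user)))
```

On a real host, `sudo -l -U jenkins` lists the run-as users sudo itself resolves for the account, and a rule scoped to `(postgres)` grants less than `(ALL)` when only database administration is needed.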
