So I may have solved my own problem.  I'll go ahead and post my results 
here for completeness' sake.

I found a nice role definition for postgres on GitHub that I'm adapting for 
my own use (this is one of the things I love about Ansible).

One of the tasks in the role looked like this originally:

- name: PostgreSQL | Make sure the PostgreSQL users are present
  postgresql_user:
    name: "{{item.name}}"
    password: "{{item.pass | default('pass')}}"
    port: "{{postgresql_port}}"
    state: present
    login_user: "{{postgresql_admin_user}}"
  sudo: yes
  sudo_user: "{{postgresql_admin_user}}"
  with_items: postgresql_users
  when: postgresql_users|length > 0

This (and a series of tasks that attempted privilege escalation for the 
postgresql_user module) would throw the "Missing become password" error.

I changed the above task by substituting sudo syntax with become syntax in 
hopes I could try different become_method options to no avail.  As it turns 
out, I've removed both the sudo and become constructs from this task and it 
executed fine.

But, I don't know why it executed fine.

v/r

Ben

On Wednesday, May 6, 2015 at 1:09:56 PM UTC-5, Ben Watson wrote:
>
> First some background info:
>
>
>    - Using Ansible 1.9.0.1
>    - All hosts are Ubuntu 14.04
>    - My Ansible-fu level: novice (couple/few weeks of use)
>
> I'm trying to cobble together a streamlined development system using 
> Jenkins + Ansible.  I've made a lot of headway thus far, but am running 
> into an unexpected behavior that has me stumped.
>
> I have a host named devops-ansible and another host named devops-db.  On 
> these hosts, I have user accounts for myself (ben).  Using Ansible, I 
> created an account named jenkins on both machines that is a service account 
> meant to run a jenkins-slave program that will communicate to a master CI 
> server.  
>
> I've got passwordless SSH (e.g. SSH certs) between the hosts 
> working for both users (ben and jenkins).  Furthermore, there is an entry 
> in /etc/sudoers for the jenkins group to be able to use passwordless sudo 
> for all commands on both hosts:
>
>    - i.e.: 
>    %jenkins ALL = NOPASSWD: ALL
>    
>    
> Where I first ran into this problem was installing a Postgres database on 
> devops-db via a playbook executed by jenkins on devops-ansible.  When the 
> playbook runs, it can connect to devops-db just fine and used the apt 
> module to install Postgres without issue by setting sudo to yes in the task 
> (but I don't have to run the play with --ask-sudo-pass).
>
> However, I'm at that point where I need to add database users as the user 
> postgres, which was created by virtue of installing the database.  I've 
> tried every combination of sudo/sudo_user and 
> become/become_user/become_method that I can think of and consistently run 
> into the following errors:
>
>    - The majority of the time, I observe: "Missing become password" on 
>    stdout of devops-ansible
>    - If I change become_method to su, then it appears to hang (presumably 
>    waiting for password input?) and I have to kill it via CTRL+C
>
> To illustrate the behavior, I created a series of simple "whoami" tasks as 
> follows:
>
> - name: Normal Task
>   command: /usr/bin/whoami
>   register: n_task
>
>
> - debug: var=n_task
>
>
> - name: Sudo Task
>   command: /usr/bin/whoami
>   sudo: yes
>   register: s_task
>
>
> - debug: var=s_task
>
>
> - name: Privilege Escalation Task
>   command: /usr/bin/whoami
>   become: yes
>   become_user: "{{postgresql_admin_user}}"
>   become_method: sudo
>   register: pe_task
>
>
> - debug: var=pe_task
>
> Note: the variable postgresql_admin_user resolves to postgres
>
> Below is the stdout as observed when run as jenkins on devops-ansible
>
> TASK: [anxs-postgresql | Normal Task] 
> *****************************************
> <devops-db> ESTABLISH CONNECTION FOR USER: jenkins
> <devops-db> REMOTE_MODULE command /usr/bin/whoami
> <devops-db> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=
> 60s -o ControlPath="/var/lib/jenkins/.ansible/cp/%h-%r" -o 
> KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-
> mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 
> ConnectTimeout=10 devops-db /bin/sh -c 'mkdir -p 
> $HOME/.ansible/tmp/ansible-tmp-1430932819.87-66566461752335 && chmod a+rx 
> $HOME/.ansible/tmp/ansible-tmp-1430932819.87-66566461752335 && echo 
> $HOME/.ansible/tmp/ansible-tmp-1430932819.87-66566461752335'
> <devops-db> PUT /tmp/tmphNhLih TO /var/lib/jenkins/.ansible/tmp/ansible-
> tmp-1430932819.87-66566461752335/command
> <devops-db> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=
> 60s -o ControlPath="/var/lib/jenkins/.ansible/cp/%h-%r" -o 
> KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-
> mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 
> ConnectTimeout=10 devops-db /bin/sh -c 'LANG=C LC_CTYPE=C /usr/bin/python 
> /var/lib/jenkins/.ansible/tmp/ansible-tmp-1430932819.87-66566461752335/command;
>  
> rm -rf 
> /var/lib/jenkins/.ansible/tmp/ansible-tmp-1430932819.87-66566461752335/ 
> >/dev/null 2>&1'
> changed: [devops-db] => {"changed": true, "cmd": ["/usr/bin/whoami"], 
> "delta": "0:00:00.003596", "end": "2015-05-06 12:20:20.489499", "rc": 0, 
> "start": "2015-05-06 12:20:20.485903", "stderr": "", "stdout": "jenkins", 
> "warnings": []}
>
>
> TASK: [anxs-postgresql | debug var=n_task] 
> ************************************
> <devops-db> ESTABLISH CONNECTION FOR USER: jenkins
> ok: [devops-db] => {
>     "var": {
>         "n_task": {
>             "changed": true,
>             "cmd": [
>                 "/usr/bin/whoami"
>             ],
>             "delta": "0:00:00.003596",
>             "end": "2015-05-06 12:20:20.489499",
>             "invocation": {
>                 "module_args": "/usr/bin/whoami",
>                 "module_name": "command"
>             },
>             "rc": 0,
>             "start": "2015-05-06 12:20:20.485903",
>             "stderr": "",
>             "stdout": "jenkins",
>             "stdout_lines": [
>                 "jenkins"
>             ],
>             "warnings": []
>         }
>     }
> }
>
>
> TASK: [anxs-postgresql | Sudo Task] 
> *******************************************
> <devops-db> ESTABLISH CONNECTION FOR USER: jenkins
> <devops-db> REMOTE_MODULE command /usr/bin/whoami
> <devops-db> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=
> 60s -o ControlPath="/var/lib/jenkins/.ansible/cp/%h-%r" -o 
> KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-
> mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 
> ConnectTimeout=10 devops-db /bin/sh -c 'mkdir -p 
> $HOME/.ansible/tmp/ansible-tmp-1430932820.05-171310724077328 && chmod a+rx 
> $HOME/.ansible/tmp/ansible-tmp-1430932820.05-171310724077328 && echo 
> $HOME/.ansible/tmp/ansible-tmp-1430932820.05-171310724077328'
> <devops-db> PUT /tmp/tmpfRaznB TO /var/lib/jenkins/.ansible/tmp/ansible-
> tmp-1430932820.05-171310724077328/command
> <devops-db> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=
> 60s -o ControlPath="/var/lib/jenkins/.ansible/cp/%h-%r" -o 
> KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-
> mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 
> ConnectTimeout=10 devops-db /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo 
> via ansible, key=pozuyfielrfgovoplpbakzjuflxuzboo] password: " -u root 
> /bin/sh -c '"'"'echo BECOME-SUCCESS-pozuyfielrfgovoplpbakzjuflxuzboo; 
> LANG=C LC_CTYPE=C /usr/bin/python 
> /var/lib/jenkins/.ansible/tmp/ansible-tmp-1430932820.05-171310724077328/command;
>  
> rm -rf 
> /var/lib/jenkins/.ansible/tmp/ansible-tmp-1430932820.05-171310724077328/ 
> >/dev/null 2>&1'"'"''
> changed: [devops-db] => {"changed": true, "cmd": ["/usr/bin/whoami"], 
> "delta": "0:00:00.010214", "end": "2015-05-06 12:20:20.832838", "rc": 0, 
> "start": "2015-05-06 12:20:20.822624", "stderr": "", "stdout": "root", 
> "warnings": []}
>
>
> TASK: [anxs-postgresql | debug var=s_task] 
> ************************************
> <devops-db> ESTABLISH CONNECTION FOR USER: jenkins
> ok: [devops-db] => {
>     "var": {
>         "s_task": {
>             "changed": true,
>             "cmd": [
>                 "/usr/bin/whoami"
>             ],
>             "delta": "0:00:00.010214",
>             "end": "2015-05-06 12:20:20.832838",
>             "invocation": {
>                 "module_args": "/usr/bin/whoami",
>                 "module_name": "command"
>             },
>             "rc": 0,
>             "start": "2015-05-06 12:20:20.822624",
>             "stderr": "",
>             "stdout": "root",
>             "stdout_lines": [
>                 "root"
>             ],
>             "warnings": []
>         }
>     }
> }
>
>
> TASK: [anxs-postgresql | Privilege Escalation Task] 
> ***************************
> <devops-db> ESTABLISH CONNECTION FOR USER: jenkins
> <devops-db> REMOTE_MODULE command /usr/bin/whoami
> <devops-db> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=
> 60s -o ControlPath="/var/lib/jenkins/.ansible/cp/%h-%r" -o 
> KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-
> mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 
> ConnectTimeout=10 devops-db /bin/sh -c 'mkdir -p 
> /tmp/ansible-tmp-1430932820.42-42861004344608 && chmod a+rx 
> /tmp/ansible-tmp-1430932820.42-42861004344608 && echo 
> /tmp/ansible-tmp-1430932820.42-42861004344608'
> <devops-db> PUT /tmp/tmptC6NoD TO /tmp/ansible-tmp-1430932820.42-
> 42861004344608/command
> <devops-db> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=
> 60s -o ControlPath="/var/lib/jenkins/.ansible/cp/%h-%r" -o 
> KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-
> mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 
> ConnectTimeout=10 devops-db /bin/sh -c 'chmod a+r 
> /tmp/ansible-tmp-1430932820.42-42861004344608/command'
> <devops-db> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=
> 60s -o ControlPath="/var/lib/jenkins/.ansible/cp/%h-%r" -o 
> KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-
> mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 
> ConnectTimeout=10 devops-db /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo 
> via ansible, key=jbwdiylloxvtejdifemgantwsahulmsr] password: " -u postgres 
> /bin/sh -c '"'"'echo BECOME-SUCCESS-jbwdiylloxvtejdifemgantwsahulmsr; 
> LANG=C LC_CTYPE=C /usr/bin/python 
> /tmp/ansible-tmp-1430932820.42-42861004344608/command'"'"''
> fatal: [devops-db] => Missing become password
>
>
> FATAL: all hosts have already failed -- aborting
>
> The SSH session below should illustrate that, at the OS level, my users 
> are good to go privilege-wise:
>
> ben@devops-ansible:~/Development/ansible-playbooks/BenDevEnv$ sudo su - 
> jenkins
> [sudo] password for ben:
> jenkins@devops-ansible:~$ ssh devops-db
> Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 3.13.0-49-generic i686)
>
>
>  * Documentation:  https://help.ubuntu.com/
>
>
> 63 packages can be updated.
> 55 updates are security updates.
>
>
> Last login: Wed May  6 12:20:20 2015 from laptop
> jenkins@devops-db:~$ sudo su postgres
> postgres@devops-db:/var/lib/jenkins$
>
>
>
> Any advice?
>
> v/r
>
> Ben
>
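
Added example, not part of the original message or of the role it adapts: per sudoers(5), a rule with no Runas spec lets commands run as root only, so the Python below checks each `sudo -u` target seen in the verbose log against a sudoers rule. The function names and the scoped rule are assumptions made for illustration, and only plain user names and ALL in the Runas list are handled.

```python
import re

# Simplified sudoers user spec: WHO HOSTS = [(RUNAS[:GROUPS])] [TAG:]... COMMANDS
# Aliases, negation (!user) and %group Runas entries are not handled here.
SPEC = re.compile(
    r"^\s*(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^):]*)(?::[^)]*)?\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+?)\s*$"
)
BECOME_TARGET = re.compile(r"\bsudo\b.*?\s-u\s+(\S+)")


def runas_coverage(rule, target):
    """Classify how one sudoers rule treats `sudo -u target`."""
    m = SPEC.match(rule)
    if m is None:
        raise ValueError("unsupported sudoers line: %r" % rule)
    runas = m.group("runas")
    # sudoers(5): without a Runas_Spec, commands may be run as root only.
    users = ["root"] if runas is None else [u.strip() for u in runas.split(",") if u.strip()]
    if target not in users and "ALL" not in users:
        return "not covered"
    tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
    return "no password" if "NOPASSWD" in tags else "password required"


def become_targets(log_lines):
    """Pull the user passed to `sudo -u` out of Ansible verbose EXEC lines."""
    return [m.group(1) for m in map(BECOME_TARGET.search, log_lines) if m]


# Constructed sample: the two sudo invocations from the log above, shortened.
SAMPLE_LOG = [
    "<devops-db> EXEC ssh ... 'sudo -k && sudo -H -S -p \"[sudo via ansible, key=<key>] password: \" -u root /bin/sh -c ...'",
    "<devops-db> EXEC ssh ... 'sudo -k && sudo -H -S -p \"[sudo via ansible, key=<key>] password: \" -u postgres /bin/sh -c ...'",
]
PAGE_RULE = "%jenkins ALL = NOPASSWD: ALL"  # the rule quoted in the post
# Hypothetical narrower rule (not from the post): postgres as the only target user.
SCOPED_RULE = "%jenkins ALL = (postgres) NOPASSWD: ALL"

if __name__ == "__main__":
    for user in become_targets(SAMPLE_LOG):
        for rule in (PAGE_RULE, SCOPED_RULE):
            print("%-9s %-42s -> %s" % (user, rule, runas_coverage(rule, user)))
```

The rule quoted in the post covers the `-u root` call but not the `-u postgres` one; the scoped rule covers postgres without granting root.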
