Re: weird ansible + doas behaviour

Sun, 21 Jun 2020 18:14:49 -0700 



On 2020-06-21 23:55, Stuart Henderson wrote:

On 2020-06-21, Gregory Edigarov <ediga...@qarea.com> wrote:

Trying to run ansible-playbook with localhost.
Playbook:

---
- hosts: localhost
    become: true
    become_method: doas

    roles:
    - wrkstpkgs


Expected behaviour - Ansible asks for the become pass only once, then
execution of tasks require no intervention.
Observed behaviour:

run ansible-playbook:

   ansible-playbook  -K site.yml
BECOME password:
[WARNING]: provided hosts list is empty, only localhost is available.
Note that the implicit localhost does not match 'all'

PLAY [localhost]
******************************************************************************************************************************************************************************************************************************

TASK [Gathering Facts]
************************************************************************************************************************************************************************************************************************
doas (g...@lbld12.duckdns.org) password:
ok: [localhost]

TASK [wrkstpkgs : ensure vital packages are present]
******************************************************************************************************************************************************************************************
doas (g...@lbld12.duckdns.org) password:
ok: [localhost]

TASK [wrkstpkgs : ensure versioned packages are present]
**************************************************************************************************************************************************************************************
doas (g...@lbld12.duckdns.org) password:

doas.conf only contains this line:
permit persist greg

Am I missing anything? Thanks a lot in advance.

I think it's like the problem with using doas in ports.

"persist" uses the TIOCSETVERAUTH/TIOCCHKVERAUTH tty(4) ioctls which
were added specifically for doas, the authentication can't be passed
around very far:

    TIOCCHKVERAUTH void
                Check the verified auth status of this session.  The calling
                process must have the same real user ID and parent process as
                the process which called TIOCSETVERAUTH.  A zero return
                indicates success.

Chances are the second doas call does not have the same parent process.

Hello Stuart.


Yes, it's definitely  the case. But are there any workarounds? of course 
I can install sudo from packages, but I'm always willing to stick with 
the base as much as possible.  And completely preventing the  prompting 
for password using permit nopass doesn't seem to me like a good solution 
either.


--
With best regards,
     Gregory Edigarov























					Reply via email to