ansible asks for sudo password but local command does not

Hi,

I am having trouble executing a command which needs sudo on the remote host. When I execute it directly on the host with sudo, it does not ask for a password, but when using Ansible it fails with "sudo: a password is required".

I don’t have root rights on the remote and I am using a jumphost. I tried all the “become” voodoo but no luck yet.

When I am directly on the target host as user john, “sudo yum install htop” works without asking for a password, so I guess NOPASSWD is set for john. I don’t even have a password. I connect via SSH key.

Ansible doesn’t do this:

```
ssh john@a-host sudo yum install htop
```

Ansible uploads a python script which is run using sudo. Something like:

```
scp tmp-script john@a-host:~/.ansible/tmp/…
ssh john@a-host sudo python ~/.ansible/tmp/…
```

So sudo NOPASSWD for yum doesn’t help.

Cheers,
Paul

Is there a reason you’re not using the yum module?

@paul
Thanks. Although I knew it works like that, it did not occur to me to ask for python permission, which I have now done.

@alexaner
same problem as it is still python which gets executed:

```
sudo -H -S -n -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-mukfdpvotlpobkadiwdhuktbihrwsnnr; LANG=en_US.utf8 LC_ALL=en_US.utf8 LC_MESSAGES=en_US.utf8 /usr/bin/python /home/john/.ansible/tmp/ansible-tmp-1474312334.89-150221606981760/setup; rm -rf "/home/john/.ansible/tmp/ansible-tmp-1474312334.89-150221606981760/" > /dev/null 2>&1'"'"'"'"'"'"'"'"' && sleep 0'"'"''
```

Ok, I said “something like”, because I didn’t have a machine to dig up the details on. But clearly you were able to do that. Look at the command. It’s sudo … /bin/sh.

So NOPASSWD: for /bin/sh. But really you should just give wildcard NOPASSWD for running ansible. There’s very little difference in NOPASSWD for /bin/sh and everything. Or input the password using --ask-become-pass.

Cheers,
Paul

Yep, NOPASSWD: for /bin/sh did it. I don’t have (or should I say “had”) root on the target server.

thanks

Mike
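The following is an added example, not code from the thread or from Ansible: it extracts the program that sudo is actually asked to run from a become command line and compares it with a user's NOPASSWD grants, flagging grants that are equivalent to full root. The sudoers lines, the shortened command (one quoting level, placeholder token and path) and all function names are assumptions, and the sudoers parsing covers only simple one-line user rules.

```python
import shlex

# Constructed sample: the become command from the thread reduced to one
# quoting level, with a placeholder token and temp path.
BECOME_CMD = ("sudo -H -S -n -u root /bin/sh -c "
              "'echo BECOME-SUCCESS-example; /usr/bin/python "
              "/home/john/.ansible/tmp/ansible-tmp-example/setup'")

# Constructed sudoers rules for user john (assumed, not shown in the thread).
SUDOERS = ("john ALL=(root) NOPASSWD: /usr/bin/yum\n"
           "john ALL=(root) NOPASSWD: /bin/sh\n")

# Subset of sudo options that consume the next argument.
SUDO_FLAGS_WITH_ARG = {"-u", "-g", "-p", "-C", "-h", "-r", "-t", "-U"}
# Programs that execute arbitrary commands: NOPASSWD on these is root-equivalent.
SHELL_LIKE = {"sh", "bash", "dash", "zsh", "ksh", "python", "python3", "perl", "ruby"}


def sudo_target(cmdline):
    """Return the program sudo is asked to run; sudoers rules match against this."""
    argv = shlex.split(cmdline)
    if not argv or argv[0] != "sudo":
        raise ValueError("not a sudo command line")
    i = 1
    while i < len(argv) and argv[i].startswith("-"):
        i += 2 if argv[i] in SUDO_FLAGS_WITH_ARG else 1
    return argv[i]


def nopasswd_commands(sudoers, user):
    """Collect command paths granted NOPASSWD to `user` (no aliases, groups, includes)."""
    cmds = []
    for line in sudoers.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "NOPASSWD:" not in line:
            continue
        if line.split()[0] != user:
            continue
        spec = line.split("NOPASSWD:", 1)[1]
        cmds += [c.split()[0] for c in spec.split(",") if c.strip()]
    return cmds


def audit(cmdline, sudoers, user):
    """Return (target, runs_without_password, root_equivalent_grants)."""
    target = sudo_target(cmdline)
    allowed = nopasswd_commands(sudoers, user)
    passwordless = "ALL" in allowed or target in allowed
    root_equiv = [c for c in allowed if c == "ALL" or c.rsplit("/", 1)[-1] in SHELL_LIKE]
    return target, passwordless, root_equiv
```

With only the yum rule, `audit` reports that `/bin/sh` would still prompt for a password; with the `/bin/sh` rule added, it runs without a password and the rule is listed as root-equivalent.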