I have the following playbook
---
- name: myPlaybook
  hosts: "{{machine_to_setup}}"
  remote_user: "{{user_to_use}}"
  become: yes
  roles:
    # Install Gosa - part 1
    - { role: gosa, become: yes }
(I know become is duplicated.)
With the following role content:
Run with -vvvv to see what Ansible is doing:
TASK [gosa : Install EPEL Package] *********************************************
task path: /var/lib/awx/projects/_8__bitbucket_ldap/ansible/roles/gosa/tasks/main.yml:15
<192.168.20.4> ESTABLISH SSH CONNECTION FOR USER: sshUser
<192.168.20.4> SSH: ansible.cfg set ssh_args: (-o)(ControlMaster=auto)(-o)(ControlPersist=60s)
<192.168.20.4> SSH: ANSIBLE_HOST_KEY_CHECKING/host_key_checking disabled: (-o)(StrictHostKeyChecking=no)
<192.168.20.4> SSH: ANSIBLE_REMOTE_USER/remote_user/ansible_user/user/-u set: (-o)(User=sshUser)
<192.168.20.4> SSH: ANSIBLE_TIMEOUT/timeout set: (-o)(ConnectTimeout=10)
<192.168.20.4> SSH: PlayContext set ssh_common_args: ()
<192.168.20.4> SSH: PlayContext set ssh_extra_args: ()
<192.168.20.4> SSH: found only ControlPersist; added ControlPath: (-o)(ControlPath=/tmp/ansible_tower_ujAG0E/cp/ansible-ssh-%h-%p-%r)
<192.168.20.4> SSH: EXEC sshpass -d19 ssh -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o User=sshUser -o ConnectTimeout=10 -o ControlPath=/tmp/ansible_tower_ujAG0E/cp/ansible-ssh-%h-%p-%r -tt 192.168.20.4 '/bin/sh -c '"'"'( umask 22 && mkdir -p "`echo /tmp/ansible-tmp-1458673360.76-40131931109713`" && echo "`echo /tmp/ansible-tmp-1458673360.76-40131931109713`" )'"'"''
<192.168.20.4> PUT /tmp/tmp79QZ0d TO /tmp/ansible-tmp-1458673360.76-40131931109713/yum
<192.168.20.4> SSH: ansible.cfg set ssh_args: (-o)(ControlMaster=auto)(-o)(ControlPersist=60s)
<192.168.20.4> SSH: ANSIBLE_HOST_KEY_CHECKING/host_key_checking disabled: (-o)(StrictHostKeyChecking=no)
<192.168.20.4> SSH: ANSIBLE_REMOTE_USER/remote_user/ansible_user/user/-u set: (-o)(User=sshUser)
<192.168.20.4> SSH: ANSIBLE_TIMEOUT/timeout set: (-o)(ConnectTimeout=10)
<192.168.20.4> SSH: PlayContext set ssh_common_args: ()
<192.168.20.4> SSH: PlayContext set sftp_extra_args: ()
<192.168.20.4> SSH: found only ControlPersist; added ControlPath: (-o)(ControlPath=/tmp/ansible_tower_ujAG0E/cp/ansible-ssh-%h-%p-%r)
<192.168.20.4> SSH: EXEC sshpass -d19 sftp -b - -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o User=sshUser -o ConnectTimeout=10 -o ControlPath=/tmp/ansible_tower_ujAG0E/cp/ansible-ssh-%h-%p-%r '[192.168.20.4]'
<192.168.20.4> ESTABLISH SSH CONNECTION FOR USER: sshUser
<192.168.20.4> SSH: ansible.cfg set ssh_args: (-o)(ControlMaster=auto)(-o)(ControlPersist=60s)
<192.168.20.4> SSH: ANSIBLE_HOST_KEY_CHECKING/host_key_checking disabled: (-o)(StrictHostKeyChecking=no)
<192.168.20.4> SSH: ANSIBLE_REMOTE_USER/remote_user/ansible_user/user/-u set: (-o)(User=sshUser)
<192.168.20.4> SSH: ANSIBLE_TIMEOUT/timeout set: (-o)(ConnectTimeout=10)
<192.168.20.4> SSH: PlayContext set ssh_common_args: ()
<192.168.20.4> SSH: PlayContext set ssh_extra_args: ()
<192.168.20.4> SSH: found only ControlPersist; added ControlPath: (-o)(ControlPath=/tmp/ansible_tower_ujAG0E/cp/ansible-ssh-%h-%p-%r)
<192.168.20.4> SSH: EXEC sshpass -d19 ssh -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o User=sshUser -o ConnectTimeout=10 -o ControlPath=/tmp/ansible_tower_ujAG0E/cp/ansible-ssh-%h-%p-%r -tt 192.168.20.4 '/bin/sh -c '"'"'chmod a+r /tmp/ansible-tmp-1458673360.76-40131931109713/yum'"'"''
<192.168.20.4> ESTABLISH SSH CONNECTION FOR USER: sshUser
<192.168.20.4> SSH: ansible.cfg set ssh_args: (-o)(ControlMaster=auto)(-o)(ControlPersist=60s)
<192.168.20.4> SSH: ANSIBLE_HOST_KEY_CHECKING/host_key_checking disabled: (-o)(StrictHostKeyChecking=no)
<192.168.20.4> SSH: ANSIBLE_REMOTE_USER/remote_user/ansible_user/user/-u set: (-o)(User=sshUser)
<192.168.20.4> SSH: ANSIBLE_TIMEOUT/timeout set: (-o)(ConnectTimeout=10)
<192.168.20.4> SSH: PlayContext set ssh_common_args: ()
<192.168.20.4> SSH: PlayContext set ssh_extra_args: ()
<192.168.20.4> SSH: found only ControlPersist; added ControlPath: (-o)(ControlPath=/tmp/ansible_tower_ujAG0E/cp/ansible-ssh-%h-%p-%r)
<192.168.20.4> SSH: EXEC sshpass -d19 ssh -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o User=sshUser -o ConnectTimeout=10 -o ControlPath=/tmp/ansible_tower_ujAG0E/cp/ansible-ssh-%h-%p-%r -tt 192.168.20.4 '/bin/sh -c '"'"'su machineAdmin -c '"'"'"'"'"'"'"'"'/bin/sh -c '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-lfogtfnclgywxqhqkuojrrwwqbimgrad; LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 /usr/bin/python -tt /tmp/ansible-tmp-1458673360.76-40131931109713/yum'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"''"'"'"'"'"'"'"'"''"'"''
<192.168.20.4> ESTABLISH SSH CONNECTION FOR USER: sshUser
<192.168.20.4> SSH: ansible.cfg set ssh_args: (-o)(ControlMaster=auto)(-o)(ControlPersist=60s)
<192.168.20.4> SSH: ANSIBLE_HOST_KEY_CHECKING/host_key_checking disabled: (-o)(StrictHostKeyChecking=no)
<192.168.20.4> SSH: ANSIBLE_REMOTE_USER/remote_user/ansible_user/user/-u set: (-o)(User=sshUser)
<192.168.20.4> SSH: ANSIBLE_TIMEOUT/timeout set: (-o)(ConnectTimeout=10)
<192.168.20.4> SSH: PlayContext set ssh_common_args: ()
<192.168.20.4> SSH: PlayContext set ssh_extra_args: ()
<192.168.20.4> SSH: found only ControlPersist; added ControlPath: (-o)(ControlPath=/tmp/ansible_tower_ujAG0E/cp/ansible-ssh-%h-%p-%r)
<192.168.20.4> SSH: EXEC sshpass -d19 ssh -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o User=sshUser -o ConnectTimeout=10 -o ControlPath=/tmp/ansible_tower_ujAG0E/cp/ansible-ssh-%h-%p-%r -tt 192.168.20.4 '/bin/sh -c '"'"'rm -f -r /tmp/ansible-tmp-1458673360.76-40131931109713/ > /dev/null 2>&1'"'"''
fatal: [192.168.20.4]: FAILED! => {"changed": true, "failed": true, "invocation": {"module_args": {"conf_file": null, "disable_gpg_check": false, "disablerepo": null, "enablerepo": null, "exclude": null, "install_repoquery": true, "list": null, "name": ["/tmp/epel.rpm"], "state": "present", "update_cache": false, "validate_certs": true}, "module_name": "yum"}, "msg": "You need to be root to perform this command.\n", "rc": 1, "results": ["Loaded plugins: fastestmirror\n"]}
[WARNING]: Failure when attempting to use callback plugin (</usr/lib/python2.7/site-packages/awx/plugins/callback/job_event_callback.JobCallbackModule object at 0x7fe7a4496c10>): 'unicode' object has no attribute 'get'
From what I understand of 'become', it only specifies that you want to allow user escalation. It doesn't actually escalate to a super user. You'll need to use additional directives to escalate to super-user, as described here:
Directives
These can be set from play to task level, but are overridden by connection variables as they can be host specific.
become
set to 'true'/'yes' to activate privilege escalation.
become_user
set to user with desired privileges, the user you 'become', NOT the user you login as. Does NOT imply become: yes, to allow it to be set at host level.
become_method
at play or task level overrides the default method set in ansible.cfg, set to 'sudo'/'su'/'pbrun'/'pfexec'/'doas'
http://docs.ansible.com/ansible/become.html
So, try this:
- name: myPlaybook
  hosts: "{{machine_to_setup}}"
  remote_user: "{{user_to_use}}"
  become: yes
  become_user: "{{user_to_use}}"
  become_method: sudo
So in the first debug I see "su machineAdmin", which might not have access to the specific action if yum is giving you that message.
@Brandon, this is useless:
  remote_user: "{{user_to_use}}"
  become: yes
  become_user: "{{user_to_use}}"
^ that is the same as writing sudo 'myself'. The become_user is the user you TURN INTO; the remote_user is the one you login as and that TURNS INTO the become_user.
If I run the yum install as the machineAdmin user it is fine on the machine. Ansible is somehow losing the privileges?
And it's using su machineAdmin because Ansible Tower is configured so that the sshUser's privilege escalation is of type su, with credentials for machineAdmin.
(In reality both machineAdmin and sshUser are sudoers and hence can execute the command.)
Have you set up sshUser in sudoers for password-less privilege elevation?
Benjamin
If I go into visudo (CentOS) I have the following:
sshUser ALL=(ALL) NOPASSWD: ALL
machineAdmin ALL=(ALL) NOPASSWD: ALL
so yes?
I believe the issue is you are using become wrong. As per that sudoers file you can just leave the become_user: root and it will work logging in either as sshuser or machineadmin (also become_method: sudo), or just don't set them, as those are the defaults.
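The play the thread converges on, written out as an added example (it is not code from any of the posts above): escalation stays at play level, become_user is root and become_method is sudo, which is what the NOPASSWD sudoers entries quoted earlier allow. Two pre-checks are added so that a broken escalation fails with a readable message before yum runs, instead of the "You need to be root" error buried in -vvvv output. The variable names, the /tmp/epel.rpm path and the task name come from the thread; the pre-check tasks, their names and the `effective_user` variable are this example's own assumptions.

```yaml
---
# Added example, not the original poster's playbook. In the thread the
# yum task lives in roles/gosa/tasks/main.yml; it is shown inline here
# so the play is self-contained.
- name: myPlaybook (play-level escalation to root via sudo)
  hosts: "{{ machine_to_setup }}"
  remote_user: "{{ user_to_use }}"   # the user you log in as (sshUser in the thread)
  become: yes                        # allow escalation for every task in the play
  become_user: root                  # the user you turn into; root is the default, spelled out here
  become_method: sudo                # matches "sshUser ALL=(ALL) NOPASSWD: ALL" in sudoers

  pre_tasks:
    # Pre-check 1 (assumed helper task): can the login user sudo without a
    # password? Runs with become disabled; 'sudo -n' exits non-zero instead
    # of prompting when a password would be required, so the play stops here
    # with a clear task failure rather than later inside the yum module.
    - name: Verify password-less sudo for the login user
      command: sudo -n true
      become: no
      changed_when: false

    # Pre-check 2 (assumed helper task): confirm that become really resolves
    # to root. With the thread's misconfiguration (escalating to machineAdmin
    # instead of root) this is where the run would stop.
    - name: Record the effective user after become
      command: id -un
      changed_when: false
      register: effective_user

    - name: Fail early if become did not reach root
      assert:
        that:
          - effective_user.stdout == 'root'
        msg: "become resolved to '{{ effective_user.stdout }}', not root; check become_user and the connection/credential escalation settings"

  tasks:
    # The task that failed in the thread, now inheriting the play-level
    # escalation; no per-task become is needed.
    - name: Install EPEL Package
      yum:
        name: /tmp/epel.rpm
        state: present
```

Run it as `ansible-playbook site.yml -e machine_to_setup=<group> -e user_to_use=sshUser` (file name and values are placeholders). Note the line quoted from the docs above: connection variables override these play-level directives, and in Ansible Tower the credential's privilege-escalation settings are applied the same way, which is why the thread's actual fix was removing the su-to-machineAdmin escalation from the Tower credential rather than editing the play. The first pre-check can also be confirmed by hand on the host as the login user with `sudo -n true`, and `visudo -c` validates the sudoers file's syntax after edits.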
Updating the Ansible credentials to leave out the privilege escalation worked, thanks.