ansible now supports su as an alternative to sudo

Thanks to Paul for this one!

Basic usage is similar to sudo …

- hosts: el6.lab.net
  gather_facts: False
  su: yes
  su_user: root
  tasks:
    - shell: whoami

or pass as command line parameters …

ansible-playbook --su --su-user=root --ask-su-pass -i inventory site.yml

just curious, can sudo and su be used simultaneously?

Is that suception?

This doesn’t work with the git module. If I use sudo: true and sudo_user: {{item.owner}}, then the git module does the correct thing. However, if I do su: true and su_user: {{item.owner}}, then the git module continues to run as root (I am connecting remotely as root for my playbook).

I haven’t tested this on other modules.

Please show the -vvvv output from ansible-playbook and file a bug on github.

I’m looking at this as well, and believe that I may have identified and fixed the issue. I’m going to talk it over with Paul (angstwad) for validation and testing.

The following playbook doesn't do what I think it should. The su on the task stays as root.

I was asked to file a bug; I could still do so. But if you think you have a handle on it, then it might just be better to paste this here.

cmd: ansible-playbook -i hosts.txt su-for-task-broken.yml -vvvv

== hosts.txt
localhost ansible_ssh_pass=xxxxxxxx current_user=adam
== su-for-task-broken.yml
- hosts: localhost
  remote_user: root
  tasks:
    - name: sudo test
      sudo: true
      sudo_user: "{{ current_user }}"
      shell: whoami
      register: sudo_test_result

    - name: su test
      su: true
      su_user: "{{ current_user }}"
      shell: whoami
      register: su_test_result

    - name: debug
      debug: var=sudo_test_result

    - name: debug su
      debug: var=su_test_result

    - name: sudo test check
      fail: msg="sudo didn't change to the correct user"
      when: sudo_test_result.stdout != current_user

    - name: su test check
      fail: msg="su didn't change to the correct user"
      # compare the su result here, not the sudo result, or this check can never fire
      when: su_test_result.stdout != current_user

Adam,

See the pull request that was just submitted: https://github.com/ansible/ansible/pull/5751

That should resolve your issue. If you are up to testing it, please do so and let us know if it resolves your issue.

Hi Adam,

Thanks for reporting this. I submitted a PR this morning based on your issue.

https://github.com/ansible/ansible/pull/5751

Yup, see it, installed it, tried it, commented.

Thanks for this feature, I absolutely need it. I do seem to have an issue using it.

I am using ansible 1.6 (devel eb090ad4a2) on RHEL 6. When I use su with the copy module I get a permission denied error.
I use a remote user to login to the server then su to another account. This is required in my environment. The remote user has no home directory so I have remote_tmp set in my ansible.cfg to /tmp/.ansible/tmp. It appears that the su user doesn’t have permission to .ansible/tmp created by the remote user. I saw this issue that is similar, but I could not find anything specifically for su.
Should I file a bug for this?

ansible command line: ansible-playbook upgrade.yml -i hosts.yml -u remoteuser -k -S -R a_user --ask-su-pass

Output:

fatal: [hostname] => failed to parse:
SUDO-SUCCESS-ulnzuflbdcdwddmombacdjeerhjdfgoy
{"msg": "Could not replace file: /tmp/.ansible/tmp/ansible-tmp-1398820873.22-273887835083885/source to /opt/local-data/apphome/caches/remove_me.txt: [Errno 13] Permission denied: '/tmp/.ansible/tmp/ansible-tmp-1398820873.22-273887835083885/source'", "failed": true}
Exception OSError: (2, 'No such file or directory', '/opt/local-data/apphome/caches/.ansible_tmpzRLO88remove_me.txt') in <bound method _TemporaryFileWrapper.__del__ of <closed file '<fdopen>', mode 'w+b' at 0x7fd090bbbdb0>> ignored

fatal: [vsin3u544.svr.us.jpmchase.net] => failed to parse:
SUDO-SUCCESS-ulnzuflbdcdwddmombacdjeerhjdfgoy
{"msg": "Could not replace file: /tmp/.ansible/tmp/ansible-tmp-1398820873.22-273887835083885/source to /opt/adtools-local-data/jira8/jira_home/caches/remove_me.txt: [Errno 13] Permission denied: '/tmp/.ansible/tmp/ansible-tmp-1398820873.22-273887835083885/source'", "failed": true}
Exception OSError: (2, 'No such file or directory', '/opt/adtools-local-data/jira8/jira_home/caches/.ansible_tmpzRLO88remove_me.txt') in <bound method _TemporaryFileWrapper.__del__ of <closed file '<fdopen>', mode 'w+b' at 0x7fd090bbbdb0>> ignored

Hi George,

Since I’m responsible for this feature, its edge cases, and bugs :frowning: I’ll see what I can do to replicate your issue. I may or may not be able to get to it before the weekend but I’ll follow up.

I thought I tested for this scenario but I may have missed it.

Thanks for any help you can give. Let me know if you need any more info. I also see it happening in the template module:

{"msg": "Could not replace file: /tmp/.ansible/tmp/ansible-tmp-1398978322.77-92955034866020/source to /opt/adtools-local-data/jira8/atlassian-jira-6.2.3-standalone/conf/server.xml: [Errno 13] Permission denied: '/tmp/.ansible/tmp/ansible-tmp-1398978322.77-92955034866020/source'", "failed": true}
Exception OSError: (2, 'No such file or directory', '/opt/adtools-local-data/jira8/atlassian-jira-6.2.3-standalone/conf/.ansible_tmpf2zuKKserver.xml') in <bound method _TemporaryFileWrapper.__del__ of <closed file '<fdopen>', mode 'w+b' at 0x7f5225a3ad20>> ignored
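The Errno 13 reported above for both copy and template has the same shape each time: a file staged under /tmp/.ansible/tmp/ansible-tmp-*/source by the connecting user, then opened by a different uid after su. A bare EACCES does not say which path component refused, so the script below walks the path with the ordinary POSIX owner/group/other bits and names the first directory the target uid cannot traverse or the file it cannot read. This is an added example, not code from this thread or from Ansible; the staging directory, the file and the su target uid (65534) are constructed inside it, and the relaxation it applies at the end (0755 on the staging directory, 0644 on the staged file) is an assumption about a remedy, not the change posted on ansible-devel. POSIX ACLs and LSM policy are not modelled.

```python
import os
import stat
import tempfile

# Mode bits for (owner, group, other), per operation.
_BITS = {
    "r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "w": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
    "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}


def mode_allows(st, uid, gids, op):
    """Classic POSIX DAC check of `op` ('r', 'w' or 'x') for an identity.

    Only owner/group/other bits are consulted; ACLs and LSMs are not modelled.
    uid 0 is treated the way the kernel treats CAP_DAC_OVERRIDE: read/write
    always allowed, execute/traverse allowed if any x bit is set.
    """
    owner_bit, group_bit, other_bit = _BITS[op]
    mode = st.st_mode
    if uid == 0:
        return op != "x" or bool(mode & (owner_bit | group_bit | other_bit))
    if st.st_uid == uid:
        return bool(mode & owner_bit)
    if st.st_gid in gids:
        return bool(mode & group_bit)
    return bool(mode & other_bit)


def explain_access(path, uid, gids, op="r", start=os.sep):
    """Return (ok, reason) for `uid` doing `op` on `path`.

    Every directory between `start` and `path` needs traverse (x) permission,
    so the walk names the first component that denies access, which a bare
    EACCES from the kernel does not tell you.  `start` itself is assumed to
    be reachable by the caller.
    """
    path = os.path.abspath(path)
    start = os.path.abspath(start)
    parts = [p for p in os.path.relpath(path, start).split(os.sep) if p not in ("", ".")]
    current = start
    for part in parts:
        st = os.stat(current)
        if not mode_allows(st, uid, gids, "x"):
            return False, "%s: no traverse (x) permission for uid %d (mode %04o, owner uid %d)" % (
                current, uid, stat.S_IMODE(st.st_mode), st.st_uid)
        current = os.path.join(current, part)
    st = os.stat(current)
    if not mode_allows(st, uid, gids, op):
        return False, "%s: no %s permission for uid %d (mode %04o, owner uid %d)" % (
            current, op, uid, stat.S_IMODE(st.st_mode), st.st_uid)
    return True, "%s: %s permitted for uid %d" % (current, op, uid)


def demo_staged_file():
    """Constructed reproduction of the failure's shape.

    The connecting user stages ansible-tmp-<id>/source as 0700/0600, then a
    different non-root uid (the su target) tries to read it.  The staging
    directory and the uid 65534 are made up here.
    """
    me = os.getuid()
    su_target = 65534 if me != 65534 else 65533   # assumed: any uid that is not ours
    base = tempfile.mkdtemp(prefix="ansible-tmp-")
    os.chmod(base, 0o700)
    source = os.path.join(base, "source")
    with open(source, "w") as fh:
        fh.write("remove me\n")
    os.chmod(source, 0o600)
    try:
        result = {
            "connecting_user": explain_access(source, me, {os.getgid()}, "r", start=base),
            "su_target_before": explain_access(source, su_target, set(), "r", start=base),
        }
        # Assumed remedy, not the fix from the ansible-devel thread: let the
        # su target traverse the staging dir and read the staged file.
        os.chmod(base, 0o755)
        os.chmod(source, 0o644)
        result["su_target_after"] = explain_access(source, su_target, set(), "r", start=base)
    finally:
        os.remove(source)
        os.rmdir(base)
    return result


if __name__ == "__main__":
    for name, (ok, why) in demo_staged_file().items():
        print("%-18s %-6s %s" % (name, "OK" if ok else "DENIED", why))
```

Run it as the connecting user on the target host with `start` pointed at your remote_tmp and `path` at the staged source file to see which component blocks the su target; opening the staging directory to everyone, as the demo does, also lets every other local user read whatever Ansible stages there, so a group-based mode or a per-user remote_tmp is the better production choice.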

This seems to be a reply to a post back on January 24th on a commit that’s already merged in.

I’m thinking this may be due to Google clearing out some spam backlog that wasn’t spam.

Should be ignorable, yes?

Let me know if not and this was posted today.

Thanks!

Hi Michael,
I posted about a problem using copy and template module with su on Apr 29th with ansible 1.6.
I probably posted it wrong, I don’t get out much.
Should I have replied to the last message in the thread instead of the first? I also wondered if it was ok to leave all the original quote in or if I should trim it down. My apologies for making you teach me how to use Google Groups.

Hi Paul,
Anything I can do to help with this? I am starting a sprint next week and will be feeling the pain if I can’t use ansible to support our work. I am happy to try and find the issue in source, not so happy to try and edit Python code. I didn’t want to duplicate work if you were already looking at it.
Thanks again for your help!

I have a workaround for this. Posted the details in ansible developer list since it involves code changes.
https://groups.google.com/forum/#!topic/ansible-devel/bquhK9YSfQc