Hi,
I discussed this issue on IRC with cocopy and mgw; cocopy requested that I post it on the mailing list.
I set up an Ubuntu 12.04 machine via vagrant, and the ssh connection works fine:
ansible --user=vagrant --inventory-file=/tmp/inventory20120516-6931-mnyks5 --private-key=/home/dominik/.vagrant.d/insecure_private_key all -m ping
127.0.0.1 | success >> {
    "ping": "pong"
}
But when I try to execute a playbook, the command hangs after the “SETUP PHASE”:
ansible-playbook --user=vagrant --inventory-file=/tmp/inventory20120516-6931-mnyks5 --private-key=/home/dominik/.vagrant.d/insecure_private_key …/ansible-playbooks/nginx-ubuntu.yml
PLAY [web-servers] ****************************
SETUP PHASE ****************************
I tracked down the issue to https://github.com/ansible/ansible/blob/devel/lib/ansible/connection.py#L130: on Ubuntu 12.04, “sudo -k” always prompts for a password, even if the user is set up for passwordless sudo. On Ubuntu 11.10 everything works as expected (the same playbook runs without issues).
“sudo -k whoami” on ubuntu 12.04:
[sudo] password for vagrant:
“sudo -k whoami” on ubuntu 11.10:
root
regards,
Dominik
Hi Dominik,
Here's my output on EC2 precise for sudo -k whoami:
ubuntu@ubuntu:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.04 LTS
Release: 12.04
Codename: precise
ubuntu@ubuntu:~$ groups
ubuntu adm dialout cdrom floppy audio dip video plugdev netdev admin
ubuntu@ubuntu:~$ sudo -k whoami
root
-cocoy
Hi Rodney,
Thanks for the pointer, the issue was indeed with my vagrant box: the vagrant
user has two matching entries in the sudoers file, one with and one without
password prompt, and this causes the issue with sudo -k.
vagrant@precise32:~$ sudo -l
Matching Defaults entries for vagrant on this host:
env_reset, exempt_group=admin, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
User vagrant may run the following commands on this host:
(ALL) NOPASSWD: ALL
(ALL : ALL) ALL
This is totally fixable, but should ansible really force a password prompt if it
does not need to, and has no sudo password provided?
regards,
Dominik
Hi Dominik,
I'm not sure about the vagrant setup.
Hmm... normally on default ubuntu boxes ansible will not prompt for a
password.
-Rodney
Hi Rodney,
Thanks for your help. I think I located the problem as an inconsistency or bug
in sudo.
tl;dr: the issue is not related to ansible.
I would expect “sudo” and “sudo -k” to act the same way if no user credentials
are cached, either both prompt for a password or they don’t. But the
exempt_group option of the sudoers file seems to mess things up a bit.
Working normally:
Matching Defaults entries for dominik on this host:
env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
User dominik may run the following commands on this host:
(ALL) NOPASSWD: ALL
(ALL : ALL) ALL
dominik@ubuntu ~ $ sudo -K
dominik@ubuntu ~ $ sudo whoami
[sudo] password for dominik:
dominik@ubuntu ~ $ sudo -k whoami
[sudo] password for dominik:
With exempt_group:
Matching Defaults entries for dominik on this host:
env_reset, exempt_group=admin, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
User dominik may run the following commands on this host:
(ALL) NOPASSWD: ALL
(ALL : ALL) ALL
dominik@ubuntu ~ $ sudo -K
dominik@ubuntu ~ $ sudo whoami
root
dominik@ubuntu ~ $ sudo -k whoami
[sudo] password for dominik:
I will poke the sudo guys if this is working as expected or some kind of bug.
regards,
Dominik