ansible-playbook hanging after SETUP PHASE on ubuntu 12.04

Hi,

i discussed this issue on IRC with cocopy and mgw, cocopy requested to post it on the mailing list.

I set up a ubuntu 12.04 machine via vagrant, the ssh connection works fine:

ansible --user=vagrant --inventory-file=/tmp/inventory20120516-6931-mnyks5 --private-key=/home/dominik/.vagrant.d/insecure_private_key all -m ping
127.0.0.1 | success >> {
“ping”: “pong”
}

But when i try to execute a playbook, the command hangs after the “SETUP PHASE”:

ansible-playbook --user=vagrant --inventory-file=/tmp/inventory20120516-6931-mnyks5 --private-key=/home/dominik/.vagrant.d/insecure_private_key …/ansible-playbooks/nginx-ubuntu.yml
PLAY [web-servers] ****************************
SETUP PHASE ****************************

I tracked down the issue to https://github.com/ansible/ansible/blob/devel/lib/ansible/connection.py#L130, on ubuntu 12.04 “sudo -k” always promts for a password, even if the user is set up for passwordless-sudo. On ubuntu 11.10 everything works as aspected (the same playbook runs without issues).

“sudo -k whoami” on ubuntu 12.04:
[sudo] password for vagrant:

“sudo -k whoami” on ubuntu 11.10:
root

regard,

Dominik

Hi Dominik,

Here's my output on EC2 precise for sudo -k whoami:

ubuntu@ubuntu:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.04 LTS
Release: 12.04
Codename: precise
ubuntu@ubuntu:~$ groups
ubuntu adm dialout cdrom floppy audio dip video plugdev netdev admin
ubuntu@ubuntu:~$ sudo -k whoami
root

-cocoy

Hi Rodney,

thanks for the pointer, the issue was indeed with my vagrant box, he vagrant
user has two matching entries in the sudoers file, one with and one without
password prompt, this causes the issue with sudo -k.

vagrant@precise32:~$ sudo -l
Matching Defaults entries for vagrant on this host:
env_reset, exempt_group=admin, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User vagrant may run the following commands on this host:
(ALL) NOPASSWD: ALL
(ALL : ALL) ALL

This is totally fixable, but should ansible really force a password prompt if it
does not need to, and has no sudo password provided?

regards,

Dominik

Hi Dominik,

I'm not sure how about vagrant setup.
Hmm..normally on default ubuntu boxes ansible will not prompt for
password.

-Rodney

Hi Rodney,

thanks for your help I think I located the problem as a inconsistency or bug
in sudo.

tl;dr the issue is not related to ansible

I would expect “sudo” and “sudo -k” to act the same way if no user credentials
are cached, either both prompt for a password or they don’t. But the
exempt_group option of the sudoers file seems to mess things up a bit.

Working normally:
Matching Defaults entries for dominik on this host:
env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User dominik may run the following commands on this host:
(ALL) NOPASSWD: ALL
(ALL : ALL) ALL
dominik@ubuntu ~ $$ sudo -K
dominik@ubuntu ~ $$ sudo whoami
[sudo] password for dominik:
dominik@ubuntu ~ $$ sudo -k whoami
[sudo] password for dominik:

With exempt_group:
Matching Defaults entries for dominik on this host:
env_reset, exempt_group=admin, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User dominik may run the following commands on this host:
(ALL) NOPASSWD: ALL
(ALL : ALL) ALL
dominik@ubuntu ~ $$ sudo -K
dominik@ubuntu ~ $$ sudo whoami
root
dominik@ubuntu ~ $$ sudo -k whoami
[sudo] password for dominik:

I will poke the sudo guys if this is working as expected or some kind of bug.

regards,

Dominik