ansible playbook to run cmd using its root user (sudo rootsh) and password

Hi,
I am a novice to ansible and am practising to get more hands-on. I am trying one usecase where I need to connect to a remote SLES12 linux server using my id and then switch to root user and execute some tasks. While switching over to root user (cmd: sudo rootsh), it prompts for a root password. When I run this usecase using ansible playbook, it gives the below error.

Could you please let me know what would be correct/valid directives (become_*) that I need to use to run the cmd using root user. Appreciate your help.

I wrote this playbook

testroot.yaml

Any update on this?

In ansible if you have become: true on a task, that task will run with elevated privileges. On Linux the default is to try sudo. You don’t need to specify become_exe. Any command given to your shell task will run in a root privileged shell. The user ID you run the playbook as must have login access to the remote system and sudo privilege on the remote system via /etc/sudoers or a file in /etc/sudoers.d.

In our environment we have some common files we populate in /etc/sudoers.d based on server function. For example, all servers we manage have a server mgmt id we use for remote mgmt and a special group for our own user IDs when we remote into those machines. We place a file in /etc/sudoers.d that grants our mgmt ID and mgmt group the rights we need. For all database servers our DBA group requires some privileges, so we add an /etc/sudoers.d/dba file that controls privileged access for members of the DBA group.

In your testroot.yaml file you can remove the become_exe line.

testroot.yaml
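As an added example of the /etc/sudoers.d layout described in the post above (this is not Walter's own set of files, and it is for whoever administers sudoers.d on the hosts, not for the connecting user), the script below writes a management fragment that grants the unrestricted sudo that become needs, and a DBA fragment that stays a command list. The account and group names (mgmtsvc, mgmtadm, dba) and the DBA command list are assumptions made up for the illustration.

```shell
#!/bin/sh
# Added example, not the poster's own files: generating and installing the kind
# of /etc/sudoers.d fragments described in the thread. The names mgmtsvc,
# mgmtadm and dba and the DBA command list are assumptions for illustration.

# Management fragment: Ansible become needs ALL, because modules run from
# temporary file names that no command list can match. The service account is
# NOPASSWD for unattended runs; humans in the mgmt group still authenticate.
MGMT_FRAGMENT='# managed by config management - do not edit by hand
Defaults:mgmtsvc !requiretty
mgmtsvc  ALL=(ALL) NOPASSWD: ALL
%mgmtadm ALL=(ALL) ALL'

# DBA fragment: deliberately a command list (assumed commands), enough for the
# job and not a root shell.
DBA_FRAGMENT='Cmnd_Alias DBA_CMDS = /usr/bin/systemctl restart postgresql, \
                      /usr/bin/systemctl status postgresql, \
                      /usr/bin/journalctl -u postgresql
%dba ALL=(root) DBA_CMDS'

# write_sudoers_fragment DIR NAME CONTENT
# sudo silently skips sudoers.d files whose names contain "." or "~" (editor
# backups, .rpmnew files) and rejects files writable by group or other, so the
# name is validated, the file is staged under a "."-name and installed as 0440.
write_sudoers_fragment() {
  dir=$1; name=$2; content=$3
  case $name in
    ''|*.*|*~*) echo "refusing fragment name '$name'" >&2; return 1 ;;
  esac
  target="$dir/$name"
  tmp="$dir/.$name.tmp"     # contains ".", so sudo ignores it while incomplete
  (umask 337; printf '%s\n' "$content" > "$tmp") || return 1
  chmod 0440 "$tmp" && mv -f "$tmp" "$target" || return 1
}

# check_sudoers_fragment FILE: 0 parsed OK, 1 rejected by visudo, 2 no visudo.
check_sudoers_fragment() {
  command -v visudo >/dev/null 2>&1 || return 2
  visudo -cf "$1" >/dev/null 2>&1
}

# Demo: stage both fragments in a scratch directory and report on them.
STAGE=$(mktemp -d)
write_sudoers_fragment "$STAGE" mgmt "$MGMT_FRAGMENT"
write_sudoers_fragment "$STAGE" dba  "$DBA_FRAGMENT"
for f in "$STAGE/mgmt" "$STAGE/dba"; do
  check_sudoers_fragment "$f" && rc=0 || rc=$?
  case $rc in 0) s="visudo: parsed OK" ;; 2) s="not checked (no visudo here)" ;; *) s="visudo: REJECTED" ;; esac
  printf '%s %s: %s\n' "$(ls -l "$f" | cut -c1-10)" "$f" "$s"
done
rm -rf "$STAGE"
```

On a real host you would stage into a scratch directory exactly like this, run visudo -cf on each fragment, and only then copy it into /etc/sudoers.d; a syntax error in a fragment that is already in place can lock every sudo user out.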

Thanks for your input. On the remote machine, I don't have any permission to edit any files under /etc. In this case, how do I achieve the remote node execution using the ‘sudo rootsh’ cmd?

Try leaving off become_exe. If you can run sudo rootsh then your task can use sudo. When you run sudo rootsh at a command prompt does it ask for your password? If so, the ansible task also will have to respond to a password prompt. That is causing your timeout.

Walter

No luck.
I tried this use case with 2 attempts. For both cases, the password is not taken at the ansible playbook execution time. I get the below error msg.
Note - In the ansible.cfg, I have set timeout = 300. Are there any extra parameters which I need to set here?

Attempt-1:

cat testroot.yaml

What’s the output from

sudo -l

on that host (as per the task “Get current user on remote” message)?

Hi,
I get this output when I run ‘sudo -l’. I used ansible_user=testuser in the host inventory file to connect to the remote server.

sudo -l
Subject to Corporate’s Global Employee and Global Contingent Worker Privacy Notices
(see https://employeecontent.Corporate.com/content/corp/Global_Employee_and_Global_Contingent_Worker_Privacy.html )
all system access and delegated/privileged activity on the Corporate network
may be logged for auditing and security purposes, including your username
and commands used. Log records may be retained for up to 1 year.

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

Remember you may use ‘sudo -l’ to review a list of authorized commands.

Authenticate with testuser’s password:
Matching Defaults entries for testuser on testhost:
syslog=local3, !set_home, !targetpw, !insults, mailto=alert-sudo, !mail_always, ignore_dot, timestamp_timeout=5,
listpw=always, !lecture_file, passprompt="Authenticate with %u’s password: ", always_set_home, !env_reset,
umask_override, !root_sudo, !tty_tickets, fqdn, listpw=always, env_delete+=USER_ITOOLS, env_delete+=PROJECT_ITOOLS,
env_delete+=KRB5CCNAME, env_delete+=XAUTHORITY, lecture=always, lecture_file=/nfs/site/gen/adm/ec_global/sudo.lecture,
passprompt="Authenticate with %u’s password: ", always_set_home, !env_reset, umask_override, !root_sudo, !tty_tickets,
fqdn, listpw=always, env_delete+=USER_ITOOLS, env_delete+=PROJECT_ITOOLS, env_delete+=KRB5CCNAME

User testuser may run the following commands on testhost:
(root) /usr/Corporate/bin/rootsh, /usr/Corporate/bin/rootsh2, /usr/Corporate/bin/rootsh1
(root) NOPASSWD: /usr/Corporate/common/pkgs/vas-helper/1.0/exe//idchange
(root) NOPASSWD: /usr/Corporate/common/pkgs/vas-helper/1.0/bin/krb-helper
(root) /bin/cat /var/log/messages, /usr/bin/cat /var/log/messages, /bin/dmesg
(kerberostest) NOPASSWD: /usr/bin/sudo /bin/date, /usr/bin/sudo -l, /usr/Corporate/bin/sudo /bin/date, /usr/Corporate/bin/sudo -l
(root) NOPASSWD: /nfs/iil/gen/adm/netbatch/util/nbconfig/nbconfig
(root) NOPASSWD: /nfs/iil/gen/adm/nbtools/bin/nblock.pl
(root) NOPASSWD: /nfs/iil/local/common/bin/lsdir.amd
(root) NOPASSWD: /usr/local/common/bin/lsdir.amd
(profusr) NOPASSWD: /nfs/site/gen/itec/profiling/utils/profiler/profiler_post,
/nfs/site/gen/itec/profiling/utils/profiler/benchmarking_post
(root) NOPASSWD: /usr/Corporate/common/pkgs/acctusers/CURRENT/bin/acctusers
(root) NOPASSWD: /usr/Corporate/common/pkgs/acctusers/1.1/bin/acctusers
(root) /nfs/site/gen/adm/ec_global/customerSudo/SLES12SP2upgrader.sh
(root) NOPASSWD: /nfs/site/gen/adm/emulation/Global/scripts/virt_modules/startVirt.sh,
/p/emulation/virt_modules/startVirt.sh, /p/emulation/virt_modules/start_virt
(root) NOPASSWD: /usr/Corporate/common/pkgs/vas-helper/1.0/bin/krb-helper
(root) NOPASSWD: /usr/Corporate/common/pkgs/vas-helper/1.0/exe//idchange

Authenticate with testuser’s password:

THIS … you had to authenticate … the ansible playbook is also “waiting to authenticate” the sudo for testuser (become: true).

That is timing out because it expects to have sudo rights without requiring a password.

Walter

Yes Walter, you are right. I am passing the root password ( --ask-become-pass ) as part of the ansible playbook execution cmd. Here my ssh user pwd and root pwd are the same.

ansible-playbook -i hosts testroot.yaml -e "host=host.iil.corp.com" --ask-become-pass -k
[DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the controller starting with Ansible 2.12. Current version: 3.6.15 (default, Sep 15 2021, 14:20:42) [GCC]. This feature will be removed
from ansible-core in version 2.12. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
SSH password:
BECOME password[defaults to SSH password]:

Something feels not quite right with that answer. You only got the “Timeout (12s) waiting for privilege escalation prompt” timeout when you used become_exe: “sudo rootsh”, which of course will never work because there is no executable named “sudo rootsh”. The other times, you were just disconnected. I believe this wasn’t because it expected no-password sudo to work, but rather because testuser has only a limited set of commands it’s allowed to run under sudo. These were listed in the output of “sudo -l” previously.

One thing you might try is setting “become_flags: rootsh”. I know it’s not really a flag, but we’re trying to get sudo to run rootsh — I’m guessing, based on what you showed us already. I don’t really expect it to work, but its failure may provide more information.

More generally, to do Ansible right, your connecting user needs sudo capability to run any command, regardless of whether a sudo password is required. There are four distinct issues that must be considered: connection, privilege escalation, authorization, and execution. Any of those may have distinct authentication components. It can be difficult to discern which one is thwarting success.

Aha! Good observation. Perhaps he should NOT “become: true” and instead include “sudo rootsh” as part of his command?

Walter

Understanding privilege escalation: become (Ansible Documentation): https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_privilege_escalation.html#privilege-escalation-must-be-general

You cannot limit privilege escalation permissions to certain commands. Ansible does not always use a specific command to do something but runs modules (code) from a temporary file name which changes every time.

Walter
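The two points the thread arrives at (become needs sudo for ALL commands, and a password prompt that nothing answers is what was timing out) can be checked before a playbook is written. The script below is an added example, not from the thread and not part of Ansible: it classifies the output of sudo -l for the connecting user, counts how many commands may run as root, and says which become setting, if any, can work. It assumes sudo's usual sudo -l layout as pasted above (entries in parentheses, long command lists wrapped after a comma). The embedded samples are constructed: the first is trimmed from the listing testuser pasted in the thread, the other two show what an account with unrestricted sudo looks like.

```shell
#!/bin/sh
# Added example (not from the thread): a pre-flight check that reads "sudo -l"
# output for the connecting user and reports whether Ansible become can work
# (it needs sudo for ALL, because modules run from temporary file names) and
# whether the run needs --ask-become-pass. Assumes the sudo -l layout pasted in
# the thread. The samples are constructed; the first is trimmed from the thread.

SAMPLE_RESTRICTED='Matching Defaults entries for testuser on testhost:
    syslog=local3, !targetpw, timestamp_timeout=5, listpw=always, !tty_tickets

User testuser may run the following commands on testhost:
    (root) /usr/Corporate/bin/rootsh, /usr/Corporate/bin/rootsh2, /usr/Corporate/bin/rootsh1
    (root) NOPASSWD: /usr/Corporate/common/pkgs/vas-helper/1.0/exe//idchange
    (root) /bin/cat /var/log/messages, /usr/bin/cat /var/log/messages, /bin/dmesg
    (kerberostest) NOPASSWD: /usr/bin/sudo /bin/date, /usr/bin/sudo -l
    (root) NOPASSWD: /nfs/site/gen/adm/emulation/Global/scripts/virt_modules/startVirt.sh,
        /p/emulation/virt_modules/startVirt.sh, /p/emulation/virt_modules/start_virt
    (profusr) NOPASSWD: /nfs/site/gen/itec/profiling/utils/profiler/profiler_post,
        /nfs/site/gen/itec/profiling/utils/profiler/benchmarking_post'

# Constructed: an automation account with general sudo, but a password and requiretty.
SAMPLE_FULL_ASKPASS='Matching Defaults entries for ansible on testhost:
    requiretty, env_reset, secure_path=/usr/sbin:/usr/bin

User ansible may run the following commands on testhost:
    (ALL : ALL) ALL'

# Constructed: the shape an unattended Ansible account usually has.
SAMPLE_FULL_NOPASSWD='User ansible may run the following commands on testhost:
    (root) NOPASSWD: ALL'

# classify_sudo_l: reads "sudo -l" output on stdin and prints one line:
#   become-ok nopasswd | become-ok askpass | no-general-sudo root-commands=N
# with " requiretty" appended when that Defaults flag is set (sudo then refuses
# to run without a tty, which is how Ansible runs it over SSH).
classify_sudo_l() {
  awk '
    !in_cmds && $0 ~ /(^|[ ,\t])requiretty/ { requiretty = 1 }
    /may run the following commands on/     { in_cmds = 1; next }
    !in_cmds                                { next }
    /^[ \t]*$/                              { next }
    {
      if ($0 ~ /^[ \t]*\(/) {
        # New entry: "(runas[ : group]) [NOPASSWD:|PASSWD:] cmd, cmd, ..."
        line = $0
        sub(/^[ \t]*\(/, "", line)
        runas = line; sub(/\).*/, "", runas)
        sub(/^[^)]*\)[ \t]*/, "", line)
        rootcap  = (runas ~ /^(ALL|root)([ \t]*:|$)/)   # entry may run as root
        nopasswd = 0
        if (line ~ /^NOPASSWD:/)    { nopasswd = 1; sub(/^NOPASSWD:[ \t]*/, "", line) }
        else if (line ~ /^PASSWD:/) { sub(/^PASSWD:[ \t]*/, "", line) }
      } else if ($0 ~ /^[ \t]*\//) {
        line = $0            # wrapped continuation of the previous entry
      } else {
        in_cmds = 0; next    # anything else (e.g. a password prompt) ends the list
      }
      n = split(line, cmds, /,[ \t]*/)
      for (i = 1; i <= n; i++) {
        c = cmds[i]; gsub(/^[ \t]+|[ \t]+$/, "", c)
        if (c == "" || !rootcap) continue
        if (c == "ALL") { if (nopasswd) all_nopw = 1; else all_pw = 1 }
        else root_cmds++
      }
    }
    END {
      tty = requiretty ? " requiretty" : ""
      if (all_nopw)    print "become-ok nopasswd" tty
      else if (all_pw) print "become-ok askpass" tty
      else             printf "no-general-sudo root-commands=%d%s\n", root_cmds, tty
    }'
}

# advise "<classification line>": what to do in the playbook, one line per finding.
advise() {
  case $1 in
    "become-ok nopasswd"*) echo "become: true works unattended; no become password needed" ;;
    "become-ok askpass"*)  echo "become: true works; pass the password with --ask-become-pass or a vaulted ansible_become_password" ;;
    no-general-sudo*)      echo "become: true will fail (sudo is a command list); run the permitted command itself, or ask the admins for ALL" ;;
  esac
  case $1 in *requiretty*) echo "also: Defaults requiretty is set; sudo needs a tty, so become over plain SSH fails until it is relaxed" ;; esac
}

for s in "$SAMPLE_RESTRICTED" "$SAMPLE_FULL_ASKPASS" "$SAMPLE_FULL_NOPASSWD"; do
  c=$(printf '%s\n' "$s" | classify_sudo_l)
  echo "$c"; advise "$c"; echo
done
```

Run it against a live host with ssh testuser@host sudo -ln | classify_sudo_l (the -n flag makes sudo fail rather than prompt, so the check itself never hangs the way the playbook did). For the listing in this thread the verdict is no-general-sudo: the listed commands can still be called from a command or shell task, but one that needs a password, such as rootsh, must be fed it on stdin with sudo -S, which is a reason to ask for a proper automation account rather than script around the restriction.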