AWX Template Jobs fail with Permission denied

Hey guys,

so I started working with Ansible recently and created some playbooks to update our servers. Using these playbooks from console with Ansible installed on my local pc works fine, but trying to use these playbooks in AWX yields the following result:

No config file found; using defaults
Skipping callback 'awx_display', as we already have a stdout callback.
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.
PLAYBOOK: update_ubuntu_intranet.yaml ******************************************
1 plays in ansible/playbooks/update_ubuntu_intranet.yaml
PLAY [intranet] ****************************************************************
TASK [Gathering Facts] *********************************************************
task path: /runner/project/ansible/playbooks/update_ubuntu_intranet.yaml:1
ok: [monitoring.docsinclouds.com]
TASK [Update all installed packages using APT module] **************************
task path: /runner/project/ansible/playbooks/update_ubuntu_intranet.yaml:5
fatal: [monitoring.docsinclouds.com]: FAILED! => {"changed": false, "msg": "Failed to lock apt for exclusive operation: Failed to lock directory /var/lib/apt/lists/: E:Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)"}
PLAY RECAP *********************************************************************
monitoring.docsinclouds.com : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

Here is the playbook.yaml

- hosts: intranet
  become: true
  become_method: sudo
  tasks:
  - name: Update all installed packages using APT module
    apt:
      name: '*'
      state: latest
      update_cache: yes
      only_upgrade: yes
    register: apt_update_status

  - name: Remove packages not needed anymore
    apt:
      autoremove: yes

#  - name: Prune everything
#    community.docker.docker_prune:
#      containers: true
#      images: true
#      networks: true
#      volumes: false
#      builder_cache: true

  - name: Reboot when packages were updated
    reboot:
      post_reboot_delay: 60
    when: apt_update_status.changed

There’s another problem with installing the docker community package, but that’s for another day :slight_smile: Thanks in advance.

1 Like

Is that the only error, it just shows in the job output window that one error? or is the error from an individual task?

1 Like

The error is from the individual task, i’ll append the output from the template :+1:

1 Like

Try adding this, before the apt task, to check that you are root:

- name: Check the effective user ID
  ansible.bulitin.assert:
    that:
      - ansible_effective_user_id == 0

Because this error:

E:Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)

Makes me wonder if the task is running as root?

3 Likes

Hey @chris ,

thank you so much for your help. I added the task to my playbook, unfortunately it seems like I do not have the sufficient root rights available.


PLAYBOOK: update_ubuntu_intranet.yaml ******************************************
1 plays in ansible/playbooks/update_ubuntu_intranet.yaml
PLAY [intranet] ****************************************************************
TASK [Gathering Facts] *********************************************************
task path: /runner/project/ansible/playbooks/update_ubuntu_intranet.yaml:1
ok: [monitoring.docsinclouds.com]
TASK [Check the effective user ID] *********************************************
task path: /runner/project/ansible/playbooks/update_ubuntu_intranet.yaml:5
fatal: [monitoring.docsinclouds.com]: FAILED! => {
    "assertion": "ansible_effective_user_id == 0",
    "changed": false,
    "evaluated_to": false,
    "msg": "Assertion failed"
}
PLAY RECAP *********************************************************************
monitoring.docsinclouds.com : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0  
1 Like

It does work now! After realising I do not have the right priviliges, I found this article, https://groups.google.com/g/awx-project/c/xCmjY_92nEo and also had the same error, that a ‚ÄúPrivilege Escalation Username‚ÄĚ was defined on my Credential, after removing this entry, my job template is now running smoothly :slight_smile: Thank you so much guys :pray:

3 Likes

Hello, welcome and thank you for sharing the solution @lmarschall, it’s really appreciated!

I will tick the issue as solved :white_check_mark: with the checkmark in your last comment seeing you have resolved the issue and posted the solution.

By the way, you are welcome to use that any time you open a topic to mark the solution that helped you in the future!

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.