become_user not being honored?

Running Ansible 2.1. If I use sudo in front of the command, it works. If I remove it and use "become_user: root", it does not work. I've also tried setting "become: True" and I get the same results.

Works:

- name: restart web server
  shell: sudo /etc/init.d/aria_services restart
  when: install_rpm_results|success
  register: restart_services_result
  failed_when: "'FAIL' in restart_services_result.stdout"
  ignore_errors: True

Expected Results:

"stdout": "Creating /web bind mounts\n=== stop ===\n== no PID means no KILL ==\nClearing wsdl and symfony cache files\n=== start ===\nQuery API OK\nNGUI API OK\nCore API OK\nAdmin API OK\nFailed ARC/VIE API\n2 attempted: 2 started, 2 stopped",
        "stdout_lines": [
            "Creating /web bind mounts",
            "=== stop ===",
            "== no PID means no KILL ==",
            "Clearing wsdl and symfony cache files",
            "=== start ===",
            "Query API OK",
            "NGUI API OK",
            "Core API OK",
            "Admin API OK",
            "Failed ARC/VIE API",
            "2 attempted: 2 started, 2 stopped"
        ],

Does not work:

- name: restart web server
  shell: /etc/init.d/aria_services restart
  when: install_rpm_results|success
  register: restart_services_result
  failed_when: "'FAIL' in restart_services_result.stdout"
  ignore_errors: True
  become_user: root

Actual Results:

"stderr": "Password: su: Authentication information cannot be recovered\ncat: /etc/aria/services: Permission denied",
        "stdout": "No aria services found",

become_user only says which user is to be used. To actually use become/sudo you need to add become: true.

become_user defaults to root, so you do not need to specify it if you like having less code.

OK, so I removed become_user and added "become: true".

Now it's asking for a password.

TASK [restart web server] ******************************************************
fatal: [127.0.0.1]: FAILED! => {"changed": false, "failed": true, "module_stderr": "sudo: a password is required\n", "module_stdout": "", "msg": "MODULE FAILURE", "parsed": false}

My sudo entry shows this.

%deployment ALL=(ALL) NOPASSWD: DEPLOYMENT

Cmnd_Alias DEPLOYMENT_CMDS = /etc/init.d/aria_services restart, /etc/init.d/aria_services start, /etc/init.d/aria_services stop,

Ansible requires the ability to run any command via sudo; it does not work with a restricted set of commands, as it executes Python via /bin/sh. It does not directly run the commands that you have restricted that group to.

OK, so then why does it work if I add "sudo" in front of the command?

Is this because the become directive handles sudo differently?

And instead of allowing your user (the one ansible connects as and runs sudo) to run all commands without a password, I would rather save the sudo password in an ansible-vault encrypted file on the controller:

ansible-vault edit host_vars/foobar.yml

for the host foobar, and create an entry 'become_pass: xyz' for the password xyz.

Johannes

In the case where you put sudo in the command, then the command ansible runs from within the python script contains sudo.

In the case where you use become, and don't put sudo in the command, the Python script is being executed with sudo, and not the inner specified command itself.

Because then ansible starts a shell and calls that exact command you tell it to run. And thus sudo kicks in, as the command is allowed, and runs it.

Johannes
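The two replies above explain the difference in terms of what sudo is actually asked to run. The following script, added here as an illustration and not code from the thread or from Ansible, makes that concrete: it parses a constructed sudoers excerpt modelled on the posted rule (using one consistent alias name, where the posted snippet mixes DEPLOYMENT and DEPLOYMENT_CMDS) and applies simplified sudoers command matching to the two command lines. EXPLICIT_CMD is the command the working task hands to sudo; BECOME_CMD is an assumed approximation of the remote shell-plus-Python wrapper that become: true hands to sudo instead (the exact wrapper string differs between Ansible versions). The sudoers parser and matcher cover only the syntax used here and are not a substitute for sudo -l on the target.

```python
import shlex

# Constructed sudoers excerpt, modelled on the rule posted in the thread.
SUDOERS_EXCERPT = """\
Cmnd_Alias DEPLOYMENT_CMDS = /etc/init.d/aria_services restart, /etc/init.d/aria_services start, /etc/init.d/aria_services stop
%deployment ALL=(ALL) NOPASSWD: DEPLOYMENT_CMDS
"""

# What the working task ("shell: sudo /etc/init.d/aria_services restart") hands to sudo.
EXPLICIT_CMD = "/etc/init.d/aria_services restart"

# Assumed approximation of what "become: true" hands to sudo: a shell that runs the
# module's Python on the remote host. The inner init script never appears in it.
BECOME_CMD = ("/bin/sh -c 'echo BECOME-SUCCESS-rand; "
              "/usr/bin/python /home/deploy/.ansible/tmp/command.py'")


def parse_sudoers(text):
    """Return (aliases, nopasswd): Cmnd_Alias name -> command specs, and
    user/group -> specs it may run with NOPASSWD. Simplified parser that only
    handles the subset of sudoers syntax used in SUDOERS_EXCERPT."""
    aliases = {}
    nopasswd = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Cmnd_Alias"):
            _, rest = line.split(None, 1)
            name, spec = rest.split("=", 1)
            aliases[name.strip()] = [c.strip() for c in spec.split(",") if c.strip()]
        elif "NOPASSWD:" in line:
            who = line.split()[0]
            spec = line.split("NOPASSWD:", 1)[1]
            specs = []
            for item in (c.strip() for c in spec.split(",") if c.strip()):
                # Expand alias names; anything else is a literal command spec.
                specs.extend(aliases.get(item, [item]))
            nopasswd[who] = specs
    return aliases, nopasswd


def command_allowed(cmdline, specs):
    """Simplified sudoers command matching: a spec that lists arguments matches
    only that exact command line, a spec with no arguments matches the command
    with any arguments, and ALL matches everything."""
    argv = shlex.split(cmdline)
    for spec in specs:
        if spec == "ALL":
            return True
        spec_argv = shlex.split(spec)
        if len(spec_argv) == 1 and argv[:1] == spec_argv:
            return True
        if argv == spec_argv:
            return True
    return False


def evaluate(sudoers_text, group="%deployment"):
    """Report which of the three command lines the group's NOPASSWD rule covers."""
    _, nopasswd = parse_sudoers(sudoers_text)
    specs = nopasswd.get(group, [])
    return {
        "explicit_sudo": command_allowed(EXPLICIT_CMD, specs),
        "become": command_allowed(BECOME_CMD, specs),
        "unlisted_subcommand": command_allowed("/etc/init.d/aria_services reload", specs),
    }


if __name__ == "__main__":
    for name, ok in evaluate(SUDOERS_EXCERPT).items():
        print(f"{name:22} -> {'NOPASSWD' if ok else 'password required'}")
```

Running it shows the explicit command matching the alias while the become wrapper does not, which is exactly the "sudo: a password is required" failure seen earlier in the thread; it also shows that a subcommand not listed in the alias is refused, so the allow-list is doing what its author intended, just not for the command Ansible runs.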

So I'm kind of SOL then if Ansible removes "sudo".

I'm not sure what you mean. Why should ansible remove sudo?

If you can't change the sudo policy on the target, simply use your
task with the shell module. Or supply the sudo password via ansible-vault.

If you can change the sudo policy, you could grant your user (or a
special ansible user) the right to call all commands without passwords.

The choice is yours.

Johannes

Never mind, I misunderstood the notes on the become module page. I will continue to use shell w/ sudo.