Hi all
I’m having a weird issue that I can’t figure out:
I’m making a backup of /etc/sudoers from client boxes, before templating.
Ansible complains it has no rights to read /etc/sudoers (with sudo).
And yet it can read any other file in /etc/.
/etc/sudoers has 0440 as permissions.
I’ve tried with fetch, shell, command, and lastly script.
All fail with some variation of this:
```
failed: [clientbox] => {"changed": true, "rc": 1}
stdout: cp: cannot open '/etc/sudoers' for reading: Permission denied
```
And I know this is not a permissions issue as this actually works in the same box:
```
ssh -t clientbox "sudo -Hi cp /etc/sudoers /tmp/temp_sudoers && sudo -Hi chmod 777 /tmp/temp_sudoers && scp /tmp/temp_sudoers ansible_masterbox:/tmp/"
```
Could anyone please let me know what I’m doing wrong here?
Thanks
Do you have selinux enforcing?
```
[root@clientbox tmp]# sestatus
SELinux status: disabled
```
Same result in both client and master.
So I have been doing tests and I cannot read any file which is set 0440 owned by root, through ansible.
```
[root@clientbox tmp]# stat /etc/sudoers
  File: '/etc/sudoers'
  Size: 10092        Blocks: 24         IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 1246098     Links: 1
Access: (0440/-r--r-----)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2014-04-08 13:55:52.000000000 +0100
Modify: 2014-04-08 12:59:46.000000000 +0100
Change: 2014-04-08 12:59:46.000000000 +0100
```
But I can do whatever I want through ssh, sudo and a pseudo tty.
As it should be…
And of course this is an issue I have. I still remember the cake of JP Mens.
But still ansible does not play ball and straight ssh does.
Any help appreciated.
I was curious because ansible is actually executing the commands through python, so I wanted to be sure that no selinux rule was preventing that on your system.
Could you also please share the playbook you’re running (only the failing step is required) as well as the output run with -vvvv?
Thanks!
Are you trying to copy files via a single command, like `ansible -i hosts all -m shell -a 'cp /etc/sudoers /tmp/temp_sudoers'`, or via a playbook?
Any example?
Hi
James: This is one of the playbooks I’ve tried:
And in theory it is the very same logic. Ansible actually uses "sudo -Hi" to log in to the boxes.
Are you sure?
Try to add "sudo: True" in your example playbook.
or -s on the command line. Just because you have it asking for your Sudo password doesn’t mean that it’s using sudo (I’ve run into that myself before).
Adam
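Adam's fix as an added example, not a playbook from this thread (the original poster's playbook is not shown): the failing shape beside the working one, assuming an inventory group named clientbox and the `sudo: yes` keyword of the 2014-era Ansible 1.x in use here.

```yaml
# Added example, not the thread's playbook. Assumes an inventory group
# "clientbox" and Ansible 1.x syntax; on Ansible >= 1.9 write "become: yes"
# instead of "sudo: yes" (become_method defaults to sudo).

# --- Failing shape: the play never asks Ansible to escalate. The fetch runs as
# the SSH login user, who cannot read a 0440 root-owned file, so the task fails
# with "Permission denied" even if ansible-playbook prompted for a sudo
# password: -K only collects the password, -s or "sudo: yes" actually uses it.
- hosts: clientbox
  tasks:
    - name: backup sudoers before templating (fails without escalation)
      fetch: src=/etc/sudoers dest="backups/{{ inventory_hostname }}/sudoers" flat=yes

# --- Working shape: escalate for the whole play (or put "sudo: yes" on the
# single task). Ansible then reads /etc/sudoers through sudo, matching the
# manual "ssh -t clientbox 'sudo -Hi cp ...'" that worked by hand.
- hosts: clientbox
  sudo: yes
  tasks:
    - name: backup sudoers before templating
      fetch: src=/etc/sudoers dest="backups/{{ inventory_hostname }}/sudoers" flat=yes

    # validate= runs visudo on the rendered file first, so a syntax error in
    # the template never replaces the live sudoers and locks root access out.
    - name: deploy templated sudoers only if visudo accepts it
      template: src=sudoers.j2 dest=/etc/sudoers owner=root group=root mode=0440 validate='visudo -cf %s'
```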
Petr, Adam, you are both right.
It's amazing how you don't see the trees because of the forest sometimes.
Thanks both.
Very much solved.