Doas is not working in my playbook... error msg Dest /etc/ not writable

I am trying to write some configuration files to an OpenBSD node.
I have created a remote user: ansible
I have allowed said user to perform as root in /etc/doas.conf
I have tested logging in as well as using doas to become root interactively
The playbook is as follows:

- name: For newer OpenBSD hosts
  hosts: obsd_doas
  gather_facts: true
  become: yes
  become_method: community.general.doas
  become_user: root
  tasks:
    - name: Write the snmp client configuration file
      template:
        src: "{{ ansible_facts['distribution'] }}_snmpd.j2"
        dest: /etc/snmpd.conf
        owner: root
        group: wheel
        mode: '0600'
      notify:
        - restart snmpd

Using the following command:

$ ansible-playbook -v --limit dns5-new -K snmp.yml

The error message is:

TASK [Gathering Facts] ********************************************************************************************************************************************************************************
ok: [dns5-new]

TASK [Write the snmp client configuration file] *******************************************************************************************************************************************************
fatal: [dns5-new]: FAILED! => {"changed": false, "checksum": "a71ac6e888a48b1caf483e077bd985c6fdbd02e9", "msg": "Destination /etc not writable"}

PLAY RECAP ********************************************************************************************************************************************************************************************
dns5-new                   : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0


Hi,

A few questions / observations:

  • Are you sure you are connecting as the ‘ansible’ user on the remote node when using Ansible? Could you run: ansible -i <yourInventoryFile> dns5-new -m setup -a 'filter=ansible_user_id' ?
  • I understand opening up a root shell using doas interactively works while being logged in as the ‘ansible’ user on your remote node, but have you also tried manually creating a file in /etc/ using doas (preferably not from a root shell)? It should work in theory, though you might have some filesystem attributes set that prevent your user from writing there, like an ext4 immutable equivalent.
  • Have you tried templating out your file elsewhere, both to another root-restricted path and to one that is not, like /tmp? What gives?
  • Could you run your playbook in verbose / debug mode, using either the -vvv param (should be enough) or the ANSIBLE_DEBUG=1 envvar, then post the output?
  • Which version of Ansible are you using? (ansible --version)
  • It is surely a bad or reconstituted paste, but your playbook presents syntax issues (no tasks: block indicator, and task name not correctly indented). The output doesn’t reflect that, so nvm.

I was able to find the error. It was that I had the following in my hosts file:

ansible_become_user: ansible

whereas it should have been:

ansible_become_user: root

which is probably the default.

Thanks for your assistance!

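An added pre-flight play (example added here, not from any of the posts above) that catches this exact misconfiguration before anything is written under /etc: an ansible_become_user set in inventory or host_vars takes precedence over the play's become_user keyword, so the escalation silently resolves to the wrong account. It assumes the community.general collection is installed, as the original playbook already requires, and reuses the obsd_doas group name from the question.

```yaml
# Added example: verify that doas escalation actually reaches root.
# Run before the real configuration play, e.g. with
#   ansible-playbook -K -v check_become.yml
- name: Verify doas escalation resolves to root
  hosts: obsd_doas
  gather_facts: false
  become: yes
  become_method: community.general.doas
  become_user: root
  tasks:
    - name: Report which account the escalation actually resolved to
      # If inventory carries ansible_become_user: ansible, this returns
      # 'ansible' even though the play says become_user: root.
      ansible.builtin.command: id -un
      register: effective_user
      changed_when: false

    - name: Fail fast instead of hitting "Destination /etc not writable"
      ansible.builtin.assert:
        that:
          - effective_user.stdout == 'root'
        fail_msg: >-
          Escalated to '{{ effective_user.stdout }}' rather than root.
          Check ansible_become_user in inventory or host_vars; it overrides
          the play-level become_user (effective value here:
          {{ ansible_become_user | default('unset, defaults to root') }}).
        success_msg: "doas escalation reaches root; /etc writes will work"
```

Keeping this play in front of the real one turns a confusing template failure into a message that names the variable to fix.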

As an extra debugging flag … have you tried -vv or -vvv instead of -v?
