Doas is not working in my playbook... error msg Dest /etc/ not writable

I am trying to write some configuration files to an OpenBSD node.
I have created a remote user: ansible
I have allowed said user to perform as root in /etc/doas.conf
I have tested logging in as well as using doas to become root interactively
The playbook is as follows:

- name: For newer OpenBSD hosts
  hosts: obsd_doas
  gather_facts: true
  become: yes
  become_method: community.general.doas
  become_user: root
 - name: Write the snmp client configuration file
      src: "{{ ansible_facts['distribution'] }}_snmpd.j2"
      dest: /etc/snmpd.conf
      owner: root
      group: wheel
      mode: '0600'
    - restart snmpd

Using the following command:

$ ansible-playbook -v --limit dns5-new -K snmp.yml

The error message is:

TASK [Gathering Facts] ********************************************************************************************************************************************************************************
ok: [dns5-new]

TASK [Write the snmp client configuration file] *******************************************************************************************************************************************************
fatal: [dns5-new]: FAILED! => {"changed": false, "checksum": "a71ac6e888a48b1caf483e077bd985c6fdbd02e9", "msg": "Destination /etc not writable"}

PLAY RECAP ********************************************************************************************************************************************************************************************
dns5-new                   : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

Tag: playbook, doas


A few questions / observations:

  • Are your sure you are connecting as ‘ansible’ user on remote node using Ansibe ? Could you run: ansible -i <yourInventoryFile> dns5-new -m setup -a 'filter=ansible_user_id' ?
  • I understand opening up a root shell using doas interactively works, while being logged in as ‘ansible’ user on your remote node, but have you tried also manually creating a file on /etc/ using doas (preferably not from a root shell) ? It should work in theory, though you might have some filesystem attributes on that might prevent your user writing on it, like an ext4 immutable equivalent
  • Have you tried templating out your file elsewhere, both on another root-restricted path and one that is not, like /tmp ? What gives ?
  • Could your run your playbook in verbose / debug mode, using either -vvv (should be enough) params or ANSIBLE_DEBUG=1 envvar, then post the output ?
  • Which version of Ansible are you using ? (ansible --version)
  • It surely is a bad or reconstituted paste but your playbook present syntax issues (no tasks: block indicator, and task name not correctly indented). Output doesn’t reflect that, so nvm

I was able to find the error. It was that I had the following in my hosts file:

ansible_become_user: ansible

where as it should have been:

ansible_become_user: root

which is probably the default

Thanks for your assistance!


As an extra debugging flag … have you tried instead of -v the -vv or -vvv ?

1 Like