[DOCKER] Explicit sudo command permissions. NO ALL

SUMMARY

My company works with sudo for docker operations, but my user can't become
root. I can only use commands as root in the form "sudo docker ps", "sudo
docker run ...", "sudo docker images" etc. I can't use "sudo su -" or
"sudo echo test", for example. The commands are explicitly declared.

My stdout of "sudo -l" command execution:

User MYUSER may run the following commands on THISSERVER:
(root) NOPASSWD: /usr/bin/docker

Changing "/usr/bin/docker" to "ALL" isn't an option, because these settings
aren't in my scope.

COMPONENT NAME

docker_images

ANSIBLE VERSION

ansible 2.6.1
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/oi367730/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Jul 13 2018, 13:06:57) [GCC 4.8.5 20150623 (Red Hat 4.8.5-28)]

CONFIGURATION

OS / ENVIRONMENT

CentOS 7.5.1804

STEPS TO REPRODUCE

I want to download an image, so I can use the shell module, like:

- name: "Root Tasks"
  hosts: all
  remote_user: MYUSER
  tasks:
    - name: Task Name
      shell: sudo docker pull $IMAGENAME

BUT I want to use the docker_image module, like:

- name: Testing Docker
  hosts: all
  remote_user: MYUSER
  tasks:
  - name: Test
    become: yes
    docker_image:
      name: $IMAGENAME

EXPECTED RESULTS

I expect these two executions to work.

ACTUAL RESULTS

fatal: [SERVER]: FAILED! => {
    "changed": false,
    "module_stderr": "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 58: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 6691\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 1\r\nShared connection to SERVER closed.\r\n",
    "module_stdout": "sudo: a password is required\r\n",
    "msg": "MODULE FAILURE",
    "rc": 1
}

The Ansible docker modules do not execute the docker CLI commands. They instead use the docker python module, which would require you to be allowed to run python via sudo.

If you are constrained to this path, you will have to use the shell or command modules to execute the docker CLI.

Otherwise, you could ask whoever runs your servers to add your user to the docker group, which would prevent needing to use sudo.
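
An added example, not part of the thread and not Ansible's own code: a preflight check that reads `sudo -l` output and reports whether `become: yes` can work or whether only explicit `sudo <command>` calls through the shell/command modules remain. It assumes Ansible's sudo become wraps the module in `/bin/sh -c`; the names `parse_sudo_l`, `check_become` and `BECOME_SHELL` are hypothetical, and the sample input is constructed from the listing in the issue.

```python
import re

# Assumption: Ansible's sudo become runs the module through this shell.
BECOME_SHELL = "/bin/sh"

# Constructed sample, taken from the `sudo -l` listing quoted in the issue.
SAMPLE = """User MYUSER may run the following commands on THISSERVER:
(root) NOPASSWD: /usr/bin/docker
"""

RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.*)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # leading tags such as NOPASSWD: SETENV:


def parse_sudo_l(text):
    """Return (runas, nopasswd, [commands]) for each rule line.

    Simplification: only tags at the start of a rule are read, and
    commands are split on plain commas (no escaped-comma handling).
    """
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header lines, Defaults entries, blank lines
        rest = m.group("rest")
        tags = TAGS.match(rest)
        tag_text = tags.group(0) if tags else ""
        cmds = [c.strip() for c in rest[len(tag_text):].split(",") if c.strip()]
        rules.append((m.group("runas"), "NOPASSWD:" in tag_text, cmds))
    return rules


def check_become(text, target="root"):
    """Classify a `sudo -l` listing for a task that sets `become: yes`."""
    usable = []
    for runas, nopasswd, cmds in parse_sudo_l(text):
        users = {u.strip() for u in runas.split(":")[0].split(",")}
        if not nopasswd or not users & {target, "ALL"}:
            continue
        # become needs the wrapper shell itself (or ALL) to be permitted
        if any(c == "ALL" or c.split()[0] == BECOME_SHELL for c in cmds):
            return "become-ok", []
        usable.extend(cmds)
    if usable:
        return "explicit-sudo-only", usable
    return "no-passwordless-sudo", []


if __name__ == "__main__":
    print(check_become(SAMPLE))
```

For the listing in this issue the result is `explicit-sudo-only` with `/usr/bin/docker` as the single usable command, which matches the `sudo: a password is required` failure of the `docker_image` task.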

Thanks for the reply, Matt! This is exactly what I need to know. I will test some approaches and try to solve my problem. Thanks again!

Please try adding the user to sudoers:

grep dwalsh /etc/sudoers
dwalsh        ALL=(ALL)       NOPASSWD: /usr/bin/docker