help while running sudo in Ansible playbooks

Hi Ansible team,

I am Ram. We need some help in running the Ansible playbook (specifically, how to add sudo while running playbooks). In your environment, we can run all admin-related commands with sudo access (by adding sudo in front of the command; for example, sudo vgs or sudo vi /etc/sudoers). We don't have root access and hence we don't want to run the playbooks with direct root access.

Most of our servers (Redhat / Solaris / Aix) don't have root access. The possibility of running all admin activities is by running sudo <command> as admin (sysunx) user.

I mean, after logging in to the server with the sysunx account, we run the admin-related command as sudo <command>. How to simulate this in Ansible?

playbook code

[root@sgdlvapp03infra splunk_forwarder]# cat sudo_test_solaris.yml

You need to add "become: yes" to the touch task (or to the whole playbook):

Regards
          Racke

After adding 'become: true' also no use, it's not working.

My use case is to add sudo while running playbooks (to run sudo commands, no password is required).

[root@sgdlvapp03infra splunk_forwarder]# ssh -q sysunx@10.4.67.141 "touch /opt/testfile" → without sudo, command is failing
Password:
touch: cannot change times on /opt/testfile: Permission denied
[root@sgdlvapp03infra splunk_forwarder]#
[root@sgdlvapp03infra splunk_forwarder]#
[root@sgdlvapp03infra splunk_forwarder]# ssh -q sysunx@10.4.67.141 "sudo touch /opt/testfile" → with sudo, command is working. No password is required.
Password:
[root@sgdlvapp03infra splunk_forwarder]#
[root@sgdlvapp03infra splunk_forwarder]#
[root@sgdlvapp03infra splunk_forwarder]# ssh -q sysunx@10.4.67.141 "ls /opt/testfile"
Password:
/opt/testfile
[root@sgdlvapp03infra splunk_forwarder]#

Playbook

[root@sgdlvapp03infra splunk_forwarder]# cat sudo_test_solaris.yml

You need to tell Ansible the sudo password:

https://docs.ansible.com/ansible/latest/user_guide/become.html

Regards
         Racke
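
A minimal playbook for the case discussed above, added here as an example (it is not the poster's sudo_test_solaris.yml, whose contents are not shown in the thread). The inventory group name solaris_test is an assumption; sysunx, 10.4.67.141 and /opt/testfile are taken from the thread.

```yaml
# Constructed example, not the original sudo_test_solaris.yml.
# Run:  ansible-playbook -i inventory.ini sudo_test_solaris.yml
# If sudo on the target prompts for a password, add --ask-become-pass (-K),
# or set ansible_become_password for the host from an Ansible Vault file.
- name: Touch a file under /opt through sudo
  hosts: solaris_test        # assumed inventory group containing 10.4.67.141
  remote_user: sysunx        # log in as the unprivileged admin account, not root
  gather_facts: false
  become: true               # wrap every task in privilege escalation
  become_method: sudo        # the default method, stated explicitly
  become_user: root          # the user sudo switches to

  tasks:
    - name: Create /opt/testfile (same effect as "sudo touch /opt/testfile")
      ansible.builtin.file:
        path: /opt/testfile
        state: touch

    - name: Record the identity the tasks actually run under
      ansible.builtin.command: id
      register: task_identity
      changed_when: false

    - name: Stop if escalation did not take effect
      ansible.builtin.assert:
        that:
          - "'uid=0(' in task_identity.stdout"
        fail_msg: "Tasks are not running as root; check the sudoers entry for sysunx"
```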

Hi,

Ansible is designed to have all sudo (or su) access (but not remote root access, to be more specific)... So you should be sure that there is no way to have it!

See "Privilege escalation must be general <https://docs.ansible.com/ansible/latest/user_guide/become.html#id9>" on https://docs.ansible.com/ansible/latest/user_guide/become.html#only-one-method-may-be-enabled-per-host

If not, you can still use the same command you already use with "sudo command" with the shell module (using become: no)... but it's ugly and you lose the idempotence work of all the modules (except shell) that are provided by the Ansible community

Regards,

JYL

I really don't see the point in promoting using Ansible as a glorified shell, especially as it seems that only the sudo
password is missing in this case.

Regards
        Racke

Unrelated to ansible, but 'vi /etc/sudoers' is dangerous, use visudo instead.