How to run "sudo command" as ssh user without switching to become_user?

Hi,
I’m connecting to my host as “user1” and my become user name is “user2”. The only account that has sudo privs to run the “do-something” command is user1.

**Attempt 1:**
I’m trying to run the following task, but it doesn’t work because ansible isn’t providing the password to the host and it sits there until it times out:

task:

```
- name: apply configurator on {{ inventory_hostname }}
  become: false
  shell: "sudo /usr/bin/do-something"
```


output:

**Attempt 2:**
 I then tried to run the following task, but it doesn't work because it runs as *user2*, but that's not what I want because *user2* doesn't have sudo privs:

task:

```
- name: apply configurator on {{ inventory_hostname }}
  become: true
  shell: "/usr/bin/do-something"
```

output:

```
fatal: [host]: FAILED! => {"changed": true, "cmd": "/usr/bin/do-something", "delta": "0:00:00.027783", "end": "2018-03-01 21:46:58.719945", "msg": "non-zero return code", "rc": 126, "start": "2018-03-01 21:46:58.692162", "stderr": "/bin/sh: /usr/bin/do-something: Permission denied", "stderr_lines": ["/bin/sh: /usr/bin/do-something: Permission denied"], "stdout": "", "stdout_lines": []}
```

**Attempt 3:**


I then try to run the following task, but it hangs as it waits for credentials for *user2*'s password, which ansible will not provide (even if it worked):



task:

```
- name: apply configurator on {{ inventory_hostname }}
  become: true
  shell: "sudo /usr/bin/do-something"
```

output:

```
<times-out>
```


  I've even tried setting the become_user to *user1*, but that doesn't work either. Using "sudo" in the shell command causes it to hang because a prompt for password is waiting whereas keeping "sudo" out gets me another permission error.

  Any help is greatly appreciated.

Thanks,
Kevin
 

Try adding this to your /etc/sudoers file so you don’t get prompted:

```
some_user ALL=(ALL) NOPASSWD: ALL
```

Hi Tony,
Thanks for the tip. Unfortunately, I can’t modify this file, but I did find a solution! Although, it does look like there may be a bug in Ansible (version 2.4.2.0).

It’s worth noting that I had the following in my inventory group vars file:

ansible_become_user: user2

I tried the following task:

```
- name: Configurator command needs to be run
  become_user: root
  shell: "/usr/bin/do-something"
```

Which also didn’t work because ansible reported that I didn’t have privileges (same error as I reported above with attempt 2).

Later, I removed the ansible_become_user variable setting from my inventory group vars file and re-ran the task with success!

Looking at the variable precedence documentation, it says that task variable settings are higher precedence than inventory group variables.

Am I looking at this the wrong way? Or shouldn’t this have worked by setting the become_user to root in the task no matter what’s in the inventory group vars file?

Thanks,
Kevin

Hi,
Ok, clearly I’m a newbie!

I changed the inventory group vars to the following and it works as expected:

become_user: user2

The documentation reads as if ansible_become_user and become_user are synonyms of each other. Clearly not!

Thanks,
Kevin

They are not the same, but they are related: 'ansible_become_user' is
a 'connection variable' which has higher precedence than 'become_user'
which is a playbook keyword.

The former is meant to be specific to a host/group of hosts to provide
a way to deal with heterogeneous environments, the latter is a way to
make play/task specific usage and expected to work in more homogeneous
environments.
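
The precedence described in the last reply, as an added example that is not part of the original thread. The file names (`group_vars/configurator.yml`, `site.yml`) and the group name `configurator` are assumptions; the users and the command come from the posts above.

```yaml
# group_vars/configurator.yml  (hypothetical path, constructed for illustration)
# Connection variable: applies to every task on these hosts and
# takes precedence over the become_user playbook keyword.
ansible_become_user: user2

---
# site.yml  (hypothetical playbook name)
- hosts: configurator
  tasks:
    # Does NOT run as root: the inventory-level ansible_become_user
    # above overrides the keyword, so the command runs as user2 and
    # fails with "Permission denied" as in attempt 2.
    - name: Configurator command, keyword only
      become: true
      become_user: root
      shell: "/usr/bin/do-something"

    # Runs as root: a task-level var has higher precedence than an
    # inventory group var, so it replaces ansible_become_user for
    # this one task while other tasks keep user2.
    - name: Configurator command, connection variable overridden
      become: true
      vars:
        ansible_become_user: root
      shell: "/usr/bin/do-something"
```

In both tasks the sudo call is made by the connecting user (user1), so run the playbook with `--ask-become-pass` if that account's sudo rule requires a password.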