Hi all, I’m a newbee on ansible and I follow online tutos.
I installed 2 ubuntu VM (named ubunt1 and ubunt2), one as node manager (ubuntu1) and the second one as simple node (ubuntu2). The ssh connection is tested and ok.
When I installed ubuntu, I’ve never been asked for a root password, but only for the name/password for a simple user. But this user belongs to sudoers group so it can make admin tasks. So all is ok.
The pb is that as I try to execute root tasks from ubuntu1 to ubuntu2 with ansible, even if ubuntu2 user belongs to sudoers groups, ansible fails. And if I use the “-become” option, ansible asks me the ubuntu2 root password that I don’t know of course.
In fact I feel that the fact that ubuntu2 user has sudo privilege is useless.
Hi all, I'm a newbee on ansible and I follow online tutos.
I installed 2 ubuntu VM (named ubunt1 and ubunt2), one as node manager (ubuntu1) and the second one as simple node (ubuntu2). The ssh connection is tested and ok.
When I installed ubuntu, I've never been asked for a root password, but only for the name/password for a simple user. But this user belongs to sudoers group so it can make admin tasks. So all is ok.
That is one thing. Depending on your config, you might also have to
provide the password to use sudo.
The pb is that as I try to execute root tasks from ubuntu1 to ubuntu2 with ansible,
What are "root tasks"? Is this different from tasks that require sudo?
even if ubuntu2 user belongs to sudoers groups, ansible fails. And if I use the "-become" option, ansible asks me the ubuntu2 root password that I don't know of course.
See above, this might be required on your config. Check the NOPASSWD
option in your sudoers configuration.
I assume the same username is used on both machines.
Hello,
Yes, its possible to use ansible without root password.
There are two ways you can do this.
Create an user and add that user to sudo group. Let’s say username is anisble. These commands should be run as root in the ubuntu2 machine. useradd ansible usermod -aG sudo ansible visudo
Once the visudo opens, replace this line %sudo ALL=(ALL:ALL) ALL with the line %sudo ALL=(ALL:ALL) NOPASSWD:ALL
so that the user ansible will not be prompted for password when becoming a sudo user.
The same can be done with the ubuntu user as well.
Let me know if there is any ambiguity.
-Ravi Kumar
had to create a “mala” user on ubuntu2 (the node) with sudo privilege (during the ubuntu installation)
created a public/private kay pair on ubuntu1 (the node manager) and I copied the public key on ubunt2 with ssh-copy-id command; it works well since I succeded in making “ssh mala@ubuntu2” from ubuntu1
I never knew root password on ubuntu2 (smae thing on ubuntu1).
In next commands, I tried to create a “ansible-user” on ubuntu2, I know it’s useless since mala on ubnutu2 already exists, but I’m just following a tuto with a remote user creation. The action is not important, this is the failure wich I don’t understand.
grag@ubuntu1:~/ansible$ ansible localhost -i grt.inv -m debug -a “msg={{ ‘passforce’ | password_hash(‘sha512’, ‘secretsalt’) }}”
localhost | SUCCESS => {
“msg”: “$6$secretsalt$X5YDmUgDphPxnMkByvHbNaiP4T5Uk0WjEZ9TukWKQnXmXN81jG3DcGZnNJiSz9ltgPhplH92HOR/RqgmyS.zN1”
}
grag@ubuntu1:~/ansible$ ansible -i grt.inv -m user -a ‘name=user-ansible password=$6$secretsalt$X5YDmUgDphPxnMkByvHbNaiP4T5Uk0WjEZ9TukWKQnXmXN81jG3DcGZnNJiSz9ltgPhplH92HOR/RqgmyS.zN1’ --user root --ask-pass all
SSH password:
ubuntu2 | FAILED! => {
“msg”: “to use the ‘ssh’ connection type with passwords, you must install the sshpass program”
}
grag@ubuntu1:~/ansible$ ansible -i grt.inv -m user -a ‘name=user-ansible password=$6$secretsalt$X5YDmUgDphPxnMkByvHbNaiP4T5Uk0WjEZ9TukWKQnXmXN81jG3DcGZnNJiSz9ltgPhplH92HOR/RqgmyS.zN1’ --user mala --ask-pass all
SSH password:
ubuntu2 | FAILED! => {
“msg”: “to use the ‘ssh’ connection type with passwords, you must install the sshpass program”
}
grag@ubuntu1:~/ansible$ more grt.inv
ubuntu2
grag@ubuntu1:~/ansible$
Note that for ssh password, I typed mala password on ubunt2.
had to create a "mala" user on ubuntu2 (the node) with sudo privilege (during the ubuntu installation)
created a public/private kay pair on ubuntu1 (the node manager) and I copied the public key on ubunt2 with ssh-copy-id command; it works well since I succeded in making "ssh mala@ubuntu2" from ubuntu1
I never knew root password on ubuntu2 (smae thing on ubuntu1).
In next commands, I tried to create a "ansible-user" on ubuntu2, I know it's useless since mala on ubnutu2 already exists, but I'm just following a tuto with a remote user creation. The action is not important, this is the failure wich I don't understand.
You're using having problem with ansible and the privilege escalation,
and you're using a "tuto" that uses ansible to create
users/account/passwords/etc.
To me that sounds like adding more complexity to the mix rather than
reducing it.
Try to *manually* make sure the hosts meet the requirements and get
ansible to work.
grag@ubuntu1:~/ansible$ ansible localhost -i grt.inv -m debug -a "msg={{ 'passforce' | password_hash('sha512', 'secretsalt') }}"
localhost | SUCCESS => {
"msg": "$6$secretsalt$X5YDmUgDphPxnMkByvHbNaiP4T5Uk0WjEZ9TukWKQnXmXN81jG3DcGZnNJiSz9ltgPhplH92HOR/RqgmyS.zN1"
}
grag@ubuntu1:~/ansible$ ansible -i grt.inv -m user -a 'name=user-ansible password=$6$secretsalt$X5YDmUgDphPxnMkByvHbNaiP4T5Uk0WjEZ9TukWKQnXmXN81jG3DcGZnNJiSz9ltgPhplH92HOR/RqgmyS.zN1' --user root --ask-pass all
SSH password:
ubuntu2 | FAILED! => {
"msg": "to use the 'ssh' connection type with passwords, you must install the sshpass program"
}
You're setting a root password which is not needed. So this error is
also irrelevant.
Thanks Ravi, you precisely do what a tuto did.
In fact, instead of manually adding the “%sudo ALL=(ALL:ALL) NOPASSWD:ALL” line in /etc/sudoers of node machine, the tuto says to add this line with ansible, and the command is (I created a new ubuntu VM as a simple node (ubuntu3 with simon user, I used ssh-copy-id to copy my public key from ubuntu1 to ubuntu3)) :
FYI “Échec d’authentification” means “authentication failure”
What surprised me is that since I typed simon’s password, and since simon is allowed to modified locally the /etc/sudoers file, why isn’t he allowed to do the same thing from ansible … ?