This hangs and I have to kill the process. I don’t want to use -K since I’d rather use passwordless ssh.
ansible -i hosts webserver1 -m shell -a “/sbin/service httpd restart” --sudo
Now, if I pass the sudo command via the shell, it works just fine.
which connection transport are you using? did you try differnet ones, and try to use the new -vvvv option to debug ssh connections
Looks like I’m stuck here …
ESTABLISH CONNECTION FOR USER: deployment on PORT 22 TO oqn-01-web1
EXEC /bin/sh -c ‘mkdir -p $HOME/.ansible/tmp/ansible-1380135044.57-157834591122680 && chmod a+rx $HOME/.ansible/tmp/ansible-1380135044.57-157834591122680 && echo $HOME/.ansible/tmp/ansible-1380135044.57-157834591122680’
REMOTE_MODULE command /sbin/service httpd restart
PUT /tmp/tmppxQ9cr TO /home/deploy/.ansible/tmp/ansible-1380135044.57-157834591122680/command
EXEC /bin/sh -c ‘sudo -k && sudo -H -S -p “[sudo via ansible, key=gjnesgjnrperpmifmojteiocwhyyfsrj] password: " -u root /bin/sh -c '”’“‘/usr/bin/python /home/deploy/.ansible/tmp/ansible-1380135044.57-157834591122680/command; rm -rf /home/deploy/.ansible/tmp/ansible-1380135044.57-157834591122680/ >/dev/null 2>&1’”‘"’’
You need to specify -K when using sudo, as it is waiting at a prompt for a sudo password.
But I thought if I’m using passwordless SSH it shouldn’t matter?
It does, because sudo may not be passwordless. Using -k is for ssh, -K is for sudo.
Always why I prefer long form options every time 
Sorry to be digging up an old thread. I ran into this issue to and the issue is not always simply sudo/password/-K issue.
sudo is often configured to only allow certain commands to run via sudo. For example, a developer that may restart a web service, but not administer the rest of the system. After tracing logs, I believe ansible does not support this.
For example, sudo is configured with the follow authorisation:
%tomcat7 ALL=(ALL) NOPASSWD: /usr/sbin/service tomcat7 restart
User runs ‘sudo service tomcat7 restart’ in a shell directly:
==> /var/log/auth.log <==
Nov 18 18:49:46 host sudo: username : TTY=pts/0 ; PWD=/home/username ; USER=root ; COMMAND=/usr/sbin/service tomcat7 restart
Nov 18 18:49:46 host sudo: pam_unix(sudo:session): session opened for user root by username(uid=0)
Nov 18 18:49:52 host sudo: pam_unix(sudo:session): session closed for user root
Ansible playbook task service: name=tomcat7 state=restarted:
==> /var/log/auth.log <==
Nov 18 18:48:54 host sudo: username : TTY=pts/6 ; PWD=/home/username ; USER=root ; COMMAND=/bin/sh -c echo SUDO-SUCCESS-uwsxighxnhfaaspfrokwpdvxgnjycdil; /usr/bin/python
The ansible call is wrapped and sudo called using /bin/sh which sudo does not allow.
Is there a workaround for this, other than granting the user sudo access to everything?
“sudo is often configured to only allow certain commands to run via sudo”
Correct, this is not how ansible works.
We simply don’t invoke chown, modules are reusable pieces of code and we don’t require them to be preinstalled.
Sorry to bring up this old thread again, but I’m running into the same issue as Phil.
I’d like to have a user that has sudo access to restart Apache but not, say, delete it.
How do people typically handle this? Is it possible to create users that can run ansible modules like “service” as sudo, without having sudo rights to run every command?
Or is the expectation that Ansible should have full sudo access?
JW
I’m sorry, you can’t define sudo access to do specific commands this way.