In my environment, when a VM is first provisioned, it has no users
other than root, and root has no password. The machines are pre-seeded
with an authorized SSH key so I can log in as root remotely to finish
the setup. These machines have SELinux enforcing the strict policy,
so even logging in as root is insufficient to make any changes; I have
to use sudo to get to the sysadm_r role. Unfortunately, it seems that
Ansible thinks it is smarter than I am, and refuses to run my modules
in sudo if the remote user is root, so everything fails with
permission denied errors.
Is there a way I can force or trick Ansible into running my plays
through sudo, even when logged in as root?
Note: one of the steps in my playbook is to set up another user that
will be used for all subsequent Ansible runs; only the initial setup
needs to be run as root.
Dustin C. Hatch
http://dustin.hatch.name/
“Unfortunately, it seems that
Ansible thinks it is smarter than I am, and refuses to run my modules
in sudo if the remote user is root, so everything fails with
permission denied errors.”
This is true because sudo to the same user causes problems on lots of systems.
This is the first I’ve heard of sudo to root from root giving different behavior than being root.
Can you share some more details about your SELinux policy configuration?
It's the default Gentoo strict policy. Essentially the problem is that
when root logs in via ssh, it gets staff_r, and needs to transition to
sysadm_r in order to actually do anything. Normally, one would use
newrole to do the transition, but since root has no password, it can't
authenticate. These machines have the following entry in sudoers:
root ALL = (ALL) ROLE=sysadm_r TYPE=sysadm_t ALL
This allows root to transition to sysadm_r in order to run commands,
without needing to authenticate. It works perfectly from the command
line, but since Ansible won't run through sudo, root can't get the
sysadm_r role.
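An added example, not part of this thread or of Ansible: a small POSIX shell script that reads the role field of an SELinux security context and prints the sudo invocation for the staff_r to sysadm_r transition described in the post above. It assumes the sudoers entry quoted above (ROLE=sysadm_r TYPE=sysadm_t for root) and sudo's SELinux options -r (role) and -t (type); the context strings it uses are constructed samples standing in for the output of id -Z, so it runs on a host without SELinux.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes sudoers contains:
#   root ALL = (ALL) ROLE=sysadm_r TYPE=sysadm_t ALL
# so that `sudo -r sysadm_r -t sysadm_t` needs no password for root.

# An SELinux context has the form user:role:type:range, e.g.
# "root:staff_r:staff_t:s0-s0:c0.c1023". These two helpers pull out
# the role and type fields.
selinux_role() {
    printf '%s\n' "$1" | cut -d: -f2
}

selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print "yes" if the context's role differs from the wanted role
# (a transition is required), "no" if we are already in it.
needs_transition() {
    ctx=$1
    want_role=$2
    if [ "$(selinux_role "$ctx")" = "$want_role" ]; then
        echo no
    else
        echo yes
    fi
}

# Build the sudo command line that requests a role/type transition.
# sudo's -r ROLE and -t TYPE options correspond to the ROLE= and TYPE=
# options in the sudoers entry; without a matching entry sudo refuses.
transition_cmd() {
    role=$1
    type=$2
    shift 2
    printf 'sudo -r %s -t %s %s\n' "$role" "$type" "$*"
}

main() {
    # On a real SELinux host pass "$(id -Z)" as the first argument.
    # The default below is a constructed sample context, not real output.
    cur=${1:-root:staff_r:staff_t:s0-s0:c0.c1023}
    if [ "$(needs_transition "$cur" sysadm_r)" = yes ]; then
        echo "current role $(selinux_role "$cur") cannot administer; run:"
        transition_cmd sysadm_r sysadm_t id -Z
    else
        echo "already in role $(selinux_role "$cur")"
    fi
}

main "$@"
```

Running `sh check_role.sh "$(id -Z)"` on the freshly provisioned host confirms from a plain root shell that the sudoers transition works before Ansible is involved, which separates a policy or sudoers problem from the Ansible behavior discussed in this thread.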
Curious. Perhaps a global config setting for “prevent_apparent_useless_sudo” is needed.
IIRC, this caused problems with prompts in some cases – but maybe it didn’t and someone was optimizing something that didn’t need to be optimized.
I'm guessing this was a configuration issue (http://xkcd.com/1343/),
and maybe Ansible should try to work around it by default, but it
should not ignore what I've explicitly told it to do. If you're okay
with a configuration setting to override this behavior, I'll try to
get a patch that implements it.
Dustin C. Hatch
http://dustin.hatch.name/
A config setting seems reasonable. I hate that I don’t remember how we got down this path, but I think there’s a good chance in some cases extra-sudo was causing issues for people.