Reputation: 11
I am trying to run Ansible through Apache2 CGI.
This is my script:
#!/usr/bin/env python
# -*- coding: UTF-8 -*-
# enable debugging
print "Content-type: text/html"
print
import cgitb
cgitb.enable()
print "<html><head>"
print ""
print "</head><body>"
import os
import ansible.runner
import sys
# Run the "service" module against localhost, escalating to root via sudo
results = ansible.runner.Runner(
    # transport='ssh',
    # remote_user='root',
    # remote_pass='pass',
    transport='local',
    # su='yes',
    # su_user='root',
    # su_pass='su_pass',
    sudo='yes',
    sudo_user='root',
    sudo_pass='sudo_pass',
    pattern='127.0.0.1',
    module_name='service',
    module_args='name=shoc-lxc-net state=started enabled=yes',
    forks=10,
).run()
if results is None:
    print "No hosts found"
    sys.exit(1)
import json
# Dump the raw result: "dark" holds unreachable hosts, "contacted" the rest
print(json.dumps(results,
                 default=lambda obj: vars(obj),
                 indent=1))
for (hostname, result) in results['contacted'].items():
    if 'failed' not in result:
        print "%s >>> %s" % (hostname, result['enabled'])
print "</body></html>"
When I run it, I get:
{
 "dark": {
  "127.0.0.1": {
   "msg": "Authentication or permission failure. In some cases, you may have been able to authenticate and did not have permissions on the remote directory. Consider changing the remote temp path in ansible.cfg to a path rooted in \"/tmp\". Failed command was: mkdir -p $HOME/.ansible/tmp/ansible-1420984254.94-125323999727459 && chmod a+rx $HOME/.ansible/tmp/ansible-1420984254.94-125323999727459 && echo $HOME/.ansible/tmp/ansible-1420984254.94-125323999727459, exited with result 1",
   "failed": true
  }
 },
 "contacted": {}
}
But when I run this script through the shell I get:
$ /lxc/www/py/index.py
Content-type: text/html
<html><head> </head><body>
{
 "dark": {},
 "contacted": {
  "127.0.0.1": {
   "invocation": {
    "module_name": "service",
    "module_args": "name=shoc-lxc-net state=started enabled=yes"
   },
   "state": "started",
   "changed": false,
   "enabled": true,
   "name": "shoc-lxc-net"
  }
 }
}
127.0.0.1 >>> True
When I check:
# ls -la /var/www/
total 20
drwxrwxrwx 4 root root 4096 Jan 11 15:57 .
drwxr-xr-x 14 root root 4096 Jan 8 15:58 ..
drwxr-xr-x 2 root root 4096 Jan 11 14:54 etc
-rw-r--r-- 1 root root 177 Mar 18 2013 index.html
drwx------ 2 www-data www-data 4096 Jan 11 15:36 .ssh
# su www-data
$ mkdir /var/www/.ansible/tmp -p
$
# ls -la /var/www/.ansible/
total 12
drwxrwxr-x 3 www-data www-data 4096 Jan 11 15:57 .
drwxrwxrwx 5 root root 4096 Jan 11 15:57 ..
drwxrwxr-x 2 www-data www-data 4096 Jan 11 15:57 tmp
Upvotes: 1
Views: 1585
Reputation: 369
I got the same error when running my Ansible project in Molecule. Here's what I found:
When running the command molecule test --destroy=never I reproduce the very same issue with the tmp folder/files. If I skip the destroy flag and just run molecule test -- it works fine.
Posting this answer as folks in the community might run into this issue. As a workaround, you can Ctrl+C after molecule is done with the verify step, just before it finishes execution -- a.k.a destroy
Molecule steps:
└── default
    ├── lint
    ├── destroy
    ├── dependency
    ├── syntax
    ├── create
    ├── prepare
    ├── converge
    ├── idempotence
    ├── side_effect
    ├── verify
    └── destroy
Upvotes: 0
Reputation: 20759
The script is going to run as the apache user (or whatever user you are running apache as - in some cases that may be 'nobody' or something else entirely). That user most likely doesn't have the same permissions as you. You would likely need to either setuid the script to run as a user with the appropriate permissions or add an entry to /etc/sudoers to allow the script to run as a different user without prompting for a password then use a wrapper shell script to have Apache invoke the script via sudo.
Upvotes: 0
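An added example, not part of any post above: a Python 3 diagnostic that shows which account and HOME the process actually has, and whether the `$HOME/.ansible/tmp` directory from the failed command could be created there. Run it once from the shell and once as a CGI script and compare the two results; the function names are hypothetical.

```python
#!/usr/bin/env python3
import json
import os
import pwd


def ansible_tmp_path(env):
    # The failed command is `mkdir -p $HOME/.ansible/tmp/...`. The shell expands
    # an unset HOME to an empty string, so the target becomes /.ansible/tmp.
    return env.get("HOME", "") + "/.ansible/tmp"


def nearest_existing(path):
    # mkdir -p starts creating below the deepest component that already exists.
    path = os.path.abspath(path)
    while not os.path.lexists(path):
        path = os.path.dirname(path)
    return path


def diagnose(env=None):
    env = os.environ if env is None else env
    target = ansible_tmp_path(env)
    anchor = nearest_existing(target)
    # Check with the effective uid where the platform supports it.
    use_eff = os.access in os.supports_effective_ids
    creatable = os.path.isdir(anchor) and os.access(
        anchor, os.W_OK | os.X_OK, effective_ids=use_eff)
    try:
        account = pwd.getpwuid(os.geteuid())
        user, passwd_home = account.pw_name, account.pw_dir
    except KeyError:  # uid has no passwd entry (common in containers)
        user, passwd_home = None, None
    return {
        "euid": os.geteuid(), "user": user, "passwd_home": passwd_home,
        "env_home": env.get("HOME"), "target": target,
        "anchor": anchor, "creatable": creatable,
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(), indent=1))
```

A difference between `env_home` and `passwd_home`, or `creatable` being false only under Apache, points at the web server's environment rather than at Ansible itself.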