Reputation: 307
I want to run ansible with user sa1 without sudo password:
First time OK:
[root@centos1 cp]# ansible cent2 -m shell -a "sudo yum -y install httpd"
cent2 | SUCCESS | rc=0 >>
Second time FAILED:
[root@centos1 cp]# ansible cent2 -s -m yum -a "name=httpd state=absent"
cent2 | FAILED! => {
    "changed": false,
    "failed": true,
    "module_stderr": "",
    "module_stdout": "sudo: a password is required\r\n",
    "msg": "MODULE FAILURE",
    "parsed": false
}
Please help!
Upvotes: 10
Views: 59274
Reputation: 33
This helped me with Ansible installed in VENV with
rm -rf ~/.ansible/
SSH Session was hanging in cache
Upvotes: 0
Reputation: 21
##-----------------------
- name: sudo without password
  become: true
  copy:
    dest: /etc/sudoers.d/dont-prompt-ubuntu_user-for-sudo-password
    content: 'ubuntu ALL=(ALL) NOPASSWD:ALL'
It creates a file called /etc/sudoers.d/dont-prompt-ubuntu_user-for-sudo-password with the following contents:
ubuntu ALL=(ALL) NOPASSWD:ALL
This works because Debian's and Ubuntu's default /etc/sudoers file has this line:
@includedir /etc/sudoers.d
Upvotes: 1
Reputation: 3201
Here's the playbook in case you want ansible make it for you
wheel
- name: Make users passwordless for sudo in group wheel
  lineinfile:
    path: /etc/sudoers
    state: present
    regexp: '^%wheel'
    line: '%wheel ALL=(ALL) NOPASSWD: ALL'
    validate: 'visudo -cf %s'
Upvotes: 13
Reputation: 872
By default ansible runs sudo with the flags: -H -S -n to become root. Where --non-interactive would be the corresponding long form for option -n. This option seems to make sudo return the error message, without attempting to let the authentication modules do their thing.
I managed to get around the password error by creating a ~/.ansible.cfg containing lines as below, for the most relevant ansible version.
ansible 2.4
[defaults]
sudo_flags = --set-home --stdin
ansible 2.9
[sudo_become_plugin]
flags = -H -S
That was at least enough to allow pam_ssh_agent_auth.so to run and authenticate me.
Prior to version 2.8 the above example works, newer than 2.8 requires the second example. Documentation for the new style configuration can be found in the Ansible User Guide.
Upvotes: 11
Reputation: 1754
It's not ansible, it's your server's configuration. Make sure that sudo is allowed for the user ansible is using without password.
sudo visudo
centos ALL=(ALL) NOPASSWD:ALL
centos with your user
You can try from the server itself by running:
sudo -u [yourusername] sudo echo "success"
If this works it should work from ansible too.
Upvotes: 16
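An added example, not from any of the answers: a small Python audit that lists which principals hold the kind of NOPASSWD rule the answers above create (the sudoers.d drop-in for ubuntu, the %wheel line, the centos line). It is a simplified scanner that assumes one rule per logical line, expands no aliases and ignores Defaults settings; the sample text and the function names are constructed for illustration.

```python
import re

# Constructed sample: the three rules from the answers above, plus a
# password-protected rule and a command-limited NOPASSWD rule for contrast.
SAMPLE = """\
ubuntu ALL=(ALL) NOPASSWD:ALL
%wheel ALL=(ALL) NOPASSWD: ALL
centos ALL=(ALL) NOPASSWD:ALL
deploy ALL=(ALL) ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync, \\
    /usr/bin/tar
Defaults:ubuntu !requiretty
@includedir /etc/sudoers.d
"""

# Assumption: one "who hosts = (runas) TAG: cmds" rule per logical line.
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>[^=]+?)\s*=\s*(?P<rest>.+)$")
SKIP = re.compile(r"^(#|@include|Defaults|\w+_Alias\b)")

def logical_lines(text):
    """Join backslash continuations; drop comments, includes, Defaults, aliases."""
    for line in map(str.strip, re.sub(r"\\\n\s*", " ", text).splitlines()):
        if line and not SKIP.match(line):
            yield line

def nopasswd_grants(text):
    """Return [(who, [commands])] for rules that run commands without a password."""
    findings = []
    for m in filter(None, map(RULE.match, logical_lines(text))):
        rest = re.sub(r"\([^)]*\)", "", m["rest"])  # drop (runas) specs
        nopasswd, cmds = False, []
        for item in map(str.strip, rest.split(",")):
            # A tag (NOPASSWD:, PASSWD:, ...) stays in force for later commands.
            while (tag := re.match(r"([A-Z_]+):\s*", item)):
                if tag[1] in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag[1] == "NOPASSWD"
                item = item[tag.end():]
            if nopasswd and item:
                cmds.append(item)
        if cmds:
            findings.append((m["who"], cmds))
    return findings

def unrestricted(findings):
    """Principals whose passwordless grant covers every command."""
    return [who for who, cmds in findings if "ALL" in cmds]

if __name__ == "__main__":
    print(unrestricted(nopasswd_grants(SAMPLE)))
```

Run it over the contents of /etc/sudoers and each file under /etc/sudoers.d to review which accounts can become root without a password prompt.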