tribbloid

Reputation: 3838

Why is Ansible ignoring my 'sudo: False'?

I intend to use Ansible to deploy a remote file. Since the remote location can only be written with 'root', and the local file cannot be downloaded with 'root', I use the following playbook:

# in the main playbook

- hosts: master
  user: ec2-user
  sudo: yes

# in role definition

# download only in the ansible master node
- local_action: get_url url={{ hadoop_mirrors|random }}/hadoop-{{ hadoop_version }}/hadoop-{{ hadoop_version }}.tar.gz dest=/opt/hadoop-{{ hadoop_version }}.tar.gz force=no
  sudo: False
  register: result
  until: result|success
  retries: 5
  delay: 2
  when: hadoop_type_of_node == 'master'

However, Ansible seems incapable of reading the line sudo: False. When I ran this playbook I still got this error:

TASK [ansible-role-hadoop : get_url] **************************************************************************************************
FAILED - RETRYING: ansible-role-hadoop : get_url (5 retries left).
FAILED - RETRYING: ansible-role-hadoop : get_url (4 retries left).
FAILED - RETRYING: ansible-role-hadoop : get_url (3 retries left).
FAILED - RETRYING: ansible-role-hadoop : get_url (2 retries left).
FAILED - RETRYING: ansible-role-hadoop : get_url (1 retries left).
fatal: [54.201.26.110 -> localhost]: FAILED! => {"attempts": 5, "changed": false, "module_stderr": "sudo: a password is required\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}
    to retry, use: --limit @/home/peng/git/datapassport/clusterops/ansible/deploy/master.retry

Why is this line not read and what should I do to fix it?

Upvotes: 2

Views: 5918

Answers (2)

mewc

Reputation: 1447

Privilege Escalation is important to manage in Ansible. The become keyword is the operator for this ability.

4 common uses:

  • become set to 'true'/'yes' to activate privilege escalation.
  • become_user set to user with desired privileges — the user you ‘become’, NOT the user you login as. Does NOT imply become: yes, to allow it to be set at host level.
  • become_method (at play or task level) overrides the default method set in ansible.cfg, set to sudo/su/pbrun/pfexec/doas/dzdo/ksu
  • become_flags (at play or task level) permits the use of specific flags for the tasks or role. One common use is to change user to nobody when the shell is set to no login.

So, instead of sudo: yes, use become: like this:

- hosts: master
  user: ec2-user
  become: false

Upvotes: 1

techraf

Reputation: 68439

Use become: false, not sudo: false, which was deprecated long ago.

The sudo declaration is still kept for compatibility in play definitions, but for some reason has not been maintained in tasks since Ansible 2.4.

- There is no check for declarations in tasks (you can add foo: bar to a task and it will be ignored). That's why you don't see any error/warning.

- On the other hand, you should get a warning about sudo being deprecated.

Upvotes: 6
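
An added example (not part of either answer, and not Ansible's own code): since, as the answer above notes, an unrecognised keyword on a task is silently ignored, this Python check scans block-style playbook text for the legacy sudo / sudo_user keys and reports whether each one sits on a play or on a task. The function name, the sample playbook and the mirror URL are constructed for illustration.

```python
import re

# Legacy keywords and the current replacement for each.
LEGACY = {"sudo": "become", "sudo_user": "become_user"}
KEY_RE = re.compile(r"^(\s*)(-\s+)?([A-Za-z_]\w*)\s*:\s*(.*)$")

# Constructed sample modeled on the question's playbook; the URL is a placeholder.
SAMPLE = """\
- hosts: master
  user: ec2-user
  sudo: yes
  tasks:
    - local_action: get_url url=http://mirror.example/hadoop.tar.gz dest=/opt/hadoop.tar.gz
      sudo: False
      register: result
"""

def find_legacy_keys(text):
    """Return sorted (line, scope, key, value, replacement) tuples.

    scope is "play" when the enclosing list item has a `hosts` key, otherwise
    "task". Line-based scan of block-style YAML, so no YAML library is needed.
    """
    stack, found = [], []

    def close(item):
        scope = "play" if "hosts" in item["keys"] else "task"
        found.extend((n, scope, k, v, LEGACY[k]) for n, k, v in item["hits"])

    for no, line in enumerate(text.splitlines(), 1):
        m = KEY_RE.match(line)
        if not m:
            continue  # comments, blank lines, scalar continuations
        indent, dash, key, value = len(m.group(1)), m.group(2), m.group(3), m.group(4)
        # Pop every list item that this line is no longer part of.
        while stack and (stack[-1]["dash"] >= indent if dash else stack[-1]["col"] > indent):
            close(stack.pop())
        if dash:  # "- key: value" opens a new play or task
            stack.append({"dash": indent, "col": indent + len(dash), "keys": set(), "hits": []})
        if stack and stack[-1]["col"] == indent + len(dash or ""):
            stack[-1]["keys"].add(key)  # a direct key of the item, not a nested one
            if key in LEGACY:
                stack[-1]["hits"].append((no, key, value.split(" #")[0].strip()))
    while stack:
        close(stack.pop())
    return sorted(found)

if __name__ == "__main__":
    for line_no, scope, key, value, new in find_legacy_keys(SAMPLE):
        print(f"line {line_no}: {scope}-level '{key}: {value}' -> use '{new}:'")
```

A task-level hit is the case from the question: the play escalates, the task's opt-out is not honoured, and the delegated local task runs under sudo on the control node.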
