user2165181

Reputation: 51

Ansible become_user asks for password even though it is configured passwordless

I have a strange issue for which, after many searches, I was not able to find an answer. It is a very simple case.

Currently there is a Linux machine with user x and user y. When I manually log in as user x, I can switch to user y passwordless using: "sudo su - y".

Now back to Ansible.

tasks:
- name: test task
  shell: echo "this is a test"
  become: true
  become_user: y

This task will connect to the machine using user x. To run the echo it becomes y. For this situation I am getting: "module_stdout": "sudo: a password is required\r\n",

For user y I provided a sudoers file with /bin/sh *, which also does not work. Does anyone have an idea?

Thanks in advance.

Upvotes: 5

Views: 1554

Answers (2)

Zbyl

Reputation: 2310

To make Ansible use sudo su - <username> (with or without a password) my colleague came up with the pipe_to_su plugin: https://gist.github.com/ZbigniewRA/89b70da91c1329a87398387bebdeac64

To use it:

  • you need to put that script in become_plugins/pipe_to_su.py,
  • add the following to vars in the inventory file (or your playbook):

ansible_become_method: pipe_to_su
ansible_become_exe: sudo su
ansible_become_flags: '-'
ansible_become_user: '<username>'
ansible_become: yes
ansible_become_password: '' # Put a password here, or leave empty for no password.

Background

Without this plugin Ansible is using sudo su - <username> with arguments (the command to run). This will require a sudo password if the sudoers file is configured to only allow passwordless sudo for exactly sudo su - <username> (without any arguments).

pipe_to_su overcomes this limitation.

Upvotes: 2

nwinkler

Reputation: 54507

For using sudo su -, you might have to add the become_flags like this:

tasks:
- name: test task
  shell: echo "this is a test"
  become: true
  become_method: "sudo"
  become_flags: "su -"
  become_user: y

If that does not work, here's something else to try:

tasks:
- name: test task
  shell: echo "this is a test"
  become: true
  become_method: "sudo"
  become_flags: "su - -c"
  become_user: y

By adding the -c flag to su, you might be able to work around how Ansible runs the become command. In reality, Ansible is not doing two steps (sudo su - y, then running the command), but instead running one command in the form of sudo ... foobarbaz.py, where foobarbaz.py is a script that contains your shell steps (in this case the echo command).

To make this work, you have to ensure that your sudoers file contains an entry that allows your user to run something like this (if you look at the output of sudo -l):

su - -c *

Upvotes: 1
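
An added example (not part of either answer, and not Ansible's or sudo's own code) that models why a passwordless rule for exactly `sudo su - y` does not cover the single command line Ansible sends, as both answers above describe. The sudoers rule, the PATH table, the module path, the command-line shapes and the simplified matching logic are assumptions constructed for illustration.

```python
import fnmatch
import shlex

# Constructed sudoers rule for user x, modelling "passwordless only for exactly
# `sudo su - y`":   x ALL=(root) NOPASSWD: /bin/su - y
RULE = {"runas": "root", "command": "/bin/su", "args": "- y"}
PATHS = {"su": "/bin/su", "sh": "/bin/sh"}  # assumed PATH resolution on the host

def parse_sudo(cmdline):
    """Split a sudo command line into (runas_user, command_path, argument_string)."""
    argv = shlex.split(cmdline)[1:]          # drop the leading "sudo"
    runas = "root"                           # sudo's default target user
    while argv and argv[0].startswith("-"):
        opt = argv.pop(0)
        if opt == "-u":                      # -u takes the target user
            runas = argv.pop(0)
    command = PATHS.get(argv[0], argv[0])
    return runas, command, " ".join(argv[1:])

def nopasswd_applies(rule, cmdline):
    """Simplified sudoers match: runas and path must be equal; if the rule lists
    arguments, the user's arguments must match them (shell-style wildcards)."""
    runas, command, args = parse_sudo(cmdline)
    if runas != rule["runas"] or command != rule["command"]:
        return False
    if rule["args"] is None:                 # no arguments in the rule: any allowed
        return True
    return fnmatch.fnmatchcase(args, rule["args"])

# Constructed command lines; MODULE stands in for Ansible's generated payload.
MODULE = "echo BECOME-SUCCESS; /usr/bin/python3 /tmp/module.py"
REQUESTS = {
    "interactive": "sudo su - y",
    # default sudo become method: flags, then -u <become_user>, then a shell
    "become_sudo": "sudo -H -S -n -u y /bin/sh -c " + shlex.quote(MODULE),
    # su run through sudo (become_exe 'sudo su', flags '-'): command appended
    "become_su": "sudo su - y -c " + shlex.quote(MODULE),
}

def evaluate(rule=RULE):
    """Return, per request, whether the NOPASSWD rule would cover it."""
    return {name: nopasswd_applies(rule, cmd) for name, cmd in REQUESTS.items()}

if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{name:12} {'NOPASSWD rule matches' if ok else 'password required'}")
```

Only the interactive form matches the rule; with sudo's -n flag, a request that no passwordless rule covers fails with "a password is required" instead of prompting.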
