Ansible non-root sudo user and "become" privilege escalation


I've set up a box with a user david who has sudo privileges. I can ssh into the box and perform sudo operations like apt-get install. When I try to do the same thing using Ansible's "become privilege escalation", I get a permission denied error. So a simple playbook might look like this:

simple_playbook.yml:

---
- name: Testing...
  hosts: all
  become: true
  become_user: david
  become_method: sudo

  tasks:
    - name: Just want to install sqlite3 for example...
      apt: name=sqlite3 state=present

I run this playbook with the following command:

ansible-playbook -i inventory simple_playbook.yml --ask-become-pass 

This gives me a prompt for a password, which I give, and I get the following error (abbreviated):

fatal: [123.45.67.89]: FAILED! => {... failed: E: Could not open lock file /var/lib/dpkg/lock - open (13:  Permission denied)\nE: Unable to lock the administration directory (/var/lib/dpkg/), are you root?\n", ...} 

Why am I getting permission denied?

Additional information

I'm running Ansible 2.1.1.0 and am targeting a Ubuntu 16.04 box. If I use remote_user and sudo options as per Ansible < v1.9, it works fine, like this:

remote_user: david
sudo: yes

Update

The local and remote usernames are the same. To get this working, I just needed to specify become: yes (see @techraf's answer).

asked Dec 05 '16 21:12 by DavB



2 Answers

Why am I getting permission denied?

Because APT requires root permissions (see the error: are you root?) and you are running the tasks as david.

Per these settings:

become: true
become_user: david
become_method: sudo

Ansible becomes david using the sudo method. It basically runs its Python script with sudo david in front.


the user 'david' on the remote box has sudo privileges.

It means david can execute commands (some or all) using the sudo executable to change the effective user for the child process (the command). If no username is given, this process runs as the root account.

Compare the results of these two commands:

$ sudo whoami
root
$ sudo david whoami
david

Back to the APT problem, you (from CLI) as well as Ansible (connecting with SSH using your account) need to run:

sudo apt-get install sqlite3 

not:

sudo david apt-get install sqlite3 

which will fail with the very exact message Ansible displayed.


The following playbook will escalate by default to the root user:

---
- name: Testing...
  hosts: all
  become: true

  tasks:
    - name: Just want to install sqlite3 for example...
      apt: name=sqlite3 state=present

answered Sep 29 '22 20:09 by techraf
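The point of the answer above is that become_user selects the account the task runs as (Ansible's sudo become plugin passes it as sudo -u <user>), and that it defaults to root when omitted. The following is an added example, not code from the question or either answer: a small audit script that applies Ansible's precedence rules (task-level become keywords override play-level ones, become_user defaults to root, and without become the task runs as remote_user) to compute the effective user of every task and flags tasks whose module needs root while escalating to someone else, which is exactly the apt failure in the question. It assumes the playbook is passed as the Python structure yaml.safe_load would return; ROOT_REQUIRED_MODULES and the sample playbooks are constructed for this illustration and are not lists Ansible itself maintains.

```python
"""Audit Ansible 'become' settings: who does each task actually run as?

Added example, not from the original page. Playbooks are given as the
structure yaml.safe_load would return.
"""

# Constructed list of modules that cannot do their job without root.
ROOT_REQUIRED_MODULES = {"apt", "apt_key", "apt_repository", "yum", "dnf",
                         "package", "service", "systemd"}

# Task keys that are Ansible keywords rather than the module being invoked.
TASK_KEYWORDS = {"name", "become", "become_user", "become_method",
                 "remote_user", "when", "register", "tags", "args",
                 "notify", "loop", "with_items", "ignore_errors"}

BECOME_KEYS = ("become", "become_user", "become_method")


def module_of(task):
    """Return the module a task invokes (the one key that is not a keyword)."""
    modules = [k for k in task if k not in TASK_KEYWORDS]
    if len(modules) != 1:
        raise ValueError(f"task {task.get('name')!r} must invoke exactly one module, got {modules}")
    return modules[0]


def effective_user(play, task, login_user="<login user>"):
    """User the task's module runs as after privilege escalation."""
    settings = {k: play.get(k) for k in BECOME_KEYS}
    settings.update({k: task[k] for k in BECOME_KEYS if k in task})  # task overrides play
    remote_user = task.get("remote_user", play.get("remote_user", login_user))
    if not settings["become"]:
        return remote_user                      # no escalation: the SSH login user
    return settings["become_user"] or "root"    # Ansible's default become_user


def sudo_prefix(play, task):
    """Prefix the sudo become method conceptually prepends to the task command.
    Ansible's real sudo plugin also passes -H -S -n; shown simplified here."""
    if not task.get("become", play.get("become", False)):
        return ""
    method = task.get("become_method", play.get("become_method", "sudo"))
    return f"{method} -u {effective_user(play, task)}"


def audit_playbook(playbook, login_user="<login user>"):
    """Return (task name, module, effective user) for every task that uses
    a root-requiring module while not running as root."""
    findings = []
    for play in playbook:
        for task in play.get("tasks", []):
            module = module_of(task)
            user = effective_user(play, task, login_user)
            if module in ROOT_REQUIRED_MODULES and user != "root":
                findings.append((task.get("name", "<unnamed>"), module, user))
    return findings


# Constructed sample: the questioner's playbook as yaml.safe_load would load it.
BROKEN_PLAYBOOK = [{
    "name": "Testing...",
    "hosts": "all",
    "become": True,
    "become_user": "david",     # escalates to david, not to root
    "become_method": "sudo",
    "tasks": [{
        "name": "Just want to install sqlite3 for example...",
        "apt": "name=sqlite3 state=present",
    }],
}]

# Constructed sample: the corrected form (become without become_user), plus a
# task-level become_user override for a service account, which is legitimate.
FIXED_PLAYBOOK = [{
    "name": "Testing...",
    "hosts": "all",
    "become": True,
    "tasks": [
        {"name": "Just want to install sqlite3 for example...",
         "apt": "name=sqlite3 state=present"},
        {"name": "List the postgres home directory",
         "become_user": "postgres",
         "command": "ls -la ~postgres"},
    ],
}]

if __name__ == "__main__":
    for label, pb in (("broken", BROKEN_PLAYBOOK), ("fixed", FIXED_PLAYBOOK)):
        for play in pb:
            for task in play["tasks"]:
                print(f"[{label}] {task['name']}: {sudo_prefix(play, task) or '(no become)'}")
        print(f"[{label}] findings:", audit_playbook(pb) or "none")
```

Running the script shows the broken playbook's apt task prefixed with sudo -u david and reported as a finding, while the fixed playbook's apt task runs as root and its postgres task is left alone, since command does not need root.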


remote_user is david. Call the script with --ask-pass and give password for david. If david doesn't have passwordless sudo, then you should also call it with --ask-become-pass.

- name: Testing...
  hosts: all
  remote_user: david
  become: true
  become_method: sudo

  tasks:
    - name: Just want to install sqlite3 for example...
      apt: name=sqlite3 state=present

answered Sep 29 '22 21:09 by helloV