
Get exact Ansible command that is being executed

Is it possible to know exactly what command the following Ansible code will execute on the remote server?

- name: Ensure apache is running
  service: name=httpd state=started
  become: true

I believe the user should have the appropriate sudo rights. However, I keep getting sudo: a password is required.

Update #1

In light of provided comments, here is my full Ansible command:

ANSIBLE_KEEP_REMOTE_FILES=1 sudo -u userA ansible-playbook ssl_playbook.yml -i inventories/staging --extra-vars "target=my_server_set" --private-key=/path/to/ssh.key --u userB  -vvv
  • userB is the remote user where the SSH key specified has been configured
  • userB has limited sudo rights. I cannot change this unfortunately, I'm not the server admin.
  • userB is currently configured to access a bunch of servers via SSH/Key already, it seemed a prime candidate for Ansible. I'm currently able to manage all my middleware manually via SSH (Apache, Tomcat, Jenkins, etc) and wanted to automate it using Ansible.
TechFanDan asked Oct 29 '22 02:10


1 Answer

The answer to your first question ("Is it possible to know exactly what command the following Ansible code will execute on the remote server?") is generally "only by inspecting the source for the corresponding module". A given module may run multiple commands in order to accomplish its action.

The error message you are seeing ("sudo: a password is required.") does not suggest that the remote user does not have appropriate sudo rights. It only suggests that the remote user is not configured for passwordless sudo. Your two options are:

  1. Provide a password to Ansible:

    # -K (--ask-become-pass) prompts for the become password; it takes no value
    ansible-playbook -K ...
    
  2. Modify the sudoers configuration on the remote host to allow passwordless sudo:

    remoteuser ALL=(ALL)    NOPASSWD:ALL
    

Sudo configurations that involve a limited set of commands probably won't work, because Ansible is running a script using sudo. For example, if I run ansible-playbook -vvv against the following playbook:

- hosts: localhost
  gather_facts: false
  tasks:
    - ping:
      become: true

I will see:

<localhost> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/lars/.ansible/cp/8a5a4c6a60 -tt localhost '/bin/sh -c '"'"'sudo -H -S -n -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-rebjujbhceobxvfuylirykxzgdonillt; /usr/bin/python /home/lars/.ansible/tmp/ansible-tmp-1505503292.11-47458712165303/ping.py; rm -rf "/home/lars/.ansible/tmp/ansible-tmp-1505503292.11-47458712165303/" > /dev/null 2>&1'"'"'"'"'"'"'"'"' && sleep 0'"'"''

In other words, ansible is running:

sudo -H -S -n -u root /bin/sh -c '...embedded script here...'

The only command that sudo ever sees is /bin/sh, which means that a sudo configuration that limits you to only certain commands is doomed to fail.

If you're unable to fix the remote sudo configuration, you may want to investigate ansible's raw module.

larsks answered Nov 13 '22 22:11
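The unwrapping done by eye in the answer above can be scripted. This is an added example, not code from the post or from Ansible: it peels the nested shell quoting off a constructed `-vvv` "SSH: EXEC" line shaped like the one shown and reports the single executable sudo is asked to authorize. The function names, the sample line and the simplified allow-list check (exact path match, not real sudoers matching) are assumptions.

```python
import shlex

# sudo options that consume the next argument (the subset relevant here).
SUDO_OPTS_WITH_VALUE = {"-u", "-g", "-p"}

def build_sample_line():
    """Constructed -vvv line with the same nesting as the output shown above."""
    script = ('echo BECOME-SUCCESS-constructed; /usr/bin/python /tmp/ansible-tmp-x/ping.py; '
              'rm -rf "/tmp/ansible-tmp-x/" > /dev/null 2>&1')
    become = "sudo -H -S -n -u root /bin/sh -c " + shlex.quote(script) + " && sleep 0"
    remote = "/bin/sh -c " + shlex.quote(become)
    return "<localhost> SSH: EXEC ssh -C -o ConnectTimeout=10 -tt localhost " + shlex.quote(remote)

def sudo_invocation(vvv_line):
    """Return (run_as, command, args): what sudo itself is asked to run."""
    ssh_argv = shlex.split(vvv_line.split("SSH: EXEC ", 1)[1])
    outer = shlex.split(ssh_argv[-1])          # /bin/sh -c '<become command>'
    if len(outer) < 3 or outer[:2] != ["/bin/sh", "-c"]:
        raise ValueError("unexpected remote command wrapper")
    tokens = shlex.split(outer[2])
    if not tokens or tokens[0] != "sudo":
        raise ValueError("task did not go through sudo")
    if "&&" in tokens:                         # drop the trailing '&& sleep 0'
        tokens = tokens[:tokens.index("&&")]
    run_as, i = "root", 1
    while i < len(tokens) and tokens[i].startswith("-"):
        if tokens[i] in SUDO_OPTS_WITH_VALUE:
            if tokens[i] == "-u":
                run_as = tokens[i + 1]
            i += 2
        else:
            i += 1
    return run_as, tokens[i], tokens[i + 1:]

def permitted(allowed_commands, vvv_line):
    """Simplified check: exact path match only, not real sudoers matching."""
    return sudo_invocation(vvv_line)[1] in allowed_commands

if __name__ == "__main__":
    line = build_sample_line()
    run_as, command, args = sudo_invocation(line)
    print("sudo runs as:", run_as)
    print("command sudo must authorize:", command)
    # Hypothetical restricted allow-list of the kind the question describes.
    print("allowed by service-only rule:", permitted({"/usr/sbin/service"}, line))
```

Feeding it a real line copied from `ansible-playbook -vvv` output shows which command path a sudoers rule would have to cover for `become` to succeed.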