Is it possible to know exactly what command the following Ansible code will execute on the remote server?
    - name: Ensure apache is running
      service: name=httpd state=started
      become: true
I believe the user should have the appropriate sudo rights. However, I keep getting "sudo: a password is required".
Update #1
In light of provided comments, here is my full Ansible command:
    ANSIBLE_KEEP_REMOTE_FILES=1 sudo -u userA ansible-playbook ssl_playbook.yml -i inventories/staging --extra-vars "target=my_server_set" --private-key=/path/to/ssh.key --u userB -vvv
The answer to your first question ("Is it possible to know exactly what command the following Ansible code will execute on the remote server?") is generally "only by inspecting the source for the corresponding module". A given module may run multiple commands in order to accomplish its action.
The error message you are seeing ("sudo: a password is required.") does not suggest that the remote user does not have appropriate sudo rights. It only suggests that the remote user is not configured for passwordless sudo. Your two options are:
1. Provide a password to Ansible:
    # -K (--ask-become-pass) prompts for the become password; it takes no argument
    ansible-playbook -K ...
2. Modify the sudoers configuration on the remote host to allow passwordless sudo:
    remoteuser ALL=(ALL) NOPASSWD:ALL
Sudo configurations that involve a limited set of commands probably won't work, because Ansible is running a script using sudo. For example, if I run ansible-playbook -vvv against the following playbook:
    - hosts: localhost
      gather_facts: false
      tasks:
        - ping:
          become: true
I will see:
<localhost> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/lars/.ansible/cp/8a5a4c6a60 -tt localhost '/bin/sh -c '"'"'sudo -H -S -n -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-rebjujbhceobxvfuylirykxzgdonillt; /usr/bin/python /home/lars/.ansible/tmp/ansible-tmp-1505503292.11-47458712165303/ping.py; rm -rf "/home/lars/.ansible/tmp/ansible-tmp-1505503292.11-47458712165303/" > /dev/null 2>&1'"'"'"'"'"'"'"'"' && sleep 0'"'"''
In other words, ansible is running:
    sudo -H -S -n -u root /bin/sh -c '...embedded script here...'
The only command that sudo ever sees is /bin/sh, which means that a sudo configuration that limits you to only certain commands is doomed to fail.
If you're unable to fix the remote sudo configuration, you may want to investigate ansible's raw module.
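
To check what sudo is asked to run on a given host, the nested quoting in an `SSH: EXEC` line from `-vvv` output can be unwound one shell layer at a time. The Python below is an added example, not part of the original answer or of Ansible; `sudo_view` and `build_sample` are hypothetical names, and the sample line is constructed to mirror the output quoted above.

```python
import shlex

# sudo options that consume the following argument (a subset, per sudo(8)).
SUDO_OPTS_WITH_VALUE = {"-u", "-g", "-p", "-C", "-h", "-r", "-t", "-U"}


def sudo_view(exec_line):
    """Return the flags, target user and command that sudo receives."""
    ssh_argv = shlex.split(exec_line.split("EXEC ", 1)[1])
    remote = shlex.split(ssh_argv[-1])   # /bin/sh -c '<become cmd> && sleep 0'
    become = shlex.split(remote[-1])     # sudo <flags> <command> <args> && sleep 0
    if not become or become[0] != "sudo":
        raise ValueError("no sudo invocation found in EXEC line")
    flags, run_as, i = [], None, 1
    while i < len(become) and become[i].startswith("-"):
        flags.append(become[i])
        if become[i] in SUDO_OPTS_WITH_VALUE and i + 1 < len(become):
            i += 1                       # skip the option's value
            if flags[-1] == "-u":
                run_as = become[i]
        i += 1
    rest = become[i:]
    if "&&" in rest:                     # drop the trailing '&& sleep 0'
        rest = rest[:rest.index("&&")]
    if not rest:
        raise ValueError("sudo invocation has no command")
    return {"flags": flags, "run_as": run_as,
            "command": rest[0], "args": rest[1:]}


def build_sample():
    """Constructed sample line, quoted layer by layer like the real output."""
    script = ("echo BECOME-SUCCESS-example; /usr/bin/python "
              "/home/user/.ansible/tmp/ansible-tmp-0/ping.py")
    become = "sudo -H -S -n -u root /bin/sh -c " + shlex.quote(script)
    remote = "/bin/sh -c " + shlex.quote(become + " && sleep 0")
    return ("<localhost> SSH: EXEC ssh -C -o ConnectTimeout=10 -tt localhost "
            + shlex.quote(remote))


if __name__ == "__main__":
    view = sudo_view(build_sample())
    # The command a sudoers rule would have to permit, and for which user.
    print("sudo is asked to run:", view["command"], "as", view["run_as"])
    # -n makes sudo fail instead of prompting when a password is needed.
    print("non-interactive (-n):", "-n" in view["flags"])
    print("module script hidden inside the shell argument:", view["args"][1])
```

The `-n` flag in the result is why the run ends with "sudo: a password is required" rather than a prompt: sudo is told not to ask.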