8

Is it possible to know exactly what command the following Ansible code will execute on the remote server?

- name: Ensure apache is running
  service: name=httpd state=started
  become: true

I believe the user should have the appropriate sudo rights. However, I keep getting sudo: a password is required.

Update #1

In light of provided comments, here is my full Ansible command:

ANSIBLE_KEEP_REMOTE_FILES=1 sudo -u userA ansible-playbook ssl_playbook.yml -i inventories/staging --extra-vars "target=my_server_set" --private-key=/path/to/ssh.key --u userB  -vvv
  • userB is the remote user where the SSH key specified has been configured
  • userB has limited sudo rights. I cannot change this unfortunately, I'm not the server admin.
  • userB is currently configured to access a bunch of servers via SSH/Key already, it seemed a prime candidate for Ansible. I'm currently able to manage all my middleware manually via SSH (Apache, Tomcat, Jenkins, etc) and wanted to automate it using Ansible.
5
  • ansible-playbook -vvv will show you exact command to launch module. Commented Sep 15, 2017 at 17:59
  • I had been running -vvvv actually, and noticed that it was running a .tmp file using sudo -H -S -n -u root.... I also enabled the environment variable ANSIBLE_KEEP_REMOTE_FILES so that I could view these files. However, once I opened a .tmp file, I wasn't able to determine exactly what was happening. Commented Sep 15, 2017 at 18:51
  • Can you manually run sudo on the remote host without a password? Can you show us your sudoers configuration? Do other tasks fail, or just service tasks? Commented Sep 15, 2017 at 19:16
  • Yes, I constantly run sudo without a password. I have a limited set of commands though. For instance sudo service httpd start|restart|status. Now that you mention it, some tasks were completing, and those specifying service have issues. Secondly, I wonder if I couldn't simply issue raw commands instead? I would rather use more standard Ansible code though. Commented Sep 15, 2017 at 19:20
  • See the updates to my answer. Commented Sep 15, 2017 at 19:24

1 Answer 1

3

The answer to your first question ("Is it possible to know exactly what command the following Ansible code will execute on the remote server?") is generally "only by inspecting the source for the corresponding module". A given module may run multiple commands in order to accomplish its action.

The error message you are seeing ("sudo: a password is required.") does not suggest that the remote user does not have appropriate sudo rights. It only suggests that the remote user is not configured for passwordless sudo. Your two options are:

  1. Provide a password to Ansible:

    ansible-playbook -K ...    # -K (--ask-become-pass) prompts for the become password
    
  2. Modify the sudoers configuration on the remote host to allow passwordless sudo:

    remoteuser ALL=(ALL)    NOPASSWD:ALL
    

Sudo configurations that involve a limited set of commands probably won't work, because Ansible is running a script using sudo. For example, if I run ansible-playbook -vvv against the following playbook:

- hosts: localhost
  gather_facts: false
  tasks:
    - ping:
      become: true

I will see:

<localhost> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/lars/.ansible/cp/8a5a4c6a60 -tt localhost '/bin/sh -c '"'"'sudo -H -S -n -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-rebjujbhceobxvfuylirykxzgdonillt; /usr/bin/python /home/lars/.ansible/tmp/ansible-tmp-1505503292.11-47458712165303/ping.py; rm -rf "/home/lars/.ansible/tmp/ansible-tmp-1505503292.11-47458712165303/" > /dev/null 2>&1'"'"'"'"'"'"'"'"' && sleep 0'"'"''

In other words, ansible is running:

sudo -H -S -n -u root /bin/sh -c '...embedded script here...'

The only command that sudo ever sees is /bin/sh, which means that a sudo configuration that limits you to only certain commands is doomed to fail.

If you're unable to fix the remote sudo configuration, you may want to investigate ansible's raw module.


3 Comments

I added update #1... I had a glance at the embedded script and wasn't able to immediately decipher anything. I had assumed that it was essentially running sudo service httpd status, which may not be the case.
No, the point is that the sudo is outside the script. So you can't use a sudo configuration that is limited to specific commands. The only command that sudo sees is /bin/sh.
I had thought about the raw command. I'm curious how I would test Apache status with a raw command though. The start|stop of a service would be feasible I'm sure.
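
The answer's point that sudo only ever sees /bin/sh can be checked mechanically. The Python sketch below is an added example, not part of the original question or answer: it peels the ssh and /bin/sh -c quoting layers off a -vvv EXEC line and compares the command handed to sudo against a command-restricted allow-list. The allow-list entries, the /sbin/service path and the function names are assumptions, and the sample line is constructed to have the same nesting as the one in the answer.

```python
import shlex

# sudo options that take a value (subset; enough for the become line Ansible builds)
SUDO_OPTS_WITH_ARG = {"-u", "-g", "-p", "-C"}

# Assumed command-restricted sudoers entries for userB (constructed; the real
# sudoers file is not shown on the page).
ALLOWED = {
    "/sbin/service httpd start",
    "/sbin/service httpd restart",
    "/sbin/service httpd status",
}

def command_seen_by_sudo(line):
    """Return the argv sudo is asked to execute, or None if sudo is not involved."""
    argv = shlex.split(line.split("EXEC ", 1)[-1])
    # Peel the wrappers: ssh ... '<remote command>' and /bin/sh -c '<script>'
    while argv and argv[0] != "sudo":
        if argv[0] == "ssh" and len(argv) > 1:
            argv = shlex.split(argv[-1])
        elif argv[0] in ("/bin/sh", "sh") and argv[1:2] == ["-c"] and len(argv) > 2:
            argv = shlex.split(argv[2])
        else:
            return None
    if not argv:
        return None
    i = 1
    while i < len(argv) and argv[i].startswith("-"):
        i += 2 if argv[i] in SUDO_OPTS_WITH_ARG else 1
    cmd = argv[i:]
    # Anything after a shell operator (e.g. "&& sleep 0") belongs to the outer shell
    for j, tok in enumerate(cmd):
        if tok in ("&&", "||", ";"):
            return cmd[:j]
    return cmd

def sudoers_would_match(cmd, allowed=ALLOWED):
    """Simplified sudoers check: exact path and exact arguments, no wildcards."""
    return cmd is not None and " ".join(cmd) in allowed

def sample_exec_line():
    """Constructed -vvv line with the same nesting as the one in the answer."""
    script = "echo BECOME-SUCCESS-example; /usr/bin/python /home/lars/.ansible/tmp/example/ping.py"
    become = "sudo -H -S -n -u root /bin/sh -c " + shlex.quote(script)
    remote = "/bin/sh -c " + shlex.quote(become + " && sleep 0")
    return "<localhost> SSH: EXEC ssh -C -tt localhost " + shlex.quote(remote)

if __name__ == "__main__":
    for line in (sample_exec_line(), "sudo /sbin/service httpd status"):
        cmd = command_seen_by_sudo(line)
        print(cmd[:2], "allowed by restricted sudoers:", sudoers_would_match(cmd))
```

The become line resolves to /bin/sh -c with the whole module script as one argument, which matches none of the allowed entries, while the manually typed service command does.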
