Ansible: sudo without password
Solution 1
It's not ansible, it's your server's configuration. Make sure that sudo is allowed without a password for the user ansible is using.
- To do that, log in to the server
- Open the sudoers file with
    sudo visudo
- Make sure you have a line something like this:
    centos ALL=(ALL) NOPASSWD:ALL
- Replace centos with your user
- Save the file
You can try from the server itself by running:
    sudo -u [yourusername] sudo echo "success"
If this works it should work from ansible too.
Solution 2
By default ansible runs sudo with the flags -H -S -n to become root, where --non-interactive would be the corresponding long form for option -n. This option seems to make sudo return the error message, without attempting to let the authentication modules do their thing.
I managed to get around the password error by creating a ~/.ansible.cfg containing lines as below, for the most relevant ansible version.
ansible 2.4
    [defaults]
    sudo_flags = --set-home --stdin
ansible 2.9
    [sudo_become_plugin]
    flags = -H -S
That was at least enough to allow pam_ssh_agent_auth.so to run and authenticate me.
Prior to version 2.8 the above example works, newer than 2.8 requires the second example. Documentation for the new style configuration can be found in the Ansible User Guide.
Solution 3
Here's the playbook in case you want ansible to make it for you
- Add user to chosen group (in my case wheel)
- Add this to your playbook
    - name: Make users passwordless for sudo in group wheel
      lineinfile:
        path: /etc/sudoers
        state: present
        regexp: '^%wheel'
        line: '%wheel ALL=(ALL) NOPASSWD: ALL'
        validate: 'visudo -cf %s'
bbkaaka
Updated on July 02, 2021
Comments
-
bbkaaka almost 3 years
I want to run ansible with user sa1 without sudo password:
First time OK:
    [root@centos1 cp]# ansible cent2 -m shell -a "sudo yum -y install httpd"
    cent2 | SUCCESS | rc=0 >>
Second time FAILED:
    [root@centos1 cp]# ansible cent2 -s -m yum -a "name=httpd state=absent"
    cent2 | FAILED! => { "changed": false, "failed": true, "module_stderr": "", "module_stdout": "sudo: a password is required\r\n", "msg": "MODULE FAILURE", "parsed": false }
Please help!
-
fishi0x01 almost 8 years
Which version of ansible are you using? The -s switch is deprecated in newer versions. Maybe try with -b (become). Also, try to explicitly set the login user via -u, does it work then?
-
bbkaaka almost 8 years
As you can see the first command is successful
    [root@centos1 cp]# ansible cent2 -m shell -a "sudo yum -y install httpd"
    cent2 | SUCCESS | rc=0 >>
I have already added
    sa1 ALL=(ALL) NOPASSWD: SOFTWARE , /bin/echo
-
Károly Nagy almost 8 years
I assume SOFTWARE is a command alias. What do you have defined there? Can you try with ALL to see if that is the limiting factor? If you run ansible with -vvvv you can see what command it is trying to invoke.
-
bbkaaka almost 8 years
I succeed when I change from SOFTWARE to ALL. This is my alias
    Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
-
Károly Nagy almost 8 years
Ansible is doing all sorts of tricks with copying executables to a temporary directory that it deletes after execution. I've tested on a server of mine an ansible run with -vvvv. It puts and calls a different yum file:
    PUT /var/folders/sr/hcg9zzm12jg28txszy7nnh0x721jx7/T/tmpLs5wbd TO /home/centos/.ansible/tmp/ansible-tmp-1464250141.88-48281030641080/yum
and after that
    /usr/bin/python -tt /home/centos/.ansible/tmp/ansible-tmp-1464250141.88-48281030641080/yum
so your alias is not matching with the command being executed with ansible module.
-
Norman Pellet over 2 years
Yep, and use -K when running this playbook only to ask for the elevation password.
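The alias mismatch worked out in the comments above, as an added example that is not part of the original thread and is not sudo's or Ansible's own code. It is a simplified model of sudoers command matching; the function names are hypothetical, and the alias, the NOPASSWD list and the module launch line are copied from the comments.

```python
import fnmatch
import shlex

# Alias and NOPASSWD list as quoted in the comments above.
CMND_ALIASES = {"SOFTWARE": ["/bin/rpm", "/usr/bin/up2date", "/usr/bin/yum"]}
NOPASSWD_SPEC = ["SOFTWARE", "/bin/echo"]


def expand(spec, aliases):
    """Replace Cmnd_Alias names in a command list with their members."""
    out = []
    for item in spec:
        out.extend(expand(aliases[item], aliases) if item in aliases else [item])
    return out


def entry_matches(entry, argv):
    """Simplified sudoers rule: compare one entry with the argv sudo is given."""
    if entry == "ALL":
        return True
    path, *args = shlex.split(entry)
    if path.endswith("/"):          # directory entry: any file directly inside
        path += "*"
    want, got = path.split("/"), argv[0].split("/")
    # Wildcards never cross a "/", so match component by component.
    same_path = len(want) == len(got) and all(
        fnmatch.fnmatchcase(g, w) for g, w in zip(got, want))
    # An entry without arguments accepts any arguments (exact match otherwise).
    return same_path and (not args or args == argv[1:])


def nopasswd_applies(command_line, spec=NOPASSWD_SPEC, aliases=CMND_ALIASES):
    """True if the command handed to sudo is covered by the NOPASSWD list."""
    argv = shlex.split(command_line)
    return any(entry_matches(e, argv) for e in expand(spec, aliases))


# Constructed inputs: the ad-hoc call with yum already resolved to its full
# path (assumed /usr/bin/yum), and the module launch line from the -vvvv output.
ADHOC = "/usr/bin/yum -y install httpd"
MODULE = ("/usr/bin/python -tt /home/centos/.ansible/tmp/"
          "ansible-tmp-1464250141.88-48281030641080/yum")

if __name__ == "__main__":
    for cmd in (ADHOC, MODULE):
        print(nopasswd_applies(cmd), cmd)
    print(nopasswd_applies(MODULE, spec=["ALL"]), "NOPASSWD: ALL")
```

Covering the module launch with a narrower rule would mean allowing the Python interpreter itself without a password, which grants the same access as ALL.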