Ansible: sudo without password

linux ansible sudo
39,130

Solution 1

It's not ansible it's your server's configuration. Make sure that sudo is allowed for the user ansible is using without password.

  1. To do that login to the server
  2. Open the sudoers file with sudo visudo
  3. Make sure you have a line something like this: centos ALL=(ALL) NOPASSWD:ALL
  4. Replace centos with the your user
  5. Save the file

You can try from the server itself by running:

sudo -u [yourusername] sudo echo "success"

If this works it should work from ansible too.

Solution 2

By default ansible runs sudo with the flags: -H -S -n to become root. Where --non-interactive would be the corresponding long form for option -n. This option seems to make sudo return the error message, without attempting to let the authentication modules do their thing.

I managed to get around the password error by creating a ~/.ansible.cfg containing lines as below, for the most relevant ansible version.

ansible 2.4

[defaults]
sudo_flags = --set-home --stdin

ansible 2.9

[sudo_become_plugin]
flags = -H -S

That was at least enough to allow pam_ssh_agent_auth.so to run and authenticate me.

Prior to version 2.8 the above example works, newer than 2.8 requires the second example. Documentation for the new style configuration can be found in the Ansible User Guide.

Solution 3

Here's the playbook in case you want ansible make it for you

  1. Add user to chosen group ( in my case wheel)
  2. Add this to your playbook
- name: Make users passwordless for sudo in group wheel
  lineinfile:
    path: /etc/sudoers
    state: present
    regexp: '^%wheel'
    line: '%wheel ALL=(ALL) NOPASSWD: ALL'
    validate: 'visudo -cf %s'
Share:
39,130
bbkaaka
Author by

bbkaaka

Updated on July 02, 2021

Comments

  • bbkaaka
    bbkaaka almost 3 years

    I want to run ansible with user sa1 without sudo password:

    First time OK:

    [root@centos1 cp]# ansible cent2 -m shell -a "sudo yum -y install httpd"

cent2 | SUCCESS | rc=0 >>

    Second time FAILED:

    [root@centos1 cp]# ansible cent2 -s -m yum -a "name=httpd state=absent"

cent2 | FAILED! => {
    "changed": false,
    "failed": true,
    "module_stderr": "",
    "module_stdout": "sudo: a password is required\r\n",
    "msg": "MODULE FAILURE",
    "parsed": false
}

    Please help!

    • fishi0x01
      fishi0x01 almost 8 years
      which version of ansible are you using? The -s switch is deprecated in newer versions. Maybe try with -b (become). Also, try to explicitly set the login user via -u, does it work then?
  • bbkaaka
    bbkaaka almost 8 years
    As you can see the first command is successful [root@centos1 cp]# ansible cent2 -m shell -a "sudo yum -y install httpd" cent2 | SUCCESS | rc=0 >> i have already add sa1 ALL=(ALL) NOPASSWD: SOFTWARE , /bin/echo
  • Károly Nagy
    Károly Nagy almost 8 years
    I assume SOFTWARE is a command alias. What do you have defined there? Can you try with ALL to see if that is the limiting factor? If you run ansible with -vvvv you can see what command it is trying to invoke.
  • bbkaaka
    bbkaaka almost 8 years
    I success when change from SOFTWARE TO ALL. This is my alias Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
  • Károly Nagy
    Károly Nagy almost 8 years
    Ansible is doing all sorts of tricks with copying executables to temporary directory that it deletes after execution. I've tested on a server of mine an ansible run with -vvvv. It puts and calls a different yum file: PUT /var/folders/sr/hcg9zzm12jg28txszy7nnh0x721jx7/T/tmpLs5wbd TO /home/centos/.ansible/tmp/ansible-tmp-1464250141.88-48281030‌​641080/yum and after that /usr/bin/python -tt /home/centos/.ansible/tmp/ansible-tmp-1464250141.88-48281030‌​641080/yum so your alias is not matching with the command being executed with ansible module.
  • Norman Pellet
    Norman Pellet over 2 years
    Yep, and use -K when running this playbook only to ask for the elevation password.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Ansible module_stdout: command not found when using sudo on Centos 7
Checking sudoers.d files with Ansible
Is it insecure to have an ansible user with passwordless sudo?
How to disable all repositories using yum module in ansible?
Changing ansible loop due to v2.11 deprecation
Ansible file module error - chown failed: failed to look up user
Using RPM module in Ansible to remove a package
sudo: a password is required ansible-playbook
How to reload the configuration Jenkins from the command line?
sudo: no tty present and no askpass program specified When useing shell_exec