Running service with systemd as default user via ansible in ec2 (requests password)


If you have global sudo, add become: no to the two tasks that do not require sudo privs.

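A minimal play showing the per-task privilege split the answer describes, as an added example and not the poster's playbook. Escalation is switched on for the whole play, and each task then either keeps it or opts out: the psql check authenticates to Postgres with its own credentials and needs no root, so it drops to the app user (the deprecated sudo:/sudo_user: keys from the question are replaced by become/become_user); the service task keeps root, because calling systemctl on a system unit as an unprivileged user is exactly what polkit rejects with "Interactive authentication required". The inventory group rails_app and the socket path under /var/run are assumptions; the variable names are the question's.

```yaml
---
# Added example (not the poster's playbook): privilege is decided per task.
# The play-level become gives every task root via sudo; a task that does not
# need root opts out with become: no, or drops to the app user with become_user.
- hosts: rails_app                      # assumed inventory group
  remote_user: ubuntu                   # the default EC2 user, as in the question
  become: yes                           # "global sudo"; individual tasks opt out below

  tasks:
    # psql authenticates to Postgres with its own credentials, so root is not
    # needed. Run it as the app user (become_user) rather than as root; use
    # become: no instead if the credentials live in ubuntu's own ~/.pgpass.
    - name: check whether the order_cycles table exists
      command: >
        psql -h {{ db_host }} -U {{ db_user }} -d {{ db }} -tAc
        "SELECT 1 FROM pg_tables WHERE tablename = 'order_cycles';"
      register: table_exists
      become_user: "{{ unicorn_user }}"
      changed_when: false               # a read-only query never changes the host
      failed_when: false                # a missing database just makes rc != 0; the when: below handles it

    # systemctl on a system unit requires root: an unprivileged caller is
    # refused by polkit with "Interactive authentication required", so this
    # task keeps the play-level become. state: restarted also starts a unit
    # that is not running yet, so no separate "start unicorn" task is needed.
    - name: restart unicorn if the table exists
      service:
        name: unicorn_{{ app }}
        state: restarted
      when:
        - table_exists.rc == 0
        - (table_exists.stdout | trim) == '1'

    # A read-only diagnostic that needs no root, for the ".sock failed (111:
    # Connection refused)" symptom: errno 111 on a unix socket means nothing
    # is listening on it, not a permission problem (that would be errno 13,
    # Permission denied). Socket path is an assumption.
    - name: inspect the unicorn socket
      stat:
        path: /var/run/unicorn_{{ app }}.sock
      register: sock
      become: no

    - name: fail early if the socket is missing
      fail:
        msg: "unicorn_{{ app }} has not created its socket; check the unit's logs with journalctl -u unicorn_{{ app }}"
      when: not sock.stat.exists
```

Run it with `ansible-playbook -i inventory deploy.yml`; the only privilege it relies on is the passwordless sudo that the stock Ubuntu EC2 image grants the ubuntu user, which is why no user_password belongs in the playbook. If the play does not set become at the top, the equivalent fix is the reverse of the answer's: put `become: yes` on the service task alone, since that is the one task that actually talks to systemd.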


Author: MikeiLL

Mike Kilmer began blogging in the mid-nineties with his web diary, Obliteration, and through work as a web developer branched out into professional blogging in 2010. Relatively experienced in PHP, CSS and WordPress, and learning Python, more JavaScript and Unix/Linux.

Updated on September 18, 2022

Comments

  • MikeiLL
    MikeiLL over 1 year

    I'm trying to employ the following Ansible script (part of a playbook) to run unicorn via systemd for a Rails app on an EC2 (micro) instance:

    ---
    
    - name: restart unicorn
      command: psql -h {{ db_host }} -U {{ db_user }} -d {{ db }} -c "SELECT true FROM pg_tables WHERE tablename = 'order_cycles';"
      register: table_exists
      ignore_errors: yes
      sudo: yes
      sudo_user: "{{ unicorn_user }}"
      notify: restart unicorn step 2
    
    #TODO make sure both of these things run as one handler.
    - name: restart unicorn step 2
      service:
        name: unicorn_{{ app }}
        state: restarted
      when: table_exists.stderr.find('does not exist') == -1
      # If unicorn isn't actually started yet we probably need this:
      notify: start unicorn
    
    - name: start unicorn
      service:
        name: unicorn_{{ app }}
        state: started
    

    The user configured in the playbook is ubuntu, the default (EC2) user, and I'm hitting an "Interactive authentication required" error there, so I'm just trying to troubleshoot directly on the command line of the deploy-to server and have come upon this roadblock.

    I can run it as sudo:

    $ sudo systemctl start unicorn_myapp.service
    

    Either directly via the server's command line, or by using Ansible's raw method, which succeeds.

    But then the Rails server, being run by user ubuntu, can't access it (at least that's an avenue I'm exploring as the cause of the ".sock failed (111: Connection refused)" error).

    If I run it without sudo, a password is requested, but as far as I can tell, the EC2 ubuntu user runs without a password.

    I know that a workaround might be to create a new user with password and run rails and systemctl/unicorn as that user, but I don't think that's the actual answer to this problem, even more so since the playbook's developer recently removed the user_password from the playbook altogether for security reasons.

    If I can figure out how to run systemd as a non-root user at all, maybe I can figure out how to make Ansible succeed at it.

    Of course it's also not unlikely that I'm approaching it from the wrong angle in the first place, as I'm fairly new to pretty much everything this scenario involves.

    • Michael Hampton
      Michael Hampton over 8 years
    • MikeiLL
      MikeiLL over 8 years
      Thank you much @MichaelHampton. Updated the question and I hope have extracted it from the XY Problem category. Please let me know if it still seems like an unclear or even inappropriate question so I can try updating further or deleting it... no. I can already see that I need to reverse the question...
    • Michael Hampton
      Michael Hampton over 8 years
      If psql is connecting to a remote host as a specific user, why do you need to sudo in that step at all? Further, what user is ansible using normally?
    • MikeiLL
      MikeiLL over 8 years
      Well, I'm using an Ansible playbook that was created by the Rails app's developers and I'm not sure why it uses sudo in the first task. In the second task I was getting the interaction required error. How does psql come into play here at all? Does unicorn interact with it?
    • MikeiLL
      MikeiLL over 8 years
      Also what do you mean psql connecting to a remote host? It's all within the single ec2 instance as far as I know.
    • Michael Hampton
      Michael Hampton over 8 years
      That play is quite weird. It appears they are calling psql to check the existence of a table, and only restarting unicorn if the table exists.
    • MikeiLL
      MikeiLL over 8 years
      I thought maybe that was to short-circuit deployment if the psql provisioning had failed. And now I think I understand why you mentioned psql. I was forgetting that first task, since it isn't failing.
    • Michael Hampton
      Michael Hampton over 8 years
      So, again, what user is ansible configured to use on the remote server?
    • MikeiLL
      MikeiLL over 8 years
      ubuntu, the default (ec2) user.
  • MikeiLL
    MikeiLL over 5 years
    Do you mean add that configuration line to the two Ansible tasks that don't require those privileges? Do you mean 'restart unicorn step 2' and 'restart unicorn'?
  • xddsg
    xddsg over 5 years
    Yes. You didn't paste the top-level play or your ansible.cfg, so it's possible you have sudo enabled on every task.
  • MikeiLL
    MikeiLL over 5 years
    I've been off of this project for a long time now so can't test. But will upvote.