TASK [Gathering Facts] *********************************************************
task path: /opt/playbook/site.yml:1
Using module file /usr/local/lib/python3.10/dist-packages/ansible/modules/setup.py
Pipelining is enabled.
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: slurm
<localhost> EXEC /bin/sh -c 'sudo -H -S -n -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-mvloemssulwwmnnhtatxivyevcbshjsb ; /usr/bin/python3'"'"' && sleep 0'
fatal: [localhost]: FAILED! => {
    "ansible_facts": {},
    "changed": false,
    "failed_modules": {
        "ansible.legacy.setup": {
            "failed": true,
            "module_stderr": "sudo: a password is required\n",
            "module_stdout": "",
            "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
            "rc": 1
        }
    },
    "msg": "The following modules failed to execute: ansible.legacy.setup\n"
}
A playbook is executed by the slurm user on node startup. However, it fails while gathering facts and I am unsure what the issue is. Apparently something is wrong with sudo. I am looking for ways to debug this more efficiently.
The playbook runs without issues under the regular ubuntu user.
Simplified host File
vpn:
  children:
    master:
      hosts:
        localhost:
          ansible_connection: local
          ansible_python_interpreter: /usr/bin/python3
          ansible_user: ubuntu
          ip: localhost
2 Answers
I was using local in my host file and therefore it was trying to run all scripts within the playbook on the master as the slurm user.

By changing local to ssh it now connects to the master as the ubuntu user and by that has no privilege issue later on.

@natan — I think it would probably be better if you didn’t try to invoke sudo quite so directly. Also you probably don’t need to be root just to execute setup.

Here’s what the header looks like in a lot of my playbooks:

Key things:
hosts: localhost — this is the only machine you’re working on.
connection: local — avoids using ssh to connect to the machine it’s already executing on anyway.
gather_facts: yes — you can just get your setup facts using this and you shouldn’t need to be root.

This still leaves the problem of how to become root for subsequent operations.
Traditionally, connection parameters (including passwords, if unavoidable) have been provided in the inventory file.
You can set the ansible_become_password in your inventory or in your playbook, but you should never have your password in plain text.

Then, for tasks that need to be root to succeed, you can use:
I’d recommend this Ansible page for more info: Ansible: Understanding privilege escalation
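
Added example, not part of the question or either answer: a playbook that gathers facts without escalation, probes for passwordless sudo before any privileged task so a "sudo: a password is required" failure is diagnosed early, and escalates only on the task that needs it. The file vault.yml and the variable vault_become_password are hypothetical names for an ansible-vault encrypted secret.

```yaml
# Added example; vault.yml and vault_become_password are assumed names.
- name: Gather facts unprivileged, escalate per task
  hosts: localhost
  connection: local
  gather_facts: yes        # setup runs as the invoking user, sudo is not involved
  become: no               # play default: no escalation unless a task asks for it

  vars_files:
    - vault.yml            # hypothetical file encrypted with ansible-vault
  vars:
    # Become password comes from the encrypted file, never from plain text.
    ansible_become_password: "{{ vault_become_password }}"

  tasks:
    - name: Show which account the play is actually running as
      ansible.builtin.debug:
        msg: "Running as {{ ansible_user_id }}"

    # -n makes sudo fail instead of prompting, the same flag seen in the
    # EXEC line of the failing run.
    - name: Probe for passwordless sudo without using become
      ansible.builtin.command: sudo -n true
      register: sudo_probe
      changed_when: false
      failed_when: false

    - name: Report the probe result before any privileged task runs
      ansible.builtin.debug:
        msg: >-
          sudo -n returned rc={{ sudo_probe.rc }}:
          {{ 'passwordless sudo is available' if sudo_probe.rc == 0 else 'this user needs a become password' }}

    - name: Privileged task, the only one that escalates
      ansible.builtin.command: id -u
      become: yes
      become_user: root
      register: root_check
      changed_when: false

    - name: Confirm the escalated task ran as uid 0
      ansible.builtin.assert:
        that: root_check.stdout == "0"
```

Run it with ansible-playbook and --ask-vault-pass so the become password is decrypted at run time; if the probe reports rc=0 for the executing user, the vault variable is not needed at all.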