Thanks for your input. On the remote machine, I don't have permission to edit any files under /etc. In this case, how can I achieve remote node execution using the 'sudo rootsh' cmd?

On Fri, Jan 20, 2023 at 6:33 PM 'Rowe, Walter P. (Fed)' via Ansible Project <[email protected]> wrote:

> In Ansible, if you have become: true on a task, that task will run with
> elevated privileges. On Linux the default is to try sudo. You don't need to
> specify become_exe. Any command given to your shell task will run in a root
> privileged shell. The user ID you run the playbook as must have login
> access to the remote system and sudo privilege on the remote system via
> /etc/sudoers or a file in /etc/sudoers.d.
>
> In our environment we have some common files we populate in /etc/sudoers.d
> based on server function. For example, all servers we manage have a server
> mgmt id we use for remote mgmt and a special group for our own user IDs
> when we remote into those machines. We place a file in /etc/sudoers.d that
> grants our mgmt ID and mgmt group the rights we need. For all database
> servers our DBA group requires some privileges, so we add an
> /etc/sudoers.d/dba file that controls privileged access for members
> of the DBA group.
>
> In your testroot.yaml file you can remove the become_exe line.
>
> *testroot.yaml*
> ---
> - hosts: '{{ host }}'
>   gather_facts: yes
>   tasks:
>     - name: Get current user on remote
>       ansible.builtin.shell: |
>         whoami
>       become: true
>       register: out
>     - debug:
>         msg: "{{ out }}"
>
> Next you need to make sure your user ID that makes the connection to the
> remote machine has sudo access that does not require a password. I imagine
> your sudo command was waiting on a response to a password prompt that was
> never going to be answered.
>
> Walter
> --
> Walter Rowe, Division Chief
> Infrastructure Services, OISM
> Mobile: 202.355.4123
>
> On Jan 20, 2023, at 1:40 AM, saravanan jothilingam <[email protected]> wrote:
>
> Any update on this?
>
> On Thu, Jan 19, 2023 at 8:05 PM saravanan jothilingam <[email protected]> wrote:
>
>> Hi,
>> I am a novice to Ansible and am practising to get more hands-on. I am
>> trying one use case where I need to connect to a remote SLES12 Linux server
>> using my id and then switch to root user and execute some tasks. While
>> switching over to root user (*cmd: *sudo rootsh), it prompts for a root
>> password. When I run this use case using an Ansible playbook, it gives the
>> below error.
>>
>> Could you please let me know what would be the correct/valid directives
>> (become_*) that I need to use to run the cmd using root user. Appreciate
>> your help.
>>
>> I wrote this playboo
>>
>> *testroot.yaml*
>> ---
>> - hosts: '{{ host }}'
>>   gather_facts: yes
>>   tasks:
>>     - name: Get current user on remote
>>       ansible.builtin.shell: |
>>         whoami
>>       become: true
>>       become_exe: "sudo rootsh"
>>       register: out
>>     - debug:
>>         msg: "{{ out }}"
>>
>> *ansible-playbook -i hosts testroot.yaml -e "host=host.iil.corp.com" --ask-become-pass -k*
>> [DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the
>> controller starting with Ansible 2.12. Current version: 3.6.15 (default,
>> Sep 15 2021, 14:20:42) [GCC]. This feature will be removed
>> from ansible-core in version 2.12. Deprecation warnings can be disabled
>> by setting deprecation_warnings=False in ansible.cfg.
>>
>> *SSH password: BECOME password[defaults to SSH password]:*
>>
>> PLAY [host.iil.corp.com] ******************************************
>>
>> TASK [Get current user on remote] *********************************
>> fatal: [host.iil.corp.com]: FAILED! => {"msg": "Timeout (12s) waiting
>> for privilege escalation prompt: Subject to Company's Global Employee
>> and Global Contingent Worker Privacy Notices\r\n(see
>> https://employeecontent.corp.com/content/corp/Global_Employee_and_Global_Contingent_Worker_Privacy.html)\r\nall
>> system access and delegated/privileged activity on the corp
>> network\r\nmay be logged for auditing and security purposes, including your
>> username \r\nand commands used. Log records may be retained for up to 1
>> year.\r\n\r\nWe trust you have received the usual lecture from the local
>> System\r\nAdministrator. It usually boils down to these three
>> things:\r\n\r\n #1) Respect the privacy of others.\r\n #2) Think
>> before you type.\r\n #3) With great power comes great
>> responsibility.\r\n\r\nRemember you may use 'sudo -l' to review a list of
>> authorized commands.\r\n\r\n"}
>>
>> PLAY RECAP ********************************************************
>> host.iil.corp.com : ok=0 changed=0 unreachable=0 failed=1 skipped=0
>> rescued=0 ignored=0
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/CAE7H9qq05ZQ1YcytQQSQmTo_fn0Wo8UAN97WL5iNKtfVSo-uuQ%40mail.gmail.com.
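
Added example, not part of the thread and not Ansible's own code: a parser for `sudo -l` output (the command the sudo lecture in the error above points to) that classifies whether Ansible's default sudo become can run tasks as root for the connecting user. The sample output, the user `deploy`, the host `host1` and the `/usr/bin/rootsh` path are constructed assumptions.

```python
import re

# Constructed `sudo -l` output for a hypothetical user "deploy" on "host1".
SAMPLE = """\
User deploy may run the following commands on host1:
    (root) /usr/bin/rootsh
    (ALL : ALL) PASSWD: /usr/bin/less /var/log/messages, NOPASSWD: ALL
"""

RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<specs>.+)$")
TAG = re.compile(r"([A-Z_]+):\s*")


def parse_rules(sudo_l_output):
    """Yield (runas_users, tags, command) for every command `sudo -l` lists."""
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header, "Matching Defaults entries", blank lines
        runas = {u.strip() for u in m["runas"].split(":")[0].split(",")}
        tags = set()  # sudoers tags carry over to later commands in a rule
        for spec in m["specs"].split(","):
            spec = spec.strip()
            while (t := TAG.match(spec)):
                if t.group(1) in ("PASSWD", "NOPASSWD"):
                    tags -= {"PASSWD", "NOPASSWD"}
                tags.add(t.group(1))
                spec = spec[t.end():]
            yield runas, frozenset(tags), spec


def classify(sudo_l_output):
    """Say how Ansible's default sudo become would fare with these rules."""
    verdict = "restricted"  # only named commands: become cannot wrap modules
    for runas, tags, command in parse_rules(sudo_l_output):
        if command != "ALL" or not ({"ALL", "root"} & runas):
            continue
        if "NOPASSWD" in tags:
            return "passwordless"  # `become: true` needs no become password
        verdict = "needs-password"  # supply it with -K / --ask-become-pass
    return verdict


if __name__ == "__main__":
    print(classify(SAMPLE))
```

Feed it the output of `sudo -l` run as the connecting user on the managed host. A `restricted` result means the sudoers policy itself has to change, because Ansible's become needs general sudo rights rather than a grant for individual commands.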
