No luck :-(
I tried this use case with 2 attempts. For both the cases, the password is
not taken at the ansible playbook execution time. I get the below error message.
Note - In the ansible.cfg, I have set timeout = 300. Are there any extra
parameters which I need to set here?
Attempt-1:
cat testroot.yaml
---
- hosts: '{{ host }}'
  gather_facts: yes
  tasks:
    - name: Get current user on remote
      ansible.builtin.shell: |
        whoami
      become: true
      register: out
    - debug:
        msg: "{{ out }}"
vmansible01:/home/testuser/access_audit_automation_jan172023 # ansible-playbook -i hosts testroot.yaml -e "host=hostname.corp.domain.com" --ask-become-pass -k
[DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the
controller starting with Ansible 2.12. Current
version: 3.6.15 (default, Sep 15 2021, 14:20:42) [GCC]. This feature will
be removed from ansible-core in version 2.12.
Deprecation warnings can be disabled by setting deprecation_warnings=False
in ansible.cfg.
SSH password:
BECOME password[defaults to SSH password]:
PLAY [hostname.corp.domain.com]
************************************************************************************************
TASK [Gathering Facts]
******************************************************************************************************
[WARNING]: Platform linux on host hostname.corp.domain.com is using the
discovered Python interpreter at /usr/bin/python, but
future installation of another Python interpreter could change the meaning
of that path. See
https://docs.ansible.com/ansible-core/2.11/reference_appendices/interpreter_discovery.html
for more information.
ok: [hostname.corp.domain.com]
TASK [Get current user on remote]
*******************************************************************************************
fatal: [hostname.corp.domain.com]: FAILED! => {"changed": false,
"module_stderr": "Shared connection to hostname.corp.domain.com
closed.\r\n", "module_stdout": "Subject to Corp's Global Employee and
Global Contingent Worker Privacy Notices\r\n(see
https://employeecontent.corp.com/content/corp/Global_Employee_and_Global_Contingent_Worker_Privacy.html
)\r\nall system access and delegated/privileged activity on the Corp
network\r\nmay be logged for auditing and security purposes, including your
username \r\nand commands used. Log records may be retained for up to 1
year.\r\n\r\nWe trust you have received the usual lecture from the local
System\r\nAdministrator. It usually boils down to these three
things:\r\n\r\n #1) Respect the privacy of others.\r\n #2) Think
before you type.\r\n #3) With great power comes great
responsibility.\r\n\r\nRemember you may use 'sudo -l' to review a list of
authorized commands.\r\n\r\n\r\n", "msg": "MODULE FAILURE\nSee
stdout/stderr for the exact error", "rc": 1}
PLAY RECAP
******************************************************************************************************************
hostname.corp.domain.com : ok=1 changed=0 unreachable=0
failed=1 skipped=0 rescued=0 ignored=0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Attempt-2:
---
- hosts: '{{ host }}'
  gather_facts: yes
  tasks:
    - name: Get current user on remote
      ansible.builtin.shell: |
        whoami
      become: true
      become_method: sudo
      become_exe: "sudo rootsh"
      become_flags: -i
      register: out
    - debug:
        msg: "{{ out }}"
ansible-playbook -i hosts testroot.yaml -e "host=hostname.corp.domain.com" --ask-become-pass -k
[DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the
controller starting with Ansible 2.12. Current
version: 3.6.15 (default, Sep 15 2021, 14:20:42) [GCC]. This feature will
be removed from ansible-core in version 2.12.
Deprecation warnings can be disabled by setting deprecation_warnings=False
in ansible.cfg.
SSH password:
BECOME password[defaults to SSH password]:
PLAY [hostname.corp.domain.com]
************************************************************************************************
TASK [Get current user on remote]
*******************************************************************************************
fatal: [hostname.corp.domain.com]: FAILED! => {"changed": false,
"module_stderr": "Shared connection to hostname.corp.domain.com closed.\r\n",
"module_stdout": "Subject to Corp's Global Employee and Global Contingent
Worker Privacy Notices\r\n(see
https://employeecontent.corp.com/content/corp/Global_Employee_and_Global_Contingent_Worker_Privacy.html
)\r\nall system access and delegated/privileged activity on the Corp
network\r\nmay be logged for auditing and security purposes, including your
username \r\nand commands used. Log records may be retained for up to 1
year.\r\n\r\nWe trust you have received the usual lecture from the local
System\r\nAdministrator. It usually boils down to these three
things:\r\n\r\n #1) Respect the privacy of others.\r\n #2) Think
before you type.\r\n #3) With great power comes great
responsibility.\r\n\r\nRemember you may use 'sudo -l' to review a list of
authorized commands.\r\n\r\nAuthenticate with testuser's password:
\r\nsudo: timed out reading password\r\n", "msg": "MODULE FAILURE\nSee
stdout/stderr for the exact error", "rc": 1}
PLAY RECAP
******************************************************************************************************************
hostname.corp.domain.com : ok=0 changed=0 unreachable=0
failed=1 skipped=0 rescued=0 ignored=0
On Fri, Jan 20, 2023 at 7:17 PM 'Rowe, Walter P. (Fed)' via Ansible Project
<[email protected]> wrote:
> Try leaving off become_exe. If you can run sudo rootsh then your task can
> use sudo. When you run sudo rootsh at a command prompt does it ask for your
> password? If so, the ansible task also will have to respond to a password
> prompt. That is causing your timeout.
>
> Walter
> --
> Walter Rowe, Division Chief
> Infrastructure Services, OISM
> Mobile: 202.355.4123
>
> On Jan 20, 2023, at 8:31 AM, saravanan jothilingam <
> [email protected]> wrote:
>
>
> Thanks for your input. In the remote machine, I don't have any permission
> to edit any files under /etc. In this case, how to achieve the remote node
> execution using the 'sudo rootsh' cmd?
>
> On Fri, Jan 20, 2023 at 6:33 PM 'Rowe, Walter P. (Fed)' via Ansible
> Project <[email protected]> wrote:
>
>> In ansible if you have become: true on a task, that task will run with
>> elevated privileges. On Linux the default is to try sudo. You don't need to
>> specify become_exe. Any command given to your shell task will run in a root
>> privileged shell. The user ID you run the playbook as must have login
>> access to the remote system and sudo privilege on the remote system via
>> /etc/sudoers or a file in /etc/sudoers.d.
>>
>> In our environment we have some common files we populate in
>> /etc/sudoers.d based on server function. For example, all servers we manage
>> have a server mgmt id we use for remote mgmt and a special group for our
>> own user IDs when we remote into those machines. We place a file in
>> /etc/sudoers.d that grants our mgmt ID and mgmt group the rights we need.
>> For all database servers our DBA group requires some privileges, so we add
>> an /etc/sudoers.d/dba file that controls their privileged access for
>> members of the DBA group.
>>
>> In your testroot.yaml file you can remove the become_exe line.
>>
>> testroot.yaml
>> ---
>> - hosts: '{{ host }}'
>>   gather_facts: yes
>>   tasks:
>>     - name: Get current user on remote
>>       ansible.builtin.shell: |
>>         whoami
>>       become: true
>>       register: out
>>     - debug:
>>         msg: "{{ out }}"
>>
>> Next you need to make sure your user ID that makes the connection to the
>> remote machine has sudo access that does not require a password. I imagine
>> your sudo command was waiting on a response to a password prompt that was
>> never going to be answered.
>>
>> Walter
>> --
>> Walter Rowe, Division Chief
>> Infrastructure Services, OISM
>> Mobile: 202.355.4123
>>
>> On Jan 20, 2023, at 1:40 AM, saravanan jothilingam <
>> [email protected]> wrote:
>>
>> Any update on this?
>>
>> On Thu, Jan 19, 2023 at 8:05 PM saravanan jothilingam <
>> [email protected]> wrote:
>>
>>> Hi,
>>> I am a novice to ansible and am practising to get more hands-on. I am
>>> trying one use case where I need to connect to a remote SLES12 linux server
>>> using my id and then switch to root user and execute some tasks. While
>>> switching over to root user (cmd: sudo rootsh), it prompts for a root
>>> password. When I run this use case using ansible playbook, it gives the
>>> below error.
>>>
>>> Could you please let me know what would be correct/valid directives
>>> (become_*) that I need to use to run the cmd using root user. Appreciate
>>> your help.
>>>
>>> I wrote this playbook
>>>
>>>
>>> testroot.yaml
>>> ---
>>> - hosts: '{{ host }}'
>>>   gather_facts: yes
>>>   tasks:
>>>     - name: Get current user on remote
>>>       ansible.builtin.shell: |
>>>         whoami
>>>       become: true
>>>       become_exe: "sudo rootsh"
>>>       register: out
>>>     - debug:
>>>         msg: "{{ out }}"
>>>
>>>
>>> ansible-playbook -i hosts testroot.yaml -e "host=host.iil.corp.com" --ask-become-pass -k
>>> [DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the
>>> controller starting with Ansible 2.12. Current version: 3.6.15 (default,
>>> Sep 15 2021, 14:20:42) [GCC]. This feature will be removed
>>> from ansible-core in version 2.12. Deprecation warnings can be disabled
>>> by setting deprecation_warnings=False in ansible.cfg.
>>>
>>> SSH password: BECOME password[defaults to SSH password]:
>>>
>>> PLAY [host.iil.corp.com]
>>> ********************************************************************************************************************************************************************************
>>>
>>> TASK [Get current user on remote]
>>> ***************************************************************************************************************************************************************************
>>> fatal: [host.iil.corp.com]: FAILED! => {"msg": "Timeout (12s) waiting for privilege escalation prompt:
>>> Subject to Company's Global Employee and Global Contingent Worker Privacy
>>> Notices\r\n(see
>>> https://employeecontent.corp.com/content/corp/Global_Employee_and_Global_Contingent_Worker_Privacy.html
>>> )\r\nall system access and delegated/privileged activity on the corp
>>> network\r\nmay be logged for auditing and security purposes, including your
>>> username \r\nand commands used. Log records may be retained for up to 1
>>> year.\r\n\r\nWe trust you have received the usual lecture from the local
>>> System\r\nAdministrator. It usually boils down to these three
>>> things:\r\n\r\n #1) Respect the privacy of others.\r\n #2) Think
>>> before you type.\r\n #3) With great power comes great
>>> responsibility.\r\n\r\nRemember you may use 'sudo -l' to review a list of
>>> authorized commands.\r\n\r\n"}
>>>
>>> PLAY RECAP
>>> **************************************************************************************************************************************************************************************************
>>> host.iil.corp.com : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
>>>
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/ansible-project/CAE7H9qq05ZQ1YcytQQSQmTo_fn0Wo8UAN97WL5iNKtfVSo-uuQ%40mail.gmail.com
>>
>>
>>
>>
>
>
>
>
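The timeout both of Walter's replies point at, shown as an added example that is not code from the thread or from ansible-core: a simplified model (an assumption, reconstructed from memory of the sudo become plugin) of how Ansible assembles the sudo command line and which prompt it waits for. It shows that with become_exe "sudo rootsh" the -p prompt flag is handed to rootsh rather than to sudo, so the host's own prompt never matches; the key in ANSIBLE_PROMPT and the sample remote output are constructed.

```python
import shlex

# Added example, not ansible-core's own code: a simplified model (an assumption,
# written from memory of the sudo become plugin) of how Ansible assembles the
# sudo wrapper command and decides whether a password prompt has appeared.
ANSIBLE_PROMPT = "[sudo via ansible, key=EXAMPLEKEY] password:"  # constructed key


def build_sudo_become_command(cmd, become_exe=None, become_flags="-H -S -n",
                              become_user="root", become_pass=True):
    """Return the argv Ansible would run on the remote host for a become task."""
    flags = shlex.split(become_flags)
    prompt_args = []
    if become_pass:
        # With a password available, -n is dropped and sudo is asked (via -p)
        # to print a prompt that Ansible can recognise and answer.
        flags = [f for f in flags if f not in ("-n", "--non-interactive")]
        prompt_args = ["-p", ANSIBLE_PROMPT]
    exe = shlex.split(become_exe or "sudo")  # "sudo rootsh" splits into two words
    return exe + flags + prompt_args + ["-u", become_user, "/bin/sh", "-c", cmd]


def sudo_sees_prompt_flag(argv):
    """True only if -p precedes the program sudo executes, so sudo parses it.
    With become_exe "sudo rootsh", rootsh is that program: -H, -S, -p and -u
    are handed to rootsh, and sudo prompts with its own configured prompt."""
    i = 1
    while i < len(argv):
        if argv[i] in ("-p", "-u"):      # options that take a value
            i += 2
        elif argv[i].startswith("-"):
            i += 1
        else:
            break                        # first positional: the program to run
    return "-p" in argv[1:i]


def ansible_recognises_prompt(remote_output):
    """Model of prompt detection: only the prompt Ansible itself set counts."""
    return any(line.strip().startswith(ANSIBLE_PROMPT)
               for line in remote_output.splitlines())


if __name__ == "__main__":
    plain = build_sudo_become_command("whoami")
    wrapped = build_sudo_become_command("whoami", become_exe="sudo rootsh")
    print(shlex.join(plain), sudo_sees_prompt_flag(plain))      # True
    print(shlex.join(wrapped), sudo_sees_prompt_flag(wrapped))  # False
    # Constructed remote output in the shape the thread shows: a sudoers
    # lecture followed by the host's own prompt, not the one Ansible awaits.
    seen = "#3) With great power comes great responsibility.\nAuthenticate with testuser's password: "
    print(ansible_recognises_prompt(seen))                       # False
```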