What's the output from
sudo -l
on that host (as per the task "Get current user on remote" message)?
On 1/23/23 1:10 AM, saravanan jothilingam wrote:
No luck :-(
I tried this use case with 2 attempts. For both the cases, the
password is not taken at the ansible playbook execution time. I get
the below error msg.
*Note* - In the ansible.cfg, I have set *timeout = 300*. Are there any
extra parameters which I need to set here?
*Attempt-1:*
cat testroot.yaml
---
- hosts: '{{ host }}'
  gather_facts: yes
  tasks:
    - name: Get current user on remote
      ansible.builtin.shell: |
        whoami
      become: true
      register: out
    - debug:
        msg: "{{ out }}"
vmansible01:/home/testuser/access_audit_automation_jan172023 #
ansible-playbook -i hosts testroot.yaml -e "host=hostname.corp.domain.com"
--ask-become-pass -k
[DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the
controller starting with Ansible 2.12. Current
version: 3.6.15 (default, Sep 15 2021, 14:20:42) [GCC]. This feature
will be removed from ansible-core in version 2.12.
Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.
SSH password:
BECOME password[defaults to SSH password]:
PLAY [hostname.corp.domain.com]
************************************************************************************************
TASK [Gathering Facts]
******************************************************************************************************
[WARNING]: Platform linux on host hostname.corp.domain.com
is using the discovered Python
interpreter at /usr/bin/python, but
future installation of another Python interpreter could change the
meaning of that path. See
https://docs.ansible.com/ansible-core/2.11/reference_appendices/interpreter_discovery.html
for more information.
ok: [hostname.corp.domain.com]
TASK [Get current user on remote]
*******************************************************************************************
fatal: [hostname.corp.domain.com]:
FAILED! => {"changed": false, "module_stderr": "Shared connection to
hostname.corp.domain.com
closed.\r\n", "module_stdout": "Subject to Corp's Global Employee and
Global Contingent Worker Privacy Notices\r\n(see
https://employeecontent.corp.com/content/corp/Global_Employee_and_Global_Contingent_Worker_Privacy.html
)\r\nall system access and delegated/privileged activity on the Corp
network\r\nmay be logged for auditing and security purposes, including
your username \r\nand commands used. Log records may be retained for
up to 1 year.\r\n\r\nWe trust you have received the usual lecture from
the local System\r\nAdministrator. It usually boils down to these
three things:\r\n\r\n #1) Respect the privacy of others.\r\n #2)
Think before you type.\r\n #3) With great power comes great
responsibility.\r\n\r\nRemember you may use 'sudo -l' to review a list
of authorized commands.\r\n\r\n\r\n", "msg": "MODULE FAILURE\nSee
stdout/stderr for the exact error", "rc": 1}
PLAY RECAP
******************************************************************************************************************
hostname.corp.domain.com : ok=1
changed=0 unreachable=0 failed=1 skipped=0 rescued=0
ignored=0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*Attempt-2:*
---
- hosts: '{{ host }}'
  gather_facts: yes
  tasks:
    - name: Get current user on remote
      ansible.builtin.shell: |
        whoami
      become: true
      become_method: sudo
      become_exe: "sudo rootsh"
      become_flags: -i
      register: out
    - debug:
        msg: "{{ out }}"
ansible-playbook -i hosts testroot.yaml -e "host=hostname.corp.domain.com"
--ask-become-pass -k
[DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the
controller starting with Ansible 2.12. Current
version: 3.6.15 (default, Sep 15 2021, 14:20:42) [GCC]. This feature
will be removed from ansible-core in version 2.12.
Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.
SSH password:
BECOME password[defaults to SSH password]:
PLAY [hostname.corp.domain.com]
************************************************************************************************
TASK [Get current user on remote]
*******************************************************************************************
fatal: [hostname.corp.domain.com]:
FAILED! => {"changed": false, "module_stderr": "Shared connection to
hostname.corp.domain.com
closed.\r\n", "module_stdout": "Subject to Corp's Global Employee and
Global Contingent Worker Privacy Notices\r\n(see
https://employeecontent.corp.com/content/corp/Global_Employee_and_Global_Contingent_Worker_Privacy.html
)\r\nall system access and delegated/privileged activity on the Corp
network\r\nmay be logged for auditing and security purposes, including
your username \r\nand commands used. Log records may be retained for
up to 1 year.\r\n\r\nWe trust you have received the usual lecture from
the local System\r\nAdministrator. It usually boils down to these
three things:\r\n\r\n #1) Respect the privacy of others.\r\n #2)
Think before you type.\r\n #3) With great power comes great
responsibility.\r\n\r\nRemember you may use 'sudo -l' to review a list
of authorized commands.\r\n\r\nAuthenticate with testuser's password:
\r\nsudo: timed out reading password\r\n", "msg": "MODULE FAILURE\nSee
stdout/stderr for the exact error", "rc": 1}
PLAY RECAP
******************************************************************************************************************
hostname.corp.domain.com : ok=0
changed=0 unreachable=0 failed=1 skipped=0 rescued=0
ignored=0
On Fri, Jan 20, 2023 at 7:17 PM 'Rowe, Walter P. (Fed)' via Ansible
Project <[email protected]> wrote:
Try leaving off become_exe. If you can run sudo rootsh then your
task can use sudo. When you run sudo rootsh at a command prompt
does it ask for your password? If so, the ansible task also will
have to respond to a password prompt. That is causing your timeout.
Walter
--
Walter Rowe, Division Chief
Infrastructure Services, OISM
Mobile: 202.355.4123
On Jan 20, 2023, at 8:31 AM, saravanan jothilingam
<[email protected]> wrote:
Thanks for your input. In the remote machine, I don't have any
permission to edit any files under /etc. In this case, how to
achieve the remote node execution using 'sudo rootsh' cmd.
On Fri, Jan 20, 2023 at 6:33 PM 'Rowe, Walter P. (Fed)' via
Ansible Project <[email protected]> wrote:
In ansible if you have become: true on a task, that task will
run with elevated privileges. On Linux the default is to try
sudo. You don't need to specify become_exe. Any command given
to your shell task will run in a root privileged shell. The
user ID you run the playbook as must have login access to the
remote system and sudo privilege on the remote system via
/etc/sudoers or a file in /etc/sudoers.d.
In our environment we have some common files we populate in
/etc/sudoers.d based on server function. For example, all
servers we manage have a server mgmt id we use for remote
mgmt and a special group for our own user IDs when we remote
into those machines. We place a file in /etc/sudoers.d that
grants our mgmt ID and mgmt group the rights we need. For all
database servers our DBA group requires some privileges so we
add an /etc/sudoers.d/dba file that controls their privileged
access for members of the DBA group.
In your testroot.yaml file you can remove the become_exe line.
*testroot.yaml*
---
- hosts: '{{ host }}'
  gather_facts: yes
  tasks:
    - name: Get current user on remote
      ansible.builtin.shell: |
        whoami
      become: true
      register: out
    - debug:
        msg: "{{ out }}"
Next you need to make sure your user ID that makes the
connection to the remote machine has sudo access that does
not require a password. I imagine your sudo command was
waiting on a response to a password prompt that was never
going to be answered.
Walter
--
Walter Rowe, Division Chief
Infrastructure Services, OISM
Mobile: 202.355.4123
On Jan 20, 2023, at 1:40 AM, saravanan jothilingam
<[email protected]> wrote:
Any update on this?
On Thu, Jan 19, 2023 at 8:05 PM saravanan jothilingam
<[email protected]> wrote:
Hi,
I am a novice to ansible and am practising to get more
hands-on. I am trying one use case where I need to
connect to a remote SLES12 linux server using my id and
then switch to root user and execute some tasks. While
switching over to root user (cmd: sudo rootsh), it
prompts for a root password. When I run this
use case using ansible playbook, it gives the below error.
Could you please let me know what would be correct/valid
directives (become_*) that I need to use to run the cmd
using root user. Appreciate your help.
I wrote this playboo
*testroot.yaml*
---
- hosts: '{{ host }}'
  gather_facts: yes
  tasks:
    - name: Get current user on remote
      ansible.builtin.shell: |
        whoami
      become: true
      become_exe: "sudo rootsh"
      register: out
    - debug:
        msg: "{{ out }}"
*ansible-playbook -i hosts testroot.yaml -e "host=host.iil.corp.com"
--ask-become-pass -k*
[DEPRECATION WARNING]: Ansible will require Python 3.8
or newer on the controller starting with Ansible 2.12.
Current version: 3.6.15 (default, Sep 15 2021, 14:20:42)
[GCC]. This feature will be removed
from ansible-core in version 2.12. Deprecation warnings
can be disabled by setting deprecation_warnings=False in
ansible.cfg.
/*SSH password:
BECOME password[defaults to SSH password]:*/
PLAY [host.iil.corp.com]
********************************************************************************************************************************************************************************
TASK [Get current user on remote]
***************************************************************************************************************************************************************************
fatal: [host.iil.corp.com]:
FAILED! => {"msg": "Timeout (12s) waiting for privilege
escalation prompt: Subject to Company's Global Employee
and Global Contingent Worker Privacy Notices\r\n(see
https://employeecontent.corp.com/content/corp/Global_Employee_and_Global_Contingent_Worker_Privacy.html
)\r\nall system access and delegated/privileged activity
on the corp network\r\nmay be logged for auditing and
security purposes, including your username \r\nand
commands used. Log records may be retained for up to 1
year.\r\n\r\nWe trust you have received the usual
lecture from the local System\r\nAdministrator. It
usually boils down to these three things:\r\n\r\n #1)
Respect the privacy of others.\r\n #2) Think before
you type.\r\n #3) With great power comes great
responsibility.\r\n\r\nRemember you may use 'sudo -l' to
review a list of authorized commands.\r\n\r\n"}
PLAY RECAP
**************************************************************************************************************************************************************************************************
host.iil.corp.com
: ok=0 changed=0 unreachable=0 failed=1
skipped=0 rescued=0 ignored=0
--
You received this message because you are subscribed to the
Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails
from it, send an email to
[email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/CAE7H9qq05ZQ1YcytQQSQmTo_fn0Wo8UAN97WL5iNKtfVSo-uuQ%40mail.gmail.com
--
Todd
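
An added example (not part of the thread and not Ansible's own code): a small parser for `sudo -l` output that reports whether a plain `become: true` can work, given that Ansible's sudo become runs each task through `/bin/sh` as root. The sample outputs, the user and host names and the `/usr/bin/rootsh` path are constructed assumptions, and sudoers tags are treated as applying to the whole rule line.

```python
import re

# Constructed samples of `sudo -l` output; names and the rootsh path are assumptions.
SAMPLE_ROOTSH_ONLY = """\
User testuser may run the following commands on hostname:
    (root) /usr/bin/rootsh
"""
SAMPLE_NOPASSWD_ALL = """\
User testuser may run the following commands on hostname:
    (ALL) NOPASSWD: ALL
"""
SAMPLE_PASSWD_ALL = """\
User testuser may run the following commands on hostname:
    (ALL : ALL) ALL
"""

RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG = re.compile(r"^(?P<tag>[A-Z_]+):\s*")  # NOPASSWD:, PASSWD:, SETENV:, ...


def parse_rules(sudo_l_output):
    """Return a list of (runas_users, tags, commands) from `sudo -l` text."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header and "Matching Defaults" lines carry no rule
        # "(ALL : ALL)" is "(users : groups)"; only the user part matters here.
        runas = {u.strip() for u in m["runas"].split(":")[0].split(",")}
        rest, tags = m["rest"], set()
        while (t := TAG.match(rest)):
            tags.add(t["tag"])
            rest = rest[t.end():]
        commands = [c.strip() for c in rest.split(",") if c.strip()]
        rules.append((runas, tags, commands))
    return rules


def become_outlook(sudo_l_output, shell="/bin/sh"):
    """Classify how `become: true` (sudo, target user root) will behave."""
    verdict = "blocked"  # no rule lets sudo start the shell as root
    for runas, tags, commands in parse_rules(sudo_l_output):
        if not runas & {"ALL", "root"}:
            continue
        if not any(c == "ALL" or c.split()[0] == shell for c in commands):
            continue
        # sudoers applies the last matching rule, so later lines override.
        verdict = "passwordless" if "NOPASSWD" in tags else "needs-become-pass"
    return verdict
```

A `blocked` result means the account's sudo rights name specific commands only, which sudo will not extend to the shell Ansible asks it to run; `needs-become-pass` corresponds to running with `--ask-become-pass`.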