Ping a Specific Port

Question

Mike S

Asked: 2020-03-14 14:22:32 +0800 CST2020-03-14 14:22:32 +0800 CST 2020-03-14 14:22:32 +0800 CST

How do I create a proper sudoer rule for an Ansible handler?

772

Is it possible to use become in a handler?

We are running ansible 2.9.3 on a RHEL 7.4 machine. We have a user who is modifying some config files for a daemon (Consul), and we want the service to restart after any configuration change. We have a notify in the tasks, and a handler.

The files are getting modified properly, and the handler is getting notified and it runs. However, the sudo rule is not working correctly as Ansible exits with a failure:

"module_stderr": "sudo: a password is required\n"

When they run it from the command line, the user can run any systemctl commands they want using sudo commands; eg sudo systemctl restart consul and sudo systemctl restart consul.service work famously. Only the Ansible handler demands the password.

Here is our handler:

---

- name: Restart consul
  service:
    name: consul
    state: restarted
  become: yes
  become_user: root
  become_method: sudo

What is the magic inside the sudoers file that Ansible wants? I have looked for clues from the ansible -vvv output but the only thing it tells me is as below. It looks like it wants to run something like

sudo -H -S -n  -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-hltnfuwykrbhkmyixwzzockacxeosntn ; /usr/bin/python /home/consinstall/.ansible/tmp/ansible-tmp-1584133543.53-230020740311861/AnsiballZ_systemd.py'"'"'

which would be impossible to put in our sudoers file. Here's the output from the handler:

RUNNING HANDLER [workdir : Restart consul] *****************************************************************************************************
task path: /home/consinstall/bitbucket/workdir/roles/deploy/handlers/main.yml:3
<testhost01> ESTABLISH LOCAL CONNECTION FOR USER: consinstall
<testhost01> EXEC /bin/sh -c 'echo ~consinstall && sleep 0'
<testhost01> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/consinstall/.ansible/tmp/ansible-tmp-1584133543.53-230020740311861 `" && echo ansible-tmp-1584133543.53-230020740311861="` echo /home/consinstall/.ansible/tmp/ansible-tmp-1584133543.53-230020740311861 `" ) && sleep 0'
Using module file /usr/lib/python2.7/site-packages/ansible/modules/system/systemd.py
<testhost01> PUT /home/consinstall/.ansible/tmp/ansible-local-79139pfL0dr/tmpauDoVw TO /home/consinstall/.ansible/tmp/ansible-tmp-1584133543.53-230020740311861/AnsiballZ_systemd.py
<testhost01> EXEC /bin/sh -c 'chmod u+x /home/consinstall/.ansible/tmp/ansible-tmp-1584133543.53-230020740311861/ /home/consinstall/.ansible/tmp/ansible-tmp-1584133543.53-230020740311861/AnsiballZ_systemd.py && sleep 0'
<testhost01> EXEC /bin/sh -c 'sudo -H -S -n  -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-hltnfuwykrbhkmyixwzzockacxeosntn ; /usr/bin/python /home/consinstall/.ansible/tmp/ansible-tmp-1584133543.53-230020740311861/AnsiballZ_systemd.py'"'"' && sleep 0'
<testhost01> EXEC /bin/sh -c 'rm -f -r /home/consinstall/.ansible/tmp/ansible-tmp-1584133543.53-230020740311861/ > /dev/null 2>&1 && sleep 0'
fatal: [testhost01]: FAILED! => {
    "changed": false, 
    "invocation": {
        "module_args": {
            "daemon_reexec": false, 
            "daemon_reload": false, 
            "enabled": null, 
            "force": null, 
            "masked": null, 
            "name": "consul", 
            "no_block": false, 
            "scope": null, 
            "state": "restarted", 
            "user": null
        }
    }, 
    "msg": "Unable to start service consul: Job for consul.service failed because the control process exited with error code. See \"systemctl status consul.service\" and \"journalctl -xe\" for details.\n"
}
META: ran handlers

NO MORE HOSTS LEFT *******************************************************************************************************************************************

PLAY RECAP ***************************************************************************************************************************************************
testhost01                : ok=2    changed=1    unreachable=0    failed=1    skipped=2    rescued=0    ignored=0

1 Answers

Voted

John Mahowald · Answer 1 · 2020-03-15T05:39:16+08:00

Best Answer

John Mahowald

2020-03-15T05:39:16+08:002020-03-15T05:39:16+08:00

Ansible does not simply run systemctl. The service module determines the correct service manager for your system, then transfers an appropriate Python module with proper state reporting and error checking.

The necessary sudo rule is running arbitrary python scripts as the become_user. It is near impossible to limit this, so Ansible users in less restrictive environments tend to give the Ansible user sudo to run all.

An alternative to remote Ansible ssh-ing in and becoming root is to run plays from an already privileged process. Think ansible-pull style clone and run from root's crontab. It is possible to become a less privileged user for tasks that don't require it.

raw module technically doesn't need to run any scripts, but that severely limits Ansible as you can't use modules.

Another write up of this: Can't use sudo command-limiting in Ansible.

1

How do I create a proper sudoer rule for an Ansible handler?

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?