1

In the shell, I am following the approach below to become the root user without any password, and it is working fine.

```
ssh-agent bash
ssh-add /repository/ansible/.ssh/id_rsa_ansible
ssh -A ansible@e8-df1

[ansible@e8-df1 ~]$ sudo -i
[root@e8-df1 ~]# 
```

However, in Ansible, I cannot achieve the same and am getting an error. Below are my Ansible inventory and playbook.

Inventory:

```ini
[qv]
e8-df1
e8-df2

[qv:vars]
ansible_ssh_user=ansible
ansible_ssh_private_key_file=/repository/ansible/.ssh/id_rsa_ansible
```

Playbook:

```yaml
---
- hosts: qv
  become: yes
  roles:
    - abc
```

Error:

```
fatal: [e8-df1]: FAILED! => {
    "changed": false,
    "failed": true,
    "invocation": {
        "module_name": "setup"
    },
    "module_stderr": "Shared connection to e8-df1 closed.\r\n",
    "module_stdout": "sudo: a password is required\r\n",
    "msg": "MODULE FAILURE"
}
fatal: [e8-df2]: FAILED! => {
    "changed": false,
    "failed": true,
    "invocation": {
        "module_name": "setup"
    },
    "module_stderr": "Shared connection to e8-df2 closed.\r\n",
    "module_stdout": "sudo: a password is required\r\n",
    "msg": "MODULE FAILURE"
}
```

I have gone through some documents and Q&As, and they suggest adding the line below to the sudoers file.

```
ansible ALL=(ALL) NOPASSWD: ALL
```

Now, I am not able to understand why the shell procedure works without the sudoers configuration. Is there any other way to achieve the same in Ansible?

Biswadip Dey
  • 1
    Are you saying that without modifying /etc/sudoers, interactive sudo works but via Ansible does not, but if you do edit /etc/sudoers, both methods work? If so, there is some existing sudoers config which is allowing interactive sudo. Run `egrep -v '^$|^#' /etc/sudoers /etc/sudoers.d/*` which will show you all the effective sudo rules in place. – clockworknet Jan 09 '19 at 09:36
  • I have checked in /etc/sudoers.d also and there are no such rules. – Biswadip Dey Jan 09 '19 at 12:51
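
The sudoers check from the comment above, extended as an added example that is not part of the original thread: it lists the active sudoers lines that apply to one user, tags the ones that skip the password, and keeps `#includedir` lines that a plain comment filter would hide. The sample files and the groups `wheel` and `deploy` are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the active sudoers lines that apply to one user.
# Sample data is constructed; groups "wheel" and "deploy" are assumptions.

# audit_sudoers USER GROUPS FILE...   (GROUPS: comma-separated, may be "")
# Limitation: matches a single user, %group or ALL in the first field only;
# User_Alias names and comma-separated user lists are not expanded.
audit_sudoers() {
  user=$1; grps=$2; shift 2
  awk -v user="$user" -v grps="$grps" '
    BEGIN { n = split(grps, g, ","); for (i = 1; i <= n; i++) who["%" g[i]] = 1
            who[user] = 1; who["ALL"] = 1 }
    /^[ \t]*$/ { next }                      # blank line
    # "#include" and "#includedir" are directives, not comments
    /^[ \t]*[#@]include(dir)?[ \t]/ { print "INCLUDE   " FILENAME ": " $0; next }
    # "#1000" in the user field is a numeric uid, not a comment
    /^[ \t]*#[0-9]/ { print "UIDRULE   " FILENAME ": " $0; next }
    /^[ \t]*#/ { next }                      # real comment
    $1 ~ /^Defaults/ {                       # !authenticate skips the password
      if ($0 ~ /!authenticate/) print "NOAUTH    " FILENAME ": " $0
      next }
    ($1 in who) {
      tag = ($0 ~ /NOPASSWD[ \t]*:/) ? "NOPASSWD  " : "PASSWORD  "
      print tag FILENAME ": " $0 }
  ' "$@"
}

# write_sample DIR: create a constructed sudoers tree under DIR
write_sample() {
  mkdir -p "$1/sudoers.d"
  printf '%s\n' '# constructed sample' 'Defaults env_reset' \
    'root ALL=(ALL) ALL' '%wheel ALL=(ALL) ALL' \
    '#includedir /etc/sudoers.d' > "$1/sudoers"
  printf '%s\n' '# constructed sample' \
    '%deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl' > "$1/sudoers.d/90-deploy"
}

# Demo on the constructed sample. On a real host, run as root with
# /etc/sudoers /etc/sudoers.d/* and the groups reported by `id -Gn ansible`.
demo=$(mktemp -d)
write_sample "$demo"
audit_sudoers ansible wheel,deploy "$demo/sudoers" "$demo"/sudoers.d/*
rm -rf "$demo"
```

A `PASSWORD` line with no matching `NOPASSWD` or `NOAUTH` line means sudo itself will prompt, which is the condition Ansible reports as `sudo: a password is required`.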

2 Answers

0

The problem is that when you connect via the shell, you are passing the agent in the SSH connection using the -A parameter; in Ansible, you need to configure this behavior if you want to pass the agent on the SSH connection.

Here is a related question with a solution: SSH Agent Forwarding with Ansible

Basically, you need to provide in ansible.cfg the SSH parameter that you want. You can also add the parameters for the hosts you are connecting to, with an SSH client configuration in ~/.ssh/config.

Securez
0

You need to set up private_key_file = /path/to/file in the configuration file /etc/ansible/ansible.cfg.

As per your question, it should look like the below:

```ini
private_key_file = /repository/ansible/.ssh/id_rsa_ansible
```

Hope this helps.

Santosh Garole