3
votes

I am provisioning a VM via local connection with Ansible. Some tasks require su privileges (to be granted via sudo).

I can't use the --ask-become-password switch as I want the provisioning to be completely automated.

Here is my playbook play.yml:

---
  - hosts: all
    gather_facts: yes
    roles:
      - role1

Here is roles/role1/tasks/main.yml:

---
  - name: Update apt-get cache (apt-get update)
    become: true
    apt: update_cache=yes

My inventory:

localhost

Finally host_vars/localhost.yml:

---
ansible_connection: local
ansible_become_pass: user

I get the following error while running the playbook with: ansible-playbook -i inventory play.yml -vvvv

<localhost> REMOTE_MODULE apt update_cache=yes
<localhost> EXEC ['/bin/sh', '-c', 'mkdir -p /tmp/ansible-tmp-1448910759.16-277915614747763 && chmod a+rx /tmp/ansible-tmp-1448910759.16-277915614747763 && echo /tmp/ansible-tmp-1448910759.16-277915614747763']
<localhost> PUT /tmp/tmpKuhTO2 TO /tmp/ansible-tmp-1448910759.16-277915614747763/apt
<localhost> EXEC ['/bin/sh', '-c', u'chmod a+r /tmp/ansible-tmp-1448910759.16-277915614747763/apt']
<localhost> EXEC /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=ilkbtrjkxxznhmgwvdaglfojzolhhfhz] password: " -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-ilkbtrjkxxznhmgwvdaglfojzolhhfhz; LANG=C LC_CTYPE=C /usr/bin/python /tmp/ansible-tmp-1448910759.16-277915614747763/apt'"'"''
<localhost> EXEC /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=stcxercjkjtxgyzjewlffytjjwcwidip] password: " -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-stcxercjkjtxgyzjewlffytjjwcwidip; LANG=C LC_CTYPE=C /usr/bin/python /home/user/.ansible/tmp/ansible-tmp-1449081640.46-119933765060267/apt; rm -rf /home/user/.ansible/tmp/ansible-tmp-1449081640.46-119933765060267/ >/dev/null 2>&1'"'"''
failed: [localhost] => {"failed": true, "parsed": false}
[sudo via ansible, key=stcxercjkjtxgyzjewlffytjjwcwidip] password:

Why is ansible_become_password for localhost being ignored?

I have noticed that the password is not being reported in Ansible verbose output, but I don't know if it's the default behavior.

Ansible 1.9.4, default ansible.cfg on Ubuntu Server 15.10.

EDIT: updated playbooks (removed ansible_become_user variable) and output.

The play works if I run it with the --ask-become-password switch.


2 Answers

4
votes

ansible_become_user is used to switch to a user much like su.

If that user doesn't have the right privileges to perform the task without further privilege escalation then the task will fail.

If you remove your ansible_become_user line it will default to root which should then be able to do anything.

2
votes

The documentation says to use ansible_become_pass, and not ansible_become_password.

ansible_become equivalent to ansible_sudo or ansible_su, allows to force privilege escalation

ansible_become_method allows to set privilege escalation method

ansible_become_user equivalent to ansible_sudo_user or ansible_su_user, allows to set the user you become through privilege escalation

ansible_become_pass equivalent to ansible_sudo_pass or ansible_su_pass, allows you to set the privilege escalation password
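A check for the problem this thread turns on, as an added example that is not part of the original question or answers: it scans a host_vars file for privilege-escalation variables whose names are not in the documentation list quoted above, and for escalation passwords stored as plaintext literals. The function name `lint_host_vars` is hypothetical, the sample input is constructed from the question's file, and treating a `{{ ... }}` reference as "not plaintext" is an assumption; `$ANSIBLE_VAULT;` is the header of a file encrypted with ansible-vault.

```python
import re

# Variable names taken from the documentation list quoted in the answer above.
DOCUMENTED = {"ansible_become", "ansible_become_method",
              "ansible_become_user", "ansible_become_pass"}
# Older equivalents named in the same list.
LEGACY = {"ansible_sudo", "ansible_su", "ansible_sudo_user", "ansible_su_user",
          "ansible_sudo_pass", "ansible_su_pass"}
PASSWORD_KEYS = {"ansible_become_pass", "ansible_sudo_pass", "ansible_su_pass"}
# Top-level "key: value" lines whose key looks like an escalation variable.
ESCALATION_KEY = re.compile(r"^(ansible_(?:become|sudo|su)\w*)\s*:\s*(.*)$")
VAULT_HEADER = "$ANSIBLE_VAULT;"  # first line of an ansible-vault encrypted file


def lint_host_vars(text):
    """Return (line_number, key, message) findings for one host_vars file."""
    if text.lstrip().startswith(VAULT_HEADER):
        return []  # whole file is vault-encrypted; nothing readable to lint
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = ESCALATION_KEY.match(line)
        if not match:
            continue
        key = match.group(1)
        value = match.group(2).split(" #")[0].strip()  # drop trailing comment
        if key not in DOCUMENTED | LEGACY:
            findings.append((number, key, "not in the documented list quoted above"))
        elif (key in PASSWORD_KEYS and value
              and not value.startswith(("{{", '"{{', "'{{"))):
            # Assumption: a Jinja reference points at a secret kept elsewhere.
            findings.append((number, key, "password stored as a plaintext literal"))
    return findings


# Constructed sample: the question's host_vars/localhost.yml plus the
# variable name used in the question's text.
SAMPLE = """---
ansible_connection: local
ansible_become_pass: user
ansible_become_password: user
"""

if __name__ == "__main__":
    for number, key, message in lint_host_vars(SAMPLE):
        print("line %d: %s: %s" % (number, key, message))
```

The documented set reflects only the list quoted on this page for the Ansible version under discussion; adjust it to the documentation of the version you run.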