{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 何必那么认真 的问题《Ansible non-root sudo user and “become” privilege》','https://www.manongdao.com/q-213104.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I've set up a box with a user david who has sudo privileges. I can ssh into the box and perform sudo operations like apt-get install. When I try to do the same thing using Ansible's "become privilege escalation", I get a permission denied error. So a simple playbook might look like this:
simple_playbook.yml:
---
- name: Testing...
hosts: all
become: true
become_user: david
become_method: sudo
tasks:
- name: Just want to install sqlite3 for example...
apt: name=sqlite3 state=present
I run this playbook with the following command:
ansible-playbook -i inventory simple_playbook.yml --ask-become-pass
This gives me a prompt for a password, which I give, and I get the following error (abbreviated):
fatal: [123.45.67.89]: FAILED! => {...
failed: E: Could not open lock file /var/lib/dpkg/lock - open (13:
Permission denied)\nE: Unable to lock the administration directory
(/var/lib/dpkg/), are you root?\n", ...}
Why am I getting permission denied?
Additional information
I'm running Ansible 2.1.1.0 and am targeting a Ubuntu 16.04 box. If I use remote_user and sudo options as per Ansible < v1.9, it works fine, like this:
remote_user: david
sudo: yes
Update
The local and remote usernames are the same. To get this working, I just needed to specify become: yes (see @techraf's answer):
Because APT requires root permissions (see the error:
are you root?) and you are running the tasks asdavid.Per these settings:
Ansible becomes
davidusingsudomethod. It basically runs its Python script withsudo davidin front.It means
davidcan execute commands (some or all) usingsudo-executable to change the effective user for the child process (the command). If no username is given, this process runs as therootaccount.Compare the results of these two commands:
Back to the APT problem, you (from CLI) as well as Ansible (connecting with SSH using your account) need to run:
not:
which will fail with the very exact message Ansible displayed.
The following playbook will escalate by default to the root user:
remote_userisdavid. Call the script with--ask-passand give password fordavid. Ifdaviddoesn't have passwordless sudo, then you should also call it with--ask-become-pass.