
Ch2. section 2.4 guided exercise, step 7 not working as expected ??


Hi, the exercise says to type in the password for the "student" account. I was curious what would happen if I typed in "help". It still works fine.

I ran it again and typed the "student" password and the playbook runs the same?

What should I see, or what am I not understanding?

Thank you.

-Angelo

CODE output

[student@workstation playbook-manage]$ ansible-navigator run -m stdout ping-intranetweb.yml
BECOME password:

PLAY [Validate inventory hosts] **************************************************************************************************************************************************************************************

TASK [Ping intranetweb] **********************************************************************************************************************************************************************************************
ok: [servera.lab.example.com]

PLAY RECAP ***********************************************************************************************************************************************************************************************************
servera.lab.example.com : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

Accepted Solutions

Travis
Moderator

@uconn-alf02013 -

This unfortunately is a bad example. We are showing how to set up an ansible-navigator.yml configuration file for Ansible Navigator. We are also showing how to create the standard ansible.cfg configuration file. Unfortunately, what you've discovered is that it does prompt you for the "BECOME" password like it is supposed to; however, the ping module doesn't actually show you any type of failure here, as you don't need to be a privileged user to get a response from ping. I have different demos that I generally use when doing this course that will show that a little better.

We also have various keys and accounts set up on the system that also might be impacting things here. I will get a demo that you can see things a little better, but for now know that it is using some defaults. A quick fix showing things break is to modify the ansible.cfg file. Specify the remote_user as student. I will submit a fix for this in the book so we can show actual breakage. Unfortunately, since we have other "defaults" there and you are using a user that is in sudoers without a password, it will work every time regardless of the password, as it isn't needed.

I agree you should get this ...

[student@workstation playbook-manage]$ ansible-navigator run -m stdout ping-internetweb.yml
BECOME password:

PLAY [Validate inventory hosts] ***********************************************************************************************************

TASK [Ping internetweb] *******************************************************************************************************************
fatal: [serverb.lab.example.com]: FAILED! => {"msg": "Incorrect sudo password"}

PLAY RECAP ********************************************************************************************************************************
serverb.lab.example.com    : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

Please review the log for errors.

But that also requires a modification to the ansible.cfg file to specify a user that can sudo, but not in the sudoers file without requiring a password.

[student@workstation playbook-manage]$ cat ansible.cfg
[defaults]
inventory = ./inventory
remote_user = student

[privilege_escalation]
become = true
become_method = sudo
become_user = root
become_ask_pass = true

@bonnevil and @Chetan_Tiwary_ for visibility. I will try to file a JIRA with the details today.

Travis Michette, RHCA XIII
https://rhtapps.redhat.com/verify?certId=111-134-086
SENIOR TECHNICAL INSTRUCTOR / CERTIFIED INSTRUCTOR AND EXAMINER
Red Hat Certification + Training


7 Replies
Travis
Moderator

@uconn-alf02013 -

Some demos you can use ...

https://github.com/tmichett/RH294

 

 

Travis Michette, RHCA XIII
https://rhtapps.redhat.com/verify?certId=111-134-086
SENIOR TECHNICAL INSTRUCTOR / CERTIFIED INSTRUCTOR AND EXAMINER
Red Hat Certification + Training
Travis
Moderator

So a quick look with the ansible.builtin.shell module and the "whoami" command can illustrate this.

changed: [serverb.lab.example.com] => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python3"}, "changed": true, "cmd": "whoami", "delta": "0:00:00.006622", "end": "2024-03-19 11:51:23.570223", "msg": "", "rc": 0, "start": "2024-03-19 11:51:23.563601", "stderr": "", "stderr_lines": [], "stdout": "root", "stdout_lines": ["root"]}

or when 

become = false
changed: [serverb.lab.example.com] => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python3"}, "changed": true, "cmd": "whoami", "delta": "0:00:00.007338", "end": "2024-03-19 11:51:48.868613", "msg": "", "rc": 0, "start": "2024-03-19 11:51:48.861275", "stderr": "", "stderr_lines": [], "stdout": "student", "stdout_lines": ["student"]}

The lab environment is keying off of the user when it sees the become. Even though the password was wrong, the previous user or not defining a user is "root" based on other defaults and setups for the system. So the key here to ensure you are testing the Ansible User you want is to specifically define that user in the ansible.cfg file. Root doesn't need to sudo to become root, so it is never checking the password.

whoami.yml

---
- name: Validate inventory hosts
  hosts: internetweb
  gather_facts: no

  tasks:

    - name: Show who you are and testing credentials
      ansible.builtin.shell: whoami

Travis Michette, RHCA XIII
https://rhtapps.redhat.com/verify?certId=111-134-086
SENIOR TECHNICAL INSTRUCTOR / CERTIFIED INSTRUCTOR AND EXAMINER
Red Hat Certification + Training
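
An added example, not part of the original posts or the course material: a playbook that extends the whoami check above by separating the login user from the escalated user and probing for passwordless sudo, which are the two conditions under which the BECOME prompt proves nothing. The `internetweb` group comes from the thread; the presence of `sudo` on the managed host and the task layout are assumptions.

```yaml
---
# Added example: separates the login user from the escalated user.
# "internetweb" is the inventory group used in the thread; sudo on the
# managed host is an assumption.
- name: Show whether the BECOME password is actually exercised
  hosts: internetweb
  gather_facts: false

  tasks:
    - name: Identify the login user (no escalation)
      ansible.builtin.command: whoami
      become: false
      register: login_user
      changed_when: false

    - name: Probe for passwordless sudo as the login user
      # -k ignores cached credentials, -n never prompts: rc 0 means sudo
      # would succeed without any password being supplied.
      ansible.builtin.command: sudo -k -n true
      become: false
      register: nopasswd_probe
      changed_when: false
      failed_when: false

    - name: Report what the prompt can and cannot prove
      ansible.builtin.debug:
        msg: >-
          login_user={{ login_user.stdout }};
          become_password_is_checked={{ login_user.stdout != 'root'
          and nopasswd_probe.rc != 0 }}

    - name: Escalate last, so a wrong password fails here and not earlier
      ansible.builtin.command: whoami
      become: true
      register: effective_user
      changed_when: false

    - name: Confirm escalation reached the expected account
      ansible.builtin.assert:
        that:
          - effective_user.stdout == 'root'
```

If the report shows `become_password_is_checked=False`, any text typed at the BECOME prompt will be accepted on that host, which matches the behaviour in the original question.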
Travis
Moderator

@bonnevil and @Chetan_Tiwary_ - an issue has been filed and reported.

https://issues.redhat.com/browse/PTL-12801

 

Travis Michette, RHCA XIII
https://rhtapps.redhat.com/verify?certId=111-134-086
SENIOR TECHNICAL INSTRUCTOR / CERTIFIED INSTRUCTOR AND EXAMINER
Red Hat Certification + Training
Chetan_Tiwary_
Community Manager

Thanks a lot for reporting this, @Travis! I have moved it to the backlog.

bonnevil
Starfighter

Thanks, @Travis

Travis
Moderator

@uconn-alf02013 -

If you want some real fun here, you can see how the EE (Ansible Execution Environment) runs as a container and how, inside the container, as a regular container, the user is root. You can further demonstrate and see, when using things like ad-hoc commands with the Ansible/remote user, how things change depending on whether you specify --become or not.

 

https://github.com/tmichett/AnsiblePlaybooks/blob/master/AAP2/navigator/EE_Demo_Readme.adoc

 

Travis Michette, RHCA XIII
https://rhtapps.redhat.com/verify?certId=111-134-086
SENIOR TECHNICAL INSTRUCTOR / CERTIFIED INSTRUCTOR AND EXAMINER
Red Hat Certification + Training