
Error on step "Create localhost binary cache path" if "become: true" is set on whole playbook

Open phidah opened this issue 8 months ago • 3 comments

I have a playbook with become: true for the whole playbook.

I use the prometheus.prometheus.redis_exporter role like so:

- name: Install Prometheus Redis Exporter
  include_role:
    name: prometheus.prometheus.redis_exporter

I, however, get stuck at this step:

TASK [prometheus.prometheus._common : Create localhost binary cache path] ***************************************************************************
task path: /Users/<me>/.ansible/collections/ansible_collections/prometheus/prometheus/roles/_common/tasks/install.yml:59
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: <me>
<localhost> EXEC /bin/sh -c 'echo ~<me> && sleep 0'
<localhost> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /Users/<me>/.ansible/tmp `"&& mkdir "` echo /Users/<me>/.ansible/tmp/ansible-tmp-1741783842.452032-45768-224007809248663 `" && echo ansible-tmp-1741783842.452032-45768-224007809248663="` echo /Users/<me>/.ansible/tmp/ansible-tmp-1741783842.452032-45768-224007809248663 `" ) && sleep 0'
Using module file /opt/homebrew/Cellar/ansible/11.3.0/libexec/lib/python3.13/site-packages/ansible/modules/file.py
<localhost> PUT /Users/<me>/.ansible/tmp/ansible-local-4568292m01zny/tmp8bchxrh3 TO /Users/<me>/.ansible/tmp/ansible-tmp-1741783842.452032-45768-224007809248663/AnsiballZ_file.py
<localhost> EXEC /bin/sh -c 'chmod u+x /Users/<me>/.ansible/tmp/ansible-tmp-1741783842.452032-45768-224007809248663/ /Users/<me>/.ansible/tmp/ansible-tmp-1741783842.452032-45768-224007809248663/AnsiballZ_file.py && sleep 0'
<localhost> EXEC /bin/sh -c 'sudo -H -S -p "[sudo via ansible, key=qaimkxrkcmfademqqinjnrxbmqtinkj] password:" -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-qaimkxrkcmzfademqqinjnrxbmqtinkj ; /opt/homebrew/Cellar/ansible/11.3.0/libexec/bin/python /Users/<me>/.ansible/tmp/ansible-tmp-1741783842.452032-45768-224007809248663/AnsiballZ_file.py'"'"' && sleep 0'

Even if I try wrapping it in a non-elevated block, it still tries to sudo:

- name: Install Prometheus Redis Exporter without elevated privileges
  block:
    - name: Install Prometheus Redis Exporter
      include_role:
        name: prometheus.prometheus.redis_exporter
  become: false

In https://github.com/prometheus-community/ansible/issues/427, an issue causing errors (or an infinite sudo prompt) if "become: true" was set on the whole workbook was fixed. It seems that my issue is the same. Some changes were made in 6209b53314d61b375578572e9b4df7e120ce3066, where the become: false statement on the task Create localhost binary cache path was moved.

It seems that somehow the become: false set in the "Download binary ..." task of the install.yml file is not being respected.

Is this a bug?

phidah, Mar 12 '25 12:03

Is there any reason why you need to apply become to the whole playbook?

When you apply the become to the playbook you are overwriting the individual become configuration of every task.

I know some other roles don't specify become for individual tasks but the roles in this collection are all designed where the tasks run only with elevated privileges where needed.

gardar, Mar 12 '25 15:03

I'm having the same issue. I don't expose the root user over SSH, and I connect to all of my servers via the ubuntu user + sudo (no password). That's why I use become: true globally. Actually, it's such an expected thing that I didn't expect that it might create any problems with the particular role.

Are there any workarounds so far?

UPDATED: OK, I've found the solution. I had ansible_become: true defined in group_vars/all.yml, and it covers localhost as well. What I've got to do is assign ansible_become to my nodes directly, or at least to more specific groups: in group_vars/servers.yml, for example.

Kukunin, May 29 '25 00:05
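
The workaround from the comment above, laid out as four files in one block, followed by a small check play. This is an added example, not from the thread or the collection: the group name servers and the ubuntu user come from the comment, while the host names, the inventory file name and the check play are assumptions.

```yaml
# inventory.yml  (constructed sample; host names are placeholders)
all:
  children:
    servers:
      hosts:
        node1.example.internal:
        node2.example.internal:
---
# group_vars/all.yml
# Before: the line below also applied to localhost, so tasks the role
# delegates to the controller were wrapped in sudo.
# ansible_become: true
---
# group_vars/servers.yml
# After: privilege escalation is scoped to the managed nodes only.
ansible_user: ubuntu
ansible_become: true
---
# check-controller-privileges.yml  (hypothetical check play)
- name: Confirm controller-side tasks are not escalated
  hosts: servers
  gather_facts: false
  tasks:
    - name: Read the effective UID of a task delegated to the controller
      ansible.builtin.command: id -u
      delegate_to: localhost
      run_once: true
      changed_when: false
      register: controller_uid

    - name: Fail if the delegated task ran as root
      ansible.builtin.assert:
        that:
          - controller_uid.stdout != "0"
        fail_msg: "Delegated task ran as root; ansible_become is reaching localhost"
```

With the setting still in group_vars/all.yml, the first task stops at the sudo step on the controller or, where the controller user has passwordless sudo, the assertion fails.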

> Are there any workarounds so far?

Yes - don't run the whole playbook with become, the role does it when needed

gardar, May 29 '25 00:05