semaphore
"Permission Denied"
Hello fellow People...
I am kinda new to Ansible/Semaphore and trying to set up my first playbook.
My Playbook:
```yaml
---
- hosts: all
  become: yes
  become_user: myuser
  tasks:
    - name: Update apt repo and cache on all Debian/Ubuntu boxes
      apt: update_cache=yes force_apt_get=yes cache_valid_time=3600

    - name: Upgrade all packages on servers
      apt: upgrade=dist force_apt_get=yes

    - name: Check if a reboot is needed on all servers
      register: reboot_required_file
      stat: path=/var/run/reboot-required get_md5=no

    - name: Reboot the box if kernel updated
      reboot:
        msg: "Reboot initiated by Ansible for kernel updates"
        connect_timeout: 5
        reboot_timeout: 300
        pre_reboot_delay: 0
        post_reboot_delay: 30
        test_command: uptime
      when: reboot_required_file.stat.exists
```
My error log is in the attachment...
I already ran "ansible all -m ping" and get a success; even the connection via "ssh user@hostip" works fine without needing a password.
Can you guys help me with that?
You've set become_user: myuser, but only root can run the apt and reboot tasks. The apt fails first because you're running it as non-root. (This isn't anything to do with Semaphore.)
Hello! Thank you for your input! I still have the same errors...
8:32:10 AM TASK [Update apt repo and cache on all Debian/Ubuntu boxes] ******************** 8:33:11 AM fatal: [172.17.3.15]: FAILED! => {"changed": false, "msg": "Failed to lock apt for exclusive operation: Failed to lock directory /var/lib/apt/lists/: E:Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)"}
You need become: yes with become_user: root (or omitted).
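As an added example (not code from this thread or from Semaphore), a small check for the misconfiguration the two replies above point at: tasks that use root-only modules while the effective become user is not root. The playbook is given as a constructed Python structure (what yaml.safe_load would return), mirroring the first post's playbook; the set of root-only modules is an assumption for the demo, not an Ansible-defined list.

```python
import copy

# Assumption for this demo: modules that only work as root on a typical host.
ROOT_ONLY_MODULES = {"apt", "apk", "reboot", "service", "systemd"}


def effective_become(play, task):
    """Return (become_enabled, become_user) for a task.

    Task-level keys override play-level keys, and Ansible's default
    become_user is root whenever become is enabled.
    """
    enabled = bool(task.get("become", play.get("become", False)))
    user = task.get("become_user", play.get("become_user", "root"))
    return enabled, user


def find_non_root_privileged_tasks(plays):
    """Return (play, task name, module, become_user) for every task that uses a
    root-only module but will not actually run as root. become_user is None
    when become is off entirely."""
    findings = []
    for play in plays:
        for task in play.get("tasks", []):
            module = next((k for k in task if k in ROOT_ONLY_MODULES), None)
            if module is None:
                continue
            enabled, user = effective_become(play, task)
            if not enabled or user != "root":
                findings.append((play.get("hosts"), task["name"], module, user if enabled else None))
    return findings


def with_root_become(plays):
    """Return a copy where the play-level become_user is dropped, so Ansible
    defaults to root (the fix suggested in this thread)."""
    fixed = copy.deepcopy(plays)
    for play in fixed:
        play["become"] = True
        play.pop("become_user", None)
    return fixed


# Constructed sample: the structure of the playbook from the first post.
ORIGINAL_PLAYBOOK = [{
    "hosts": "all", "become": True, "become_user": "myuser",
    "tasks": [
        {"name": "Update apt repo and cache", "apt": "update_cache=yes force_apt_get=yes"},
        {"name": "Upgrade all packages", "apt": "upgrade=dist force_apt_get=yes"},
        {"name": "Check if a reboot is needed", "stat": "path=/var/run/reboot-required",
         "register": "reboot_required_file"},
        {"name": "Reboot the box if kernel updated", "reboot": {"msg": "Reboot by Ansible"},
         "when": "reboot_required_file.stat.exists"},
    ],
}]
```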
But if I have an SSH key copied for user A and user A is allowed to execute "sudo" commands and everything is working manually, why isn't it possible to execute everything as non-root user? I am having the same error.
Post your whole playbook. Also, does the playbook run on the command line without semaphore?
Playbook: https://pastebin.com/An6wM4rZ
Yes, on the command line it runs without any issues, using -K and providing the password manually.
Fixing in progress
Is there an older version of the docker image without this bug? So that I could use this in the meantime?
Hey all,
Is there an ETA on the fix?
I believe I've stumbled on the same / similar issue as explained in the mentioned issue. Basically it looks like the "become" part is being ignored when executed by Semaphore while it's working when executing the playbook manually from cli (as reported also above by another user).
When I tried to "force" the sudo / become part (a simple command: sudo touch file) the task hangs indefinitely.
@fuuman not sure if this is helpful to you, but on a different system (running Ansible 2.9.27 and Semaphore 2.8.90) this seems to be working fine
Thanks!
Hi all,
I've done some testing about this issue and tried previous versions of Semaphore to see if I can get an older version to work while a fix is being worked on.
I've tried the following Semaphore versions
- 2.9.37
- 2.9.4
- 2.8.90
On all these versions the issue with the sudo / become seems present. My system is an Ubuntu 22.04 running Ansible 2.15.4.
The strange thing is that on a different system, version 2.8.90 is working correctly (Ansible 2.9.27 - Semaphore 2.8.90 running on Raspberry with Raspbian (Buster)).
Between the two systems the differences are:
- The Ansible version (2.15.4 - not working, 2.9.27 - working)
- The fact that on the Ubuntu 22.04 system I'm using LDAP accounts.
Please note that running the playbook manually from cli (ansible-playbook...) is working as expected. So it seems it's not an issue of Ansible, but the interaction between Semaphore <-> Ansible (2.15.4).
Unfortunately at the moment I'm unable to rollback the Ansible version to test with a previous version.
Hoping this helps and a fix / workaround arrives fast!
Thanks!
I have the same issue, even with the latest beta. Is a fix in sight?
I don't know if this will help anyone else, but this seemed to fix my issues with not being able to run commands as sudo - remove the username from the login with password key in the keystore I was using for sudo-ing: https://github.com/ansible-semaphore/semaphore/issues/1445#issuecomment-1736925703
I got the same problem.
...
ERROR: Unable to lock database: Permission denied
ERROR: Failed to open apk database: Permission denied
could not update package db
In my setup, because Semaphore (Docker) uses Alpine, I had to change become_method = su in the ansible.cfg and also change my task from using apt to using apk in the playbook.
I have tried the workaround from @twistedlogick but it shows another error complaining no username found :). I hope this is because of this bug.
Maybe work
My playbook is used to clean unused Docker images & containers, which also needs root permission.
Semaphore version is v2.9.37
```yaml
- name: clean docker
  hosts: docker
  tasks:
    - name: docker clean
      become: true
      become_user: root
      become_method: sudo
      command: docker system prune -a -f
```
At first it always failed; finally I found a wrong config in my Inventory: I set both User Credentials and Sudo Credentials (Optional) to the same Key Store, and this is the fail reason. The Sudo Credentials (Optional) should not have a username, I guess. When I create a new Key Store and keep the username empty, it works.
[screenshot: wrong]
[screenshot: right]
Good luck~
Strangely enough that works, thanks @wuyue92tree. So to wrap up, two keystores need to be created:
- one keystore entry (login_password or ssh) that contains username and password (though the password won't be used in this keystore)
- one keystore entry that only contains the password (emptying out the username)
and put those in the inventory, and use it as vault password in the template.
can confirm works.. cheers
It works, googled two days. Thanks @wuyue92tree
Thanks for sharing. This helped me out.
This fixed it for me, too. Thank you
@wuyue92tree's reply works because of the sudo command.
UserId: you need to leave the userid blank or put root (i.e. the user you want to become).
Password: you need to put your password that allows you to call sudo.
I think an update to the documentation would allow this issue to be closed.
Strangely enough that works, thanks @wuyue92tree. So to wrap up, two keystores need to be created:
- one keystore entry (login_password or ssh) that contains username and password (though the password won't be used in this keystore)
- one keystore entry that only contains the password (emptying out the username)
and put those in the inventory, and use it as vault password in the template.
This doesn't work anymore; it ended up working by putting the correct value in vault password (an entry with username and password filled). Did they fix this up?
@fiftin Good afternoon! Tell me, will there be a fix for the sudo privilege escalation problem, or should I just not wait and stop struggling with it?
@DevOpsSim It is being fixed. I would be grateful if you could help test the preview version.
@DevOpsSim https://github.com/semaphoreui/semaphore/releases/tag/v2.9.66-beta
docker pull semaphoreui/semaphore:v2.9.66-beta
UPDATE: this version has a bug. Will fix soon.
UPDATE: https://github.com/semaphoreui/semaphore/releases/tag/v2.9.68-beta
@wuyue92tree Thank you!
This was driving me mad
Hi @Koltsz Do you have a use case to reproduce the problem? Step-by-step.
Hey, sure
- Installed the latest docker image. Using mysql as the DB.
- Started with adding a key with type login with password called docker-server
- created Environment var and added "ANSIBLE_HOST_KEY_CHECKING": "False" so I could use login with password.
- Inventory is a static file with just one IP to test; this is where the issue was, but I'll explain what I had before I did the fix. The user credentials are set to docker-server and the Sudo credentials were also set to docker-server.
- task set up with my GitHub, the playbook is called update-servers.yaml
Here is the link: https://github.com/Koltsz/ansible/blob/main/playbooks%2Fupdate-servers.yaml
This is the error I got:
2:43:38 PM
Task 19 added to queue
2:43:43 PM
Started: 19
2:43:43 PM
Run TaskRunner with template: update-servers
2:43:43 PM
Preparing: 19
2:43:43 PM
Updating Repository https://github.com/Koltsz/ansible
2:43:43 PM
From https://github.com/Koltsz/ansible
2:43:43 PM
* branch main -> FETCH_HEAD
2:43:43 PM
Already up to date.
2:43:43 PM
installing static inventory
2:43:43 PM
No collections/requirements.yml file found. Skip galaxy install process.
2:43:43 PM
No roles/requirements.yml file found. Skip galaxy install process.
2:43:44 PM
PLAY [all] *********************************************************************
2:43:44 PM
TASK [Gathering Facts] *********************************************************
2:43:44 PM
2:43:44 PM
2:43:45 PM
ok: [10.0.0.93]
2:43:45 PM
2:43:45 PM
TASK [upgrade apt packages] ****************************************************
2:44:45 PM
fatal: [10.0.0.93]: FAILED! => {"changed": false, "msg": "Failed to lock apt for exclusive operation: Failed to lock directory /var/lib/apt/lists/: E:Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)"}
2:44:45 PM
2:44:45 PM
PLAY RECAP *********************************************************************
2:44:45 PM
10.0.0.93 : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
2:44:45 PM
2:44:45 PM
Running playbook failed: exit status 2
And I tried everything to fix it, the only way to fix it was for me to follow what @wuyue92tree explained to do.
That's pretty much it.
@Koltsz Please try docker pull semaphoreui/semaphore:v2.9.68-beta.
I just did what you said and it works.
FYI: I changed the method of passing login/password to ansible-playbook. Now Semaphore uses the flags --ask-pass, --ask-become-pass and sends passwords via Stdin.
@DevOpsSim It is being fixed. I would be grateful if you could help test the preview version.
I'll check and report back. Thanks!
Updated to v2.9.68-beta
My playbook:
```yaml
- hosts: all
  gather_facts: no
  become: true
  become_user: ansible
  tasks:
    - name: make sure SSL certificates are existing and secured
      copy:
        src: "/tmp/semaphore/repository_1_1/deploy_ssl/v_1/ssl/{{ item }}/domain.crt"
        dest: "/home/ansible/ssl/{{ item }}/domain.crt"
        owner: ansible
        group: ansible
        mode: "0644"
      loop:
        - example_1.com
        - example_2.com
        - example_3.com

    - name: make sure SSL private keys are installed
      copy:
        src: "/tmp/semaphore/repository_1_1/deploy_ssl/v_1/ssl/{{ item }}/domain.key"
        dest: "/home/ansible/ssl/{{ item }}/domain.key"
        owner: ansible
        group: ansible
        mode: "0644"
      no_log: true
      loop:
        - example_1.com
        - example_2.com
        - example_3.com

    - name: Create symbolic link
      file:
        src: "/home/ansible/ssl"
        dest: "/etc/nginx/ssl"
        state: link

    - name: reload nginx
      service:
        name: nginx.service
        state: reloaded
```
Login and execution are under the user ansible. That user has sudo rights. In the Semaphore inventory, User Credentials: login and password of the user ansible. Sudo Credentials (Optional): only the password of the user ansible, without the login. P.S. If I run this same playbook locally on the machine, connecting over ssh as this same user ansible, it runs without errors. The link is created, the nginx service is reloaded. All OK!
3:14:37 PM
PLAY [all] *********************************************************************
3:14:37 PM
3:14:37 PM
TASK [make sure SSL certificates are existing and secured] *********************
3:14:41 PM
changed: [test-debian] => (item=example_1.com)
3:14:46 PM
changed: [test-debian] => (item=example_2.com)
3:14:51 PM
changed: [test-debian] => (item=example_3.com)
3:14:51 PM
3:14:51 PM
TASK [make sure SSL private keys are installed] ********************************
3:14:55 PM
changed: [test-debian] => (item=None)
3:15:00 PM
changed: [test-debian] => (item=None)
3:15:04 PM
changed: [test-debian] => (item=None)
3:15:04 PM
changed: [test-debian]
3:15:04 PM
3:15:04 PM
TASK [Create symbolic link] ****************************************************
3:15:06 PM
fatal: [test-debian]: FAILED! => {"changed": false, "msg": "Error while linking: [Errno 13] Permission denied: b'/home/ansible/ssl' -> b'/etc/nginx/ssl'", "path": "/etc/nginx/ssl"}
3:15:06 PM
3:15:06 PM
PLAY RECAP *********************************************************************
3:15:06 PM
test-debian : ok=3 changed=3 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
3:15:06 PM
3:15:06 PM
Running playbook failed: exit status 2