If you use Ansible, probably you have some habits, that are hard to give them up. Also, many people have a very nasty sin – they ignore deprecation warnings. Moreover, some of them even like turning off warnings about deprecated features! And due to that, they are forced to digging the Internet and looking for the solution to their problem. But there is also another reason for digging – lack of documentation. It’s hard to say what is the cause of the problem which I’m going to describe, but I assume that both causes may be possible. Ok, so what’s the problem? Ansible 2.8 sudo escalation problem. 🙂
What is the problem?
You want to upgrade your Ansible to version 2.8. You read Porting Guide, check the changelog and you think that everything is clear. Then you made necessary changes in your playbook and made an upgrade. And then what? Your playbook crashes for example with the following error:
|
1 |
Failed to connect to the host via ssh: sudo: a password is required |
Of course, it can be another warning, even during the playbook execution (depending on how do you use become). Please check now your ansible.cfg file and check whether you have something like this inside the file:
|
1 2 |
[defaults] sudo_flags = -H -S |
The flags don’t matter – just check if you have sudo_flags under the defaults section. If the answer is yes, just try to remove this line and add the following section:
|
1 2 |
[privilege_escalation] become_flags = -H -S |
So I have Ansible 2.8 sudo escalation problem – but why?
There may be a lot of reasons, but in this article, I want to focus on one – wrong ansible.cfg configuration. In the older version of Ansible, you are able to overwrite the default flags passed to sudo by sudo_flags option. By default, it has -H -S -n value. If you don’t use sudo_flags, nothing bad happens. But if you overwrite like in my example:
|
1 2 |
[defaults] sudo_flags = -H -S |
You should see the following deprecation warning prior to Ansible 2.8:
|
1 2 |
[DEPRECATION WARNING]: DEFAULT_SUDO_FLAGS option, In favor of Ansible Become, which is a generic framework. See become_flags. , use become instead. This feature will be removed in version 2.8. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg. |
It says, that since Ansible 2.8 sudo_flags has been removed. Now Ansible uses [privilege_escalation] section to pass these flags, what you can see in the official documentation. So probably your Ansible 2.8 sudo escalation problem can be caused by that change.
sudo_flags has been changed to become_flags and moved to the [privilege_escalation] section
I hope that was the only problem and my post solved your issue. Of course, if you didn’t change default sudo_flags value, you would not have this problem. So there is a chance, that this solution won’t solve your problem and you need to go deeper.
THANK YOU!!! I was struggling with sudo_flags var in ansible.cfg and it was not working at all. this little two line fixed it
[privilege_escalation]
become_flags = -H -S
We have many OS type adn AIX was keeping giving me the “sudo: Illegal option -n” even when sudo_flags in default section was modified.
I’m glad it helped you. 🙂 Whoa, I’ve never used Ansible with AIX, nice! I’m wondering if it works with HP-UX as well… 😀