Comcast / ansible-sdkman

An Ansible role that installs, configures, and manages SDKMAN
https://galaxy.ansible.com/Comcast/sdkman/
Apache License 2.0

Unable to execute privileged commands in role #60

Closed artis3n closed 3 years ago

artis3n commented 3 years ago

I am using become: true on my import_role task to call this role and setting sdkman_user and sdkman_group to the user who should be able to invoke sdkman.

However, I am hitting this error. ansible_become_password is set correctly and I can invoke other privileged commands without issue.

[Screenshot of the error: 2021-07-26_14-52-49]

What do I need to do to get the role working? I am on an OSX machine but the role executes without an issue on my OSX thing in CircleCI where the user is passwordless sudo. So I don't believe there is an OS incompatibility.

elliotweiser commented 3 years ago

@artis3n Hi! Please copy the exact way in which you are invoking this role, including the version of the role you have installed. Thanks!

artis3n commented 3 years ago

Yeah, absolutely.

[WARNING]: - Comcast.sdkman (1.7.0) is already installed - use --force to
change version to unspecified

So 1.7.0 invoked in a playbook with:

- name: Java | Install SDKMan
  become: true
  ansible.builtin.import_role:
    name: Comcast.sdkman
  vars:
    sdkman_user: "{{ lookup('env', 'USER') }}"
    sdkman_group: staff
    sdkman_auto_answer: true
    sdkman_update: true
    sdkman_auto_selfupdate: true
    # This was moved to a vars.yml variable but Ansible threw interpolation errors so back it goes
    sdkman_install_packages:
      - {candidate: 'java', version: '16.0.1.hs-adpt'}
      - {candidate: 'java', version: '8.0.292.hs-adpt'}
      - {candidate: 'java', version: '11.0.12.7.2-amzn'}
    sdkman_defaults:
      java: '8.0.292.hs-adpt'
    sdkman_flush_caches_before:
      - temp
    sdkman_flush_caches_after:
      - archives
      - broadcast
      - candidates
      - temp
    sdkman_offline_mode: false
    sdkman_update_alternatives:
      - candidate: java
        name: java
        link: /usr/bin/java
      - candidate: java
        name: javac
        link: /usr/bin/javac

elliotweiser commented 3 years ago

I'm a little curious why you need privilege escalation at all. On macOS, you can generally get away with installing SDKMAN without root. I notice you are not specifying become_user here, so maybe you are setting it elsewhere? I suppose it would be helpful to know...

  1. Is this a local-only use-case? i.e. Is there an SSH user involved?
  2. If SSH to remote machine is happening, is the SSH user different from the sdkman_user?
  3. Are you setting become_user? i.e. at the command-line, or on the play itself.

artis3n commented 3 years ago

Hey, yeah it is local-only. I was not using become:true but received the same error so I tried applying it and didn't see a difference. Not setting become_user so it is defaulting to root.

elliotweiser commented 3 years ago

@artis3n Ah I see. In that case, I think you can get by with the --skip-tags=sdkman_privilege approach. See the README. Let me know how it goes!

Addendum: If you're doing this, then obviously remove the become: true piece :)

artis3n commented 3 years ago

Thanks, that looks to be working. If I set the sdkman_user and sdkman_group to someone else on the local system I'll be in trouble with https://github.com/Comcast/ansible-sdkman/blob/master/tasks/install.yml#L83 but that's not the intended approach so should be fine. Thanks for your prompt responses.