Does the role require sudo privileges?

[conorgil]

I did not see any other issues asking this same question, so I think I must be doing something wrong since it runs for other users. I am running the role and getting errors that sudo is required to install the gpg signing key, etc.

TASK: [nodesource.node | Check nodejs_version variable] ***********************
ok: [52.20.7.220]

TASK: [nodesource.node | Ensure the system can use the HTTPS transport for APT] ***
ok: [52.20.7.220]

TASK: [nodesource.node | Install HTTPS transport for APT] *********************
skipping: [52.20.7.220]

TASK: [nodesource.node | Import the NodeSource GPG key into apt] **************
failed: [52.20.7.220] => {"cmd": "apt-key add -", "failed": true, "rc": 1}
stdout: ERROR: This command can only be used by root.

FATAL: all hosts have already failed -- aborting

If I change the role inline to add sudo: yes to the following tasks, then it runs correctly without errors.

# Install Node.js using packages crafted by NodeSource

---
- name: Check nodejs_version variable
  assert:
    that: nodejs_version in [ "0.10", "0.12" ]

- name: Ensure the system can use the HTTPS transport for APT
  stat: path=/usr/lib/apt/methods/https
  register: apt_https_transport

- name: Install HTTPS transport for APT
  sudo: yes
  apt: pkg=apt-transport-https state=installed
  when: not apt_https_transport.stat.exists

- name: Import the NodeSource GPG key into apt
  sudo: yes
  apt_key: url=https://deb.nodesource.com/gpgkey/nodesource.gpg.key state=present

- name: Add NodeSource deb repository
  sudo: yes
  apt_repository: repo='deb https://deb.nodesource.com/node_{{ nodejs_version }} {{ ansible_distribution_release }} main' state=present

- name: Add NodeSource deb-src repository
  sudo: yes
  apt_repository: repo='deb-src https://deb.nodesource.com/node_{{ nodejs_version }} {{ ansible_distribution_release }} main' state=present

- name: Add NodeSource repository preferences
  sudo: yes
  template:
    src: etc/apt/preferences.d/deb_nodesource_com_node.pref.2
    dest: /etc/apt/preferences.d/deb_nodesource_com_node.pref

- name: Install Node.js
  sudo: yes
  apt: pkg=nodejs={{ nodejs_version }}.* state=installed update_cache=yes

Any advice on what I am doing wrong here would be greatly appreciated. Thanks!

[conorgil]

With some additional trial/error, I realized by looking in the role.yml file used for testing that it calls the role and specifies sudo: yes when calling the role instead of having each task within the role define sudo: yes.

I updated my meta/main.yml file to look like this:

dependencies:
  - {
      role: "nodesource.node",
      sudo: yes
    }

and the script worked as expected without error.

I would just close this issue as solved, but it begs the question in my mind: when will we ever not call this role with sudo: yes? If it is required, then would it be easier to just update the tasks/main.yml to put that on each task and then folks do not need to worry about setting it when calling the role?

Thoughts appreciated.

[fubarhouse]

@conorgil I also highly recommend to use this in addition to your recommendation: sudo_user: "{{ ansible_ssh_user}}".

Running purely as sudo will run commands as root and leave applications unavailable to the default user.

Just because the script passes, it doesn't mean the user is able to access all of these cool tools (without sudo - best practice!).

I would also recommend changing sudo to become and sudo_user to become_user purely because the sudo and sudo_user modules have been deprecated in later releases.

[bradmsmith]

How I solved this problem:

roles:
  - role: nodesource.node
    become: yes