pigmonkey / spark

Arch Linux Provisioning with Ansible
The Unlicense

Ansible AUR module keeps asking for sudo password #74

Open elvetemedve opened 6 years ago

elvetemedve commented 6 years ago

The problem

When packages from the AUR are being installed and the process takes longer than passwd_timeout of sudo, then I get a sudo password prompt and the installation is paused. I would expect Ansible to provide a non-interactive provisioning process (do not ask for any info during the provisioning process, except at the very beginning or end).

If the AUR module could utilise the become feature of Ansible that would be great.

Actual result

I have to type the password of my user multiple times.

spark-install-aur-fonts

Expected result

Installation/uninstallation completes without prompting for password at all.

pigmonkey commented 6 years ago

I haven't seen this. It looks like this is new behaviour in makepkg. It may be they are now looking at the effective UID instead of the actual UID. Whatever the cause, using become won't help here. (You would end up running makepkg as become_user, and then when makepkg gets to the install stage it will prompt you for become_user's sudo password to install as root.)

We need to change the AUR module so that it builds and installs the package in separate steps. Build using makepkg using sudo, but install using pacman as root.

pigmonkey commented 6 years ago

Is this fixed with the latest ansible-aur module?

elvetemedve commented 6 years ago

It's fixed for the Install AUR fonts task, but for some reason the Install cower task still asks for password.

pigmonkey commented 6 years ago

I'm not sure what is causing that. Cower is installed the same as the fonts. I uninstalled cower and successfully reinstalled it via that task without a password prompt.

elvetemedve commented 6 years ago

I have no idea why that is. I created a new Arch Linux installation in Virtualbox and ran Ansible from there (so not only Cower is installed, but all other packages too). I'll try it again.

elvetemedve commented 6 years ago

@pigmonkey I created a fresh Arch Linux installation and provisioned it with the latest commit. I still get the password prompt. [screenshot from 2018-04-04 23-36-17]

pigmonkey commented 6 years ago

Have you updated the submodule?

$ git submodule foreach git pull origin master 

What does the ~/aur/cower directory look like at the point of the sudo prompt?

elvetemedve commented 6 years ago

> Have you updated the submodule?

I've only run git submodule update. Running the command you posted did not help.

> What does the ~/aur/cower directory look like at the point of the sudo prompt?

screenshot from 2018-04-05 22-42-38

pigmonkey commented 6 years ago

This is caused by the -s flag we pass to makepkg, causing it to install build dependencies with pacman. I don't think there's any way around this, short of telling Ansible to install all build dependencies in one task and then installing the AUR package in a second task. That is lame, and would become unmaintainable.

The only other solution I can think of is to either increase the sudo timeout, or configure sudo to allow passwordless pacman. Both of those seem like bad ideas compared to just making the user enter the password during install.

elvetemedve commented 6 years ago

None of these sounds like a proper solution to me. :(

I think the current workflow is incorrect: Run Ansible as root --> run Cower (and makepkg) as normal user --> run Pacman as root by sudo

A better workflow would be: Run Ansible as root --> run AUR helper as root --> run makepkg as normal user --> run Pacman as root by AUR helper

Choosing a different AUR helper could be a solution. For example pikaur can be run as root and it will run makepkg in a sandbox environment by utilising systemd-run command and Dynamic Users feature of systemd. See details here and here. What do you think?

ckotte commented 6 years ago

You could try the Ansible module kewlfft/ansible-aur and use pikaur as the AUR helper.

When I run my playbook on a fresh Arch system with root, I still have to enter the user's password before installing cower and pacaur (via makepkg) since it's necessary to use become_user: "{{ user.name }}" with every aur task.

Since I switched to this module and pacaur, I have the feeling that I don't need to type in the user's password so often when configuring a new system. Probably because of the sudoloop feature of pacaur. I think I could further reduce this if I extend the sudo timeout.

Do you need to get rid of all (additional) sudo prompts or is it just annoying?

elvetemedve commented 6 years ago

As a user it's simply annoying. Secondly I planned to contribute to this project by creating automated tests for Ansible roles. That would help keep the project up to date and monitor external changes like deprecated packages. In order to make the installation process fully automated, I need to get rid of all password prompts first.

ckotte commented 6 years ago

But you definitely need to type in the password if you install pikaur with makepkg. If it's just for automated testing, you could use e.g. Vagrant and configure password-less sudo for the vagrant and normal user!?

pigmonkey commented 6 years ago

I'd rather not depend on a helper to install the packages.

Currently the workflow is:

1) Run Ansible as root
2) Download and extract package as user using sudo via curl and tar (or cower, if available)
3) Install build dependencies as user using sudo via makepkg/pacman
4) Build package as user using sudo via makepkg
5) Install package as root

The problem is caused by step 3 (which is technically part of the building in step 4, but it is more useful to visualize it separately). Makepkg is running as the user, sees that it is missing a build dependency, and so it basically tries sudo pacman -S --asdeps thedependency.

You'd want to modify the workflow to be:

1) Run Ansible as root
2) Download and extract package as user using sudo via curl and tar (or cower, if available)
3) Parse makedepends from the PKGBUILD and install missing packages as root
4) Build package as user using sudo via makepkg (without passing -s)
5) Install package as root

elvetemedve commented 6 years ago

@ckotte I agree that passwordless sudo configuration could be the way to go about test automation.

@pigmonkey I don't get it. Step 4 still utilises sudo, so what do we gain by changing step 3?

pigmonkey commented 6 years ago

In step 2 and 4, root uses sudo to become the user and execute the commands. Root does not need a password to become a user.

Currently in step 3, root uses sudo to become the user, and the user then uses sudo to become root. The user does need a password to become root, hence the password prompt.
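
The modified workflow outlined in the thread (root installs the build dependencies, then makepkg runs as the user without -s), as an added example that is not code from spark or ansible-aur. It assumes the dependency list is read as data from .SRCINFO text produced by `makepkg --printsrcinfo` run as the build user, so root never sources the PKGBUILD, and it goes slightly beyond the thread by including `depends` as well as `makedepends`, since makepkg checks both; `parse_deps`, `build_plan` and `pkgfile` are hypothetical names.

```python
import re

# Constructed sample in the format printed by `makepkg --printsrcinfo`
# (run as the build user); it is not taken from the thread.
SAMPLE_SRCINFO = """\
pkgbase = examplepkg
	pkgver = 1.0
	makedepends = perl
	makedepends = cmake>=3.10
	makedepends_i686 = lib32-gcc-libs
	depends = curl
	depends = yajl>=2.0

pkgname = examplepkg
"""

PKG_NAME = re.compile(r"[A-Za-z0-9@_+][A-Za-z0-9@._+-]*")

def parse_deps(srcinfo, arch="x86_64"):
    """Collect dependency names from .SRCINFO text without executing the PKGBUILD."""
    wanted = {"depends", "makedepends", f"depends_{arch}", f"makedepends_{arch}"}
    deps = []
    for line in srcinfo.splitlines():
        key, sep, value = line.strip().partition(" = ")
        if not sep or key not in wanted:
            continue
        name = re.split(r"[<>=]", value, maxsplit=1)[0].strip()
        # The value is written by the package author and ends up on a root
        # command line, so refuse anything that is not a plain package name.
        if not PKG_NAME.fullmatch(name):
            raise ValueError(f"refusing dependency entry: {value!r}")
        if name not in deps:
            deps.append(name)
    return deps

def build_plan(user, build_dir, srcinfo, pkgfile):
    """Return (argv, cwd) pairs for steps 3-5, to be run by root in order."""
    deps = parse_deps(srcinfo)
    steps = []
    if deps:  # pacman -S with no targets is an error, so skip the step
        # Step 3: root installs the dependencies itself.
        steps.append((["pacman", "-S", "--asdeps", "--needed", "--noconfirm", *deps], None))
    # Step 4: root -> user needs no password; no -s, so makepkg never calls sudo.
    steps.append((["sudo", "-u", user, "makepkg", "--noconfirm"], build_dir))
    # Step 5: root installs the built package file.
    steps.append((["pacman", "-U", "--noconfirm", pkgfile], None))
    return steps
```

Dependencies that exist only in the AUR cannot be installed by `pacman -S` and would have to be built first through the same steps.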