I'm trying to use a dedicated user to run playbooks requesting escalation of privilege via Rundeck. The user on the remote server (rundeck) is in sudoers. And yet it doesn't work.
I generate the nodes via the Ansible inventory. No problem there. I configure my node source as follows:
On the Default Node Executor side, like this (all other values are empty):
The job fails: FAILED! => {"msg": "Missing sudo password"}
If I add my user on the remote server in /etc/sudoers:
rundeck ALL=(ALL) NOPASSWD:ALL
it works. But this is not a solution that I am considering, for security reasons.
In the service.log I find this just before running the job:
/usr/lib/python3.10/getpass.py:91: GetPassWarning: Can not control echo on the terminal.
passwd = fallback_getpass(prompt, stream)
Warning: Password input may be echoed.
SSH password:
Warning: Password input may be echoed.
BECOME password[defaults to SSH password]:
PLAY [all] *********************************************************************
TASK [Ensure tmpdir data directory] ********************************************
changed: [SERVER -> localhost]
TASK [Template the gathered facts] *********************************************
changed: [SERVER -> localhost]
PLAY RECAP *********************************************************************
SERVER : ok=2 changed=2 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
And when executing the job:
ERROR node.NodeStepPluginAdapter - Error executing node step.
com.dtolabs.rundeck.core.execution.workflow.steps.node.NodeStepException: ERROR: Ansible execution returned with non zero code.
at com.rundeck.plugins.ansible.plugin.AnsiblePlaybookWorflowNodeStep.executeNodeStep(AnsiblePlaybookWorflowNodeStep.java:95) ~[?:?]
at com.dtolabs.rundeck.core.execution.workflow.steps.node.NodeStepPluginAdapter.executeNodeStep(NodeStepPluginAdapter.java:169) ~[rundeck-core-5.1.1-20240305.jar!/:?]
at com.dtolabs.rundeck.core.execution.ExecutionServiceImpl.executeNodeStep(ExecutionServiceImpl.java:207) ~[rundeck-core-5.1.1-20240305.jar!/:?]
at com.dtolabs.rundeck.core.execution.dispatch.SequentialNodeDispatcher.dispatch(SequentialNodeDispatcher.java:130) ~[rundeck-core-5.1.1-20240305.jar!/:?]
at com.dtolabs.rundeck.core.execution.dispatch.SequentialNodeDispatcher.dispatch(SequentialNodeDispatcher.java:61) ~[rundeck-core-5.1.1-20240305.jar!/:?]
at com.dtolabs.rundeck.core.execution.ExecutionServiceImpl.dispatchToNodesWith(ExecutionServiceImpl.java:263) ~[rundeck-core-5.1.1-20240305.jar!/:?]
at com.dtolabs.rundeck.core.execution.ExecutionServiceImpl.dispatchToNodes(ExecutionServiceImpl.java:234) ~[rundeck-core-5.1.1-20240305.jar!/:?]
at com.dtolabs.rundeck.core.execution.workflow.steps.NodeDispatchStepExecutor.executeWorkflowStep(NodeDispatchStepExecutor.java:66) ~[rundeck-core-5.1.1-20240305.jar!/:?]
at com.dtolabs.rundeck.core.execution.ExecutionServiceImpl.executeStep(ExecutionServiceImpl.java:111) ~[rundeck-core-5.1.1-20240305.jar!/:?]
at com.dtolabs.rundeck.core.execution.workflow.BaseWorkflowExecutor.executeWFItem(BaseWorkflowExecutor.java:285) ~[rundeck-core-5.1.1-20240305.jar!/:?]
at com.dtolabs.rundeck.core.execution.workflow.BaseWorkflowExecutor.executeWorkflowStep(BaseWorkflowExecutor.java:681) ~[rundeck-core-5.1.1-20240305.jar!/:?]
at com.dtolabs.rundeck.core.execution.workflow.engine.StepCallable.apply(StepCallable.java:71) ~[rundeck-core-5.1.1-20240305.jar!/:?]
at com.dtolabs.rundeck.core.execution.workflow.engine.StepOperation.apply(StepOperation.java:76) ~[rundeck-core-5.1.1-20240305.jar!/:?]
at com.dtolabs.rundeck.core.execution.workflow.engine.StepOperation.apply(StepOperation.java:32) ~[rundeck-core-5.1.1-20240305.jar!/:?]
at com.dtolabs.rundeck.core.rules.WorkflowEngineOperationsProcessor.lambda$beginOperation$1(WorkflowEngineOperationsProcessor.java:323) ~[rundeck-core-5.1.1-20240305.jar!/:?]
at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:131) [guava-32.0.1-jre.jar!/:?]
at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:75) [guava-32.0.1-jre.jar!/:?]
at com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:82) [guava-32.0.1-jre.jar!/:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
at java.lang.Thread.run(Thread.java:829) [?:?]
[2024-03-05T11:46:56,700] ERROR services.ExecutionUtilService - Execution failed: 191 in project Ansible: [Workflow result: , step failures: {1=Dispatch failed on 1 nodes: [SERVER: AnsibleNonZero: ERROR: Ansible execution returned with non zero code. + {dataContext=MultiDataContextImpl(map={}, base=null)} ]}, Node failures: {SERVER=[AnsibleNonZero: ERROR: Ansible execution returned with non zero code. + {dataContext=MultiDataContextImpl(map={}, base=null)} ]}, status: failed]
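A check for the blanket grant mentioned in the post (`rundeck ALL=(ALL) NOPASSWD:ALL`), as an added example that is not part of the original issue or of the Rundeck or Ansible projects: it scans sudoers text for rules that allow every command without a password. The sample file content and the function name `blanket_nopasswd` are constructed for illustration.

```python
import re

# Constructed sample; only the first rule is the line quoted in the issue.
SAMPLE = """\
# automation accounts
rundeck ALL=(ALL) NOPASSWD:ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart myapp, \\
        /usr/bin/journalctl -u myapp
%admin  ALL=(ALL, !root) ALL
Defaults:rundeck !requiretty
ops     ALL=(ALL) PASSWD: /usr/bin/less, NOPASSWD: ALL
"""

TAG = re.compile(r"(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV)\s*:\s*")
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def blanket_nopasswd(text):
    """Return (who, rule) for every rule that grants ALL commands without a password.

    Simplifications: include directives are not followed, aliases are not
    expanded, multiple host specs on one line and commas escaped inside
    command arguments are not handled.
    """
    findings = []
    joined = re.sub(r"\\\n", " ", text)           # join continuation lines
    for line in map(str.strip, joined.splitlines()):
        if not line or line.startswith("#") or line.startswith(SKIP) or "=" not in line:
            continue
        lhs, rhs = line.split("=", 1)
        rhs = re.sub(r"\([^)]*\)", "", rhs)       # drop Runas specs such as (ALL, !root)
        nopasswd = False                          # tags carry over to later commands
        for cmd in map(str.strip, rhs.split(",")):
            while (m := TAG.match(cmd)):
                if m.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = m.group(1) == "NOPASSWD"
                cmd = cmd[m.end():]
            if nopasswd and cmd == "ALL":
                findings.append((lhs.split()[0], line))
                break
    return findings


if __name__ == "__main__":
    for who, rule in blanket_nopasswd(SAMPLE):
        print(f"blanket NOPASSWD for {who}: {rule}")
```

Rules that limit NOPASSWD to named commands (the `deploy` line in the sample) are not flagged; only the `rundeck` and `ops` rules are.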