# Alternate TLDs for development - sudo: a password is required

**URL:** https://discourse.roots.io/t/alternate-tlds-for-development-sudo-a-password-is-required/21335
**Category:** trellis
**Created:** 2021-08-26T16:15:38Z
**Posts:** 29

## Post 1 by @mZoo — 2021-08-26T16:15:38Z

In @nathanielks’s XDebug instructional video, which is (a little outdated, but) great, he uses some alternate top level domain names (`.trellis` and `.valet`, I think).

I tried this and my browsers (Chrome and Safari, so far) aren’t finding it.

Maybe it doesn’t work any more with modern browsers, or maybe I missed a step.

1. Vagrant Hostmanager updated `etc/hosts` with the expected domain names.
2. The `group_vars/development/wordpress_sites.yml` looks like this:

```
wordpress_sites:
  example.club:
    site_hosts:
      - canonical: example.trellis
        redirects:
          - www.example.trellis
```

Did I miss a step? Thanks, folks.

---

## Post 2 by @strarsis — 2021-08-26T17:54:37Z

Is the browser unable to resolve that development domain?  
HTTP or HTTPS connection?  
Connection refused or connection timed out?

---

## Post 3 by @mZoo — 2021-08-26T18:04:23Z

refused. Actually, Chrome wasn’t recognizing it as a web URL without my manually including the `https`.

```
PING example.trellis (192.168.50.5): 56 data bytes
64 bytes from 192.168.50.5: icmp_seq=0 ttl=64 time=0.431 ms
```

Looks like there is an error with mysql, but I think that is a separate issue. Maybe I missed something in rebasing Trellis codebase:

```
Aug 26 18:01:48 example /etc/mysql/debian-start[70262]: FATAL ERROR: Upgrade failed
Aug 26 18:01:48 example /etc/mysql/debian-start[70272]: Checking for insecure root accounts.
Aug 26 18:01:48 example mariadbd[70243]: 2021-08-26 18:01:48 5 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
```

When trying to run `trellis provision --tags mysql development` it’s giving:

```
TASK [python_interpreter : Get Ubuntu version]
non-zero return code
sudo: a password is required
```

---

## Post 4 by @strarsis — 2021-08-26T18:11:39Z

Are you using a recent Trellis release?

> [@Sudo: a password is required + Incorrect sudo password](https://discourse.roots.io/t/sudo-a-password-is-required-incorrect-sudo-password/8058/2):
>
> @DreamOn I would have tried exactly what you described. After playing around with it, I think I understand the problem generally, although I may be incorrect on some details. Only the user root has adequate permissions to create the file, but I think your task was trying as admin. The deploy.yml playbook makes its SSH connections as the [web\_user](https://github.com/roots/trellis/blob/9069df80034dd76b6bf78370a746a76e43e08a35/deploy.yml#L8). I believe your [become\_user](http://docs.ansible.com/ansible/become.html): admin parameter is similar to running sudo -u admin touch \<file\>, i.e., the web\_user becomes admin and tries to touch th…

---

## Post 5 by @mZoo — 2021-08-26T18:18:45Z

I rebased yesterday. Checking if I missed the main deploy script… I seem to have missed `deploy.yml`.

Seems like each time I rebase Trellis, things get missed. Maybe because I’m still relatively new to it.

---

## Post 6 by @mZoo — 2021-08-29T21:53:07Z

### Update

Nope. `trellis up` passes with flying colors, but `trellis provision development` fails with same error on two different (less than year old) just rebased projects.

### So…

With a fresh `trellis new` same result, but `vagrant up --provision` does work. Same sudo password error on both `trellis provision development` and `ansible-playbook dev.yml`. Those commands are supposed to work, right?

---

## Post 7 by @strarsis — 2021-08-29T23:35:59Z

The error message is still `sudo: a password is required`.

1. Can you connect via SSH to the vagrant box as the `admin` user (normal SSH client, not `vagrant ssh`)?
2. Can you run `sudo` as `admin` user inside?

Trellis should set the `ansible_become_pass`, so `ansible` knows what `sudo` password it should use.

> <https://github.com/roots/trellis/blob/a134e81a644aa5df36ee74d30e2370379600dc08/roles/connection/tasks/main.yml#L78-L82>

---

## Post 8 by @mZoo — 2021-08-30T03:05:45Z

I think maybe the admin user wasn’t created. Look, no `admin` user:

```
$ getent passwd | cut -d':' -f1
root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
list
irc
gnats
nobody
systemd-network
systemd-resolve
systemd-timesync
messagebus
syslog
_apt
tss
uuidd
tcpdump
landscape
pollinate
sshd
_rpc
statd
vagrant
systemd-coredump
vboxadd
ntp
mysql
memcache
nginx
```

Would it make a difference that I’m using an external drive for `VAGRANT_HOME`? It isn’t encrypted.

---

## Post 9 by @strarsis — 2021-08-30T11:24:40Z

When you run the provisioning, is it logged somewhere that the `admin` user is created (run in verbose mode if necessary and grep for it)?

> <https://github.com/roots/trellis/blob/17430191bb7211545eb63ba3ba989ee95c262c5f/group_vars/all/users.yml#L12>

---

## Post 10 by @mZoo — 2021-08-30T15:55:05Z

This is what’s happening:

1. `trellis new example.com`
2. `vagrant up`
3. `vagrant provision`

I don’t think there’s a verbose option for either of those vagrant commands.

Everything completes with no errors:

Vagrant Up:

```
PLAY RECAP *********************************************************************
default : ok=133 changed=88 unreachable=0 failed=0 skipped=35 rescued=0 ignored=0
```

Vagrant provision:

```
PLAY RECAP *********************************************************************
default : ok=118 changed=4 unreachable=0 failed=0 skipped=41 rescued=0 ignored=0
```

Then I try to run `ansible-playbook dev.yml -vvv` and it doesn’t get past the first task, `python_interpreter : Get Ubuntu version`

Is there someplace in `vagrant up` or `vagrant provision` that `admin_user` and `web_user` are supposed to be created? I’m not seeing it in the vagrant output.

---

## Post 11 by @strarsis — 2021-08-30T15:59:21Z

`skipped=35`  
`skipped=41`

Can you check in the ansible logs what is logged for the user creation tasks (`admin` and `web`)?

---

## Post 12 by @mZoo — 2021-08-30T16:07:18Z

I wondered about that. There doesn’t seem to be a setting for `$ANSIBLE_LOG_PATH` in the trellis venv, so I added `log_path = ./ansible.log` to `ansible.cfg` and am running `vagrant destroy -f && vagrant up` again.

You are a godsend, @strarsis

On another note, is there a way to add `-vvv` to the `trellis` commands?

---

## Post 13 by @mZoo — 2021-08-30T16:26:32Z

In `vagrant up` the output contains these references to “user”:

```
TASK [common : Generate SSH key for vagrant user] ******************************
TASK [mariadb : Set root user password] ****************************************
TASK [mariadb : Delete anonymous MySQL server users] ***************************
with a mode of 0700, this may cause issues when running as another user. To
TASK [wordpress-setup : Create/assign database user to db and grant permissions] ***
TASK [wordpress-install : Change site owner to user] ***************************
```

And these references to “skip”:

```
skipping: [default] => (item=development)
skipping: [default] => (item=example.com)
skipping: [default] => (item={'type': 'dport_accept', 'dport': ['http', 'https'], 'filename': 'nginx_accept'})
skipping: [default] => (item={'type': 'dport_accept', 'dport': ['ssh'], 'saddr': ['127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']})
skipping: [default] => (item={'type': 'dport_limit', 'dport': ['ssh'], 'seconds': 300, 'hits': 20})
skipping: [default] => (item=example.com)
skipping: [default] => (item=no_default)
skipping: [default] => (item=example.com)
skipping: [default] => (item=no_default)
skipping: [default] => (item=example.com)
skipping: [default] => (item=example.com)
skipping: [default] => (item=example.com)
skipping: [default] => (item={'src': 'ssl.no-default.conf.j2', 'enabled': False})
skipping: [default] => (item={'src': 'ssl.no-default.conf.j2', 'enabled': False})
skipping: [default] => (item={'src': 'no-default.conf.j2'})
skipping: [default] => (item=None)
skipping: [default] => (item=example.com)
skipping: [default]
```

So it’s skipping all of the default tasks. Not sure why. Also tried adding to `ansible.cfg`:

```
default_verbosity=4
default_debug=true
```

But this doesn’t look very verbose:

```
TASK [connection : Set remote user for each host] ******************************
skipping: [192.168.50.5]
```

And I don’t know _why_ it’s skipping, and I am not sure how to get verbose output from running vagrant commands.

Wait… Is `dev.yml` not supposed to have a `- { role: users, tags: [users] }` task in it?

---

## Post 14 by @mZoo — 2021-08-30T22:00:30Z

Okay getting some debug output from vagrant now with `VAGRANT_LOG=debug vagrant up &> debug_log` or `vagrant up --debug &> debug_log`.

Most of the “skipping” tasks are skipped because they are using defaults.

(`DEBUG subprocess: stdout: skipping: [default]`, etc…)

`Tasks [user]` doesn’t appear in the output unless I explicitly add it to `dev.yml`, as noted above.

When I add it, with an “inspection” debug task, users looks like:

```
TASK [users : Inspect users] ***************************************************
Users looks like this [{'name': 'vagrant', 'groups': ['www-data'], 'keys':
['ssh-rsa AAAAB3...uKRQrV
mike@mzoo.org']}, {'name': 'admin', 'groups': ['sudo'], 'keys': ['ssh-rsa AAA
AB3NzaC1yc2EAAAADA...KRQrV
mike@mzoo.org']}]
```

Additional output looks like this:

```
TASK [users : Ensure requested groups are present] *****************************
DEBUG subprocess: stdout: ok: [default] => (item=www-data)
 INFO interface: detail: ok: [default] => (item=www-data)

ok: [default] => (item=www-data)
DEBUG subprocess: stdout: ok: [default] => (item=sudo)
 INFO interface: detail: ok: [default] => (item=sudo)

ok: [default] => (item=sudo)
DEBUG subprocess: stdout: 
TASK [users : Ensure sudo group has sudo privileges] ***************************
 INFO interface: detail: 
TASK [users : Ensure sudo group has sudo privileges] ***************************

TASK [users : Ensure sudo group has sudo privileges] ***************************
DEBUG subprocess: stdout: changed: [default]
 INFO interface: detail: changed: [default]

changed: [default]
DEBUG subprocess: stdout: 
TASK [users : Fail if root login will be disabled but admin_user will not be a sudoer] ***
 INFO interface: detail: 
TASK [users : Fail if root login will be disabled but admin_user will not be a sudoer] ***

TASK [users : Fail if root login will be disabled but admin_user will not be a sudoer] ***
DEBUG subprocess: stdout: skipping: [default]
 INFO interface: detail: skipping: [default]

skipping: [default]
DEBUG subprocess: stdout: 
TASK [users : Inspect users] ***************************************************
 INFO interface: detail: 
TASK [users : Inspect users] ***************************************************

ok: [default]
DEBUG subprocess: stdout: 
TASK [users : Setup users] *****************************************************
 INFO interface: detail: 
TASK [users : Setup users] *****************************************************

TASK [users : Setup users] *****************************************************
DEBUG subprocess: stdout: changed: [default] => (item={'name': 'vagrant', 'groups': ['www-data'], 'keys': ['ssh-rsa AAAAB3...KRQrV mike@mzoo.org']})
 INFO interface: detail: changed: [default] => (item={'name': 'vagrant', 'groups': ['www-data'], 'keys': ['ssh-rsa AAAAB3...ZuKRQrV mike@mzoo.org']})

changed: [default] => (item={'name': 'vagrant', 'groups': ['www-data'], 'keys': ['ssh-rsa AAAAB3...ZuKRQrV mike@mzoo.org']})
DEBUG subprocess: stdout: changed: [default] => (item={'name': 'admin', 'groups': ['sudo'], 'keys': ['ssh-rsa AAAAB...ZuKRQrV mike@mzoo.org']})
 INFO interface: detail: changed: [default] => (item={'name': 'admin', 'groups': ['sudo'], 'keys': ['ssh-rsa AAAAB3...uKRQrV mike@mzoo.org']})

changed: [default] => (item={'name': 'admin', 'groups': ['sudo'], 'keys': ['ssh-rsa AAAAB...ZuKRQrV mike@mzoo.org']})
DEBUG subprocess: stdout: 
TASK [users : Add web user sudoers items for services] *************************
 INFO interface: detail: 
TASK [users : Add web user sudoers items for services] *************************
```

---

## Post 15 by @strarsis — 2021-08-30T22:48:50Z

To rule out issues from trellis-cli, can you run the ansible playbook directly on a running Vagrant box?

```
ansible-playbook server.yml -e env=development
```

Does this work?

---

## Post 16 by @mZoo — 2021-08-30T22:52:57Z

Yes. Thank you. Running over previous `vagrant up` and `vagrant provision` server, same result:

```
TASK [python_interpreter : Get Ubuntu version] ***************************************************************************************
task path: example.com/trellis/roles/python_interpreter/tasks/main.yml:2
<192.168.50.5> ESTABLISH LOCAL CONNECTION FOR USER: mikekilmer
<192.168.50.5> EXEC sudo -H -S -n -u root /bin/sh -c 'echo BECOME-SUCCESS-ghmrvlsmcvmeqvmkluaxlxmwcdqypahr ; lsb_release -rs'
System info:
  Ansible 2.10.13; Darwin
  Trellis 1.8.0: February 12th, 2021
[WARNING]: Failure using method (v2_runner_on_failed) in callback plugin (<ansible.plugins.callback.output.CallbackModule object at
0x110bc3a00>): Invalid color supplied to display: bright gray
Callback Exception:
  File "example.com/trellis/.trellis/virtualenv/lib/python3.9/site-packages/ansible/executor/task_queue_manager.py", line 389, in send_callback
    method(*new_args, **kwargs)
   File "example.com/trellis/lib/trellis/plugins/callback/output.py", line 42, in v2_runner_on_failed
    output.display_host(self, result)
   File "example.com/trellis/lib/trellis/utils/output.py", line 120, in display_host
    display(obj, result)
   File "example.com/trellis/lib/trellis/utils/output.py", line 105, in display
    display(system(obj.vagrant_version), 'bright gray')
   File "example.com/trellis/.trellis/virtualenv/lib/python3.9/site-packages/ansible/utils/display.py", line 215, in display
    raise AnsibleAssertionError('Invalid color supplied to display: %s' % color)
```

I’m going to try the `vagrant destroy` loop again, using that ansible-playbook command rather than `vagrant up` and `vagrant provision`. Is this something that needs to be run following `vagrant up`? Now I’m getting that error when `vagrant up` hasn’t been run.

---

## Post 17 by @mZoo — 2021-08-30T23:07:18Z

> [@strarsis](#):
>
> ```
> ansible-playbook server.yml -e env=development
> ```

With or without `vagrant up` beforehand, this fails with same error.

Cloned the Trellis master directly, created my own `venv` for pip requirements, `server.yml` is looking for a swapfile role, which doesn’t seem to exist (either locally or on github).

I had forgotten to run `ansible-galaxy install -r galaxy.yml`.

Following that, same “password is required” when I run `ansible-playbook server.yml -e env=development`, both before and after `vagrant up`. Same error also after `vagrant provision` and no `admin` user created. Don’t know if there’s supposed to be one, or if `vagrant` is supposed to be the user on dev box.

---

## Post 18 by @mZoo — 2021-08-31T18:22:12Z

Making a little progress here, I think.

It’s trying to run Get Ubuntu Version as my OSX account user, `mikekilmer`. Not sure why. Is that expected behavior?

```
<192.168.50.5> ESTABLISH LOCAL CONNECTION FOR USER: mikekilmer
```

I can log in,

- create that account
- add to admin group
- grant sudo access
- become `mikekilmer`, and executing the command runs without error:

```
sudo su mikekilmer
$ sudo -H -S -p "[sudo via ansible, key=hohotzlimtuwzxgpajolfbnmmnnvcxtz] password:" -u root /bin/sh -c 'echo BECOME-SUCCESS-hohotzlimtuwzxgpajolfbnmmnnvcxtz ; lsb_release -rs
> '
[sudo via ansible, key=hohotzlimtuwzxgpajolfbnmmnnvcxtz] password:
BECOME-SUCCESS-hohotzlimtuwzxgpajolfbnmmnnvcxtz
20.04
```

When running the `server.yml` playbook directly with `--ask-become-pass`, it stalls indefinitely (ten minutes plus) on that command. I’m about ready to throw in the towel on Ansible… I mean Trellis… I mean web development… I mean computers at all. :upside_down_face:

---

## Post 19 by @strarsis — 2021-08-31T19:41:27Z

> [@mZoo](#):
>
> `--ask-become-pass`

This option will cause `ansible` to prompt for the `sudo` password **interactively**.  
As this doesn’t work in playbooks, `ansible` will wait for it unsuccessfully until it times out.

Can you define the password directly in ansible config, e.g. as `ansible_become_password` variable?

---

## Post 20 by @mZoo — 2021-08-31T20:07:42Z

You mean something like this?

```
- block:
    - name: Get Ubuntu version
      raw: lsb_release -rs
      register: ubuntu_version
      changed_when: false
    - name: Set ansible_python_interpreter for Ubuntu >= 18.04
      set_fact:
        ansible_python_interpreter: python3
        ansible_become_password: "mikekilmer"
      when: ubuntu_version.stdout | trim is version('18.04', '>=')
  when: ansible_python_interpreter is not defined
  tags: always
```

---

## Post 21 by @strarsis — 2021-08-31T20:09:30Z

You can also set the `ansible_become_pass` (or `[...]_password`) in the ansible inventory:  
Edit: Better link:

> <https://stackoverflow.com/questions/21870083/specify-sudo-password-for-ansible/37002802#37002802>

---

## Post 22 by @mZoo — 2021-08-31T21:50:09Z

Adding to `hosts/development`? I have tried many variations of the following, all of which do not register the password:

```
[development]
192.168.50.5 ansible_connection=local

[development:vars]
ansible_connection=local ansible_sudo_pass=mikekilmer

[web]
192.168.50.5 ansible_connection=local
```

This one yields “no hosts matched”, skipping server setup altogether:

```
[development:mikekilmer]
ansible_connection=local ansible_sudo_pass=mikekilmer
```

Is there supposed to be a `web` user? I see `www-data` but not `web`.

---
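Added example, not part of the original thread and not Ansible's own code: a simplified Python model of how Ansible's INI inventory assigns variables, run on the first inventory from Post 22. In a `[group:vars]` section each line is one `key=value` pair split at the first `=`, and host-line variables override group variables; the function names and the one-variable-per-line variant are constructed for illustration.

```python
import shlex

# First inventory variant, copied from Post 22.
AS_POSTED = """\
[development]
192.168.50.5 ansible_connection=local

[development:vars]
ansible_connection=local ansible_sudo_pass=mikekilmer

[web]
192.168.50.5 ansible_connection=local
"""

# Constructed variant: the :vars section holds one variable per line.
ONE_PER_LINE = """\
[development]
192.168.50.5 ansible_connection=local

[development:vars]
ansible_sudo_pass=mikekilmer
"""

# Header from the second attempt in Post 22; "mikekilmer" is not a section type.
BAD_SECTION = "[development:mikekilmer]\nansible_connection=local ansible_sudo_pass=mikekilmer\n"


def parse(text):
    """Return (members, host_vars, group_vars) for a small INI inventory."""
    members, host_vars, group_vars = {}, {}, {}
    group, kind = "ungrouped", "hosts"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            group, _, kind = line[1:-1].partition(":")
            kind = kind or "hosts"
            if kind not in ("hosts", "vars", "children"):
                raise ValueError(f"section [{line[1:-1]}] has unknown type: {kind}")
        elif kind == "vars":
            # The whole line is ONE assignment, split at the first "=".
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"expected key=value, got: {line}")
            group_vars.setdefault(group, {})[key.strip()] = value.strip()
        elif kind == "hosts":
            # Host lines are split into shell-like tokens: host k=v k=v ...
            host, *pairs = shlex.split(line)
            members.setdefault(group, []).append(host)
            for pair in pairs:
                key, _, value = pair.partition("=")
                host_vars.setdefault(host, {})[key] = value
    return members, host_vars, group_vars


def effective_vars(text):
    """Merge group variables first, then host variables on top of them."""
    members, host_vars, group_vars = parse(text)
    merged = {}
    for group, hosts in members.items():
        for host in hosts:
            merged.setdefault(host, {}).update(group_vars.get(group, {}))
    for host, own in host_vars.items():
        merged.setdefault(host, {}).update(own)
    return merged


if __name__ == "__main__":
    print(parse(AS_POSTED)[2])          # what the :vars line actually defined
    print(effective_vars(AS_POSTED))    # what the host ends up with
    print(effective_vars(ONE_PER_LINE))
```

On the posted inventory the model leaves `192.168.50.5` with only `ansible_connection=local`: the password text ends up inside the group-level `ansible_connection` value, which the host line then overrides.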

## Post 23 by @mZoo — 2021-09-01T17:03:56Z

I think what it comes down to is that Ansible is trying to connect as the user who runs the playbook in the host machine (`mikekilmer`), while that user hasn’t been created on the guest machine.

Is there supposed to be a user on the guest which matches the host? Or, is Ansible not supposed to be trying to connect as the host user who runs the playbook (`mikekilmer`)?

---

## Post 24 by @strarsis — 2021-09-01T19:26:49Z

Just had an idea: You are using a fresh clone from Trellis, right? Have you also ensured that no `.ansible` folder from previous attempts is used? These hidden folders could still be there.

---

## Post 25 by @mZoo — 2021-09-01T20:16:29Z

Great idea, man. There isn’t a directory (or file) named `.ansible`. There is a `.vagrant` file containing this:

```
Aug 30 20:29 bundler/
Aug 31 07:58 hostmanager/
Aug 30 20:29 machines/
Aug 31 07:58 provisioners/
Aug 30 20:29 rgloader/
```

I think that the `.trellis` file just has the `venv` in it.

The `ansible.cfg` makes reference to `~/.ansible` which looks like this:

```
├── collections
│ └── ansible_collections
├── cp
├── galaxy_cache
│ └── api.json
├── galaxy_token
├── roles
│ ├── composer
│ ├── geerlingguy.daemonize
│ ├── logrotate
│ ├── mailhog
│ ├── ntp
│ └── swapfile
└── tmp
    └── ansible-local-32592z7tt26t4
```

I’m blowing out the `.vagrant` directory and building from scratch again. Will report back.

---

## Post 26 by @mZoo — 2021-09-01T21:02:58Z

Tried blowing out `trellis/.vagrant` as well as `~/.ansible`. Same result. After running `vagrant up --provision`, there is no `admin` user, no `web` user, no user matching the host machine user who runs the playbook.

And same result trying to run `ansible-playbook server.yml -e env=development`:

```
<192.168.50.5> ESTABLISH LOCAL CONNECTION FOR USER: mikekilmer
<192.168.50.5> EXEC sudo -H -S -n -u root /bin/sh -c 'echo BECOME-SUCCESS-qlcblryqaqnlhnqrkaarqfdwxswlthyb ; lsb_release -rs'
System info:
  Ansible 2.10.13; Darwin
  Trellis version (per changelog): "Fix #1277 - Disable PHP CLI memory limit"
---------------------------------------------------
non-zero return code
sudo: a password is required
fatal: [192.168.50.5]: FAILED! => {
    "changed": false,
    "rc": 1,
    "stderr_lines": [
        "sudo: a password is required"
    ],
    "stdout": "",
    "stdout_lines": []
}
```

May be worth mentioning as well, that xDebug doesn’t seem to be enabled, which is what got me trying to run the provisioning tasks in the first place:

```
php -r "printf('xDebug does%s exists.' . PHP_EOL, > extension_loaded('xdebug') ? '' : 'n\'t');"
xDebug doesn't exists.
```

---

## Post 27 by @mZoo — 2021-09-02T02:44:08Z

Here in this [debug output](https://gist.github.com/MikeiLL/6771f8d41f197e23398188881108bc28) it says

`Note: Ansible will attempt connections as user = admin ok: [192.168.50.5]`

But there _is no_ admin user. Do you know if there is supposed to be an `admin` or a `web` user on the dev machine? I see that `vagrant`, in `www-data` group, owns the web files:

```
-rwxr--r-- 1 vagrant www-data 120 Sep 1 17:49 /srv/www/ellipticastudios.com/current/web/index.php
```

Additionally, I’m not sure if the IP address I have set in `vagrant.default.yml` is the one that should be referenced in the logs, but as you can see, it’s `192.168.50.5`. Previously, I’ve been using the default IP. This time, I tried updating it to `192.168.50.9`.

```
## /etc/hosts
## vagrant-hostmanager-start id: 326d3641-8c87-4f6f-a6cd-6eca0685c1c3
192.168.50.9	example.test
192.168.50.9	www.example.test
## vagrant-hostmanager-end
```

If I understand correctly, the following settings in `hosts/development` make it so that _within_ the Vagrant box, `192.168.50.5` is used, while locally, in the host, it’s `192.168.50.9`:

```
[development]
192.168.50.5 ansible_connection=local

[web]
192.168.50.5 ansible_connection=local
```

In the browser, `example.test` is served, but I want to be able to re-provision using Ansible/Trellis, not to mention, I believe xDebug is supposed to be active “out of the box.”

---

## Post 28 by @mZoo — 2021-09-02T16:03:31Z

> [@mZoo](#):
>
> ```
> php -r "printf('xDebug does%s exists.' . PHP_EOL, > extension_loaded('xdebug') ? '' : 'n\'t');"
> xDebug doesn't exists.
> ```

This was a red herring, just telling me that xDebug isn’t enabled for the command line php. If I put `phpinfo()` into a file at `/srv/www/example.com/current/web/info.php` it confirms xDebug _is_ active.

---

## Post 29 by @system — 2021-10-07T16:15:39Z

This topic was automatically closed after 42 days. New replies are no longer allowed.
