Alternate TLDs for development - sudo: a password is required

mZoo · August 26, 2021, 4:15pm

In @nathanielks’s XDebug instructional video, which is (a little outdated, but) great, he uses some alternate top level domain names (.trellis and .valet, I think).

I tried this and my browsers (Chrome and Safari, so far) aren’t finding it.

Maybe it doesn’t work any more with modern browsers, or maybe I missed a step.

Vagrant Hostmanager updated etc/hosts with the expected domain names.
The group_vars/development/wordpress_sites.yml looks like this:

wordpress_sites:
  example.club:
    site_hosts:
      - canonical: example.trellis
        redirects:
          - www.example.trellis

Did I miss a step? Thanks, folks.

strarsis · August 26, 2021, 5:54pm

Is the browser unable to resolve that development domain?
HTTP or HTTPS connection?
Connection refused or connection timed out?

mZoo · August 26, 2021, 6:04pm

refused. Actually, Chrome wasn’t recognizing it as we url without my manually including the https.

PING example.trellis (192.168.50.5): 56 data bytes
64 bytes from 192.168.50.5: icmp_seq=0 ttl=64 time=0.431 ms

Looks like there is an error with mysql, but I think that is a separate issue. Maybe I missed something in rebasing Trellis codebase:

Aug 26 18:01:48 example /etc/mysql/debian-start[70262]: FATAL ERROR: Upgrade failed
Aug 26 18:01:48 example /etc/mysql/debian-start[70272]: Checking for insecure root accounts.
Aug 26 18:01:48 example mariadbd[70243]: 2021-08-26 18:01:48 5 [Warning] Access denied for user 'root'@'localhost' (using password: NO)

When trying to run trellis provision --tags mysql development it’s giving:

TASK [python_interpreter : Get Ubuntu version]
non-zero return code
sudo: a password is required

strarsis · August 26, 2021, 6:11pm

Are you using a recent Trellis release?

mZoo · August 26, 2021, 6:18pm

I rebased yesterday. Checking if I missed the main deploy script… I seemed to have missed deploy.yml.

Seems like each time I rebase Trellis, things get missed. Maybe because I’m still relatively new to it.

mZoo · August 29, 2021, 9:53pm

Update

Nope. trellis up passes with flying colors, but trellis provision development fails with same error on two different (less than year old) just rebased projects.

So…

With a fresh trellis new same result, but vagrant up --provision does work. Same sudo password error on both trellis provision development and ansible-playbook dev.yml. Those commands are supposed to work, right?

strarsis · August 29, 2021, 11:35pm

The error message is still sudo: a password is required.

Can you connect via SSH to the vagrant box as the admin user (normal SSH client, not vagrant ssh)?
Can you run sudo as admin user inside?

Trellis should set the ansible_become_pass, so ansible knows what sudo password it should use.

github.com

roots/trellis/blob/a134e81a644aa5df36ee74d30e2370379600dc08/roles/connection/tasks/main.yml#L78-L82


- name: Load become password
  set_fact:
    ansible_become_pass: "{% raw %}{% for user in vault_users | default([]) if user.name == ansible_user %}{{ user.password | default('') }}{% endfor %}{% endraw %}"
  when: ansible_user != 'root' and not cli_ask_become_pass | default(false) and ansible_become_pass is not defined
  no_log: true

mZoo · August 30, 2021, 3:05am

I think maybe the admin user wasn’t created. Look, no admin user:

$ getent passwd | cut -d':' -f1
root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
list
irc
gnats
nobody
systemd-network
systemd-resolve
systemd-timesync
messagebus
syslog
_apt
tss
uuidd
tcpdump
landscape
pollinate
sshd
_rpc
statd
vagrant
systemd-coredump
vboxadd
ntp
mysql
memcache
nginx

Would it make a difference that I’m using an external drive for VAGRANT_HOME? It isn’t encrypted.

strarsis · August 30, 2021, 11:24am

When you run the provisioning, is somewhere logged that the admin user is created (run in verbose mode if necessary and grep for it)?

github.com

roots/trellis/blob/17430191bb7211545eb63ba3ba989ee95c262c5f/group_vars/all/users.yml#L12


admin_user: admin

# Also define 'vault_users' (`group_vars/staging/vault.yml`, `group_vars/production/vault.yml`)
users:
  - name: "{{ web_user }}"
    groups:
      - "{{ web_group }}"
    keys:
      - "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
      # - https://github.com/username.keys
  - name: "{{ admin_user }}"
    groups:
      - sudo
    keys:
      - "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
      # - https://github.com/username.keys

web_user: web
web_group: www-data
web_sudoers:
  - "/usr/sbin/service php{{ php_version }}-fpm *"

mZoo · August 30, 2021, 3:55pm

This is what’s happening:

trellis new example.com
vagrant up
vagrant provision

I don’t think there’s a verbose option for either of those vagrant commands.

Everything completes with no errors:

Vagrant Up:

PLAY RECAP *********************************************************************
default                    : ok=133  changed=88   unreachable=0    failed=0    skipped=35   rescued=0    ignored=0

Vagrant provision:

PLAY RECAP *********************************************************************
default                    : ok=118  changed=4    unreachable=0    failed=0    skipped=41   rescued=0    ignored=0

Then I try to run ansible-playbook dev.yml -vvv and it doesn’t get past the first task, python_interpreter : Get Ubuntu version

Is there someplace in vagrant up or vagrant provision that admin_user and web_user are supposed to be created? I’m not seeing it in the vagrant output.

strarsis · August 30, 2021, 3:59pm

skipped=35
skipped=41

Can you check the ansible logs what is logged for the user creation tasks (admin and web)?

mZoo · August 30, 2021, 4:07pm

I wondered about that. There doesn’t seem to be a setting for $ANSIBLE_LOG_PATH in the trellis venv, so I added log_path = ./ansible.log to ansible.cfg and am running vagrant destroy -f && vagrant up again.

You are a godsend, @strarsis

On another note, is there a way to add -vvv to the trellis commands?

mZoo · August 30, 2021, 4:26pm

In vagrant up the output contains these references to “user”:

TASK [common : Generate SSH key for vagrant user] ******************************
TASK [mariadb : Set root user password] ****************************************
TASK [mariadb : Delete anonymous MySQL server users] ***************************
with a mode of 0700, this may cause issues when running as another user. To
TASK [wordpress-setup : Create/assign database user to db and grant permissions] ***
TASK [wordpress-install : Change site owner to user] ***************************

And these references to “skip”:

skipping: [default] => (item=development)
skipping: [default] => (item=example.com)
skipping: [default] => (item={'type': 'dport_accept', 'dport': ['http', 'https'], 'filename': 'nginx_accept'})
skipping: [default] => (item={'type': 'dport_accept', 'dport': ['ssh'], 'saddr': ['127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']})
skipping: [default] => (item={'type': 'dport_limit', 'dport': ['ssh'], 'seconds': 300, 'hits': 20})
skipping: [default] => (item=example.com)
skipping: [default] => (item=no_default)
skipping: [default] => (item=example.com)
skipping: [default] => (item=no_default)
skipping: [default] => (item=example.com)
skipping: [default] => (item=example.com)
skipping: [default] => (item=example.com)
skipping: [default] => (item={'src': 'ssl.no-default.conf.j2', 'enabled': False})
skipping: [default] => (item={'src': 'ssl.no-default.conf.j2', 'enabled': False})
skipping: [default] => (item={'src': 'no-default.conf.j2'})
skipping: [default] => (item=None)
skipping: [default] => (item=example.com)
skipping: [default]

So it’s skipping all of the default tasks. Not sure why. Also tried adding to ansible.cfg:

default_verbosity=4
default_debug=true

But this doesn’t look very verbose:

TASK [connection : Set remote user for each host] ******************************
skipping: [192.168.50.5]

And I don’t know why it’s skipping, and I am not sure how to get verbose output from running vagrant commands.

Wait… Is dev.yml not supposed to have a - { role: users, tags: [users] } task in it?

mZoo · August 30, 2021, 10:00pm

Okay getting some debug output from vagrant now with VAGRANT_LOG=debug vagrant up &> debug_log or vagrant up --debug &> debug_log.

Most of the “skipping” tasks are skipped because they are using defaults.

(DEBUG subprocess: stdout: skipping: [default], etc…)

Tasks [user] doesn’t appear in the output unless I explicitly add it to dev.yml, as noted above.

When I add it, with an “inspection” debug task, users looks like:

TASK [users : Inspect users] ***************************************************
Users looks like this [{'name': 'vagrant', 'groups': ['www-data'], 'keys':
['ssh-rsa AAAAB3...uKRQrV
mike@mzoo.org']}, {'name': 'admin', 'groups': ['sudo'], 'keys': ['ssh-rsa AAA
AB3NzaC1yc2EAAAADA...KRQrV
mike@mzoo.org']}]

Additional output looks like this:

TASK [users : Ensure requested groups are present] *****************************
DEBUG subprocess: stdout: [ok: [default] => (item=www-data)[0m
 INFO interface: detail: [ok: [default] => (item=www-data)[0m

[ok: [default] => (item=www-data)[0m
DEBUG subprocess: stdout: [ok: [default] => (item=sudo)[0m
 INFO interface: detail: [ok: [default] => (item=sudo)[0m

[ok: [default] => (item=sudo)[0m
DEBUG subprocess: stdout: 
TASK [users : Ensure sudo group has sudo privileges] ***************************
 INFO interface: detail: 
TASK [users : Ensure sudo group has sudo privileges] ***************************


TASK [users : Ensure sudo group has sudo privileges] ***************************
DEBUG subprocess: stdout: [changed: [default][0m
 INFO interface: detail: [changed: [default][0m

[changed: [default][0m
DEBUG subprocess: stdout: 
TASK [users : Fail if root login will be disabled but admin_user will not be a sudoer] ***
 INFO interface: detail: 
TASK [users : Fail if root login will be disabled but admin_user will not be a sudoer] ***


TASK [users : Fail if root login will be disabled but admin_user will not be a sudoer] ***
DEBUG subprocess: stdout: [skipping: [default][0m
 INFO interface: detail: [skipping: [default][0m

[skipping: [default][0m
DEBUG subprocess: stdout: 
TASK [users : Inspect users] ***************************************************
 INFO interface: detail: 
TASK [users : Inspect users] ***************************************************

[ok: [default][0m
DEBUG subprocess: stdout: 
TASK [users : Setup users] *****************************************************
 INFO interface: detail: 
TASK [users : Setup users] *****************************************************


TASK [users : Setup users] *****************************************************
DEBUG subprocess: stdout: [changed: [default] => (item={'name': 'vagrant', 'groups': ['www-data'], 'keys': ['ssh-rsa AAAAB3...KRQrV mike@mzoo.org']})[0m
 INFO interface: detail: [changed: [default] => (item={'name': 'vagrant', 'groups': ['www-data'], 'keys': ['ssh-rsa AAAAB3...ZuKRQrV mike@mzoo.org']})[0m

[changed: [default] => (item={'name': 'vagrant', 'groups': ['www-data'], 'keys': ['ssh-rsa AAAAB3...ZuKRQrV mike@mzoo.org']})[0m
DEBUG subprocess: stdout: [changed: [default] => (item={'name': 'admin', 'groups': ['sudo'], 'keys': ['ssh-rsa AAAAB...ZuKRQrV mike@mzoo.org']})[0m
 INFO interface: detail: [changed: [default] => (item={'name': 'admin', 'groups': ['sudo'], 'keys': ['ssh-rsa AAAAB3...uKRQrV mike@mzoo.org']})[0m

[changed: [default] => (item={'name': 'admin', 'groups': ['sudo'], 'keys': ['ssh-rsa AAAAB...ZuKRQrV mike@mzoo.org']})[0m
DEBUG subprocess: stdout: 
TASK [users : Add web user sudoers items for services] *************************
 INFO interface: detail: 
TASK [users : Add web user sudoers items for services] *************************

strarsis · August 30, 2021, 10:48pm

To rule out issues from trelils-cli, can you run the ansible playbook directly on a running Vagrant box?

ansible-playbook server.yml -e env=development

Does this work?

mZoo · August 30, 2021, 10:52pm

Yes. Thank you. Running over previous vagrant up and vagrant provision server, same result:

TASK [python_interpreter : Get Ubuntu version] ***************************************************************************************
task path: example.com/trellis/roles/python_interpreter/tasks/main.yml:2
<192.168.50.5> ESTABLISH LOCAL CONNECTION FOR USER: mikekilmer
<192.168.50.5> EXEC sudo -H -S -n  -u root /bin/sh -c 'echo BECOME-SUCCESS-ghmrvlsmcvmeqvmkluaxlxmwcdqypahr ; lsb_release -rs'
System info:
  Ansible 2.10.13; Darwin
  Trellis 1.8.0: February 12th, 2021
[WARNING]: Failure using method (v2_runner_on_failed) in callback plugin (<ansible.plugins.callback.output.CallbackModule object at
0x110bc3a00>): Invalid color supplied to display: bright gray
Callback Exception:
  File "example.com/trellis/.trellis/virtualenv/lib/python3.9/site-packages/ansible/executor/task_queue_manager.py", line 389, in send_callback
    method(*new_args, **kwargs)
   File "example.com/trellis/lib/trellis/plugins/callback/output.py", line 42, in v2_runner_on_failed
    output.display_host(self, result)
   File "example.com/trellis/lib/trellis/utils/output.py", line 120, in display_host
    display(obj, result)
   File "example.com/trellis/lib/trellis/utils/output.py", line 105, in display
    display(system(obj.vagrant_version), 'bright gray')
   File "example.com/trellis/.trellis/virtualenv/lib/python3.9/site-packages/ansible/utils/display.py", line 215, in display
    raise AnsibleAssertionError('Invalid color supplied to display: %s' % color)

I’m going to try the vagrant destroy loop again, using that ansible-playbook commend rather than vagrant up and vagrant provision. Is this something that needs to be run following vagrant up? Now I’m getting that error when vagrant up hasn’t been run.

mZoo · August 30, 2021, 11:07pm

With or without vagrant up beforehand, this fails with same error.

Cloned the Trellis master directly, created my own venv for pip requirements, server.yml is looking for a swapfile role, which doesn’t seem to exist (either locally or on github).

I had forgotten to run ansible-galaxy install -r galaxy.yml.

Following that, same “password is required” when I run ansible-playbook server.yml -e env=development, both before and after vagrant up. Same error also after vagrant provision and no admin user created. Don’t know if there’s supposed to be one, or if vagrant is supposed to be the user on dev box.

mZoo · August 31, 2021, 6:22pm

Making a little progress here, I think.

It’s trying to run Get Ubuntu Version as my OSX account user, mikekilmer. Not sure why. Is that expected behavior?

<192.168.50.5> ESTABLISH LOCAL CONNECTION FOR USER: mikekilmer

I can login,

create that account
add to admin group
grant sudo access
become mikekilmer and execute the command runs without error:

sudo su mikekilmer
$ sudo -H -S  -p "[sudo via ansible, key=hohotzlimtuwzxgpajolfbnmmnnvcxtz] password:" -u root /bin/sh -c 'echo BECOME-SUCCESS-hohotzlimtuwzxgpajolfbnmmnnvcxtz ; lsb_release -rs
> '
[sudo via ansible, key=hohotzlimtuwzxgpajolfbnmmnnvcxtz] password:
BECOME-SUCCESS-hohotzlimtuwzxgpajolfbnmmnnvcxtz
20.04

When running the server.yml playbook directly with --ask-become-pass, it stalls indefinitely (ten minutes plus) on that command. I’m about ready to throw in the towel on Ansible… I mean Trellis… I mean web development… I mean computers at all.

strarsis · August 31, 2021, 7:41pm

This option will cause ansible to prompt for the sudo password interactively.
As this doesn’t work in playbooks, ansible will wait for it unsuccessfully until it times out.

Can you define the password directly in ansible config, e.g. as ansible_become_password variable?

mZoo · August 31, 2021, 8:07pm

You mean something like this?

- block:
    - name: Get Ubuntu version
      raw: lsb_release -rs
      register: ubuntu_version
      changed_when: false
    - name: Set ansible_python_interpreter for Ubuntu >= 18.04
      set_fact:
        ansible_python_interpreter: python3
        ansible_become_password: "mikekilmer"
      when: ubuntu_version.stdout | trim is version('18.04', '>=')
  when: ansible_python_interpreter is not defined
  tags: always