FAILED -- TASK (Syntax error) [users | Add web user sudoers items for services]

deschet · November 4, 2015, 2:30pm

During the provisioning of a Digital Ocean instance when running the command $ ansible-playbook -i hosts/production server.yml -K

I get the following error:

TASK: [users | Add web user sudoers items for services] ***********************
failed: [102.XX.XX.XX] => {"failed": true}
msg: failed to validate: rc:1 error:>>> /root/.ansible/tmp/ansible-tmp-1446586517.73-164968937048464/source: syntax error near line 3 <<<
>>> /root/.ansible/tmp/ansible-tmp-1446586517.73-164968937048464/source: syntax error near line 4 <<<
>>> /root/.ansible/tmp/ansible-tmp-1446586517.73-164968937048464/source: syntax error near line 5 <<<
>>> /root/.ansible/tmp/ansible-tmp-1446586517.73-164968937048464/source: syntax error near line 5 <<<
>>> /root/.ansible/tmp/ansible-tmp-1446586517.73-164968937048464/source: syntax error near line 6 <<<
>>> /root/.ansible/tmp/ansible-tmp-1446586517.73-164968937048464/source: syntax error near line 6 <<<

I’m lost for ideas on how to get around this error.

I’ve made sure I created a sudoer_password (for both a admin & web user (web user -> I believe wasn’t necessary)) by running the command:

$ python -c "from passlib.hash import sha512_crypt; import getpass; print sha512_crypt.encrypt(getpass.getpass())"
   - ENTER PASSWORD
    $ RETURN SHA
    PASTE SHA in vars/sudoers_password.yml

I’ve tried setting:
security.yml ---> sshd_permit_root_login: true as well as security.yml ---> sshd_permit_root_login: false

I’m able to to ssh in as root and admin. However, shouldn’t ssh for the root account be disabled and only the admin be able to ssh?

Anyways…

Please reply back with some guidance. Thanks in advance!

swalkinshaw · November 4, 2015, 5:38pm

That error is coming from here: https://github.com/roots/trellis/blob/f6b4976f7169f5d7941e853534a7606e2eefd7fa/roles/users/tasks/main.yml#L31-L39

Ansible provides a nice helper to validate the text you are about to add to sudoers since if you made a mistake you could lock yourself out of your machine.

So sudoers does not like whatever text is ending up in the template here: https://github.com/roots/trellis/blob/f6b4976f7169f5d7941e853534a7606e2eefd7fa/roles/users/templates/sudoers.d.j2

Maybe @fullyint can help more about this.

fullyint · November 4, 2015, 7:16pm

@deschet I haven’t seen this error for a Trellis-user before and I’m not sure what’s causing it.

As @swalkinshaw pointed out, the validation appears to be failing for the sudoer file being created. Do you have this exact web_sudoers entry with no modifications? Be sure your text-editor hasn’t done anything strange with the quotes or symbols. If you didn’t have the default there, change it to default and try running server.yml again. If that doesn’t do it, read on.

Let’s see what file contents the sudoer template would create if it weren’t failing validation. Create a new playbook file with the contents below. Name it debug.yml and save it in your Trellis project next to server.yml.

- name: Debugging sudoers file
  hosts: localhost
  tasks:
    - name: Add web user sudoers items for services
      template:
        src: roles/users/templates/sudoers.d.j2
        dest: /tmp/sudo-debug

Now run the playbook, which will skip validation and create the sudoer file in your /tmp directory:

ansible-playbook debug.yml -i hosts/production

Now go find the file at /tmp/sudo-debug and paste the content here for us to review for trouble. For comparison, here is the content from mine after following the steps above:

# Ansible managed: /Users/philip/projects/roots/example.com/ansible/roles/users/templates/sudoers.d.j2 modified on 2015-04-03 06:05:31 by philip on Philips-MacBook-Pro.local

web ALL=(root) NOPASSWD: /usr/sbin/service hhvm *
web ALL=(root) NOPASSWD: /usr/sbin/service php5-fpm *

You are correct that default Trellis does not need a sudoer_password for the web_user, so you might as well remove it for the sake of keeping defaults wherever possible.

SSH for root would be disabled in the sshd role, but your playbook is failing before then, in the users role. In your case, the sshd roles has probably not run, so root has not yet been disabled. That being the case, you will not yet need to add the -K option (aka --ask-become-pass) to your ansible-playbook command. You may want to try re-running server.yml without -K to see if for some weird reason it causes a problem to use -K before it is needed.

deschet · November 4, 2015, 7:16pm

Thank you for the replying! Yes, I do understand where the error is coming from but I’m unable to figure the reason for it.

Is it because of an incorrect variable I set in a template or possibly I’m running the incorrect command to deploy or is it possibly a bad ansible install on my OS X Yosemite or…?

What I do know is:

Admin user was created. Validated by logging into my Digital Ocean instance $ ssh admin@staging.example.com
Admin user DOES NOT have sudo access. After ssh’d into server and entering password (the one setup in my sudoer_passwords.yml), I’m unable to get sudo access. Verified by:
```
 $ visudo
       visudo: /etc/sudoers: Permission denied
   $ su (root)  * tried both
        Password:
        su: Authentication failure
```

So basically, my admin user isn’t being setup correctly (with sudo privileges) when I run the command $ ansible-playbook -i hosts/staging server.yml -K -vvvv to have ansible setup and provision the Digital Ocean instance.

The only TASK failing is the one I listed above.

Note: I tested deploying to both a production server (initial post), as well as to a staging server (this post) with the same results. After a change, I’ve trashed the dropplet and attempted to deploy to fresh a instance…done so over 10 times now.

deschet · November 4, 2015, 7:24pm

Here’s my /tmp/sudo-debug file:

# Ansible managed: /Users/my_username/code/client-sites/ansible/roles/users/templates/sudoers.d.j2 modified on 2015-11-04 11:42:35 by my_username on me.local

web ALL=(root) NOPASSWD: -
web ALL=(root) NOPASSWD: "
web ALL=(root) NOPASSWD: /
web ALL=(root) NOPASSWD: u
web ALL=(root) NOPASSWD: s
web ALL=(root) NOPASSWD: r
web ALL=(root) NOPASSWD: /
web ALL=(root) NOPASSWD: s
web ALL=(root) NOPASSWD: b
web ALL=(root) NOPASSWD: i
web ALL=(root) NOPASSWD: n
web ALL=(root) NOPASSWD: /
web ALL=(root) NOPASSWD: s
web ALL=(root) NOPASSWD: e
web ALL=(root) NOPASSWD: r
web ALL=(root) NOPASSWD: v
web ALL=(root) NOPASSWD: i
web ALL=(root) NOPASSWD: c
web ALL=(root) NOPASSWD: e
web ALL=(root) NOPASSWD:  
web ALL=(root) NOPASSWD: h
web ALL=(root) NOPASSWD: h
web ALL=(root) NOPASSWD: v
web ALL=(root) NOPASSWD: m
web ALL=(root) NOPASSWD:  
web ALL=(root) NOPASSWD: *
web ALL=(root) NOPASSWD: "
web ALL=(root) NOPASSWD:  
web ALL=(root) NOPASSWD: -
web ALL=(root) NOPASSWD:  
web ALL=(root) NOPASSWD: "
web ALL=(root) NOPASSWD: /
web ALL=(root) NOPASSWD: u
web ALL=(root) NOPASSWD: s
web ALL=(root) NOPASSWD: r
web ALL=(root) NOPASSWD: /
web ALL=(root) NOPASSWD: s
web ALL=(root) NOPASSWD: b
web ALL=(root) NOPASSWD: i
web ALL=(root) NOPASSWD: n
web ALL=(root) NOPASSWD: /
web ALL=(root) NOPASSWD: s
web ALL=(root) NOPASSWD: e
web ALL=(root) NOPASSWD: r
web ALL=(root) NOPASSWD: v
web ALL=(root) NOPASSWD: i
web ALL=(root) NOPASSWD: c
web ALL=(root) NOPASSWD: e
web ALL=(root) NOPASSWD:  
web ALL=(root) NOPASSWD: p
web ALL=(root) NOPASSWD: h
web ALL=(root) NOPASSWD: p
web ALL=(root) NOPASSWD: 5
web ALL=(root) NOPASSWD: -
web ALL=(root) NOPASSWD: f
web ALL=(root) NOPASSWD: p
web ALL=(root) NOPASSWD: m
web ALL=(root) NOPASSWD:  
web ALL=(root) NOPASSWD: *
web ALL=(root) NOPASSWD: "

Just to be safe, I copied the raw output of users/tasks/main.yml from github. Also, trashed old Digital Ocean instance & rebuilt a new Ubuntu 14.04x64 instance. Deleted web user from sudoer_passwords.yml file (leaving just admin: xxxx…password…xxxxxxx )

Attempted to setup server without -K → ansible-playbook -i hosts/staging server.yml -K -vvvv

and I get the same result:

failed: [staging.example.com] => {"failed": true}
msg: failed to validate: rc:1 error:>>> /root/.ansible/tmp/ansible-tmp-1446665388.16-174732382412116/source: syntax error near line 3 <<<
>>> /root/.ansible/tmp/ansible-tmp-1446665388.16-174732382412116/source: syntax error near line 4 <<<
>>> /root/.ansible/tmp/ansible-tmp-1446665388.16-174732382412116/source: syntax error near line 5 <<<
>>> /root/.ansible/tmp/ansible-tmp-1446665388.16-174732382412116/source: syntax error near line 5 <<<
>>> /root/.ansible/tmp/ansible-tmp-1446665388.16-174732382412116/source: syntax error near line 6 <<<
>>> /root/.ansible/tmp/ansible-tmp-1446665388.16-174732382412116/source: syntax error near line 6 <<<

swalkinshaw · November 4, 2015, 9:53pm

That’s crazy. It’s treating each string like it’s an array and looping over it.

What version of Ansible?

deschet · November 4, 2015, 10:41pm

I know. I’m about to pull my hair out!

$ ansible --version
   ansible 1.9.2
   configured module search path = None

I guess I’ll try reinstalling ansible. Maybe I have a bad install or something. I used home-brew to install and not that it should matter…I’m running Ansible from my local machines command line and not from my VirtualBox Vagrant instance. Again, I don’t believe it matters…my vagrant VB machine is running when I attempt to setup the Digital Ocean staging instance.

fullyint · November 5, 2015, 12:23am

Ansible reinstall sounds like a good step.
I agree, I can’t think how/why Homebrew would be the cause. My Ansible is from brew.
So long as you’re not on Windows, yes, I’d recommend running Ansible commands from your regular machine, not the VB VM.
I agree, I can’t think of any reason why a running VM would interfere with provisioning remote servers. Also, that debug.yml was all local and still had a problem.

You might also double-check that your local sudoers.d.j2 template perfectly matches the official repo. Better yet, you could try a fresh clone of Trellis, modifying only the remote host info in order to test whether the playbook will work on remote hosts in vanilla form, without customizations.

Could you add these two tasks to the debug.yml and share their output?

    - name: Check value/structure of `web_sudoers`
      debug:
        var: web_sudoers
    - name: Check `web_sudoers` as processed by loop
      debug: var=item
      with_items: web_sudoers

For comparison, here is what the output looks like for me:

TASK: [Check value/structure of `web_sudoers`] ******************************** 
ok: [localhost] => {
    "var": {
        "web_sudoers": [
            "/usr/sbin/service hhvm *",
            "/usr/sbin/service php5-fpm *"
        ]
    }
}

TASK: [Check `web_sudoers` as processed by loop] ****************************** 
ok: [localhost] => (item=/usr/sbin/service hhvm *) => {
    "item": "/usr/sbin/service hhvm *",
    "var": {
        "item": "/usr/sbin/service hhvm *"
    }
}
ok: [localhost] => (item=/usr/sbin/service php5-fpm *) => {
    "item": "/usr/sbin/service php5-fpm *",
    "var": {
        "item": "/usr/sbin/service php5-fpm *"
    }
}

deschet · November 5, 2015, 3:41pm

I reinstalled ansible, updated Xcode, even upgraded to El Capt from yosemite and I’m still getting the same error

Here’s the output of the debug task:

TASK: [Check value/structure of `web_sudoers`] ********************************
ok: [localhost] => {
    "var": {
        "web_sudoers": "-\"/usr/sbin/service hhvm *\" - \"/usr/sbin/service php5-fpm *\""
    }
}

TASK: [Check `web_sudoers` as processed by loop] ******************************
ok: [localhost] => (item=-"/usr/sbin/service hhvm *" - "/usr/sbin/service php5-fpm *") => {
    "item": "-\"/usr/sbin/service hhvm *\" - \"/usr/sbin/service php5-fpm *\"",
    "var": {
        "item": "-\"/usr/sbin/service hhvm *\" - \"/usr/sbin/service php5-fpm *\""
    }
}

PLAY RECAP ********************************************************************
localhost                  : ok=4    changed=0    unreachable=0    failed=0

Thinking it might be an ssh issue. I created a passwordless ssh key, as well as I checked the /var/log/auth.logon the Digital Ocean instance and don’t see any issues. Here’s the log snippet of where the task fails:

Nov  5 10:32:41 staging sudo:     root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/sh -c echo BECOME-SUCCESS-dhkaveolvkaydpbakwdhdfkcqgnunmgi; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /root/.ansible/tmp/ansible-tmp-1446737562.56-54065160733831/copy; rm -rf /root/.ansible/tmp/ansible-tmp-1446737562.56-54065160733831/ >/dev/null 2>&1
Nov  5 10:32:41 staging sudo: pam_unix(sudo:session): session opened for user root by root(uid=0)
Nov  5 10:32:41 staging sudo: pam_unix(sudo:session): session closed for user root

I’m about to wipe my computer and start with a fresh install of everything

deschet · November 5, 2015, 4:42pm

I was able to get the playbook to finally work (on another machine).
I think the problem is possibly related to using ITerm as my terminal because I it’s not installed on the other machine. Possibly, I don’t have it setup correctly. I’ll try uninstalling it from my laptop to see if it’s actually causing the problem & report back.

Thank you for all of your efforts in helping me figure this out!

You guys ROCK! I love what you guys have done with the Wordpress deployment process! Keep up the GREAT work!

P.S. I LOVE my Roots T-shirt! I wear it often

ruslankomjakov · December 17, 2015, 1:58am

Hey @deschet, have you figured out what was the problem?

It looks like I’m having similar problem when admin user is not being setup with sudo privileges on Digital Ocean droplet. I get fatal: [xxx.xxx.xxx.xxx] => Incorrect become password when I run ansible-playbook server.yml -i hosts/staging --ask-become-pass with sshd_permit_root_login set to false.

I’m using latest Trellis and ansible 1.9.4.

Please reply if you’ve figured it out! Thanks in advance!

cc @swalkinshaw @fullyint

fullyint · December 17, 2015, 2:24am

Incorrect become password

@ruslankomjakov Did you enter the default admin_user sudoer password of example_password when prompted (or the new password if you changed it)? I’m just double-checking that you you know this is not asking for your own sudo password that you use for commands on your own machine.

ruslankomjakov · December 17, 2015, 2:40am

@fullyint yes, I’ve setup and entered sudoer password for admin_user following Trellis instructions.

ruslankomjakov · December 17, 2015, 3:22am

@fullyint @deschet Sorry guys, my mistake! Looks like there was a problem with the password generated using the python command. I’ve changed the password and run it through the python command once again and everything worked! Thanks!

deschet · December 17, 2015, 5:55pm

@ruslankomjakov I didn’t exactly figure out what was causing the error. However, I think it was being caused by either of the following two things:

a conflict with iTerm and/or my env (path) setup
It possibly had something todo with having setup ansible on a secondary encrypted partition of my hard drive.

I was able to avoid this problem by uninstalling iTerm and then reinstalling, npm, ansible and trellis on the main partition of the drive. I wish I knew exactly what was causing the error but since I do not…I hope this was helpful.

Curious, do you use iTerm?

ruslankomjakov · December 18, 2015, 1:04am

I do use iTerm, that’s why when I saw this thread I thought maybe I’m having exactly the same problem, although it’s unlikely that iTerm would cause this. Anyway, it appeared that my problem was the password that was incorrectly crypted.

Thank you for your reply. Roots community is great!

deschet · December 28, 2015, 2:59am

Which password? The one in the sudoer_passwords.yml?

reverbsoul · July 20, 2016, 3:50am

I know this is old, but I also use iTerm and was getting the same error. I pulled up Terminal, ran the script and it’s installed perfectly. If you’re using iTerm, and using ansible-playbook server.yml -e env=production test with Terminal.