Reprovision suddenly gives "Missing become password" error

After a successful provision and deploy and working website, I get a “Missing become password” error when I try to reprovision (again with ansible-playbook -i hosts/staging server.yml).

It seems to occur when I git add/commit/push some changes in my project to Gitlab prior to reprovisioning. Though I’m not sure if that’s related at all.

I’m also using sshd_permit_root_login: no and created a new hashed pw and added that to sudoer_passwords.yml/admin. Logging in on the server with ssh admin@myserverip and ssh @myserverip works just fine.

The reprovision error:

GATHERING FACTS *************************************************************** 
fatal: [myserverip] => Missing become password

TASK: [common | Validate Ansible version] ************************************* 
FATAL: no hosts matched or all hosts have already failed -- aborting


PLAY RECAP ******************************************************************** 
           to retry, use: --limit @/home/rwh/server.retry

myserverip              : ok=2    changed=0    unreachable=1    failed=0

This is my group_vars/all (redacted some stuff for security reasons):

---
apt_cache_valid_time: 86400
default_timezone: Europe/Amsterdam
mariadb_dist: trusty
mysql_user: root
www_root: /srv/www

mail_smtp_server: smtp.sendgrid.net:587
mail_admin: <redacted>
mail_hostname: <redacted>
mail_user: <redacted>
mail_password: <redacted>

hhvm: false

web_user: io
web_group: www-data
web_sudoers:
  - "/usr/sbin/service php5-fpm *"

users:
  - name: "{{ web_user }}"
    groups:
      - "{{ web_group }}"
    keys:
      - "{{ lookup('file', '~/.ssh/id_rsa_<redacted>.pub') }}"
      - "{{ lookup('file', '~/.ssh/id_rsa_<redacted>.pub') }}"
  - name: "{{ admin_user }}"
    groups:
      - sudo
    keys:
      - "{{ lookup('file', '~/.ssh/id_rsa_<redacted>.pub') }}"

admin_user: admin
sshd_permit_root_login: "no" # If "no", admin_user must be in 'users' above (with sudo group) and in sudoer_passwords
sshd_password_authentication: "no"

ferm_input_list:
  - type: dport_accept
    dport: [http, https]
    filename: nginx_accept
  - type: dport_limit
    dport: [ssh]
    seconds: 300
    hits: 20

logrotate_scripts:
  - name: wordpress-sites
    path: "{{ www_root }}/**/logs/*.log"
    options:
      - weekly
      - maxsize 50M
      - missingok
      - rotate 8
      - compress
      - delaycompress
      - notifempty
      - create 0640 {{ web_user }} {{ web_group }}
      - sharedscripts
    scripts:
      prerotate: |
        if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
              run-parts /etc/logrotate.d/httpd-prerotate; \
            fi \
      postrotate: invoke-rc.d nginx rotate >/dev/null 2>&1

And my group_vars/staging:

mysql_root_password: <redacted>

wordpress_sites:
  staging.<redacted>.nl:
    site_hosts:
      - staging.<redacted>.nl
    local_path: ../site # path targeting local Bedrock site directory (relative to Ansible root)
    repo: git@gitlab.<redacted>.io:richard/<redacted>.nl.git
    branch: master
    subtree: site # Use this if following the roots-example-project structure
    multisite:
      enabled: false
      subdomains: false
    ssl:
      enabled: false
    cache:
      enabled: false
      duration: 30s
    system_cron: true
    env:
      wp_home: http://staging.<redacted>.nl
      wp_siteurl: http://staging.<redacted>.nl/wp
      wp_env: staging
      db_name: <redacted>
      db_user: <redacted>
      db_password: <redacted>
      # Generate your keys here: https://api.wordpress.org/secret-key/1.1/salt/
      auth_key: "generateme"
      auth_salt: "generateme"
      logged_in_key: "generateme"
      logged_in_salt: "generateme"
      nonce_key: "generateme"
      nonce_salt: "generateme"
      secure_auth_key: "generateme"
      secure_auth_salt: "generateme"

Awesome you’ve added that security. Check out the Security wiki which mentions how you’ll need to add the --ask-become-pass flag to your ansible-playbook command now that root login is disabled. So, try this:
ansible-playbook server.yml -i hosts/staging --ask-become-pass

Or use -K (that’s a capital K) for short:
ansible-playbook server.yml -i hosts/staging -K

Immediately after you initiate the command, it will ask you to type that password you created for the admin user. That way Ansible can use the password for any commands it must run as sudo.

4 Likes
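
A pre-flight check for the rule in the answer above and in the group_vars/all comment (with root login set to "no", admin_user needs the sudo group and the run needs --ask-become-pass), as an added example that is not part of the original posts or of the project. The function names are hypothetical, the sample file is constructed, and the parsing assumes the flat YAML layout shown in the question.

```shell
#!/bin/sh
# Added example. Assumes the flat group_vars/all layout shown in the question.
# Print a top-level scalar, without quotes or trailing comment.
yaml_scalar() {  # $1 = file, $2 = key
  awk -v key="$2" '$0 ~ ("^" key ":") {
      sub("^" key ":[ \t]*", ""); sub(/[ \t]+#.*$/, ""); print; exit
    }' "$1" | tr -d \"\'
}

# Succeed if the users: entry for admin_user lists the sudo group.
admin_in_sudo_group() {  # $1 = file, $2 = admin user name
  awk -v admin="$2" '
    /^users:/                   { in_users = 1; next }
    in_users && /^[^ \t#-]/     { in_users = 0 }   # next top-level key ends the list
    in_users && /^  - name:/    { v = $3; gsub(/"/, "", v)
                                  is_admin = (v == admin || index($0, "admin_user"))
                                  in_groups = 0; next }
    in_users && /^    groups:/  { in_groups = 1; next }
    in_users && /^    [a-z_]+:/ { in_groups = 0 }
    in_users && is_admin && in_groups && /^      - sudo[ \t]*$/ { found = 1 }
    END { exit !found }' "$1"
}

# Print the ansible-playbook arguments for a (re)provision.
provision_args() {  # $1 = group_vars/all, $2 = inventory
  if [ "$(yaml_scalar "$1" sshd_permit_root_login)" = "no" ]; then
    admin_in_sudo_group "$1" "$(yaml_scalar "$1" admin_user)" || {
      echo "admin_user lacks the sudo group; become would fail" >&2; return 1; }
    echo "server.yml -i $2 --ask-become-pass"
  else
    echo "server.yml -i $2"
  fi
}

# Constructed sample input, trimmed from the group_vars/all in the question.
write_sample_vars() {  # $1 = output path, $2 = sshd_permit_root_login value
  cat > "$1" <<EOF
users:
  - name: "{{ admin_user }}"
    groups:
      - sudo
admin_user: admin
sshd_permit_root_login: "$2" # constructed sample value
EOF
}

sample=$(mktemp)
write_sample_vars "$sample" no
echo "ansible-playbook $(provision_args "$sample" hosts/staging)"
rm -f "$sample"
```
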

Thanks for the quick response! Using --ask-become-pass (or -K) solves the “Missing become password” error, but now it seems to hang at the GATHERING FACTS stage. I’ve been waiting for 10 minutes, nothing happens and no error message either.

Never mind, now it finally gets past the gathering facts, wow that took a while… rest of the server was performing okay. Is the gathering facts stage checking some stuff from GitHub by any chance? I know they suffered from a DDoS attack yesterday.

Oh! Well, great! I was going to say it might be waiting for your SSH key password to be entered, which you wouldn’t be able to do in this case. (Note: I don’t mean the sudo password for admin.)

I don’t recall having my “gathering facts” ever taking nearly as long as that. My impression is that the only “facts” it gathers are by connecting with your remote server and inspecting it. My initial thought was that this process doesn’t include connecting out to third parties, but I guess I’m not sure. I haven’t looked into it much.

While provisioning, I’ve definitely seen certain external connections be slower sometimes. If over the next few days/weeks the “gathering facts” routinely takes more than a few seconds for you, let us know.

1 Like

Tried another reprovision and now it moves past the gathering facts very fast. Thanks for the awesome support!

1 Like