Sudo: a password is required + Incorrect sudo password

Hello everybody,

In deploy.yml file, I add custom hook:

deploy_initialize_before: "{{ playbook_dir }}/deploy-hooks/initialize-before.yml"

In this hook, I would like to create a file in directory which required permission, so I do this:

- name: Create file
  command: touch /var/lib/mysql/test_file
  become: yes
  become_user: admin

But it’s doesn’t work, I have this error message:

sudo: a password is required

I try to add --ask-become-pass, I enter the password but I have this error message:

Incorrect sudo password

I try to edit visudo and add the following:


But it doesn’t work.

Can you help me?


@DreamOn I would have tried exactly what you described. After playing around with it, I think I understand the problem generally, although I may be incorrect on some details.

Only the user root has adequate permissions to create the file, but I think your task was trying as admin.

The deploy.yml playbook makes its SSH connections as the web_user.
I believe your become_user: admin parameter is similar to running sudo -u admin touch <file>, i.e., the web_user becomes admin and tries to touch the file, but fails because only root has permission.

So, you need to become root then touch the file. The admin user is already a sudoer so it would be easiest to use the remote_user task parameter to make this task’s SSH connection as admin instead of web_user. The become: yes will default to becoming the root user.

The following change is like SSHing as admin then running sudo touch <file>:

 - name: Create file
   command: touch /var/lib/mysql/test_file
   become: yes
-  become_user: admin
+  remote_user: admin

If I were writing the task, I’d use Ansible’s file module like this:

- name: Create file
    dest: /var/lib/mysql/test_file
    state: touch
  become: yes
  remote_user: "{{ admin_user }}"

The deploy playbook intentionally only connects as the web_user, who has limited permissions compared to the admin_user. Adding remote_user: "{{ admin_user }}" as above breaks this pattern. This could be a problem if you want to allow limited privilege colleagues to deploy (colleagues with ability to run only as web_user, not admin_user).

If adding the remote_user: "{{ admin_user }}" parameter causes this problem for you, see the example of how Trellis enables the web_user to run sudo service php7.0-fpm reload by adding a permission to sudoers.d.j2 that lets web_user run sudo service commands without a password.