Description
What happened?
When not specifying the coredns_binary_local_dir, the binary is trying to be downloaded to the machine from which Ansible is running, requiring root permission (even when become: false is set up in block).

Did you expect to see something different?
I would expect that when the coredns_binary_local_dir is not specified, the binary is downloaded on the target machine and installed there.

How to reproduce it (as minimally and precisely as possible):
- Do not specify the coredns_binary_local_dir in any vars file
- Run the playbook with minimal config under non-root user of target machine (with passwordless sudo enabled)

- hosts: all
  roles:
    - role: cloudalchemy.coredns

Environment
- Target machine: CentOS 7
- Ansible Control machine: Fedora 31
- Role version: 0.3.1
- Ansible version information:

ansible 2.9.6
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/luknagy/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/luknagy/.local/share/virtualenvs/homenas-i9vCctaZ/lib/python3.7/site-packages/ansible
  executable location = /home/luknagy/.local/share/virtualenvs/homenas-i9vCctaZ/bin/ansible
  python version = 3.7.6 (default, Jan 30 2020, 09:44:41) [GCC 9.2.1 20190827 (Red Hat 9.2.1-1)]

- Variables:

coredns_version: 1.6.7
coredns_dns_port: 53
coredns_config_file: "Corefile.example.j2"

- Ansible playbook execution Logs:

TASK [cloudalchemy.coredns : Naive assertion of proper DNS port number] **********************************
task path: /home/luknagy/.ansible/roles/cloudalchemy.coredns/tasks/preflight.yml:2
ok: [homenas] => {
"changed": false,
"msg": "All assertions passed"
}
TASK [cloudalchemy.coredns : Assert usage of systemd as an init system] **********************************
task path: /home/luknagy/.ansible/roles/cloudalchemy.coredns/tasks/preflight.yml:7
ok: [homenas] => {
"changed": false,
"msg": "All assertions passed"
}
TASK [cloudalchemy.coredns : Check if source Corefile is set] ********************************************
task path: /home/luknagy/.ansible/roles/cloudalchemy.coredns/tasks/preflight.yml:12
ok: [homenas] => {
"changed": false,
"msg": "All assertions passed"
}
TASK [cloudalchemy.coredns : Get checksum for amd64 architecture] ****************************************
task path: /home/luknagy/.ansible/roles/cloudalchemy.coredns/tasks/preflight.yml:17
ok: [homenas] => {"ansible_facts": {"coredns_checksum": "ca229f972e5fbb65964998ad7aed78a677884874a023caee1c6551d0ee8e0c1b"}, "changed": false}
TASK [cloudalchemy.coredns : Create the coredns group] ***************************************************
task path: /home/luknagy/.ansible/roles/cloudalchemy.coredns/tasks/install.yml:2
ok: [homenas] => {"changed": false, "gid": 993, "name": "coredns", "state": "present", "system": true}
TASK [cloudalchemy.coredns : Create the coredns user] ****************************************************
task path: /home/luknagy/.ansible/roles/cloudalchemy.coredns/tasks/install.yml:8
ok: [homenas] => {"append": true, "changed": false, "comment": "", "group": 100, "groups": "coredns", "home": "/", "move_home": false, "name": "coredns", "shell": "/usr/sbin/nologin", "state": "present", "uid": 997}
TASK [cloudalchemy.coredns : create coredns configuration directories] ***********************************
task path: /home/luknagy/.ansible/roles/cloudalchemy.coredns/tasks/install.yml:18
ok: [homenas] => (item=/etc/coredns) => {"ansible_loop_var": "item", "changed": false, "gid": 0, "group": "root", "item": "/etc/coredns", "mode": "0755", "owner": "root", "path": "/etc/coredns", "secontext": "unconfined_u:object_r:etc_t:s0", "size": 4096, "state": "directory", "uid": 0}
ok: [homenas] => (item=/etc/coredns/zones) => {"ansible_loop_var": "item", "changed": false, "gid": 0, "group": "root", "item": "/etc/coredns/zones", "mode": "0755", "owner": "root", "path": "/etc/coredns/zones", "secontext": "unconfined_u:object_r:etc_t:s0", "size": 4096, "state": "directory", "uid": 0}
TASK [cloudalchemy.coredns : Download coredns binary to local folder] ************************************
task path: /home/luknagy/.ansible/roles/cloudalchemy.coredns/tasks/install.yml:30
FAILED - RETRYING: Download coredns binary to local folder (5 retries left).
FAILED - RETRYING: Download coredns binary to local folder (4 retries left).
FAILED - RETRYING: Download coredns binary to local folder (3 retries left).
FAILED - RETRYING: Download coredns binary to local folder (2 retries left).
FAILED - RETRYING: Download coredns binary to local folder (1 retries left).
fatal: [homenas -> localhost]: FAILED! => {"attempts": 5, "changed": false, "module_stderr": "sudo: a password is required\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
PLAY RECAP ***********************************************************************************************
homenas : ok=37 changed=3 unreachable=0 failed=1 skipped=15 rescued=0 ignored=0

Anything else we need to know?:
Is this behaviour intentional? I don't see a reason why the binary should be downloaded on the control machine when I didn't specify to use a version downloaded on the control machine. It makes more sense to let everything happen on the remote node (I don't want to provide root password to my machine -> seems like become: false is not respected in block)

ansible-coredns/tasks/install.yml
Lines 29 to 61 in 39c5a51

- block:
    - name: Download coredns binary to local folder
      become: false
      get_url:
        url: "https://github.com/coredns/coredns/releases/download/v{{ coredns_version }}/coredns_{{ coredns_version }}_linux_{{ go_arch }}.tgz"
        dest: "/tmp/coredns_{{ coredns_version }}_linux_{{ go_arch }}.tgz"
        checksum: "sha256:{{ coredns_checksum }}"
      register: _download_binary
      until: _download_binary is succeeded
      retries: 5
      delay: 2
      delegate_to: localhost
      check_mode: false

    - name: Unpack coredns binary
      become: false
      unarchive:
        src: "/tmp/coredns_{{ coredns_version }}_linux_{{ go_arch }}.tgz"
        dest: "/tmp"
        creates: "/tmp/coredns"
      delegate_to: localhost
      check_mode: false

    - name: Propagate coredns binaries
      copy:
        src: "/tmp/coredns"
        dest: "/usr/local/bin/coredns"
        mode: 0750
        owner: "{{ coredns_system_user }}"
        group: "{{ coredns_system_group }}"
      notify: restart coredns
      when: not ansible_check_mode
  when: coredns_binary_local_dir | length == 0
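
One way to get the behaviour requested in this issue, downloading and verifying the archive on the target host with no delegate_to: localhost, shown as an added example that is not the role's own code. The staging path /var/cache/coredns-install and the _coredns_stage variable are assumptions; the directory is root-only so that no other local user can swap the archive between the checksum check and the install, which a shared /tmp would allow. It also assumes the play runs with become: true on the target.

```yaml
# Added example (not from cloudalchemy.coredns): fetch, verify and install on the target.
# Assumption: the play runs with become: true, so these tasks run as root on the target.
# Assumption: /var/cache/coredns-install and _coredns_stage are hypothetical names.
- block:
    - name: Create a root-only, per-version staging directory on the target
      file:
        path: "{{ _coredns_stage }}"
        state: directory
        owner: root
        group: root
        mode: "0700"
      check_mode: false

    - name: Download coredns archive on the target and verify its sha256
      get_url:
        url: "https://github.com/coredns/coredns/releases/download/v{{ coredns_version }}/coredns_{{ coredns_version }}_linux_{{ go_arch }}.tgz"
        dest: "{{ _coredns_stage }}/coredns.tgz"
        checksum: "sha256:{{ coredns_checksum }}"
        mode: "0600"
      register: _download_binary
      until: _download_binary is succeeded
      retries: 5
      delay: 2
      check_mode: false

    - name: Unpack the archive on the target (remote_src keeps it off the controller)
      unarchive:
        src: "{{ _coredns_stage }}/coredns.tgz"
        dest: "{{ _coredns_stage }}"
        remote_src: true
        creates: "{{ _coredns_stage }}/coredns"
      check_mode: false

    - name: Install the coredns binary from the staging directory
      copy:
        src: "{{ _coredns_stage }}/coredns"
        dest: "/usr/local/bin/coredns"
        remote_src: true
        mode: "0750"
        owner: "{{ coredns_system_user }}"
        group: "{{ coredns_system_group }}"
      notify: restart coredns
      when: not ansible_check_mode
  vars:
    _coredns_stage: "/var/cache/coredns-install/{{ coredns_version }}"
  when: coredns_binary_local_dir | length == 0
```

Because the staging directory is keyed on coredns_version, the creates: guard does not skip unpacking when the version is bumped.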