On 2020-06-21, Gregory Edigarov <ediga...@qarea.com> wrote:
> Trying to run ansible-playbook with localhost.
> Playbook:
>
> ---
> - hosts: localhost
>    become: true
>    become_method: doas
>
>    roles:
>    - wrkstpkgs
>
>
> Expected behaviour - Ansible asks for the become pass only once, then
> execution of tasks requires no intervention.
> Observed behaviour:
>
> run ansible-playbook:
>
>   ansible-playbook  -K site.yml
> BECOME password:
> [WARNING]: provided hosts list is empty, only localhost is available. 
> Note that the implicit localhost does not match 'all'
>
> PLAY [localhost] 
> ******************************************************************************************************************************************************************************************************************************
>
> TASK [Gathering Facts] 
> ************************************************************************************************************************************************************************************************************************
> doas (g...@lbld12.duckdns.org) password:
> ok: [localhost]
>
> TASK [wrkstpkgs : ensure vital packages are present] 
> ******************************************************************************************************************************************************************************************
> doas (g...@lbld12.duckdns.org) password:
> ok: [localhost]
>
> TASK [wrkstpkgs : ensure versioned packages are present] 
> **************************************************************************************************************************************************************************************
> doas (g...@lbld12.duckdns.org) password:
>
> doas.conf only contains this line:
> permit persist greg
>
> Am I missing anything? Thanks a lot in advance.

I think it's like the problem with using doas in ports.

"persist" uses the TIOCSETVERAUTH/TIOCCHKVERAUTH tty(4) ioctls which
were added specifically for doas; the authentication can't be passed
around very far:

   TIOCCHKVERAUTH void
               Check the verified auth status of this session.  The calling
               process must have the same real user ID and parent process as
               the process which called TIOCSETVERAUTH.  A zero return
               indicates success.

Chances are the second doas call does not have the same parent process.
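
An added example, not part of the original thread and not doas or Ansible code: a small Python model of the rule quoted from tty(4), comparing the real user ID and parent process of two successive commands. The wrapper process is a constructed stand-in for any intermediate process that launches each command; the tty session and the real ioctls are not modelled.

```python
import os
import subprocess
import sys

# Child that reports the two values the man page says TIOCCHKVERAUTH compares.
REPORT = "import os; print(os.getuid(), os.getppid())"
# Constructed stand-in for an intermediate process that launches the command.
WRAPPER = (
    "import subprocess, sys; "
    "subprocess.run([sys.executable, '-c', sys.argv[1]], check=True)"
)


def identity(via_wrapper):
    """Run the reporting child and return its (real uid, parent pid)."""
    cmd = [sys.executable, "-c"]
    cmd += [WRAPPER, REPORT] if via_wrapper else [REPORT]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    uid, ppid = out.split()
    return int(uid), int(ppid)


def check_would_pass(setter, caller):
    """Model of the documented rule: same real uid and same parent process."""
    return setter == caller


def compare(via_wrapper):
    """Compare two successive commands launched the same way."""
    first = identity(via_wrapper)   # stands in for the call that set the auth
    second = identity(via_wrapper)  # stands in for the next call that checks it
    return check_would_pass(first, second)


if __name__ == "__main__":
    print("both started by this process:", compare(False))
    print("each started by its own wrapper:", compare(True))
```

Two commands started directly by the same process satisfy the modelled rule; two commands each started by a fresh intermediate process do not, because their parent PIDs differ even though the user is the same.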

