molecule tests running as root

Created on 14 Oct 2016 · 14 Comments · Source: ansible-community/molecule

If I print ansible_user_id from within a task of my Ansible role, I get root even if no sudo: true or become: true are present.

Can you tell me why, please?

Which driver are you using?

Vagrant. Please, find a repo to reproduce the behavior

Hi @adriano-di-giovanni. If you run molecule --debug converge you will see the command executed. We pass the --sudo flag to ansible-playbook.

If I understand what molecule test --help reports (please, read below), default behavior should be --no-sudo

I also tried to run molecule --debug test --no-sudo but --sudo option gets always passed to ansible-playbook.

$ molecule --version
molecule, version 1.12.5

$ molecule test --help
Usage: molecule test [OPTIONS]

  Runs a series of commands (defined in config) against instances for a full
  test/verify run.

Options:
  --driver TEXT                   Specificy a driver.
  --platform TEXT                 Specify a platform.
  --provider TEXT                 Specify a provider.
  --destroy [passing|always|never]
                                  Destroy behavior.
  --sudo / --no-sudo              Enable or disable running tests with sudo.
                                  Default is disabled.
  --help                          Show this message and exit.

--sudo / --no-sudo Enable or disable running tests with sudo.

The sudo flag reported there is for running tests (e.g. testinfra). It has nothing to do with the initial converge, which is always run with sudo.

So, no way to avoid sudoing. Right?

Right.

Actually, you can update your molecule.yml with the following. This will disable the passing of the --sudo flag to ansible-playbook.

ansible:
  sudo: False
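
Added example (not part of the thread or of Molecule's own code): once `ansible: sudo: False` stops `--sudo` being passed to ansible-playbook, a playbook like the one below confirms which tasks actually run as root and escalates only where needed. It assumes the driver connects as an unprivileged user (as Vagrant does); the package name is a placeholder.

```yaml
# playbook.yml (constructed example; package name is a placeholder)
- hosts: all
  gather_facts: true
  tasks:
    # ansible_user_id is a gathered fact: it records the account that ran the
    # setup module, so it reads root whenever escalation covers the whole play.
    - name: Show the account facts were gathered as
      debug:
        var: ansible_user_id

    # The effective user of an individual task is checked directly instead.
    - name: Effective user without escalation
      command: id -un
      register: plain_user
      changed_when: false

    - name: Effective user with per-task escalation
      command: id -un
      become: true
      register: escalated_user
      changed_when: false

    # Fails the converge if a task without become still runs as root,
    # i.e. if blanket escalation is still being applied somewhere.
    - name: Verify escalation is per task, not global
      assert:
        that:
          - plain_user.stdout != 'root'
          - escalated_user.stdout == 'root'

    # Only the task that needs root asks for it.
    - name: Install a package
      package:
        name: ntp
        state: present
      become: true
```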

So, should we not run ansible with sudo, and require each task to sudo? I kinda flip-flop on my thoughts with this. I personally feel running as --sudo is clearer and not really any worse than without.

The chef agent for example runs with privileges. One is not required to think which tasks require additional privileges.

I’m tempted to say that we should not sudo (or ‘become’ as it should be these days), because that is not the Ansible default. And additionally, there’s always the possibility of including tasks from a separate file – if the include is privileged, so are all the subtasks.

On the other hand, this would likely mean a lot of changes to ‘passing’ roles.

Yeah, I'm going to leave as is, unless this becomes a problem with adopting molecule. However, it can be turned off as described above.

If someone stumbles upon this: the --sudo flag isn't available anymore.

$ molecule test --help
Usage: molecule test [OPTIONS]

  Test (lint, destroy, dependency, syntax, create, prepare, converge,
  idempotence, side_effect, verify, destroy).

Options:
  -s, --scenario-name TEXT        Name of the scenario to target. (default)
  -d, --driver-name [azure|delegated|docker|ec2|gce|lxc|lxd|openstack|vagrant]
                                  Name of driver to use. (docker)
  --all / --no-all                Test all scenarios. Default is False.
  --destroy [always|never]        The destroy strategy used at the conclusion
                                  of a Molecule run (always).
  --help                          Show this message and exit.

$ molecule --version
molecule, version 2.18.1

@yves-vogl yes, how do we run tests with sudo in Molecule 2?

@marcomancuso I'm using the following in molecule.yml

verifier:
  name: testinfra
  options:
    sudo: true

@yves-vogl thanks! that worked!
