I'm unable to prompt for a become/sudo password because of how molecule is calling ansible. I've been trying to work around it by using an askpass program but that doesn't cache and will prompt me at every task :(
I gather the next question will be why do I want this feature? Well, the more I read about docker security, it seems problematic to have a user configured to be able to run docker commands without credentials -- it's essentially the same as giving your user password-less sudo access (http://www.projectatomic.io/blog/2015/08/why-we-dont-let-non-root-users-run-docker-in-centos-fedora-or-rhel/).
$ molecule --version
molecule, version 2.2.1
$ ansible --version
ansible 2.4.0.0
$ molecule --ask-sudo-pass converge -s dev
# insert password prompt here
$ molecule create
--> Test matrix

└── default
    ├── create
    └── prepare
--> Scenario: 'default'
--> Action: 'create'
/usr/lib64/python2.7/getpass.py:83: GetPassWarning: Can not control echo on the terminal.
  passwd = fallback_getpass(prompt, stream)
Warning: Password input may be echoed.
I'd actually be happy if someone could point me to a GUI askpass solution that would work in this case; the few I can find in my repository are designed for openssh, do not cache, and prompt for each become task :( I realize that question is totally out of scope of molecule and this ticket, but I still feel like it would be great to document in your repo if future folks have this same question.
Was calling that like so:

molecule.yml:

provisioner:
  name: ansible
  config_options:
    defaults:
      sudo_flags: -A

$ SUDO_ASKPASS=/usr/libexec/openssh/x11-ssh-askpass molecule converge -s dev
Molecule assumes Docker is running on a desktop or a controlled system. I suggest simply adding the user running Molecule to the docker group on the system. This will prevent just any user from running Docker on the system.
However, let's see if any of the Linux Molecule users can chime in with what they do.
yeah that's what I'm trying to avoid. I concede that's a problem I can solve myself in a number of ways that don't require a code change on the project.

there's gotta be another use case someone would want to pass in credentials to molecule... but I can't think of any off hand :|
On Sat, Oct 7, 2017 at 3:09 PM John Dewey notifications@github.com wrote:
Molecule assumes Docker is running on a desktop or a controlled system. I suggest simply adding the user running Molecule to the docker group on the system. This will prevent just any user from running Docker on the system.
I don't add my user to the Docker group because I don't consider my machine to be an impenetrable fortress. You would only need one vulnerability in your (unsandboxed) browser to get root.
While adding the user to the docker group is easy, I really wish molecule could prompt us for the become password. (Nor do I wish to run molecule with sudo, because only certain tasks need root privileges, namely only the ones that need to talk to the docker socket.)
Okay, I'm going to take a stab at this; see #1000 for discussion and usage.
@msheiny @jody-frankowski @conorsch please have a look ^^.
Not going to fix at this time. Too tricky of an issue to solve properly. Give dind a try.
hey guys, sorry, let me bump this thread if I may.
Being able to transparently pass the --ask-sudo-pass flag to ansible and have it show an interactive prompt would be a pretty big deal for our use cases.
As mentioned in https://github.com/ansible-community/molecule/issues/2356, as well as manifested by a number of our repositories and our teams' DevAdminOps, molecule is our tool of choice for server orchestration, including dev, test and live server provisioning.
We've been able to handle all needed use cases so far, like a black ninja, thanks to the variety of shurikens and nunchucks molecule provides.
However this one made us hit a wall.
Use Case:
Problem:
It's currently impossible to have molecule do any direct modifications to one's host environment (using Ansible's delegate_to flag) if they are using a non-root account to run molecule (which they do).
I might be missing something, but can this be evaded in a way that utilizes existing features?
Running molecule with sudo produced more errors than it fixed, namely in the lxc/lxd department, but if you could confirm (deny?) that's the way to do it, I'd give it another go, from a fresh start.
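An added illustration, not code from this thread or from the Molecule project, of the privilege split the comments above argue for: the playbook stays unprivileged by default, and only the task that has to reach the host's Docker socket (the delegate_to localhost case) uses become. Whether Molecule can forward an interactive --ask-become-pass prompt is exactly what this issue is about, so the become password here comes from an ansible-vault encrypted vars file instead. The playbook name, the `become_pass.yml` file, the network name and the `app.conf` file are constructed for the example; `become`, `delegate_to`, `ansible_become_pass`, the `docker_network` module and `ANSIBLE_VAULT_PASSWORD_FILE` are standard Ansible features.

```yaml
# converge.yml (constructed example, not part of the issue thread)
- name: Provision the test instance without handing the whole run to root
  hosts: all
  become: false                     # default: every task runs as the unprivileged user
  vars_files:
    - become_pass.yml               # created with `ansible-vault create become_pass.yml`;
                                    # it defines ansible_become_pass: <your sudo password>
  tasks:
    - name: Configure the application inside the instance (no root needed)
      copy:
        src: app.conf               # assumed to exist next to the playbook
        dest: /tmp/app.conf
        mode: "0644"

    - name: Ensure the scenario network exists on the host (talks to the Docker socket)
      docker_network:
        name: molecule-dev          # constructed name
        state: present
      delegate_to: localhost
      become: true                  # the only task that escalates, and only on the host
      become_user: root
```

Because the vault file, not a prompt, supplies the password, the vault passphrase itself still has to reach Ansible; pointing ANSIBLE_VAULT_PASSWORD_FILE at a file readable only by your user keeps that out of the command line and out of Molecule's argument handling. The sudo password never needs to appear in molecule.yml, and the user running Molecule does not need to be in the docker group, which is the point the earlier comments make about the group being root-equivalent.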