Ansible Support in SUDO

I'm building new servers for Unix Tutorial VPS pool and for some functions within my Tech Stack Solutions consultancy, and one show stopper for Ansible onboarding is this: default sudoers settings do not support remote sessions generated by Ansible. Here's how to address this.

The issue with Ansible and sudoers

Many modern distros ship the following default setting in the main sudo config file, /etc/sudoers:

Defaults    requiretty

In very basic terms, this setting means sudo can only be used by interactive users of your system (local terminal sessions, a Terminal app started from a graphical desktop, or even SSH sessions). For non-interactive use like scripts and Ansible automation, sudo won't work.

When running an Ansible playbook against such a system, you'll get this error: "sudo: sorry, you must have a tty to run sudo".

Disable requiretty Option Per User

While it's possible to just disable this default option altogether:

Defaults    !requiretty

I strongly recommend you not do this – it's a security setting that one day will serve you well.

That's why I suggest the next best thing: let's disable this setting just for the users that run Ansible automation. In my case, this is the default user created on each newly installed/deployed server – that's usually my user greys.

So we add the following line to /etc/sudoers:

Defaults:greys    !requiretty

What this does is perfect: it disables requiretty just for the user I need it for, without compromising the overall sudoers setup more than required.
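
As an added example (not from the original article), here is a small shell check that reports whether requiretty is in effect for a given user in a sudoers-style file, so you can confirm the exemption covers only the automation account. The function name requiretty_for, the second user alice and both sample files are constructed for illustration; the model assumes global and per-user Defaults are applied in file order with the last match winning.

```shell
#!/bin/sh
# Report "on" or "off": is requiretty in effect for USER according to FILE?
# Simplified model (assumption): only "Defaults" and "Defaults:<user>" lines
# are read; aliases, includes, host/runas/command scopes and line
# continuations are ignored. Matching lines are applied in file order and
# the last one wins; with no matching line the result is "off".
requiretty_for() {
    user=$1 file=$2
    awk -F'[ \t,]+' -v user="$user" '
        BEGIN { state = "off" }
        { sub(/^[ \t]+/, "") }        # strip indentation, re-split fields
        /^#/ { next }                 # skip comment lines
        $1 == "Defaults" || $1 == ("Defaults:" user) {
            for (i = 2; i <= NF; i++) {
                if ($i == "requiretty")  state = "on"
                if ($i == "!requiretty") state = "off"
            }
        }
        END { print state }
    ' "$file"
}

# Constructed sample files (not taken from a real system).
tmp=$(mktemp -d)

# The setup from the article: global requiretty, exemption for greys only.
cat > "$tmp/good" <<'EOF'
Defaults    requiretty
Defaults    env_reset
Defaults:greys    !requiretty
EOF

# Same lines, but the exemption comes first and is overridden afterwards.
cat > "$tmp/wrong_order" <<'EOF'
Defaults:greys    !requiretty
Defaults    env_reset,requiretty
EOF

for f in good wrong_order; do
    for u in greys alice; do
        echo "$f: requiretty for $u is $(requiretty_for "$u" "$tmp/$f")"
    done
done
```

When changing the real file, edit it with visudo, or check a candidate file with visudo -cf before putting it in place, so a syntax error cannot lock you out of sudo.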
