I am trying to use Ansible Container for a basic example which is supposed to install Node within the image. When I use the ansible-container build command, after successfully building the conductor image, it fails the first task with a sudo related error. The task in question requires root privileges to be executed.
I am running Debian GNU/Linux 9.2 (stretch) with Docker 17.09.0-ce installed through the Docker APT repository. I tried with Ansible both from Debian Stretch (2.2.1.0-2) and from Pypi (2.4.1.0). I tried Ansible Container from Pypi (0.9.3rc0) and from the latest Git source. I always get the exact same error output.
The Ansible module complains about the following:
sudo: error while loading shared libraries: libsudo_util.so.0: cannot open shared object file: No such file or directory
The task being run looks like the following:
- name: Add the Node Source repository signing certificate to APT
apt_key:
id: 9FD3B784BC1C6FC31A8A0A1C1655A0AB68576280
keyserver: hkps://hkps.pool.sks-keyservers.net
become: yes
Both the conductor as well as the service I try to create use the debian:stretch base image.
I am running the ansible-container build command with sudo prepended, because only root may access the Docker socket on my system.
Here is the content of my container.yml:
version: "2"
settings:
conductor:
base: debian:stretch
project_name: container_test
services:
nodejs:
from: debian:stretch
roles:
- nodejs
registries: {}
Here is the full error output:
Building Docker Engine context...
Starting Docker build of Ansible Container Conductor image (please be patient)...
Parsing conductor CLI args.
Docker™ daemon integration engine loaded. Build starting. project=container_test
Building service... project=container_test service=nodejs
PLAY [nodejs] ******************************************************************
TASK [Gathering Facts] *********************************************************
ok: [nodejs]
TASK [nodejs : Add the Node Source repository signing certificate to APT] ******
fatal: [nodejs]: FAILED! => {"changed": false, "module_stderr": "sudo: error while loading shared libraries: libsudo_util.so.0: cannot open shared object file: No such file or directory\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 127}
to retry, use: --limit @/tmp/tmpTRBQDe/playbook.retry
PLAY RECAP *********************************************************************
nodejs : ok=1 changed=0 unreachable=0 failed=1
ERROR Error applying role! engine=<container.docker.engine.Engine object at 0x7f84da0c5ed0> exit_code=2 playbook=[{'hosts': u'nodejs', 'roles': ['nodejs'], 'vars': {}}]
Traceback (most recent call last):
File "/usr/local/bin/conductor", line 11, in <module>
load_entry_point('ansible-container', 'console_scripts', 'conductor')()
File "/_ansible/container/__init__.py", line 19, in __wrapped__
return fn(*args, **kwargs)
File "/_ansible/container/cli.py", line 408, in conductor_commandline
**params)
File "/_ansible/container/__init__.py", line 19, in __wrapped__
return fn(*args, **kwargs)
File "/_ansible/container/core.py", line 843, in conductorcmd_build
raise RuntimeError('Build failed.')
RuntimeError: Build failed.
Conductor terminated. Cleaning up. command_rc=1 conductor_id=e8899239ad1017a89acc97396d38ab805d937a7b3d74e5a7d2741d7b1124bb0c save_container=False
ERROR Conductor exited with status 1
I found the cause for this:
The base image debian:stretch does not include sudo. Therefore a solution was to set the become_method to su instead. Normally, this can either be done per task, host or playbook. Because it is not obvious where the equivalent of a playbook lies in Ansible Container and how the concept of hosts applies, I only really had the option to use the task level.
I decided to add a role which installs sudo in the image and only set the become_method to su for the solitary task within this role. Atfer the role is applied, no further change is needed and the original tasks work.
A follow-up problem then was, that also GnuPG was not installed either to accomplish the apt_key module task properly. The following solution solves both problems:
- become: yes
become_method: su
block:
- name: Update package cache
apt:
update_cache: yes
cache_valid_time: 86400
- name: Install GnuPG
package:
name: gnupg2
state: present
- name: Install sudo
package:
name: sudo
state: present
Supposedly a more clean option would be to generate a base image that already includes these dependencies to allow for a more streamlined Ansible Container image generation.