Unable to deploy via bastion host, localhost delegation tries to use sudo. #866

@gwvandesteeg

Describe the bug

The role fails because, when executing commands delegated to localhost, it tries to use sudo even though the task explicitly states become: false. From research into the issue, this appears to be caused by the fact that the system is connecting to the target host via SSH and a bastion host with an ansible_user setting specified.

To reproduce

Steps to reproduce the bug:

  1. Target network setup.
    Workstation --SSH--> bastion-host --SSH--> NGINX host
  2. I have deployed/run the Ansible NGINX role using the following playbook.yml:
    ---
    - hosts:
        - nginx
      tasks:
    
        # install nginx
        - name: "Install nginx"
          ansible.builtin.include_role:
            name: nginxinc.nginx
    
        - name: "Configure nginx"
          ansible.builtin.import_role:
            name: nginxinc.nginx_config
    
  3. I have seen the following error(s) on my terminal output/logs:
    TASK [nginxinc.nginx : Verify you are using a supported Ansible version on your Ansible host] 
    ********************************************************************************************
    task path: /home/redacted/.ansible/roles/nginxinc.nginx/tasks/validate/validate.yml:2
    Monday 10 March 2025  17:25:41 +1300 (0:00:00.034)       0:01:34.871 **********
    Monday 10 March 2025  17:25:41 +1300 (0:00:00.034)       0:01:34.870 **********
    ok: [10.64.0.10 -> localhost] => {
        "changed": false,
        "msg": "Ansible 2.16.14 is supported."
    }
    
    TASK [nginxinc.nginx : Extract the version of Jinja2 installed on your Ansible host] 
    *****************************************************************************************************
    task path: /home/redacted/.ansible/roles/nginxinc.nginx/tasks/validate/validate.yml:12
    Monday 10 March 2025  17:25:41 +1300 (0:00:00.034)       0:01:34.905 **********
    Monday 10 March 2025  17:25:41 +1300 (0:00:00.034)       0:01:34.904 **********
    Using module file /home/redacted/src/redcated/system-deployment/.venv/lib/python3.11/site-packages/ansible/modules/command.py
    Pipelining is enabled.
    <localhost> ESTABLISH LOCAL CONNECTION FOR USER: redacted
    <localhost> EXEC /bin/sh -c 'sudo -H -S -n  -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-atmsixqyexukmjricmcyignojkckobhg ; 
    /home/redacted/src/redacted/system-deployment/.venv/bin/python3.11'"'"' && sleep 0'
    fatal: [10.64.0.10 -> localhost]: FAILED! => {
        "changed": false,
        "module_stderr": "sudo: a password is required\n",
        "module_stdout": "",
        "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
        "rc": 1
    }
    

Expected behavior

The role should apply without failure and set up/install NGINX.

Your environment

  • Version of the Ansible NGINX role (or specific commit): from requirements.yml
    - src: nginxinc.nginx
      version: 0.25.0
    - src: nginxinc.nginx_config
      version: 0.7.1
  • Version of Ansible: see below, installed using a virtual environment
  • Version of Jinja2 (if you are using any templating capability): see below
ansible-playbook [core 2.16.14]
  config file = /home/redacted/src/redacted/system-deployment/ansible.cfg
  configured module search path = ['/home/redacted/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/redacted/src/redacted/system-deployment/.venv/lib/python3.11/site-packages/ansible
  ansible collection location = /home/redacted/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/redacted/src/redacted/system-deployment/.venv/bin/ansible-playbook
  python version = 3.11.0rc1 (main, Aug 12 2022, 10:02:14) [GCC 11.2.0] (/home/redacted/src/redacted/system-deployment/.venv/bin/python3.11)
  jinja version = 3.1.2
  libyaml = True
Using /home/redacted/src/redacted/system-deployment/ansible.cfg as config file
  • How is Ansible being managed: CLI with Makefile (make nginx, see below)
  • Target deployment platform(s): Ubuntu 22.04

Additional context (optional)

ansible.cfg content

[defaults]
hash_behaviour=merge
nocows=True
max_diff_size=1048576
host_key_checking=False
callbacks_enabled = timer, profile_tasks, profile_roles
forks=30
pipelining=True
timeout=30
vault_identity_list="redacted@/home/redacted/src/redacted/ansible/redacted/vault_password.txt"

[ssh_connection]
ssh_args = -4 -o ControlMaster=auto -o ControlPersist=120s

Makefile excerpt:

LOCAL_FILE=local_newstaging.yml
VERBOSE=-vvvv
ANSIBLE_CMD=ansible-playbook \
	$(VERBOSE) \
	-i hosts \
	--extra-vars "@$(LOCAL_FILE)" \
	--extra-vars "@redacted/redacted/vars/apt_repo_credentials.yml"

nginx:
	$(ANSIBLE_CMD) -t nginx playbook.yml

local_newstaging.yml content

---
ansible_user: "redacted"
ansible_ssh_common_args: '-o ProxyCommand="ssh -4 -q -A -W %h:%p redacted@bastion-host.example.org"'

Host inventory just has the private IP

[nginx]
10.0.0.10

Code in role causing the problem:

https://github.com/nginxinc/ansible-role-nginx/blob/d7364da638319480587df6c732d6a34c0f5663a1/tasks/validate/validate.yml#L12-L18
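
A way to spot this behaviour in verbose output, as an added example that is not part of the original issue or the role's code: the function below scans `ansible-playbook -vvvv` output for `EXEC` lines on the control node that carry Ansible's `BECOME-SUCCESS-` marker, and reports the task they belong to. The log text is a constructed sample modelled on the output quoted above; `find_local_become` and the third sample task are assumptions.

```python
import re

# Constructed sample modelled on the -vvvv output quoted in the issue.
SAMPLE_LOG = """\
TASK [nginxinc.nginx : Verify you are using a supported Ansible version on your Ansible host]
ok: [10.64.0.10 -> localhost] => {
    "changed": false
}
TASK [nginxinc.nginx : Extract the version of Jinja2 installed on your Ansible host]
<localhost> ESTABLISH LOCAL CONNECTION FOR USER: redacted
<localhost> EXEC /bin/sh -c 'sudo -H -S -n  -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-abcdefgh ; /usr/bin/python3'"'"' && sleep 0'
fatal: [10.64.0.10 -> localhost]: FAILED! => {
    "module_stderr": "sudo: a password is required\\n"
}
TASK [example : Constructed remote task]
<10.64.0.10> EXEC /bin/sh -c 'sudo -H -S -n  -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-ijklmnop ; /usr/bin/python3'"'"' && sleep 0'
ok: [10.64.0.10]
"""

TASK_RE = re.compile(r"^TASK \[(?P<name>.+?)\]\s*\**\s*$")
EXEC_RE = re.compile(r"^<(?P<host>[^>]+)> EXEC (?P<cmd>.*)$")
BECOME_TOOL_RE = re.compile(r"\b(sudo|su|doas)\b")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def find_local_become(log_text):
    """Return (task, host, tool) for each control-node EXEC wrapped in a become command."""
    findings = []
    task = None
    for line in log_text.splitlines():
        header = TASK_RE.match(line)
        if header:
            task = header.group("name")  # remember which task the EXEC lines belong to
            continue
        exec_line = EXEC_RE.match(line)
        if not exec_line or exec_line.group("host") not in LOCAL_HOSTS:
            continue  # only commands run on the control node are of interest
        cmd = exec_line.group("cmd")
        if "BECOME-SUCCESS-" not in cmd:
            continue  # no become wrapper around the module invocation
        tool = BECOME_TOOL_RE.search(cmd)
        findings.append((task, exec_line.group("host"), tool.group(1) if tool else "unknown"))
    return findings


if __name__ == "__main__":
    for task, host, tool in find_local_become(SAMPLE_LOG):
        print(f"{host}: '{task}' ran through {tool}")
```
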
