rhsm modules: cleanly fail when not run as root (#6211)

subscription-manager on RHEL installs a symlink in /usr/bin to console-helper (part of usermode), which triggers an interactive prompt for root credentials when run as user. It seems that console-helper does not handle well non-interactive contexts (e.g. without a TTY for input), and thus it will hang waiting for input when run as user in an Ansible task. Since subscription-manager requires root already anyway (and it will fail when explicitly run as user), then apply the same logic locally on all the modules that interact with it: redhat_subscription, rhsm_release, and rhsm_repository.
2025-07-20 03:40:22 -07:00 · 2023-03-22 13:15:32 +01:00 · 2023-03-22 13:15:32 +01:00 · 9f67cbbe36
commit 9f67cbbe36
parent 512bf4b77f
6 changed files with 40 additions and 4 deletions
--- a/plugins/modules/rhsm_release.py
+++ b/plugins/modules/rhsm_release.py
@ -18,6 +18,8 @@ notes:
  - This module will fail on an unregistered system.
    Use the C(redhat_subscription) module to register a system
    prior to setting the RHSM release.
+  - It is possible to interact with C(subscription-manager) only as root,
+    so root permissions are required to successfully run this module.
 requirements:
  - Red Hat Enterprise Linux 6+ with subscription-manager installed
 extends_documentation_fragment:
@ -63,6 +65,7 @@ current_release:

 from ansible.module_utils.basic import AnsibleModule

+import os
 import re

 # Matches release-like values such as 7.2, 5.10, 6Server, 8
@ -109,6 +112,11 @@ def main():
        supports_check_mode=True
    )

+    if os.getuid() != 0:
+        module.fail_json(
+            msg="Interacting with subscription-manager requires root permissions ('become: true')"
+        )
+
    target_release = module.params['release']

    # sanity check: the target release at least looks like a valid release