Deprecated — Consolidated into PLAT-0004 on 2026-05-02 per ADR-0047. This source file is retained as a reference; the canonical content is in PLAT-0004.

ADR-0036 — Pin Classic Sudo Provider on Ubuntu 25.10+

| Field | Value |
|---|---|
| Status | Accepted |
| Date | 2026-04-22 |
| Author | Ben Peries |
| Phases | 1, 2 |
| ADO WI | #297 |

Context

Ubuntu 25.10 (Questing Quokka) installs sudo-rs (a Rust reimplementation of sudo) as an alternative in the update-alternatives system, and sets it as the default /usr/bin/sudo. sudo-rs is not a drop-in replacement for classic sudo in all automation contexts: it does not respond to Ansible's become prompt mechanism, causing SSH connections to hang until timeout when Ansible tasks require privilege escalation.

The fleet runs a mix of Ubuntu LTS and non-LTS releases across caneast-site1-node2 (22.04 LTS), caneast-site1-node3 (24.04 LTS), caneast-site1-node4 (25.04), and caneast-site1-node5 (25.10). Classic sudo is available on Ubuntu 25.10 as /usr/bin/sudo.ws but is not the default. The incompatibility was discovered during the caneast-site1-node4 and caneast-site1-node5 baseline (WI-288), where Ansible become tasks failed silently.

A manual workaround (update-alternatives --set sudo /usr/bin/sudo.ws) was applied to caneast-site1-node4 and caneast-site1-node5 directly. This ADR codifies that fix as a baseline role task so it applies automatically to any new node on Ubuntu 25.10+.

Decision

Add an idempotent task to ansible/roles/common/tasks/sudo.yml that:

  1. Queries the current sudo alternative via update-alternatives --query sudo
  2. Runs update-alternatives --set sudo /usr/bin/sudo.ws only if the current value is not already /usr/bin/sudo.ws
  3. Is gated on ansible_distribution == "Ubuntu" and ansible_distribution_version >= 25.10

The task is included from roles/common/tasks/main.yml under the [common, sudo] tag set, matching the existing per-task import pattern.
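An added example of what such a sudo.yml can look like (illustrative, not the fleet's actual role file). It follows the three steps above plus the failed_when: false behaviour noted under Consequences; the stat guard on /usr/bin/sudo.ws and the variable names sudo_alt_query and sudo_ws are assumptions of this example.

```yaml
# ansible/roles/common/tasks/sudo.yml (example, not the fleet's own file)
# Pins classic sudo as the update-alternatives target on Ubuntu 25.10+.
# Included from roles/common/tasks/main.yml under tags [common, sudo].

- name: Query the current sudo alternative (Ubuntu 25.10+ only)
  ansible.builtin.command:
    cmd: update-alternatives --query sudo
  register: sudo_alt_query
  changed_when: false
  # A missing 'sudo' alternative group (e.g. classic sudo dropped from the
  # archive) must not abort the baseline run; the set step is skipped instead.
  failed_when: false
  when:
    - ansible_distribution == "Ubuntu"
    - ansible_distribution_version is version('25.10', '>=')

- name: Check that classic sudo is actually present before pinning it
  ansible.builtin.stat:
    path: /usr/bin/sudo.ws
  register: sudo_ws
  when: sudo_alt_query is not skipped

- name: Pin classic sudo as the update-alternatives target
  ansible.builtin.command:
    cmd: update-alternatives --set sudo /usr/bin/sudo.ws
  # Conditions are evaluated in order and stop at the first false one, so
  # 'rc' and 'stat' are only referenced when the earlier tasks ran.
  when:
    - sudo_alt_query is not skipped
    - sudo_alt_query.rc == 0
    - sudo_ws.stat.exists
    - "'Value: /usr/bin/sudo.ws' not in sudo_alt_query.stdout"
```

The --query output is a block of `Key: value` lines, so matching on the `Value:` line gives idempotence without parsing; on nodes below 25.10 every task is skipped and no change is reported.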

Consequences

  • Ansible become works correctly on all Ubuntu 25.10+ nodes after baseline run
  • Classic sudo is pinned; sudo-rs remains installed but de-prioritised
  • If Ubuntu removes classic sudo from the archive (possible by 26.10), this task will fail gracefully (failed_when: false on the query step) and a new ADR will be required to address the sudo strategy
  • The gate condition (>= 25.10) means older Ubuntu nodes are unaffected

Alternatives Considered

Install and configure sudo-rs to accept Ansible become — rejected; sudo-rs configuration is non-trivial and diverges from upstream Ansible become design. Increases maintenance surface for no practical benefit at this fleet scale.

Pin the alternative only on affected nodes ad hoc — rejected; this was the short-term workaround that necessitated this ADR. Not repeatable at scale.

Switch Ansible become_method to su — rejected; requires root password on all nodes and conflicts with the ansible-svc-account NOPASSWD model (ADR-0014).

References

  • ADR-0014 — Ansible service account (ansible-svc-account, NOPASSWD model)
  • WI-288 — caneast-site1-node5 onboarding (where incompatibility was first observed)
  • WI-297 — Codify sudo provider preference in IT baseline role
  • Ubuntu sudo-rs: https://github.com/memorysafety/sudo-rs