Ansible problem

Quutio · May 16, 2026, 6:04am

Hello,
I installed Ansible as described in README.md https://github.com/QubesOS/qubes-ansible/blob/main/README.md:

to Dom0 I installed qubes-ansible-dom0
to template used for default-mgmt-dvm (fedora-43-xfce) I installed qubes-ansible-vm

Then I appended lines as described in Management VM-section to files:

/etc/qubes/policy.d/include/admin-local-rwx
/etc/qubes/policy.d/include/admin-global-ro
/etc/qubes/policy.d/30-ansible.policy

Next I created inventory file:

[local]
localhost
[local:vars]
ansible_connection=local
[appvms]
fedora-demo-appvm
[appvms:vars]
ansible_connection=qubes
[templatevms]
fedora-demo                             # this is existing template
fedora-clone-ansible 
[templatevms:vars]
ansible_connection=qubes

Then I created a playbook that should:

clone fedora-demo template as new template with name fedora-clone-ansible
start it
install flatpak package to it (by using mgmt-dvm as proxy)

This is my playbook.yaml:

---
- hosts: local
  connection: local
  tasks:
  - name: clone template
    qubesos:
      name: fedora-clone-ansible
      state: present
      template: "fedora-demo"
      vmtype: TemplateVM
      

- hosts: local
  tasks:
  - name: start template
    qubesos:
      name: fedora-clone-ansible
      state: running
      wait: true

- hosts: fedora-clone-ansible
  tasks:
  - name: install flatpak
    become: yes
    dnf:
      package: flatpak

Everything works fine until last task. Qubes starts mgmt-dvm-fedora-clone-ansible, but then I get an error:
fatal: [fedora-clone-ansible]: UNREACHABLE! => {
“changed”: false,
“msg”: “Failed to create temporary directory. In some cases, you may have been able to authenticate and did not have permissions on the target directory. Consider changing the remote tmp path in ansible.cfg to a path rooted in "/tmp", for more error information use -vvv. Failed command was: ( umask 77 && mkdir -p "echo ~/.ansible/tmp"&& mkdir "echo ~/.ansible/tmp/ansible-tmp-1778910509.4363546-763-113605423299708" && echo ansible-tmp-1778910509.4363546-763-113605423299708="echo ~/.ansible/tmp/ansible-tmp-1778910509.4363546-763-113605423299708" ), exited with result 1”,
“unreachable”: true
}
How to get this working?

barto · May 17, 2026, 6:28pm

The forum mangled your error message, which almost certainly contains backticks (`) - which I hate, for this reason…

First thing/idea that I would try is to move the “become: yes” line under “- hosts: fedora-clone-ansible” so that all the tasks are executed as root:

Quutio · May 18, 2026, 12:56pm

Thansk for you answer barto, but I still get same error. I don’t know, if this error means, that Ansible hasn’t permission to write to /tmp/ in mgmt-dvm or in target template; in my case fedora-clone-ansible (?)

ascent5 · May 18, 2026, 3:00pm

Same issue here when using a management VM based on Fedora 43, while one based on Debian 13 works fine.

Basic troubleshooting points to SELinux.

When you run ansible-playbook, add “-vvvv” to get a more detailed error message.

Edit: Missed a word.

Quutio · June 10, 2026, 9:04am

According to https://github.com/QubesOS/qubes-ansible it is possible to use a dedicated qube to run Ansible playbooks. If I want to e.g. clone a template:

---
- hosts: local
  connection: local
  tasks:
  - name: clone template
    qubesos:
      name: fedora-clone-ansible
      state: present
      template: "fedora-demo"
      vmtype: TemplateVM

what should I change for hosts and connection values? And how to change invenroty file?
I have made changes to files in /etc/qubes/policy.d/include/ and created /etc/qubes/policy.d/30-mgmtvm.policy file as instructed in Github.