Ansible: user escalation failed

Edit: this line, ansible_become_pass: "{{ scrappy.pass }}" # scrappy's password, was the root of the problem. It should be the ubuntu user's password.

I'm having a hard time understanding how to set per-task privileges in Ansible.

So, given the playbook scrappy, I want to log in as the admin user (ubuntu) but perform some operations as the user scrappy.

Note:

  • scrappy and ubuntu are both in the sudoers file
  • both have the same set of permissions: name ALL=(ALL) ALL
  • but ubuntu is the only user allowed to log in to the host

Playbook scrappy.yml:

---
- hosts: fig
  name: LogInAsUbuntuButDoSomethingAsScrappy
  gather_facts: false
  remote_user: ubuntu
  vars:
    ansible_become_pass: "{{ scrappy.pass }}"
    ansible_ssh_private_key_file: "{{ ubuntu_key_path }}"

  roles:
    - examplerole

The task is:

- name: ScrappyDoesSomething
  become_user: scrappy
  become: true
  apt: 
    name: python3-pip
    state: present

However, running the above playbook results in:

TASK [fig : Run some command as docker user] *********************************************************************
task path: /Users/pnotes/Code/Ansible/example/roles/fig/tasks/main.yml:35
<xx.xxx.xx.xxx> ESTABLISH SSH CONNECTION FOR USER: ubuntu
<xx.xxx.xx.xxx> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/Users/pnotes/.ssh/test_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ubuntu -o ConnectTimeout=10 -o ControlPath=/Users/pnotes/.ansible/cp/e54428a659 xx.xxx.xx.xxx '/bin/sh -c '"'"'echo ~ubuntu && sleep 0'"'"''
<xx.xxx.xx.xxx> (0, b'/home/ubuntu\n', b'')
<xx.xxx.xx.xxx> ESTABLISH SSH CONNECTION FOR USER: ubuntu
<xx.xxx.xx.xxx> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/Users/pnotes/.ssh/test_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ubuntu -o ConnectTimeout=10 -o ControlPath=/Users/pnotes/.ansible/cp/e54428a659 xx.xxx.xx.xxx '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /var/tmp/ansible-tmp-1540132846.970539-145559158546185 `" && echo ansible-tmp-1540132846.970539-145559158546185="` echo /var/tmp/ansible-tmp-1540132846.970539-145559158546185 `" ) && sleep 0'"'"''
<xx.xxx.xx.xxx> (0, b'ansible-tmp-1540132846.970539-145559158546185=/var/tmp/ansible-tmp-1540132846.970539-145559158546185\n', b'')
Using module file /Users/pnotes/.pyenv/versions/3.6.4/lib/python3.6/site-packages/ansible/modules/packaging/os/apt.py
<xx.xxx.xx.xxx> PUT /Users/pnotes/.ansible/tmp/ansible-local-33576100fmfnk/tmpp4r90jce TO /var/tmp/ansible-tmp-1540132846.970539-145559158546185/AnsiballZ_apt.py
<xx.xxx.xx.xxx> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/Users/pnotes/.ssh/test_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ubuntu -o ConnectTimeout=10 -o ControlPath=/Users/pnotes/.ansible/cp/e54428a659 '[xx.xxx.xx.xxx]'
<xx.xxx.xx.xxx> (0, b'sftp> put /Users/pnotes/.ansible/tmp/ansible-local-33576100fmfnk/tmpp4r90jce /var/tmp/ansible-tmp-1540132846.970539-145559158546185/AnsiballZ_apt.py\n', b'')
<xx.xxx.xx.xxx> ESTABLISH SSH CONNECTION FOR USER: ubuntu
<xx.xxx.xx.xxx> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/Users/pnotes/.ssh/test_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ubuntu -o ConnectTimeout=10 -o ControlPath=/Users/pnotes/.ansible/cp/e54428a659 xx.xxx.xx.xxx '/bin/sh -c '"'"'setfacl -m u:rekc:r-x /var/tmp/ansible-tmp-1540132846.970539-145559158546185/ /var/tmp/ansible-tmp-1540132846.970539-145559158546185/AnsiballZ_apt.py && sleep 0'"'"''
<xx.xxx.xx.xxx> (0, b'', b'')
<xx.xxx.xx.xxx> ESTABLISH SSH CONNECTION FOR USER: ubuntu
<xx.xxx.xx.xxx> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/Users/pnotes/.ssh/test_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ubuntu -o ConnectTimeout=10 -o ControlPath=/Users/pnotes/.ansible/cp/e54428a659 -tt xx.xxx.xx.xxx '/bin/sh -c '"'"'sudo -H -S  -p "[sudo via ansible, key=hegelcumrkxfphxoykzfggauamdrklck] password: " -u rekc /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-hegelcumrkxfphxoykzfggauamdrklck; /usr/bin/env python3.6 /var/tmp/ansible-tmp-1540132846.970539-145559158546185/AnsiballZ_apt.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
Escalation failed
fatal: [xx.xxx.xx.xxx]: FAILED! => {
    "msg": "Incorrect sudo password"
}

Can someone explain what I'm missing here? Thanks.

Answer 1

If the task needs to be run by root, you shouldn't use become_user - that runs the task as a user without privileges.

- name: ScrappyDoesSomething
  become: true
  apt: 
    name: python3-pip
    state: present

In that case it will be ubuntu who requests the escalation, since they are set as the remote_user. If you need scrappy to be the one requesting the escalation, then remote_user for the task should be set to scrappy, but become_user should still be root. Since the remote user is set for the playbook, if you want to change the user you need a new playbook.
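As an added example (not code from the question or from this answer), here is the play rewritten so that the become password is the login user's (ubuntu's) password, as the edit at the top of the question notes, with one task escalating to root and one running as scrappy. ubuntu_sudo_pass is an assumed variable name; fig and ubuntu_key_path are taken from the question.

```yaml
---
- hosts: fig
  name: LogInAsUbuntuThenEscalate
  gather_facts: false
  remote_user: ubuntu
  vars:
    # sudo prompts the *login* user (ubuntu) for ubuntu's own password,
    # regardless of which account is named in become_user. The question's
    # log shows exactly this: "sudo -H -S -p ... -u <user> /bin/sh -c ...",
    # run over the ubuntu SSH session.
    # ubuntu_sudo_pass is an assumed variable: load it from an
    # ansible-vault encrypted file rather than writing it in plain text.
    ansible_become_pass: "{{ ubuntu_sudo_pass }}"
    ansible_ssh_private_key_file: "{{ ubuntu_key_path }}"
  tasks:
    # Package installation needs root. become without become_user
    # escalates to root, which is Ansible's default become_user.
    - name: Install pip as root
      become: true
      apt:
        name: python3-pip
        state: present

    # Work that only needs scrappy's identity escalates to that user
    # instead, so the task never runs with root's privileges.
    - name: Run something as scrappy
      become: true
      become_user: scrappy
      command: id -un
      register: whoami
      changed_when: false

    - name: Report which account the previous task ran as
      debug:
        msg: "second task ran as {{ whoami.stdout }}"
```

The sudoers entry from the question (name ALL=(ALL) ALL) is what lets ubuntu switch to scrappy as well as to root; with ansible_become_pass set to ubuntu's password, both tasks pass the same sudo prompt, and the only thing that changes between them is the target user.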

Answer 2

One option is to allow the user ubuntu to use sudo without a password

ubuntu ALL=(ALL) NOPASSWD: ALL

Actually, this is a requirement for following security best practice. In Ansible, the best practice is that the remote user logs in only with an ssh key (no password).

Is an ansible user with passwordless sudo insecure?
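Added example, not part of this answer: if you go the NOPASSWD route, the safe way to roll the rule out is as a drop-in under /etc/sudoers.d, written with the right ownership and mode and checked by visudo before it is moved into place, so a typo cannot leave the host with a broken sudo. The file name ubuntu-ansible is an assumption; the rule itself is the one from the answer.

```yaml
---
- hosts: fig
  name: GrantUbuntuPasswordlessSudoForAnsible
  remote_user: ubuntu
  # This play still escalates the old way once: supply ubuntu's password
  # with --ask-become-pass (or ansible_become_pass) for this single run.
  become: true
  tasks:
    - name: Install a sudoers drop-in for the ubuntu user
      copy:
        # Assumed file name. Drop-ins are read because the stock Ubuntu
        # /etc/sudoers includes /etc/sudoers.d via its includedir directive.
        dest: /etc/sudoers.d/ubuntu-ansible
        # The rule from the answer. If you never need become_user: scrappy,
        # narrow the target user to (root) instead of (ALL). Do not try to
        # narrow it to a command list: Ansible runs every module through
        # "sudo -u <user> /bin/sh -c ..." (see the log in the question), so
        # a command-restricted NOPASSWD rule never matches and become fails.
        content: |
          ubuntu ALL=(ALL) NOPASSWD: ALL
        owner: root
        group: root
        # sudo refuses world- or group-writable sudoers files; 0440 is the
        # mode visudo itself uses.
        mode: "0440"
        # visudo -cf parses the candidate file first; a syntax error makes
        # this task fail rather than replacing the file.
        validate: /usr/sbin/visudo -cf %s
```

Because the ubuntu account is reachable only with an SSH key, the trust boundary after this change is the private key: treat it like a root credential (key passphrase, restricted permissions, and an audit trail for where it is used).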
