I've got a CentOS cluster where /home is going to get mounted over nfs. So I think the centos user's home should get moved to somewhere which will remain local, maybe /var/lib/centos or something. But given centos is the ansible_user I can't use:
hosts: cluster
become: yes
tasks:
- ansible.builtin.user:
name: centos
move_home: yes
home: "/var/lib/centos"
as unsurprisingly it fails with
usermod: user centos is currently used by process 45028
Any semi-tidy workarounds for this, or better ideas?
I don't think you're going to be able to do this with the user module if you're connecting as the centos user. However, if you handle the individual steps yourself it should work:
---
- hosts: centos
gather_facts: false
become: true
tasks:
- command: rsync -a /home/centos/ /var/lib/centos/
- command: sed -i 's,/home/centos,/var/lib/centos,' /etc/passwd
args:
warn: false
- meta: reset_connection
- command: rm -rf /home/centos
args:
warn: false
This relocates the home directory, updates /etc/passwd, and then removes the old home directory. The reset_connection is in there to force a new ssh connection: without that, Ansible will be unhappy when you remove the home directory.
In practice, you'd want to add some logic to the above playbook to make it idempotent.
Related
I am setting up a playbook that automatically configures my workstation. This will hopefully allow me to quickly install linux somewhere and automatically have all the resources I need.
One of the steps is installing homebrew and I cannot figure out how to do it.
I have created this playbook
- hosts: localhost
become: yes
become_user: myUser
tasks:
- name: Download homebrew install script from source
get_url:
url: https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh
dest: ~/Downloads/install_homebrew.sh
mode: 'u+rwx'
- name: Install homebrew
shell: ~/Downloads/install_homebrew.sh
and run it with ansible-playbook myplaybook.yaml.
However, when I execute it, there is a permission denied error. Apparently this is because of how the copy-module works (here). So I thought I'd just run the sudo ansible-playbook myplaybook.yaml instead. This leads to the exact same permission error. I guess this is because I have become_user: myUser.
However, when i remove become_user, I obviously get another error Destination /root/Downloads does not exist because my destination is coded to the users download-directory.
So how can I execute the playbook as the user myUser but with root privileges? This would allow me to access the root-stuff but still refer to my home-directory. In theory this should be possible since I can run
sudo ls -a /root && ls ~/
and get both the content of the root-folder and of my home directory. But I don't know how to do this in ansible.
I'd like to make a playbook that shows me the user currently in use.
this is my ansible cfg:
[defaults]
inventory=inventory
remote_user=adminek
[privilege_escalation]
become=true
[ssh_connection]
allow_world_readable_tmpfiles = True
ssh_args = -o ControlMaster=no -o ControlPath=none -o ControlPersist=no
pipelining = false
and this is my playbook
---
- name: show currenty users
hosts: server_a
tasks:
- name: test user - root
shell: "whoami"
register: myvar_root
- name: test user - user2
become: true
become_user: user2
shell: "whoami"
register: myvar_user2
- name: print myvar root
debug:
var: myvar_root.stdout_lines
- name: print myvar user2
debug:
var: myvar_user2.stdout
taks "test user - root" work fine and give me output
ok: [172.22.0.134] => {
"myvar_root.stdout_lines": [
"root"
]
}
taks "test user - user2" give me output
fatal: [172.22.0.134]: FAILED! => {"msg": "Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user (rc: 1, err: chown: changing ownership `/var/tmp/ansible-tmp-1621340458.2-11599-141854654478770/': Operation permited\nchown: changing ownership `/var/tmp/ansible-tmp-1621340458.2-11599-141854654478770/AnsiballZ_command.py': Operation permited\n}). For information on working around this, see https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user"}
Explanation:
adminek- sudoer user
User2 - non sudoers users
OS - Scientific Linux release 6.9
Additionaly I hgad similar problem on ubuntu 18.04 but when i installed acl begun works
Someone know what is wrong?
Thanks for help!
One of the following options should fix your issue:
Ensure sudo is installed on the remote host
Ensure acl is installed on the remote host
Uncomment the following lines in /etc/ansible/ansible.cfg:
allow_world_readable_tmpfiles = True
pipelining = True
#F1ko thanks for reply.
I did what you wont and I installed acl on my host, but steal was wrong.
I added to visudo.
Defaults:user2 !requiretty
Defaults:adminek !requiretty
I dont know it's ok and secure but work.
for me it worked installing the acl package in host
- name: Install required packaged
yum:
name: "{{ item }}"
state: present
with_items:
- acl
- python3-pip
in my case I used centos/07, if you use ubuntu, change yum to apt.
I have a playbook than run roles, and logs in the server with a user that has the sudo privileges. The problem is that, when switching to this user, I still need to use sudo to, say, install packages.
ie:
sudo yum install httpd
However, Ansible seems to ignore that and will try to install packages without sudo, which will result as a fail.
Ansible will run the following:
yum install httpd
This is the role that I use:
tasks:
- name: Import du role 'memcacheExtension'
import_role:
name: memcacheExtension
become: yes
become_method: sudo
become_user: "{{become_user}}"
become_flags: '-i'
tags:
- never
- memcached
And this is the tasks that fails in my context:
- name: Install Memcached
yum:
name: memcached.x86_64
state: present
Am I setting the sudo parameter at the wrong place? Or am I doing something wrong?
Thank you in advance
You can specify become: yes a few places. Often it is used at the task level, sometimes it is used as command line parameter (--become, -b run operations with become). It can be also set at the play level:
- hosts: servers
become: yes
become_method: enable
tasks:
- name: Hello
...
You can also enable it in group_vars:
group_vars/exmaple.yml
ansible_become: yes
For your example, using it for installing software I would set it at the task level. I think in your case the import is the problem. You should set it in the file you are importing.
I ended up specifying Ansible to become root for some of the tasks that were failing (my example wasn't the only one failing, and it worked well. The tweak in my environment is that I can't login as root, but I can "become" root once logged in as someone else.
Here is how my tasks looks like now:
- name: Install Memcached
yum:
name: memcached.x86_64
state: present
become_user: root
Use shell module instead of yum.
- name: Install Memcached
shell: sudo yum install -y {{ your_package_here }}
Not as cool as using a module, but it will get the job done.
Your become_user is ok. If you don't use it, you'll end up trying to run the commands in the playbook, by using the user used to stablish the ssh connection (ansible_user or remote_user or the user used to execute the playbook).
I'm an ansible newbie.
I'm using ansible 2.3.0.0
I have the playbook below to bootstrap nodes for a k8s cluster in openstack:
- name: bootstrap
hosts: coreos
become_user: root
become_method: su
gather_facts: False
roles:
- defunctzombie.coreos-bootstrap
tasks:
- lineinfile:
path: /etc/coreos/update.conf
state: present
regexp: '^REBOOT_STRATEGY'
line: 'REBOOT_STRATEGY=off'
I want to turn off auto-reboots on coreos because our openstack installation has a problem with reboots not coming back up properly and having coreos reboot often is causing instance to have to be manually shut down and restarted.
Anyway, the playbook above doesn't work. I get this error:
"The destination directory (/etc/coreos) is not writable by the current user. Error was: [Errno 13] Permission denied: '/etc/coreos/.ansible_tmppQCJrCupdate.conf'"
So my syntax is wrong (I've tried a few different combinations with no luck).
Could someone point me in the right direction? And feel free to make a suggestion on anything about this playbook.
Thanks!
Instead of execute playbook as root user, use different user with sudo access.
Please try this:
- name: bootstrap
hosts: coreos
user: <user_name>
become_method: sudo
gather_facts: False
roles:
- defunctzombie.coreos-bootstrap
tasks:
- lineinfile:
path: /etc/coreos/update.conf
state: present
regexp: '^REBOOT_STRATEGY'
line: 'REBOOT_STRATEGY=off'
Replace <user_name> with your user.
Run your playbook as ansible-playbook <playbook_name> --ask-sudo-pass
Our actual setup runs on AWS where we have RDS available, but in vagrant we naturally need to install MySQL locally. What's the normal way of skipping installation with Vagrant? My ansible file looks something like this:
---
- name: foo
hosts: foo
sudo: yes
roles:
- common-web
- bennojoy.mysql
- php
I would recommend having specific groups in your inventory file, and run an 'install locally' playbook on the vagrant instances. This also means you would want to run an 'install RDS config' playbook on the AWS instances of course...
Trying to do all the things in all the places in one playbook is possible, but imo its cleaner to have different playbooks for different environments.
You can do this, as the vagrant always created a directory on the root level "/vagrant"
So just check it like this:
---
- name: foo
hosts: foo
sudo: yes
roles:
- common-web
- bennojoy.mysql
- php
tasks:
- name: Check that /vagrant directory exist
command: /usr/bin/test -e /vagrant
register: dir_exists
roles:
- common-web
- { role: bennojoy.mysql, when: when: dir_exists.rc == 0 }
- php
Here I am supposing that "bennojoy.mysql" is your main mysql role, please check it and let me know if it work for you. Thanks