Change Ansible becomes command - bash

In our organization, we have strict policies on our Linux users. We, in our case have a user that can execute sudo su - myuser without a password. But as soon as we add -c behind the su command that is not allowed.
The problem is Ansible adds the -c when executing the "become" command in order to set the environment variables.
My becomes variables:
become: yes
become_user: myuser
become_method: sudo
become_flags: 'su - '
Ansible executes the following:
sudo su - myuser -c '"'"'"'"'"'"'"'"'/bin/sh -c '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-lksjasdhksldjfhsdklhfshsklhkljsh; /usr/bin/python /tmp/ansible-tmp-1602838989.23-135651442029159/setup.py
And this error is caused:
fatal: [xbi407cl03vm01.dbaas.ing.net]: FAILED! => {
"msg": "Timeout (32s) waiting for privilege escalation prompt: "
}
This causes a timeout because the -c is not allowed.
Is there a way to force Ansible to only run the command after the become command was successful?
Or is there an alternative way of changing user for a playbook?

Related

ansible execute shell script with differenr user

I am trying to execute shell script using ansible shell module as shown in below code
-name : Execute
become_user: someuser
shell:
cmd: "./script.ksh"
chdir: "/path/to/script"
But the script still uses my login instead of "someuser". How this can be fixed ?
As suggested by #β.εηοιτ.βε the become: yes is missing, see exapmles and explanation in Become directives.
do you think become: yes is nothing but sudo ?
The default setting (atleast in my case) uses sudo.
To see the default become_method being used, check your "closest" ansible.cfg in the hierarchy.
You can run the playbook in verbose mode and by using -vvv increase verbosity to see the exact commands being used.
If the become: yes with become_user: <username> doesn't help try using a different become_method.
Example with su and su -:
- name : Execute
shell:
cmd: "./script.ksh"
chdir: "/path/to/script"
become: yes
become_user: someuser
become_method: "su"
or:
- name : Execute
shell:
cmd: "su - someuser -c './script.ksh'"
chdir: "/path/to/script"
become: yes
In this case you will most likely recieve the following warning:
[WARNING]: Consider using 'become', 'become_method', and 'become_user' rather than running su

Ansible: fatal: [test1]: FAILED! => {"msg": "Timeout (62s) waiting for privilege escalation prompt: "}

I have the below ansible script whre it got failed
- name: Download Java to Latest Version
become: yes
become_method: sudo
become_flags: su
become_user: root
shell: |
cd /home
wget -c --header "Cookie: oraclelicense=accept-securebackup-cookie" {{javaurl}}
tar -xzvf ./jdk-*.tar.gz
rm ./jdk-*.tar.gz
Fatal: [test1]: FAILED! => {"msg": "Timeout (62s) waiting for privilege escalation prompt: "}
but manually I can able to do it
ra#HS-PF1XLASF:/home$ sudo su
root#HS-PF1XLASF:/home#
If you are running your playbook with -kK then you only need a become: yes there.
I would guess that other become* parameters make the sudo to start the interactive prompt, which nobody is there to answer :)

Is there an alternative for Ansible's `become: yes`?

I want to run an Ansible playbook to provision a server. I can ssh into the server as a non-root user. I have sudo privileges, but I am not allowed to switch to root user. I effectively just want to execute sudo mkdir /opt/some_directory (the command works when I ssh in and execute the command on the server).
Using become:true produces the error of trying to switch to root user and then creating the directory, I think.
The Code:
- name: "Info: Creating directory."
become: true
file:
path: "{{ directory }}"
state: directory
mode: '0755'
The error I am getting is Sorry, user xxxxx is not allowed to execute '/bin/sh -c echo BECOME-SUCCESS...
Q: "Is there an alternative for Ansible's become: yes? I have sudo privileges, but I am not allowed to switch to root user. I effectively just want to execute sudo mkdir /opt/some_directory ..."
A: No. Quoting from Can’t limit escalation to certain commands
"Privilege escalation permissions have to be general... If you have ‘/sbin/service’ or ‘/bin/chmod’ as the allowed commands this will fail "...

Ansible sudo command without password checking

I would like to use ansible in a full automated context, where I cannot manually type passwords. To deal with this, I connect the servers with SSH public key, and I whitelisted severals commands such as apt-get install * in my sudoers configuration so I do not need a password to run them. For instance sudo apt-get install git.
However if the setting become is True in a playbook, ansible asks me for a password it does not need.
How can I tell ansible to run a command as sudo, without asking me a password?
Do you know another way to install apt packages without password?
Should I use another become method?
sudoers conf
myuser ALL = NOPASSWD: /usr/bin/apt-get install *
ansible
- name: install the latest version of ntpdate
package:
name: ntpdate
state: latest
become: True
Produces this output:
failed: [x.x.x.x] (item=ntpdate) => {"failed": true, "item": "python3-dev", "module_stderr": "", "module_stdout": "sudo: a password is required\r\n", "msg": "MODULE FAILURE", "rc": 1}
The simple answer is that you cannot do it without enabling all commands (or at least python).
Ansible does not run the commands as you expect it to run. It runs Python scripts. You can see the exact command when you execute ansible-playbook with -vvv. They are much more complex and to enable them you would have to add them to sudoers, for example:
sudo -H -S -n -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-xxxxxx;
/usr/bin/python /var/www/.ansible/tmp/ansible-tmp-xxxxxxxx/apt.py;
rm -rf "/var/www/.ansible/tmp/ansible-tmp-xxxxxxxx/" > /dev/null 2>&1'"'"'
&& sleep 0
The tricky part is that all spaces, quotes, and other special characters are relevant and until you get the correct command pattern by trial and error, replacing characters with wildcards, the system will not allow the command to run with elevated privileges. Effectively you won't be able to whitelist all the commands Ansible runs.
The only exception is raw module which runs the given command intact.
In all the Ansible playbooks I have worked on, I had to do only 2 things so that tasks run with become:True
Create file /etc/sudoers.d/demo on the target hosts with below content:
demo ALL=(ALL) NOPASSWD:ALL
Copy ssh id from Ansible host to target host using ssh-copy-id
template/without_sudo
%sudo ALL=(ALL) NOPASSWD: ALL
%sudo ALL=(ALL) NOPASSWD: /sbin/poweroff, /sbin/reboot, /sbin/shutdown
tasks/main.yml
- name: Sudoers no password
raw: echo '{{ user_password }}' | sudo -S sh -c 'echo "{{ lookup('file', 'templates/without_sudo') }}" > /etc/sudoers.d/without_sudo'
no sudo for the rest of the ansible command
You can use the ansible 'command' module with sudo as part of the command, instead of 'become: yes'
- name: install the latest version of ntpdate
command: 'sudo apt-get update ntpdate'
The downside is that this is much less portable. The upside is, it works... and you only need to whitelist the specific command.
in my opinion, if you set your node with =(ALL) NOPASSWD:ALL. then anybody: including the hackers can access your nodes.
so what I can suggest ,
ansible-playbook <name>.yml --ask-sudo-pass
this will ask your node sudo password. and u can execute ur operation, as I guess you know ur node's credential.

How can I run commands in sudo mode with ansible playbook?

I am trying to run a "folder creation" command with my ansible playbook. (Code is below)
The creation requires sudo login to execute.
I run the playbook as follows:
ansible-playbook myfile.yml --ask-pass
This prompts for user account password of remote machine.
The ssh connection gets established, but commands fail with permission denied since its not taking super user password.
How can I fix my issue?
hosts: GSP
tasks:
- name: "make build directory"
command: mkdir -p /home/build/
become: true
become_user: root
- name: "change permissions on the directory"
command: chmod 777 -R /home/
become: true
become_user: root
There's also --ask-become-pass switch for ansible-playbook cli to query user for sudo password.
You can add the ansible_become_pass variable to specify the become password in your playbook.
More details can be found here:
http://docs.ansible.com/ansible/latest/become.html

Resources