Ansible privilege escalation become with sudo -i - ansible

I can become root on host only with command "sudo -i". I must be root to make some changes on this host. How can I become root with this method using ansibleplaybook?

For privilege escalation, become allows you to specify both become_method and become_flags:
- name: My playbook
hosts: myhosts
become: yes
become_method: sudo
become_flags: '-i'
tasks:
- name: My task
[..]

Related

ansible execute shell script with differenr user

I am trying to execute shell script using ansible shell module as shown in below code
-name : Execute
become_user: someuser
shell:
cmd: "./script.ksh"
chdir: "/path/to/script"
But the script still uses my login instead of "someuser". How this can be fixed ?
As suggested by #β.εηοιτ.βε the become: yes is missing, see exapmles and explanation in Become directives.
do you think become: yes is nothing but sudo ?
The default setting (atleast in my case) uses sudo.
To see the default become_method being used, check your "closest" ansible.cfg in the hierarchy.
You can run the playbook in verbose mode and by using -vvv increase verbosity to see the exact commands being used.
If the become: yes with become_user: <username> doesn't help try using a different become_method.
Example with su and su -:
- name : Execute
shell:
cmd: "./script.ksh"
chdir: "/path/to/script"
become: yes
become_user: someuser
become_method: "su"
or:
- name : Execute
shell:
cmd: "su - someuser -c './script.ksh'"
chdir: "/path/to/script"
become: yes
In this case you will most likely recieve the following warning:
[WARNING]: Consider using 'become', 'become_method', and 'become_user' rather than running su

ansible become_user does not take environment settings

I have linux box, where there is a user "user1", using C shell. The user has .cshrc in its home directory with some useful environment settings.
when I use this ansible logic though, the environment is not set properly for the user.
---
- name: some playbook
hosts: remote_host
become: yes
become_user: root
become_method: sudo
tasks:
- name: Check environment variables for user1
become: yes
become_user: user1
become_method: sudo
shell: "env"
register: envresult
- name: debug env
debug:
var: envresult.stdout
In the output I can see that the variables set in .cshrc are not in the environment. How can I force ansible to process the login scripts of users upon become?
Thank you!
You should add become_flags: "-i" to your playbook. The task then looks like
- name: Check environment variables for user1
become: yes
become_user: user1
become_method: sudo
become_flags: "-i"
shell: "env"
register: envresult
More Information is available at the Ansible documentation.

My playbook is not working. I can't copy the file

Ansible host:
CentOS 6( 2.6.32-754.35.1.el6.x86_64)
Python version 2.6
Ansible version 2.6
Test virtual machine:
CentOS 7 (CentOS Linux release 7.9.2009 (Core) 3.10.0-1160.11.1.el7.x86_64)
Python 2.7.5
how I added the user to the test server:
groupadd -g 590 www
groupadd -g 591 playbookuser
adduser -u 690 -g 591 playbookuser
usermod -a -G www playbookuser
mkdir -p /home/playbookuser/.ssh/
echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAA==">> /home/playbookuser/.ssh/authorized_keys
chmod 600 /home/playbookuser/.ssh/authorized_keys
chown -R playbookuser.playbookuser /home/playbookuser/
In /etc/sudoers addet "playbookuser ALL=(ALL) NOPASSWD:ALL"
then I create and run playbook:
---
- hosts: all
become: yes
become_method: sudo
gather_facts: no
tasks:
- name: backup sshd config
copy:
src: /etc/ssh/sshd_config
dest: /etc/ssh/sshd_config.bak
backup: yes
Ansible connects by ssh to the test machine and executes commands from the user playbookuser
Then the playbook will not work, what is the problem please tell me ?
PS. if you run the same command from the user in the console with the sudo prefix , then everything is ok.
but I get this error:
MSG:
an error occurred while trying to read the file '/etc/ssh/sshd_config': [Errno 13] Permission denied: '/etc/ssh/sshd_config'
to retry, use: --limit #/var/lib/****/workspace/test_adm_deploy/174/backup_sshd%20_config.retry
The answer to this is listed in a comment.
remote_src: yes
Should be added.
backup: yes
Should be removed.

How to use Double Sudo in Ansible without password for root access

I login to server (CentOs 7) as my user and execute double sudo to become root. No password is required at such times.
Command: sudo sudo su
I need to install applications on such server as root user using Ansible (2.7)
Unfortunately, when i try following it gives: ""msg": "Timeout (12s) waiting for privilege escalation prompt: ""
---
- name: Copy file
become: true
become_method: su
hosts: all
tasks:
- name: Copy file
copy:
src: abc.txt
dest: /tmp/
I have tried other versions like changing become_method to sudo, etc. But they don't work. Any suggestion will help?

How to run sudo -u username command in Ansible?

I want to run a specific command as sudo -u username <command name> using Ansible.
I tried below task, but facing permissions issue.
---
-
hosts: all
become: yes
vars_files:
- vars.yml
tasks:
- name: "Create solr cores"
shell: /opt/apps/solr/bin/solr create -c test10
become_flags: '-u solr'
register: core_one
# changed_when: '"\"status\":0" in core_one.stdout'
Could anyone suggest on this?
The correct way to run a task is the following.
Having proper permissions is a prerequisite. Refer to man sudoers to learn more
- name: "Create solr cores"
shell: /opt/apps/solr/bin/solr create -c test10
become: yes
become_user: solr
register: core_one
You already have become: yes on the play level, so just for clarity.
remote_user: ansible
tasks:
- name: "Create solr cores"
shell: /opt/apps/solr/bin/solr create -c test10
become: yes
become_user: solr
register: core_one
In above example ansible connects to remote machine using user 'ansible'. Now this ansible user should have permission to switch to another user. i.e it should have root privileges
What happens with above code:
* ssh connection is made via ansible user (ansible-play does it)
* It uses command "sudo su solr" internally
* Then execute the command which is mentioned in shell

Resources