I want to run an Ansible playbook to provision a server. I can ssh into the server as a non-root user. I have sudo privileges, but I am not allowed to switch to root user. I effectively just want to execute sudo mkdir /opt/some_directory (the command works when I ssh in and execute the command on the server).
Using become:true produces the error of trying to switch to root user and then creating the directory, I think.
The Code:
- name: "Info: Creating directory."
become: true
file:
path: "{{ directory }}"
state: directory
mode: '0755'
The error I am getting is Sorry, user xxxxx is not allowed to execute '/bin/sh -c echo BECOME-SUCCESS...
Q: "Is there an alternative for Ansible's become: yes? I have sudo privileges, but I am not allowed to switch to root user. I effectively just want to execute sudo mkdir /opt/some_directory ..."
A: No. Quoting from Can’t limit escalation to certain commands
"Privilege escalation permissions have to be general... If you have ‘/sbin/service’ or ‘/bin/chmod’ as the allowed commands this will fail "...
Related
I am new to awx i use pre-exsisting playbook when i run it from ubuntu 20 terminal it works fine but i want to run it through awx when i run it from awx i get this error.
Failed to change ownership of the temporary files Ansible needs to create despite connecting as a privileged user. Unprivileged become user would be unable to read the file`
I install nextcloud from blog and i use these two commands at the end.
chown -R www-data:www-data /var/www/html/nextcloud
chmod -R 775 /var/www/html/nextcloud
the task where it throw error is this:
---
# tasks file for upgrade-nextcloud
- name: "[NC-Upgrade] - Get current version."
become_user: "{{ nextcloud_websrv_user }}"
command: php occ status --output=json
args:
chdir: "{{ nextcloud_webroot }}"
register: nc_current_version
changed_when: false
where become_user: "{{ nextcloud_websrv_user }}" is www-data. When i run it become_user: root then it say /var/www/html/nextcloud directory not found.
Do i need to mount the directory /var/www/html/nextcloud in awx_web container if i run it as a root.
The issue is fix the only problem is
connection:local
in main.yml so just need to remove it and i run it on a remote machine and also didn't provide the ssh credentials.
I'm having, what appears to be, a common issue of running shell/terminal commands via an ansible playbook.
If I were to go onto on of my remote machines and type the command on a fresh terminal window, it works, however attempting to do the same via a playbook is having directory issues.
This is essentially the command, but some of it changed a little for privacy, but its essentially an authenticator...
authenticator authenticate user userkeytab
If I try to just run it as shell, I get an error that the authenticator command cant be found in /bin/sh, so I attempted to use chdir to run the command at the default window, (/Users/username).
Here is roughly, the playbook, with one of my failed attempts... I just don’t know what chdir I should be using...
- hosts: all
tasks:
- name: Reauthenticate login
shell: authenticator authenticate user userkeytab
args:
chdir: ~/
ive also tried usr/local/bin.... any thoughts?
can you try with the 'command' module, example below:
- name: Change the working directory to somedir/ and run the command as db_owner if /path/to/database does not exist.
command: /usr/bin/make_database.sh db_user db_name
become: yes
become_user: db_owner
args:
chdir: somedir/
creates: /path/to/database
Resource:
https://docs.ansible.com/ansible/latest/modules/command_module.html
I want to perform some actions, that do not require using the Administrator account. For example, cloning a git repo or creating a folder.
I tried this:
- name: Create gogo1 directory
win_shell: mkdir c:\tmp\gogo1
become: yes
become_user: vagrant
vars:
ansible_become_pass: vagrant
This creates the desired directoy, but when I am logged in as user vagrant and try to remove it I get:
You'll need to provide administrator permission to delete this folder.
The user Vagrant is not given any permissions to the folder gogo1.
I need to do this in addition:
- name: Change owner of gogo1
win_owner:
path: c:\tmp\gogo1
user: vagrant
recurse: yes
Using win_psexec works as intended. It creates the directory, gives user vagrant the permissions, and thus I can delete it without being prompted with the above message.
- name: Create gogo2 directory
win_psexec:
command: cmd /k "cd c:\tmp && mkdir gogo && exit"
username: vagrant
password: vagrant
How can I use become and become_user to create a folder (or do clone a git repo) and giving the user all necessary permissions and ownership (like win_psexec does?
For become to work as you want you need it to login interactively so the profile for the user is loaded when the folder is created.
To do this you can try to set the login_flags (Ansible 2.5+) on become like so:
- name: Create gogo1 directory
win_shell: mkdir c:\tmp\gogo1
become: yes
become_user: vagrant
become_flags: logon_type=interactive logon_flags=with_profile
vars:
ansible_become_pass: vagrant
You can read all the specifics on become_flags here: http://docs.ansible.com/ansible/latest/user_guide/become.html
I am trying to run a "folder creation" command with my ansible playbook. (Code is below)
The creation requires sudo login to execute.
I run the playbook as follows:
ansible-playbook myfile.yml --ask-pass
This prompts for user account password of remote machine.
The ssh connection gets established, but commands fail with permission denied since its not taking super user password.
How can I fix my issue?
hosts: GSP
tasks:
- name: "make build directory"
command: mkdir -p /home/build/
become: true
become_user: root
- name: "change permissions on the directory"
command: chmod 777 -R /home/
become: true
become_user: root
There's also --ask-become-pass switch for ansible-playbook cli to query user for sudo password.
You can add the ansible_become_pass variable to specify the become password in your playbook.
More details can be found here:
http://docs.ansible.com/ansible/latest/become.html
I am writing an Ansible playbook to automate a series of sudo commands on various hosts. When I execute these commands individually in puTTY, I have no permission problems, as I have been granted proper access. However, when I attempt to create a playbook to do the same thing, I am told
user is not allowed to execute ... on host_name
For example, if I do $ sudo ls /root/, I have no problem, and, once I enter my password, can see the contents of /root/
In the case of my Ansible playbook ...
---
- host: servers
tasks:
- name: ls /root/
shell: ls /root/
become: true
become_method: sudo
...I then get the error mentioned above.
Any ideas why this would be the case? It seems to be telling me I don't have permission to run a command that I otherwise could run in an individual puTTY terminal.
[ ] automate a series of sudo commands on various hosts. When I execute these commands individually [ ]
Any ideas why this would be the case?
Sounds like you configured specific commands in the sudoers file (unfortunately you did not provide enough details, fortunately you asked for "ideas" not the real cause).
Ansible shell module does not run the command you specify prepended with sudo - it runs the whole shell session with sudo, so the command doesn't match what you configured in sudoers.
Either allow all commands to be run with elevated privileges for the Ansible user, or use raw module instead of shell.