I'm logging into another computer as the unprivileged user ansible and I'd like to have ansible enable a systemd user service for the user bob.
Without ansible, the solution would be ssh bob#machine followed by systemctl --user enable service
However, with ansible, there are two problems:
Newer versions of ansible will refuse to become the unprivileged user bob if already logged in as another unprivileged user (ansible).
Even if this worked, dbus would not be started and systemctl would not be able to talk to systemd (if I understood this correctly).
A horribly ugly workaround would be to execute the shell command, have the remote host ssh into itself as bob and run the systemctl raw command there.
Is there a nicer way to get this done?
Both options are feasible.
remote_user: bob
- hosts: test_01
become: no
remote_user: admin
tasks:
- command: whoami
register: result
- debug:
var: result.stdout
- command: whoami
remote_user: bob
register: result
- debug:
var: result.stdout
gives (abridged)
result.stdout: admin
result.stdout: bob
pipelining = true quoting from Becoming an Unprivileged User
Use pipelining. When pipelining is enabled, Ansible doesn’t save the module to a temporary file on the client. Instead, it pipes the module to the remote python interpreter’s stdin. Pipelining does not work for python modules involving file transfer (for example: copy, fetch, template), or for non-python modules.
- hosts: test_01
become: no
remote_user: admin
tasks:
- command: whoami
register: result
- debug:
var: result.stdout
- command: whoami
become_user: bob
become_method: sudo
become: yes
register: result
- debug:
var: result.stdout
gives (abridged) the same result
result.stdout: admin
result.stdout: bob
with
shell> grep pipe ansible.cfg
pipelining = true
Related
I am trying to run a playbook with these tasks on a few thousand servers
- name: Check root login config
shell: "egrep -i '^PermitRootLogin' /etc/ssh/sshd_config|awk '{print $2}'"
register: config_value
async : 3
become: yes
poll: 1
- name: "config value"
debug: msg="{{ inventory_hostname }} - {{ config_value.stdout }}"
They have slightly varied configs but this should work on most of them. While running it ,ansible gets stuck somewhere in the middle on some hosts where my user doesn't have passwordless sudo or sudo privileges.
I want to skip those servers where this doesn't work.Is there a way to do that ?
ansible-playbook -i hosts playbook.yml --ask-become-pass
I tried giving a wrong password too ,but it still hangs.
Ansible continues with the rest of the hosts if one task fails on one or more hosts. You could use that behaviour by provoking it before the actual tasks. Don't set become in the playbook, do this instead:
- name: Ping or fail host
become: true
ping:
- name: Check root login config
become: true
shell: "egrep -i '^PermitRootLogin' /etc/ssh/sshd_config|awk '{print $2}'"
register: config_value
async : 3
become: yes
poll: 1
- name: "config value"
debug: msg="{{ inventory_hostname }} - {{ config_value.stdout }}"
I am new to ansible.
i am trying to create a role where i start the playbook as root and then in the next play i switch to a different user and continue. The following files are within the role itself.
---
# tasks file for /etc/ansible/roles/dashmn
#
- name: create users logged in as root
remote_user: root
import_tasks: whoami.yml
import_tasks: create_users.yml
import_tasks: set_sudoer.yml
- name: log in as dashadmin
remote_user: dashadmin
become: true
import_tasks: whoami.yml
import_tasks: disable_rootlogin.yml
import_tasks: update_install_reqs.yml
import_tasks: configure_firewall.yml
import_tasks: add_swap.yml
i added a sudoer task that adds users to /etc/sudoer.d
---
- name: set passwordless sudo
lineinfile:
path: /etc/sudoers
state: present
regexp: '^%sudo'
line: '%sudo ALL=(ALL) NOPASSWD: ALL'
validate: 'visudo -cf %s'
I created a deploy.yml that uses the role i created as follows.
---
- hosts: test-mn
roles:
- dashmn
when i syntax-check the deploy.yml
[DEPRECATION WARNING]: The TRANSFORM_INVALID_GROUP_CHARS settings is set to allow bad characters in group names
by default, this will change, but still be user configurable on deprecation. This feature will be removed in
version 2.10. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
[WARNING]: While constructing a mapping from /etc/ansible/roles/dashmn/tasks/main.yml, line 4, column 3, found
a duplicate dict key (import_tasks). Using last defined value only.
[WARNING]: While constructing a mapping from /etc/ansible/roles/dashmn/tasks/main.yml, line 10, column 3, found
a duplicate dict key (import_tasks). Using last defined value only.
Any help on how to organize this to make it better would be appreciated.
Now, my problem is that if in the tasks file i remove the plays themselves and just leave the import_tasks everything works but its not using the user dashadmin, its using root.
i would like to create the users and then only ever login as dashadmin and work as dashadmin.
I also get an error
FAILED! => {"msg": "Missing sudo password"}
something is clearly wrong, just not sure where ive gone wrong.
Here is /etc/sudoers file
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL) NOPASSWD: ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
First of all, the way you defined import_tasks will basically executes the last import_tasks only as the warning says.
Secondly, remote_user is used for logging in to defined host(s) but if you want to login as a user then execute tasks using a different user then you need to define become_user. By default, become_user is set to root.
So probably below is how you can change the role's import_tasks:
/etc/ansible/roles/dashmn/tasks/main.yml
- name: create users logged in as root
block:
- import_tasks: whoami.yml
- import_tasks: create_users.yml
- import_tasks: set_sudoer.yml
remote_user: root
- name: log in as dashadmin
block:
- import_tasks: whoami.yml
- import_tasks: disable_rootlogin.yml
- import_tasks: update_install_reqs.yml
- import_tasks: configure_firewall.yml
- import_tasks: add_swap.yml
remote_user: dashadmin
become: yes
Refer privilege escalation for more details.
Q: "Change remote_user within main.yml in a role"
Short answer: See the example in "Play 3" on how to change remote_user for each task.
Details: Keyword remote_user can be used in all playbook's objects: play, role, block, task. See Playbook Keywords.
The best practice is to connect to the remote host as an unprivileged user and escalate the privilege. For example,
- name: Play 1
hosts: test_01
remote_user: user1
become: true
tasks:
- command: whoami
register: result
- debug:
var: result.stdout
gives
ok: [test_01] =>
result.stdout: root
Without the escalation of priviledge the tasks will be executed by the remote_user at the remote host. For example,
- name: Play 2
hosts: test_01
remote_user: user1
tasks:
- command: whoami
register: result
- debug:
var: result.stdout
gives
ok: [test_01] =>
result.stdout: user1
It's possible to declare the remote_user for each task. For example
- name: Play 3
hosts: test_01
remote_user: user1
tasks:
- command: whoami
register: result
- debug:
var: result.stdout
- command: whoami
remote_user: user2
register: result
- debug:
var: result.stdout
gives
ok: [test_01] =>
result.stdout: user1
ok: [test_01] =>
result.stdout: user2
All plays can be put into one playbook.
Example of sudoers file
root.test_01# cat /usr/local/etc/sudoers
...
#includedir /usr/local/etc/sudoers.d
admin ALL=(ALL) NOPASSWD: ALL
user1 ALL=(ALL) NOPASSWD: ALL
user2 ALL=(ALL) NOPASSWD: ALL
I want to set a cron entry on a remote host, but connecting to the host as a different user.
# task
- name: Cron to ls at a specific time
cron:
name: "perform a listing"
weekday: "6"
minute: "5"
hour: "3"
job: "/bin/ls -lR /mnt/*/"
delegate_to: "{{ my_remote_machine }}"
Problem
This is a startup script on an instance in the cloud.
The script runs as root, there fore will try to connect to {{ my_remote_machine }} as root.
root is obviously disabled by default on most cloud instances.
Because of this, I can't use the become_user keyword.
Do I have any other options?
Simply change the remote_user for the given task to the one you can connect with on the delegated host. Here is a pseudo playbook to give you the basics.
Note: if targeting a host using ansible_connection: local (e.g. default implicit localhost), remote_user is ignored and defaults to the user launching the playbook on the controller.
---
- name: Play mixing several hosts and users
hosts: some_host_or_group
# Play level remote_user. In short, this is used if not overridden in task.
# See documentation for finer grained info (define in inventory, etc...)
remote_user: root
tasks:
- name: Check who we are on current host
command: id -a
register: who_we_are_current
- debug:
var: who_we_are_current.stdout
- name: Show we can be someone else on delegate
command: id -a
# Task level remote_user: overrides play
remote_user: johnd
delegate_to: "{{ my_remote_machine }}"
register: who_whe_are_delegate
- debug:
var: who_whe_are_delegate.stdout
- name: And of course, this works with your real task as well
cron:
name: "perform a listing"
weekday: "6"
minute: "5"
hour: "3"
job: "/bin/ls -lR /mnt/*/"
remote_user: johnd
delegate_to: "{{ my_remote_machine }}"
I have defined the following in my ansible.cfg
# default user to use for playbooks if user is not specified
# (/usr/bin/ansible will use current user as default)
remote_user = ansible
However I have a playbook bootstrap.yaml where I connect with root rather than ansible
---
- hosts: "{{ target }}"
become: no
gather_facts: false
remote_user: root
vars:
os_family: "{{ osfamily }}}"
roles:
- role: papanito.bootstrap
However it seems that remote_user: root is ignored as I always get a connection error, because it uses the user ansible instead of root for the ssh connection
fatal: [node001]: UNREACHABLE! => {"changed": false,
"msg": "Failed to connect to the host via ssh:
ansible#node001: Permission denied (publickey,password).",
"unreachable": true}
The only workaround for this I could find is calling the playbook with -e ansible_user=root. But this is not convenient as I want to call multiple playbooks with the site.yaml, where the first playbook has to run with ansible_user root, whereas the others have to run with ansible
- import_playbook: playbooks/bootstrap.yml
- import_playbook: playbooks/networking.yml
- import_playbook: playbooks/monitoring.yml
Any suggestions what I am missing or how to fix it?
Q: "remote_user: root is ignored"
A: The playbook works as expected
- hosts: test_01
gather_facts: false
become: no
remote_user: root
tasks:
- command: whoami
register: result
- debug:
var: result.stdout
gives
"result.stdout": "root"
But, the variable can be overridden in the inventory. For example with the inventory
$ cat hosts
all:
hosts:
test_01:
vars:
ansible_connection: ssh
ansible_user: admin
the result is
"result.stdout": "admin"
Double-check the inventory with the command
$ ansible-inventory --list
Notes
It might be also necessary to double-check the role - role: papanito.bootstrap
See Controlling how Ansible behaves: precedence rules
I faced a similar issue, where ec2 instance required different username to ssh with. You could try with below example
- import_playbook: playbooks/bootstrap.yml
vars:
ansible_ssh_user: root
Try this
Instead of “remote_user: root”use “remote_user: ansible” and additional “become: yes” ,”become_user: root”,”become_method: sudo or su”
When I sudo as a user the ansible_env does not have the correct HOME variable set - "/root". However, if I echo the HOME env variable it is correct - "/var/lib/pgsql". Is there no other way to get the home directory of a sudo'ed user?
Also, I have already set "sudo_flags = -H" in ansible.cfg and I cannot login as postgres user.
- name: ansible_env->HOME
sudo: yes
sudo_user: postgres
debug: msg="{{ ansible_env.HOME }}"
- name: echo $HOME
sudo: yes
sudo_user: postgres
shell: "echo $HOME"
register: postgres_homedir
- name: postgres_homedir.stdout
sudo: yes
sudo_user: postgres
debug: msg="{{ postgres_homedir.stdout }}"
Result:
TASK: [PostgreSQL | ansible_env->HOME] ****************************************
ok: [postgres] => {
"msg": "/root"
}
TASK: [PostgreSQL | echo $HOME] ***********************************************
changed: [postgres]
TASK: [PostgreSQL | postgres_homedir.stdout] **********************************
ok: [postgres] => {
"msg": "/var/lib/pgsql"
}
I can replicate the output above by running the playbook as the root user (either locally with - hosts: localhost, or by SSHing as root). The facts gathered by Ansible are those of the root user.
If this is what you are doing, then your workaround seems to be the best way of getting the postgres user's $HOME variable.
Even though you add sudo_user: postgres to the ansible_env->HOME task, the fact will not change since it is gathered at the start of the play.
"~" expands as the non-root user if you use "become: no". In the example below I combine that with an explicit "sudo" to do something as root in the home directory:
- name: Setup | install
command: sudo make install chdir=~/git/emacs
become: no