I'm a beginner with Ansible, and I need to run some basic tasks on a remote server.
The procedure is as follows:
I log as some user (osadmin)
I run su - to become root
I then do the tasks I need to.
So, I wrote my playbook as follows:
---
- name: Some tasks
become: yes
become_user: root
# become_method: su // Also tried with that.
template: src=repo.j2 dest=/etc/yum.repos.d/test.repo owner=root group=root
register: copy
Also, I have the following in vars/main.yml:
ansible_user: osadmin
ansible_password: password1
ansible_become_password: password2
[ some other values ]
However, when running my tasks, Ansible / the hosts returns me the following:
"Incorrect sudo password"
While I'm sure I gave it the right password. So, I guess I'm not doing this correctly.
What would be the correct way to switch to root via su?
Thank you in advance
From your question, I see that variable values are stored in vars/main.yml. Instead have the variables inside group_vars/all.yml and uncomment # become_method: su.
Modified code
---
- name: Some tasks
become: yes
become_user: root
become_method: su // Also tried with that.
template: src=repo.j2 dest=/etc/yum.repos.d/test.repo owner=root group=root
register: copy
have variables in group_vars/all.yml
ansible_user: osadmin
ansible_password: password1
ansible_become_password: password2
[ some other values ]
I tried this and it works for me.
Related
I'm new to ansible and trying to create new user with encrypted password using ansible-vault. The taget system is OpenBsd, and I'm using ansible 2.10 on Ubuntu 20.04
.
The "problem" is once the playbook finished, I get this message in output
"passord": "NOT_LOGGING_PASSWORD" and the password is not set/update.
I first create and edit my vault file using ansble-vault.
Content of my vault file:
user_pass: pass
Here is my playbook:
- name: Add new user
hosts: all
vars_files:
- "../vars/pass.yml"
tasks:
- name: Add regular user
user:
name: foo
update_password: always
password: "{{ vault_user_pass | password_hash('sha512') }}"
create_home: yes
shell: /bin/sh
generate_ssh_key: yes
ssh_key_type: rsa
ssh_key_bits: 2048
ssh_key_passphrase: ''
become_user: root
Do you have any idea why the password is not set/update ? I tried to print the vault variable to check if var is readable or not, using debug module and yes, it is. The user is created but with another password. I also tried to hash the password using mkpasswd but same results.
If you need further informations, don't hesitate :).
Thank you in advance.
The variable name is user_pass, even though your variable is in a vault file you don't need to use the vault prefix.
Try as below
- name: Add new user
hosts: all
vars_files:
- "../vars/pass.yml"
tasks:
- name: Add regular user
user:
name: foo
update_password: always
password: "{{ user_pass | password_hash('sha512') }}"
create_home: yes
shell: /bin/sh
generate_ssh_key: yes
ssh_key_type: rsa
ssh_key_bits: 2048
ssh_key_passphrase: ''
become_user: root
I am new to ansible script, I am running ansible script from root user inside the ansible playbook I want to execute a script in another user(user12). Below is my ansibe playbook
---
- name: agent installation Script
hosts: <hostname>
gather_facts: False
#Disabling gathering facts because playbook not getting executed on server
tasks:
- name: Copy the creating script to Managed node
copy:
src: Createuser.sh
dest: ~/
mode: 0777
become: true
become_user: root
- name: Copy the agent zip to Managed node
copy:
src:13.2.0.0.0.zip
dest: ~/
mode: 0777
become: true
become_user: root
- name: Copy the agent response file to Managed node
copy:
src: agent.rsp
dest: ~/
mode: 0777
become: true
become_user: root
- name: Execute the script
shell: sh ~/Createuser.sh
become: true
become_user: root
- name: Execute the installation script
shell: sh ~/Agentinstallation.sh
become: true
become_user: user12
The Agentinstallation.sh needs to be run by user12. For user12 password is user12 how to pass this password to execute the above script.
With option -k, this will ask for a connection password.
From the docs:
-k, --ask-pass
ask for connection password
-K, --ask-become-pass
ask for privilege escalation password
Note the difference..
I am running below playbook. which will login to the server using ec2-user but mysql-java-connector will be installed, my test1 user.
---
- hosts: cluster
become: yes
remote_user: ec2-user
tasks:
- name: Create test1 User
user:
name: test1
password: '$6$jQX0JQzf8GB$NI/Pv1rMLyxWYaFCGNsbrun3sfn5bXSzg89Ip.ga2yf3n7hhrjiPsEo5IChIA7X8xVxnuZzm2sWA7IRM6qZOR0'
state: present
shell: /bin/bash # Defaults to /bin/bash
system: no # Defaults to no
createhome: yes # Defaults to yes
home: /home/test1
- name: Add users to sudoers
lineinfile:
dest : /etc/sudoers
state: present
line: 'test1 ALL=(ALL) NOPASSWD: ALL'
- name: Install mysql java connector
become_user: test1
become_method: sudo
yum: name=mysql-connector-java state=present
Gets below error:
fatal: [xxx.xxx.xxx.211]: FAILED! => {"changed": false, "msg": "You need to be root to perform this command.\n", "rc": 1, "results": [""]}
Same error, you should include become and become_user. In some cases add become method. More
- hosts: somehost
name: Install something
become: yes
remote_user: yourname
become
set to yes to activate privilege escalation.
become_user
set to user with desired privileges — the user you become, NOT the user you login as. Does NOT imply become: yes, to allow it to be set
at host level. Default value is root.
Add ansible_user=Your-User and ansible_become=true in /etc/ansible/hosts file to remove this error:
You need to be root to perform this command
Replace become_user: test1 to become_user: root (or delete this line, because become_user is root by default).
Please read Understanding privilege escalation for more information.
I am trying to develop a playbook which could allow root to easily reset the password by running a playbook any time. But it alwasy skips the pretask which does the validation.
---
- hosts: localhost
remote_user: root
become: yes
become_method: sudo
vars_prompt:
- name: "root_password"
prompt: "Enter your new root password"
private: no
when: root_password is not defined
pre_tasks:
- name: fail the play if the user missed out root_password
fail: msg="root password should not be empty"
when: root_password is not defined
tasks:
- name: Change root password
user: name=root update_password=always password={{ root_password }}
The task is set to run when root_password is not defined and whatever value you enter, you do define it in the vars_prompt section. Hence the task is skipped.
Judging from the message you want to fail when it's empty, so the condition should be:
when: root_password == ""
I am creating a playbook which first creates a new username. I then want to run "moretasks.yml" as that new user that I just created. Currently, I'm setting remote_user for every task. Is there a way I can set it for the entire set of tasks once? I couldn't seem to find examples of this, nor did any of my attempts to move remote_user around help.
Below is main.yml:
---
- name: Configure Instance(s)
hosts: all
remote_user: root
gather_facts: true
tags:
- config
- configure
tasks:
- include: createuser.yml new_user=username
- include: moretasks.yml new_user=username
- include: roottasks.yml #some tasks unrelated to username.
moretasks.yml:
---
- name: Task1
copy:
src: /vagrant/FILE
dest: ~/FILE
remote_user: "{{newuser}}"
- name: Task2
copy:
src: /vagrant/FILE
dest: ~/FILE
remote_user: "{{newuser}}"
First of all you surely want to use sudo_user (remote user is the one that logs in, sudo_user is the one who executes the task).
In your case you want to execute the task as another user (the one previously created) just set:
- include: moretasks.yml
sudo: yes
sudo_user: "{{ newuser }}"
and those tasks will be executed as {{ newuser }} (Don't forget the quotes)
Remark: In most cases you should consider remote_user as a host parameter. It is the user that is allowed to login on the machine and that has sufficient rights to do things. For operational stuff you should use sudo / sudo_user
You could split this up into to separate plays? (playbooks can contain multiple plays)
---
- name: PLAY 1
hosts: all
remote_user: root
gather_facts: true
tasks:
- include: createuser.yml new_user=username
- include: roottasks.yml #some tasks unrelated to username.
- name: PLAY 2
hosts: all
remote_user: username
gather_facts: false
tasks:
- include: moretasks.yml new_user=username
There is a gotcha using separate plays: you can't use variables set with register: or set_fact: in the first play to do things in the second play (this statement is not entirely true, the variables are available in hostvars, but I recommend not using variables between roles). Defined variables like in group_vars and host_vars work just fine.
Another tip I'd like to give is to look into using roles http://docs.ansible.com/playbooks_roles.html. While it might seem more complicated at first, it's much easier to re-use them (as you seem to be doing with the "createuser.yml"). Looking at the type of things you are trying to achieve, the 'include all the things' path won't last much longer.
Kind of inline with your issue. Hope it helps. While updating my playbooks for Ansible 2.5 support for Cisco IOS network_cli connection
Credential file created with ansible-vault: auth/secrets.yml
---
creds:
username: 'ansible'
password: 'user_password'
Playbook:
---
- hosts: ios
gather_facts: yes
connection: network_cli
become: yes
become_method: enable
ignore_errors: yes
tasks:
- name: obtain login credentials
include_vars: auth/secrets.yml
- name: Set Username/ Password
set_fact:
remote_user: "{{ creds['username'] }}"
ansible_ssh_pass: "{{ creds['password'] }}"
- name: Find info for "{{ inventory_hostname }}" via ios_facts
ios_facts:
gather_subset: all
register: hardware_fact
Running playbook without auth/secrets.yml creds:
ansible-playbook -u ansible -k playbook.yml -l inventory_hostname