Ansible: how to run a command as user that no shell - ansible

I have to run a symfony clear cache on several hosts as the user apache which has /sbin/nologin as shell in /etc/passwd. usually I do this with the following command: sudo su - apache -s /bin/bash -c "php /var/www/html/api/bin/console cache:clear --env=prod"
Currently my playbook looks like this:
---
- name: "test"
hosts: app-servers
gather_facts: yes
become: yes
tasks:
- name: "Clear symfony cache"
command: sudo su - apache -s /bin/bash -c "php /var/www/html/api/bin/console cache:clear --env=prod"
But during the run I receive a warning:
[WARNING]: Consider using 'become', 'become_method', and 'become_user' rather than running sudo
I tried several combination but I was never able to get it work.
I'm an ansible noobie and I would like to understand the best way to run this task using ansible.

---
- name: "test"
hosts: app-servers
gather_facts: yes
become: yes
become_user: apache
become_flags: '-s /bin/bash'
tasks:
- name: "Clear symfony cache"
command: "php /var/www/html/api.sellsecure.com/bin/console cache:clear --env=prod"

Related

ansible execute shell script with differenr user

I am trying to execute shell script using ansible shell module as shown in below code
-name : Execute
become_user: someuser
shell:
cmd: "./script.ksh"
chdir: "/path/to/script"
But the script still uses my login instead of "someuser". How this can be fixed ?
As suggested by #β.εηοιτ.βε the become: yes is missing, see exapmles and explanation in Become directives.
do you think become: yes is nothing but sudo ?
The default setting (atleast in my case) uses sudo.
To see the default become_method being used, check your "closest" ansible.cfg in the hierarchy.
You can run the playbook in verbose mode and by using -vvv increase verbosity to see the exact commands being used.
If the become: yes with become_user: <username> doesn't help try using a different become_method.
Example with su and su -:
- name : Execute
shell:
cmd: "./script.ksh"
chdir: "/path/to/script"
become: yes
become_user: someuser
become_method: "su"
or:
- name : Execute
shell:
cmd: "su - someuser -c './script.ksh'"
chdir: "/path/to/script"
become: yes
In this case you will most likely recieve the following warning:
[WARNING]: Consider using 'become', 'become_method', and 'become_user' rather than running su

How does sudo and become in ansible go work together?

- name: "read env"
shell: "sudo env"
become: true
I have above snippet in Ansible, I want to know the behaviour of using become and sudo together. I am aware become's default action is to turn the action as sudo. In that case will my sudo in the beginning of shell command get nullified ?
I am getting a different results with shell: "sudo env" and shell: "env" when become is set to true/yes
You do not need to add sudo to your commands when you are using become: true. You can checkout become_method from documentation. It will append sudo for you when you use become: true.
I highly recommend to read documentation for privilege escalation: https://docs.ansible.com/ansible/latest/user_guide/become.html
UPDATE
I did misunderstood your question sorry. The default become_method is sudo in ansible.cfg. When you set become: true without specifying become_method it will basically add a sudo prefix to your cmd. Here i created a example:
# privilege_escalation.yaml
---
- name: privilege escalation
hosts: localhost
tasks:
- name: command without any escalation
shell: env
- name: command with sudo
shell: sudo env
- name: command with become and sudo
shell: sudo env
become: yes
You can run example with this command:
ansible-playbook -vvv --ask-become-pass privilege_escalation.yaml
The first task will run env. In the results you can see USER=your_user line that represents current user.
When you use sudo in command, second task will run sudo env. In the results you can see USER=root and
SUDO_USER=your_user. This means you escalated your privileges to become root when running env command. SUDO_USER environment variable represents the user who invoked sudo.
The last task will run sudo sudo env. In the results you can see USER=root and
SUDO_USER=root. This means the first you become root user, after that root user executed sudo env command.
I hope this helps.

How to use Double Sudo in Ansible without password for root access

I login to server (CentOs 7) as my user and execute double sudo to become root. No password is required at such times.
Command: sudo sudo su
I need to install applications on such server as root user using Ansible (2.7)
Unfortunately, when i try following it gives: ""msg": "Timeout (12s) waiting for privilege escalation prompt: ""
---
- name: Copy file
become: true
become_method: su
hosts: all
tasks:
- name: Copy file
copy:
src: abc.txt
dest: /tmp/
I have tried other versions like changing become_method to sudo, etc. But they don't work. Any suggestion will help?

How to run sudo -u username command in Ansible?

I want to run a specific command as sudo -u username <command name> using Ansible.
I tried below task, but facing permissions issue.
---
-
hosts: all
become: yes
vars_files:
- vars.yml
tasks:
- name: "Create solr cores"
shell: /opt/apps/solr/bin/solr create -c test10
become_flags: '-u solr'
register: core_one
# changed_when: '"\"status\":0" in core_one.stdout'
Could anyone suggest on this?
The correct way to run a task is the following.
Having proper permissions is a prerequisite. Refer to man sudoers to learn more
- name: "Create solr cores"
shell: /opt/apps/solr/bin/solr create -c test10
become: yes
become_user: solr
register: core_one
You already have become: yes on the play level, so just for clarity.
remote_user: ansible
tasks:
- name: "Create solr cores"
shell: /opt/apps/solr/bin/solr create -c test10
become: yes
become_user: solr
register: core_one
In above example ansible connects to remote machine using user 'ansible'. Now this ansible user should have permission to switch to another user. i.e it should have root privileges
What happens with above code:
* ssh connection is made via ansible user (ansible-play does it)
* It uses command "sudo su solr" internally
* Then execute the command which is mentioned in shell

Ansible and Wget

I am trying to wget a file from a web server from within an Ansible playbook.
Here is the Ansible snippet:
---
- hosts: all
sudo: true
tasks:
- name: Prepare Install folder
sudo: true
action: shell sudo mkdir -p /tmp/my_install/mysql/ && cd /tmp/my_install/mysql/
- name: Download MySql
sudo: true
action: shell sudo wget http://{{ repo_host }}/MySQL-5.6.15-1.el6.x86_64.rpm-bundle.tar
Invoking it via:
ansible-playbook my_3rparties.yml -l vsrv644 --extra-vars "repo_host=vsrv656" -K -f 10
It fails with the following:
Cannot write to `MySQL-5.6.15-1.el6.x86_64.rpm-bundle.tar' (Permission denied).
FATAL: all hosts have already failed -- aborting
PLAY RECAP ********************************************************************
to retry, use: --limit #/usr2/ihazan/vufroria_3rparties.retry
vsrv644 : ok=2 changed=1 unreachable=0 failed=1
When trying to do the command that fail via regular remote ssh to mimic what ansible would do, it doesn't work as follows:
-bash-4.1$ ssh ihazan#vsrv644 'cd /tmp/my_install/mysql && sudo wget http://vsrv656/MySQL-5.6.15-1.el6.x86_64.rpm-bundle.tar'
Enter passphrase for key '/usr2/ihazan/.ssh/id_rsa':
sudo: sorry, you must have a tty to run sudo
But I can solve it using -t as follows:
-bash-4.1$ ssh -t ihazan#vsrv644 'cd /tmp/my_install/mysql && sudo wget http://vsrv656/MySQL-5.6.15-1.el6.x86_64.rpm-bundle.tar'
Then it works.
Is there a way to set the -t (pseudo tty option) on ansible?
P.S: I could solve it by editing the sudoers file as others propose but that is a manual step I am trying to avoid.
Don't use shell-module when there is specialized modules available. In your case:
Create directories with file-module:
- name: create project directory {{ common.project_dir }}
file: state=directory path={{ common.project_dir }}
Download files with get_url-module:
- name: download sources
get_url: url={{ opencv.url }} dest={{ common.project_dir }}/{{ opencv.file }}
Note the new module call syntax in the examples above.
If you have to use sudo with password remember to give --ask-sudo-pass when needed (see e.g. Remote Connection Information).
In Ansible:
file to manage files/directories
get_url to download what you need
become:yes to use sudo priviledges
See ansible documentation:
https://docs.ansible.com/ansible/latest/modules/modules_by_category.html

Resources