When running my script I keep getting "ERROR! the field 'hosts' is required but was not set". Can anyone please tell me what it is that I am missing? I am currently trying to implement DISA STIG hardening onto 2 CentOS 6 virtual machines.
---
- name: Stig implementation
  hosts: Database
  tasks:
    - name: upgrade all packages
      command: yum upgrade -y
    - name: update all packages
      command: yum update -y
    - name: /etc/passwd file is owned by root
      command: chown root:root /etc/passwd
    - name: remove rsh-server package
      command: yum erase -y rsh-server    # -y: there is no terminal to answer yum's prompt
    - name: bootloader configuration owner is root
      command: chgrp root /etc/grub.conf
    - name: rshd service disabled
      command: chkconfig rsh off
    - name: rexecd service disabled
      command: chkconfig rexec off
    - name: remove telnet and telnet-server
      # `&&` is shell syntax; the command module does not run through a shell
      shell: yum erase -y telnet-server && yum erase -y telnet
    - lineinfile:
        dest: /etc/ssh/sshd_config
        state: present
        regexp: 'PermitEmptyPasswords'
        line: 'PermitEmptyPasswords no'
        backup: yes
    - lineinfile:
        dest: /etc/ssh/sshd_config
        state: present
        regexp: 'HostbasedAuthentication'
        line: 'HostbasedAuthentication no'
        backup: yes
    - name: Change /etc/group ownership
      command: chgrp root /etc/group
    - name: operating system must connect to external networks
      shell: chkconfig ip6tables on && service ip6tables start
    - name: add lines
      lineinfile:
        dest: /etc/audit/audit.rules
        line: '{{ item }}'
      with_items:
        - '-w /sbin/insmod -p x -k modules'
        - '-w /sbin/rmmod -p x -k modules'
        - '-w /sbin/modprobe -p x -k modules'
        - '-a always,exit -F arch=b64 -S init_module -S delete_module -k modules'   # arch=b64, not arch=[b64]
    - name: disable xinetd
      shell: chkconfig xinetd off && service xinetd stop
    - name: turn off and disable netconsole
      shell: chkconfig netconsole off && service netconsole stop
A copy of my host file
[localhost]
x.x.x.x
[Database]
x.x.x.x
x.x.x.x
I suppose this is a playbook... could you try removing the second line:
---
- hosts: Database
  tasks:
    ...
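The same hardening, added here as an example that is neither the original poster's playbook nor the answer above: every step uses an idempotent module instead of a raw command, so a second run reports no change, and sshd_config is syntax-checked with `sshd -t` before the new file is written. It assumes the `Database` inventory group from the question and CentOS 6 targets (SysV init scripts, `/etc/grub.conf`, `/etc/audit/audit.rules`).

```yaml
---
# Added example, not from the original question or answer.
- name: STIG hardening (module-based)
  hosts: Database
  become: yes
  tasks:
    - name: Remove remote-shell and telnet packages
      yum:
        name: [rsh-server, telnet-server, telnet]
        state: absent

    - name: Stop and disable xinetd and netconsole
      service:
        name: "{{ item }}"
        enabled: no
        state: stopped
      with_items: [xinetd, netconsole]

    - name: Enable and start ip6tables
      service:
        name: ip6tables
        enabled: yes
        state: started

    - name: Account and bootloader files owned by root:root
      file:
        path: "{{ item }}"
        owner: root
        group: root
      with_items: [/etc/passwd, /etc/group, /etc/grub.conf]

    - name: Harden sshd_config (validated before it replaces the live file)
      lineinfile:
        path: /etc/ssh/sshd_config
        # match the directive whether it is set or still commented out
        regexp: "^#?\\s*{{ item.key }}\\b"
        line: "{{ item.key }} {{ item.value }}"
        validate: /usr/sbin/sshd -t -f %s
        backup: yes
      with_items:
        - { key: PermitEmptyPasswords, value: "no" }
        - { key: HostbasedAuthentication, value: "no" }
      notify: restart sshd

    - name: Audit kernel module loading and unloading
      lineinfile:
        path: /etc/audit/audit.rules
        line: "{{ item }}"
      with_items:
        - "-w /sbin/insmod -p x -k modules"
        - "-w /sbin/rmmod -p x -k modules"
        - "-w /sbin/modprobe -p x -k modules"
        - "-a always,exit -F arch=b64 -S init_module -S delete_module -k modules"
      notify: restart auditd

  handlers:
    - name: restart sshd
      service:
        name: sshd
        state: restarted
    - name: restart auditd
      service:
        name: auditd
        state: restarted
```

Run it with `ansible-playbook --syntax-check` first: a play whose `hosts:` is not at the same indentation level as `name:` is exactly what produces the "field 'hosts' is required" error in the question. The `validate` argument matters for the sshd tasks because a broken sshd_config on a remote box locks you out of the only management path.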
Ansible host:
CentOS 6( 2.6.32-754.35.1.el6.x86_64)
Python version 2.6
Ansible version 2.6
Test virtual machine:
CentOS 7 (CentOS Linux release 7.9.2009 (Core) 3.10.0-1160.11.1.el7.x86_64)
Python 2.7.5
how I added the user to the test server:
groupadd -g 590 www
groupadd -g 591 playbookuser
adduser -u 690 -g 591 playbookuser
usermod -a -G www playbookuser
mkdir -p /home/playbookuser/.ssh/
echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAA==">> /home/playbookuser/.ssh/authorized_keys
chmod 600 /home/playbookuser/.ssh/authorized_keys
chown -R playbookuser.playbookuser /home/playbookuser/
In /etc/sudoers I added "playbookuser ALL=(ALL) NOPASSWD:ALL"
then I create and run playbook:
---
- hosts: all
  become: yes
  become_method: sudo
  gather_facts: no
  tasks:
    - name: backup sshd config
      copy:
        src: /etc/ssh/sshd_config
        dest: /etc/ssh/sshd_config.bak
        backup: yes
Ansible connects by ssh to the test machine and executes commands as the user playbookuser.
Then the playbook will not work. What is the problem? Please tell me.
PS. If you run the same command from that user in the console with the sudo prefix, then everything is OK,
but I get this error:
MSG:
an error occurred while trying to read the file '/etc/ssh/sshd_config': [Errno 13] Permission denied: '/etc/ssh/sshd_config'
to retry, use: --limit @/var/lib/****/workspace/test_adm_deploy/174/backup_sshd%20_config.retry
The answer to this is listed in a comment.
remote_src: yes
Should be added.
backup: yes
Should be removed.
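The corrected play, added here as an example and not part of the answer above. The point it shows: without `remote_src`, the copy module reads `src` on the control node (here the CI workspace host, judging by the retry path in the error) as whatever user runs `ansible-playbook`, so `become` on the target never applies to that read. With `remote_src: yes` both paths are on the target and the read happens as root.

```yaml
---
# Added example, not from the original question or answer.
- hosts: all
  become: yes
  become_method: sudo
  gather_facts: no
  tasks:
    - name: Back up sshd config on the target itself
      copy:
        src: /etc/ssh/sshd_config
        dest: /etc/ssh/sshd_config.bak
        remote_src: yes        # src is a path on the managed host, not on the controller
        owner: root
        group: root
        mode: "0600"           # keep the backup as private as the original
```

Setting the mode explicitly matters: a copy of sshd_config left world-readable tells anyone on the box which authentication methods are enabled.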
I log in to the server (CentOS 7) as my user and execute a double sudo to become root. No password is required at such times.
Command: sudo sudo su
I need to install applications on such server as root user using Ansible (2.7)
Unfortunately, when I try the following it gives: "msg": "Timeout (12s) waiting for privilege escalation prompt: "
---
- name: Copy file
  become: true
  become_method: su
  hosts: all
  tasks:
    - name: Copy file
      copy:
        src: abc.txt
        dest: /tmp/
I have tried other versions like changing become_method to sudo, etc. But they don't work. Any suggestion will help?
I have to run a symfony clear cache on several hosts as the user apache which has /sbin/nologin as shell in /etc/passwd. usually I do this with the following command: sudo su - apache -s /bin/bash -c "php /var/www/html/api/bin/console cache:clear --env=prod"
Currently my playbook looks like this:
---
- name: "test"
  hosts: app-servers
  gather_facts: yes
  become: yes
  tasks:
    - name: "Clear symfony cache"
      command: sudo su - apache -s /bin/bash -c "php /var/www/html/api/bin/console cache:clear --env=prod"
But during the run I receive a warning:
[WARNING]: Consider using 'become', 'become_method', and 'become_user' rather than running sudo
I tried several combination but I was never able to get it work.
I'm an ansible noobie and I would like to understand the best way to run this task using ansible.
---
- name: "test"
  hosts: app-servers
  gather_facts: yes
  become: yes
  become_user: apache
  become_flags: '-s /bin/bash'
  tasks:
    - name: "Clear symfony cache"
      command: "php /var/www/html/api.sellsecure.com/bin/console cache:clear --env=prod"
I want to run a specific command as sudo -u username <command name> using Ansible.
I tried below task, but facing permissions issue.
---
- hosts: all
  become: yes
  vars_files:
    - vars.yml
  tasks:
    - name: "Create solr cores"
      shell: /opt/apps/solr/bin/solr create -c test10
      become_flags: '-u solr'
      register: core_one
      # changed_when: '"\"status\":0" in core_one.stdout'
Could anyone suggest on this?
The correct way to run a task is the following.
Having proper permissions is a prerequisite. Refer to man sudoers to learn more
- name: "Create solr cores"
  shell: /opt/apps/solr/bin/solr create -c test10
  become: yes
  become_user: solr
  register: core_one
You already have become: yes on the play level, so just for clarity.
  remote_user: ansible
  tasks:
    - name: "Create solr cores"
      shell: /opt/apps/solr/bin/solr create -c test10
      become: yes
      become_user: solr
      register: core_one
In the above example Ansible connects to the remote machine as user 'ansible'. This ansible user must have permission to switch to the other user, i.e. it should have root privileges.
What happens with the above code:
* the ssh connection is made as the ansible user (ansible-playbook does it)
* it uses the command "sudo su solr" internally
* then it executes the command given in shell
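One playbook covering both this question and the symfony one above, added here as an example and not the code of either answer. It grants the connecting account the right to run commands only as the two service users (a narrower sudoers rule than `ALL=(ALL)`), installs that rule through `visudo -c` so a typo cannot break sudo for everyone, and then uses `become_user` instead of an inline `sudo su`. Assumed names: remote user `ansible`, service users `solr` and `apache`, the command paths from the two questions, and that the ansible user can already become root to install the drop-in (the prerequisite the answer mentions).

```yaml
---
# Added example, not from the original answers.
- name: Run tasks as service accounts via become_user
  hosts: all
  remote_user: ansible
  tasks:
    # Installed as root. The temporary file is checked with visudo before it
    # replaces anything under /etc/sudoers.d.
    - name: Allow ansible to run commands as solr and apache without a password
      become: yes
      copy:
        dest: /etc/sudoers.d/ansible-service-accounts
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s
        content: |
          ansible ALL=(solr,apache) NOPASSWD: ALL

    # Ansible runs `sudo -u solr /bin/sh -c ...` itself; no become_flags needed.
    - name: Create solr core
      become: yes
      become_user: solr
      command: /opt/apps/solr/bin/solr create -c test10
      register: core_one

    # apache has /sbin/nologin as its shell. That only matters for `su -`,
    # which starts a login shell; sudo -u executes the command directly.
    - name: Clear symfony cache as apache
      become: yes
      become_user: apache
      command: php /var/www/html/api/bin/console cache:clear --env=prod
```

The nologin shell is why the original `sudo su - apache` needed `-s /bin/bash`: `su -` tries to start the account's login shell. With `become_user` Ansible never starts that shell, so neither `become_flags` nor a shell override is required.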
I need to run playbooks on Vagrant boxes and on aws when I setup environment with cloud formation.
In Vagrant file I use ansible-local and everything works fine
- name: Setup Unified Catalog Webserver
  hosts: 127.0.0.1
  connection: local
  become: yes
  become_user: root
  roles:
    - generic    # roles must be a list, not a bare string
However when I create instance in AWS the ansible playbook fails with error:
sudo: sorry, you must have a tty to run sudo
This happens because it is run as root and it doesn't have a tty. But I don't know how to fix it without making a change in /etc/sudoers to allow !requiretty.
Are there any flags I can set up in ansible.cfg or in my CloudFormation template?
"#!/bin/bash\n", "\n",
"echo 'Installing Git'\n",
"yum --nogpgcheck -y install git ansible htop nano wget\n",
"wget https://s3.eu-central-1.amazonaws.com/XXX -O /root/.ssh/id_rsa\n",
"chmod 600 /root/.ssh/id_rsa\n",
"ssh-keyscan 172.31.7.235 >> /root/.ssh/known_hosts\n",
"git clone git@172.31.7.235:something/repo.git /root/repo\n",
"ansible-playbook /root/env/ansible/test.yml\n"
I was able to fix this by setting the transport = paramiko configuration in ansible.cfg.
I have found the following solutions for myself:
1. Change requiretty in /etc/sudoers with sed run playbooks and change it back.
"#!/bin/bash\n", "\n",
"echo 'Installing Git'\n",
"yum --nogpgcheck -y install git ansible htop nano wget\n",
"wget https://s3.eu-central-1.amazonaws.com/xx/ansible -O /root/.ssh/id_rsa\n",
"chmod 600 /root/.ssh/id_rsa\n",
"ssh-keyscan 172.31.9.231 >> /root/.ssh/known_hosts\n",
"git clone git@172.31.5.254:somerepo/dev.git /root/dev\n",
"sed -i 's/Defaults requiretty/Defaults !requiretty/g' /etc/sudoers\n",
"\n",
"ansible-playbook /root/dev/env/ansible/uk.yml\n",
"\n",
"sed -i 's/Defaults !requiretty/Defaults requiretty/g' /etc/sudoers\n"
OR
2. In ansible playbook specify variable:
- name: Setup
  hosts: 127.0.0.1
  connection: local
  become: "{{ require_sudo }}"   # `become:` replaces the old `sudo:` keyword; the template must be quoted to be valid YAML
  roles:
    - generic
Run in AWS Cloud Formation template would be
"ansible-playbook -e require_sudo=False /root/dev/env/ansible/uk.yml\n"
And for Vagrant in ansible.cfg it can be specified
require_sudo=True
Also, in the CF template you may identify who is running the playbook and then pass the variable:
ansible-playbook -e$(id -u |egrep '^0$' > /dev/null && require_sudo=False || require_sudo=True; echo "require_sudo=$require_sudo") /apps/ansible/uk.yml
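A third option, added here as an example that is not part of either answer above: let the play decide from gathered facts whether escalation is needed, so the same file runs as root from user data (no tty, no sudo call at all) and as an unprivileged user under Vagrant (sudo used). It assumes a role named `generic` as in the answer and that the play targets the node it runs on.

```yaml
---
# Added example, not from the original answers.
- name: Setup
  hosts: localhost          # implicit localhost, no inventory entry needed
  connection: local
  gather_facts: yes         # ansible_user_id is the effective user running the play
  tasks:
    - name: Escalate only when not already root
      set_fact:
        need_become: "{{ ansible_user_id != 'root' }}"

    # When need_become is false sudo is never invoked, so requiretty is irrelevant.
    - name: Apply the generic role
      include_role:
        name: generic
        apply:
          become: "{{ need_become }}"
```

If sudo really has to run from a session without a tty, prefer a per-user `Defaults:ansible !requiretty` line in a `/etc/sudoers.d` drop-in checked with `visudo -cf` over rewriting `/etc/sudoers` in place with sed, which bypasses the syntax check that keeps a typo from disabling sudo for every account.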
If you need to specify connection: paramiko within just one playbook rather than as a global configuration in ansible.cfg, you can add connection: paramiko to the playbook, for example:
- name: Run checks after deployments
  hosts: all
  # https://github.com/paramiko/paramiko/issues/1369
  connection: paramiko
  gather_facts: True