Ansible : Not able to switch user from remote machine - ansible

I am new to Ansible. Trying to copy some files to remote machine.
I am able to copy to remote server's tmp folder, but not able to copy to a particular users folder.
I think it is possible if we can switch to that particular user. But I am not able to do so using playbook.
Please help me on this.
Regards,
KP

This is a permission issue. The user which you use to connect to the host does not have permissions to write to that other users folder.
If you have access to that users account (e.g. your ssh key is accepted) you can simply define the user per task through remote_user:
- copy: src=...
dest=...
remote_user: <SET_OWNER_HERE>
If you do not have access, you can use the sudo flag to execute a task with root permissions. But make sure you set the permissions correctly or the user might not be able to read/write those files:
- copy: src=...
dest=...
owner=<SET_OWNER_HERE>
group=<SET_GROUP_HERE>
mode=0644
sudo: yes
Also, you can define the username as which the sudo command is executed with sudo_user:
- copy: src=...
dest=...
sudo: yes
sudo_user: <SET_OWNER_HERE>
If sudo requires a password from you, you have to provide it or the task will hang forever without any error message.
You can define this globally in the ansible.cfg:
ask_sudo_pass=True
Or pass the option when you call your playbook:
ansible-playbook ... --ask-sudo-pass

Related

Automate server setup with Ansible SSH keypairs fails without sshpass

I'm am using Ansible and want to automate my VPS & Homelab setups. I'm running into an issue, which is the initial connection.
If I have a fresh VPS that has never been used or logged into, how can I remotely configure the node from my laptop?
ansible.cfg
[defaults]
inventory = ./inventory
remote_user = root
host_key_checking = false
ansible_ssh_common_args = "-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
inventory
[homelab]
0.0.0.0 <--- actual IP here
./playbooks/add_pub_keys.yaml
---
- hosts: all
become: yes
tasks:
- name: Install public key on remote node
authorized_key:
state: present
user: root
key: "{{lookup('file','~/.ssh/homelab.pub')}}"
Command
ansible-playbook playbooks/add_public_keys.yaml
Now, this fails with permission denied, which makes sense because there is nothing that would allow connection to the remote node.
I tried adding -ask-pass to the command:
ansible-playbook playbooks/add_public_keys.yaml -ask-pass
and typing in the root password, but that fails and says I need sshpass, which is not recommended and not readily available to install on Mac due to security. How should I think about this initial setup process?
When I get issues like this I try and replicate the problem using ansible ad-hoc commands and go back to basics. It helps to prove where the issue is located.
Are you able to run ansible ad-hoc commands against your remote server using the password?
ansible -i ip, all -m shell -a 'uptime' -u root -k
If you can't, something is up with the password or possible in the ansible.cfg.

How to become a user with root priveleges in ansible

I am setting up a playbook that automatically configures my workstation. This will hopefully allow me to quickly install linux somewhere and automatically have all the resources I need.
One of the steps is installing homebrew and I cannot figure out how to do it.
I have created this playbook
- hosts: localhost
become: yes
become_user: myUser
tasks:
- name: Download homebrew install script from source
get_url:
url: https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh
dest: ~/Downloads/install_homebrew.sh
mode: 'u+rwx'
- name: Install homebrew
shell: ~/Downloads/install_homebrew.sh
and run it with ansible-playbook myplaybook.yaml.
However, when I execute it, there is a permission denied error. Apparently this is because of how the copy-module works (here). So I thought I'd just run the sudo ansible-playbook myplaybook.yaml instead. This leads to the exact same permission error. I guess this is because I have become_user: myUser.
However, when i remove become_user, I obviously get another error Destination /root/Downloads does not exist because my destination is coded to the users download-directory.
So how can I execute the playbook as the user myUser but with root privileges? This would allow me to access the root-stuff but still refer to my home-directory. In theory this should be possible since I can run
sudo ls -a /root && ls ~/
and get both the content of the root-folder and of my home directory. But I don't know how to do this in ansible.

Creating a directory on Ubuntu using ansible playbook

I'm trying to create an ec2 instance through ansible playbook and then run a few commands on it. The ec2 instance is created sucessfully and also ssh'd into it. Now, when I try to run this command:
- name: Create scripts directory
ansible.builtin.file:
path: /scripts
state: directory
mode: '0755'
An error is generated:
{"changed": false, "msg": "There was an issue creating /scripts as requested: [Errno 30] Read-only file system: '/scripts'", "path": "/scripts"}
I have specified the mode as 0755 which is read write execute permissions. So why is it giving an error, the same error even for 0777? I'm new to ansible and Ubuntu in general.
you have to add the option become to use the admin privilege (your user have to be sudo er...)
- name: Create scripts directory
ansible.builtin.file:
path: /scripts
state: directory
mode: '0755'
become: yes
here you create a folder on level root, are you sure to do that?
To specify a password for sudo, run ansible-playbook with --ask-become-pass (-K for short). If you run a playbook utilizing become and the playbook seems to hang, most likely it is stuck at the privilege escalation prompt. Stop it with CTRL-c, then execute the playbook with -K and the appropriate password.
Your Ansible user doesn't have the required privileges to create a directory at that level. Either use another user (bad option) or make sure the user has sudo capabilities and use become: yes to execute the command as sudo

Ansible Playbook Error: The powershell shell family is incompatible with the sudo become plugin

I am working on a simple playbook that will ultimately be able to start/stop/restart windows services and I ran into an issue:
fatal: [mspdbwn1w01]: FAILED! => {
"msg": "The powershell shell family is incompatible with the sudo become plugin"
}
Below is the playbook:
- name: Add Host
hosts: localhost
connection: local
strategy: linear
tasks:
- name: Add Temp Host
add_host:
name: "{{ win_client }}"
group: temp
- name: Target Server
connection: winrm
hosts: temp
tasks:
- name: Stop a service
win_service:
name: "{{ service }}"
state: stopped
Google hasn't been much help, and I've tried everything I could find, every variation of become*.
I don't know if it matters, but due to the nature of the environment I work in, I have 2 separate users to log into *nix hosts vs. windows hosts.
Any assistance or guideance would be greatly appreciated.
Your system seems to use sudo as the default become method, which is not compatible with PowerShell. For Windows (and PowerShell), you can use runas as the become method. Add:
become_method: runas
to your playbook or task. You can get a list of all available become methods with:
ansible-doc -t become -l
Example:
doas Do As user
dzdo Centrify's Direct Authorize
enable Switch to elevated permissions on a network device
ksu Kerberos substitute user
machinectl Systemd's machinectl privilege escalation
pbrun PowerBroker run
pfexec profile based execution
pmrun Privilege Manager run
runas Run As user
sesu CA Privileged Access Manager
su Substitute User
sudo Substitute User DO
You can view the documentation for a particular become method with:
ansible-doc -t become runas
If you still get erros, pay attention to the error message, as it most probably is a different one. Using privilege escalation requires the definition of a username and a password for this purpose, for example.

copy files to remote machine's /etc/systemd/ directory using ansible

I an new to ansible. I may be saying something which is completely wrong.
I created VM using KVM, both remote and local are running on Ubuntu 16.0.4
Now I configured ansible by creating a key as
ssh-keygen -t rsa -b 4096 -C "D...#192.168.111.113"
this created key and copied it to remote machine by
ssh-copy-id D...#192.168.111.113
now I tested ssh is working, it is working fine.
I added remote machine's address in /etc/ansible/hosts under [DDAS] group.
now I can ping to remote machine using ansible. Then I wrote Playbook to copy file. I is working fine to copy files to /home/Das1/ only. I mean, I can copy files to location which do not need root permission.
I want to copy these files to /etc/systemd/ directory instead of the /home/das1/. I changed dest in playbook but it gives permission related errors.
Any help is highly appreciated.
Thank
DAS
By default your playbook tasks execute under the context of the user you use to connect to the remote system. Ansible allows you to change the user you use to run a playbook or individual tasks. You can create a new user and give it privileges to the directory you mention or you can use the built-in root user.
To run your entire playbook as root for example put this at the top adjusting for whatever your actual hosts value is:
- hosts: 192.168.111.113
become: true
become_user: root
tasks:
...
Probably the /etc/systemd/ directory does not have "write" privilege for the user you are using.
check the permission for /etc/systemd/ with ls -lrt.

Resources