I boot strap a centos 6.5 AMI with this user data:
#cloud-config
users:
- default
- name: my-user
- sudo: ALL=(ALL) NOPASSWD:ALL
My machine comes up with the user cloud-user as the default user, not my-user. My public key has been copied to the cloud-user. So, in short, it does not work.
If I do this, the default user is my-user:
#cloud-config
user: my-user
sudo: ALL=(ALL) NOPASSWD:ALL
But I cannot sudo -i with this user.
How can I in userdata set my-user to be the default and have sudo provileges set?
You need to change the default user in system, see configuration below.
#cloud-config
system_info:
default_user:
name: my-user
sudo: ALL=(ALL) NOPASSWD:ALL
I verified in openstack environment (should be the same)
ssh use my-user as default user with default private key
sudo is also ok
See http://cloudinit.readthedocs.org/en/latest/topics/examples.html#including-users-and-groups for more detail
Related
I'm trying to get ansible to execute sudo apt-get update. I already have the sudoers setup to run without a password and it works if I login as the user ansible is using and execute sudo apt-get update. If I use the following ansible playbook
---
- name: updates
hosts: pis
tasks:
- name: Update APT
become: true
apt:
update_cache: yes
It will give me the following error
fatal: [127.0.0.1]: FAILED! => {"changed": false, "module_stderr": "Shared connection to 127.0.0.1 closed.\r\n", "module_stdout": "sudo: a password is required\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
but the following playbook works fine
---
- name: updates
hosts: pis
tasks:
- name: Update APT
command: sudo apt-get update
When using become: yes the connection will try to spawn shell as root (as you haven't specified become_user).
It seems you have access to run sudo apt-get update without password, i.e:
/etc/sudodoers may contain something similar to this:
ansible ALL=(ALL) NOPASSWD: /bin/apt-get update
To replicate the issue, login as user ansible and issue a command sudo -i
If you're using a dedicated user (ansible ?) for all ansible connectivity, you might want to give that user access to all commands via sudo without password. Read Here this is however not the best practice, you are always better off giving access to specific commands for security reasons
Add the following line to /etc/sudoers file using visudo /etc/sudoers
ansible ALL=(ALL) NOPASSWD:ALL
If you opt for this, I would also advise to use a key-pair authentication for this privileged account rather than password authentication. More info
My Environment uses work with Linux environments.
My Login process is
1. login to Linux box using my personal ID.
2. then switch to application id ==> sudo su - applicationID
[this switch does not ask a password and takes me to the home domain_path for applicationID]
3. All tasks are performed here.
Can i implement the same switch through Ansible.
Tried become, become_user and also remote_user nothing works
I am getting multiple errors and not sure how to get thru.
It also asks me for a password which i do not have.
Saw multiple posts but cant understand the combination of sudo su - userID
Try this one:
- hosts: application
become: yes
become_exe: "sudo su - applicationID"
become_method: su
tasks:
I've been banging my head on this one for most of the day, I've tried everything I could without success, even with the help of my sysadmin. (note that I am not at all an ansible expert, I've discovered that today)
context: I try to run implement continuous integration of a java service via gitlab. a pipeline will, on a push, run tests, package the jar, then run an ancible playbook to stop the existing service, replace the jar, launch the service again. We have that for the production in google cloud, and it works fine. I'm trying to add an extra step before that, to do the same on localhost.
And I just can't understand why ansible fails to do a "sudo service XXXX stop|start" . All I got is
fatal: [localhost]: FAILED! => {"changed": false, "failed": true, "module_stderr": "Sorry, try again.\n[sudo via ansible, key=nbjplyhtvodoeqooejtlnhxhqubibbjy] password: \nsudo: 1 incorrect password attempt\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1}
Here is the the gitlab pipeline stage that I call :
indexer-integration:
stage: deploy integration
script:
- ansible-playbook -i ~/git/ansible/inventory deploy_integration.yml --vault-password-file=/home/gitlab-runner/vault.txt
when: on_success
vault.txt contains the vault encryption password. Here is the deploy_integration.yml
---
- name: deploy integration saleindexer
hosts: localhost
gather_facts: no
user: test-ccc #this is the user that I created as a test
connection: local
vars_files:
- /home/gitlab-runner/secret.txt #holds the sudo password
tasks:
- name: Stop indexer
service: name=indexer state=stopped
become: true
become_user: root
- name: Clean JAR
become: true
become_user: root
file:
state: absent
path: '/PATH/indexer-latest.jar'
- name: Copy JAR
become: true
become_user: root
copy:
src: 'target/indexer-latest.jar'
dest: '/PATH/indexer-latest.jar'
- name: Start indexer
service: name=indexer state=started
become: true
become_user: root
the user 'test-ccc' is another user that I created ( part of the group root and in the sudoer file) to make sure it was not an issue related to the gitlab-runner user ( and because apparently no one here can remembers the sudo password of that user xD )
I've try a lot od thing, including
shell: echo 'password' | sudo -S service indexer stop
that works in command line. But if executed by ansible, all I got is a prompt message asking me to enter the sudo password
Thanks
edit per comment request : The secret.txt has :
ansible_become_pass: password
When using that user in command line (su user / sudo service start ....) and prompted for that password, it works fine. The problem I believe is that either ansible always prompts for password, or the password is not properly passed to the task.
The sshd_config has a line 'PermitRootLogin yes'
ok, thanks to a reponse(now deleted) from techraf, I noticed that the line
user: test-ccc
is actually useless, everything was still run by the 'gitlab-runner' user. So I :
put all my action in a script postbuild.sh
add gitlab-runners to the sudoers and gave the nopassword for that script
gitlab-runner ALL=(ALL) NOPASSWD:/home/PATH/postbuild.sh
removed everrything about passing the password and the secret from the ansible task, and used instead :
shell: sudo -S /home/PATH/postbuild.sh
So that works, the script is executed, service is stop/start. I'll mark this as answered, even though using service: name=indexer state=started and giving NOPASSWD:ALL for the user still caused an error (the one in my comment on the question ) . If anyone can shed light on that in the comment ....
I am new to Ansible. Trying to copy some files to remote machine.
I am able to copy to remote server's tmp folder, but not able to copy to a particular users folder.
I think it is possible if we can switch to that particular user. But I am not able to do so using playbook.
Please help me on this.
Regards,
KP
This is a permission issue. The user which you use to connect to the host does not have permissions to write to that other users folder.
If you have access to that users account (e.g. your ssh key is accepted) you can simply define the user per task through remote_user:
- copy: src=...
dest=...
remote_user: <SET_OWNER_HERE>
If you do not have access, you can use the sudo flag to execute a task with root permissions. But make sure you set the permissions correctly or the user might not be able to read/write those files:
- copy: src=...
dest=...
owner=<SET_OWNER_HERE>
group=<SET_GROUP_HERE>
mode=0644
sudo: yes
Also, you can define the username as which the sudo command is executed with sudo_user:
- copy: src=...
dest=...
sudo: yes
sudo_user: <SET_OWNER_HERE>
If sudo requires a password from you, you have to provide it or the task will hang forever without any error message.
You can define this globally in the ansible.cfg:
ask_sudo_pass=True
Or pass the option when you call your playbook:
ansible-playbook ... --ask-sudo-pass
Some ubuntu cloud images such as this one :
http://cloud-images.ubuntu.com/vagrant/precise/20140120/precise-server-cloudimg-amd64-vagrant-disk1.box
have the file /etc/sudoers.d/vagrant, with the content vagrant ALL=(ALL) NOPASSWD:ALL
Other boxes such as this one https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-13.10_chef-provisionerless.box
doesn't have it, and as a result ansible commands with sudo_user don't work.
I can add the file with :
- name: ensure Vagrant is a sudoer
copy: content="vagrant ALL=(ALL) NOPASSWD:ALL" dest=/etc/sudoers.d/vagrant owner=root group=root
sudo: yes
I'm wondering if something Vagrant should be doing, because this task
will not be applicable when running the ansible playbook on a real (non vagrant) machine.
Vagrant requires privileged access to the VM, either using config.ssh.username = "root", or more commonly, via sudo. The Bento Ubuntu boxes currently configure it directly to /etc/sudoers.
I don't know what ansible's sudo_user does or means, but I guess your provisioning is overriding /etc/sudoers. In this case you really need to ensure you don't lose Vagrant's sudo access to the VM. Or build your own base box which uses sudoers.d.
As a side note, if you create a /etc/sudoers.d/ file, you should also set it's mode to 0440 or at least some older sudo versions refuse to apply it.