Ansible non-root sudo user and "become" privilege escalation
Question
I've set up a box with a user david who has sudo privileges. I can ssh into the box and perform sudo operations like apt-get install. When I try to do the same thing using Ansible's "become privilege escalation", I get a permission denied error. So a simple playbook might look like this:
simple_playbook.yml:
---
- name: Testing...
  hosts: all
  become: true
  become_user: david
  become_method: sudo
  tasks:
    - name: Just want to install sqlite3 for example...
      apt: name=sqlite3 state=present
I run this playbook with the following command:
ansible-playbook -i inventory simple_playbook.yml --ask-become-pass
This gives me a prompt for a password, which I give, and I get the following error (abbreviated):
fatal: [123.45.67.89]: FAILED! => {...
failed: E: Could not open lock file /var/lib/dpkg/lock - open (13:
Permission denied)\nE: Unable to lock the administration directory
(/var/lib/dpkg/), are you root?\n", ...}
Why am I getting permission denied?
Additional information
I'm running Ansible 2.1.1.0 and am targeting an Ubuntu 16.04 box. If I use the remote_user and sudo options as per Ansible < v1.9, it works fine, like this:
remote_user: david
sudo: yes
Update
The local and remote usernames are the same. To get this working, I just needed to specify become: yes (see @techraf's answer):
Accepted answer
Why am I getting permission denied?
Because APT requires root permissions (see the error: are you root?) and you are running the tasks as david.
With these settings:
  become: true
  become_user: david
  become_method: sudo
Ansible becomes david using the sudo method. It basically runs its Python script with sudo david in front.
the user 'david' on the remote box has sudo privileges.
It means david can execute commands (some or all) using the sudo executable to change the effective user for the child process (the command). If no username is given, this process runs as the root account.
Compare the results of these two commands:
$ sudo whoami
root
$ sudo -u david whoami
david
Back to the APT problem, you (from CLI) as well as Ansible (connecting with SSH using your account) need to run:
sudo apt-get install sqlite3
not:
sudo -u david apt-get install sqlite3
which will fail with the very exact message Ansible displayed.
The following playbook will escalate by default to the root user:
---
- name: Testing...
  hosts: all
  become: true
  tasks:
    - name: Just want to install sqlite3 for example...
      apt: name=sqlite3 state=present
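An added example, not part of the question or the answer above: a small offline checker that applies the precedence the answer describes (task keys override play keys; become_user defaults to root when become is enabled) to work out which account each task will actually run as, and flags tasks that call a root-requiring module such as apt while escalating to some other user. The two embedded playbooks are the ones from the question and the answer; the minimal YAML-subset parser, the list of privileged modules and the function names are this example's own assumptions, not Ansible's API.

```python
# Added example (not from the original Q&A): predict the effective account for
# each task under Ansible's become/become_user precedence and flag tasks that
# run a root-requiring module as a non-root account.

QUESTION_PLAYBOOK = """\
---
- name: Testing...
  hosts: all
  become: true
  become_user: david
  become_method: sudo
  tasks:
    - name: Just want to install sqlite3 for example...
      apt: name=sqlite3 state=present
"""

FIXED_PLAYBOOK = """\
---
- name: Testing...
  hosts: all
  become: true
  tasks:
    - name: Just want to install sqlite3 for example...
      apt: name=sqlite3 state=present
"""

# Modules that need root on the target (assumption: a representative subset).
PRIVILEGED_MODULES = {"apt", "yum", "dnf", "package", "service", "systemd"}


def _scalar(value):
    """Map YAML-style booleans to Python; leave everything else as a string."""
    low = value.lower()
    if low in ("true", "yes"):
        return True
    if low in ("false", "no"):
        return False
    return value


def parse_playbook(text):
    """Parse the flat YAML subset simple playbooks use: a list of plays, each a
    mapping of scalar keys plus a `tasks:` list of scalar mappings.
    Deliberately minimal; it is not a general YAML loader."""
    plays, play_indent, current = [], None, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped in ("---", "...") or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if stripped.startswith("- "):
            stripped = stripped[2:].strip()
            if play_indent is None or indent == play_indent:
                play_indent = indent            # a new play
                current = {"tasks": []}
                plays.append(current)
            else:
                current = {}                    # a new task inside the last play
                plays[-1]["tasks"].append(current)
        key, _, value = stripped.partition(":")
        if value.strip():                       # `tasks:` carries no inline value
            current[key.strip()] = _scalar(value.strip())
    return plays


def effective_user(play, task):
    """Account the task's module runs as: task-level keys override play-level
    keys, and become_user defaults to root when become is enabled. Returns
    None when no escalation happens (the command runs as the SSH login user)."""
    if not task.get("become", play.get("become", False)):
        return None
    return task.get("become_user", play.get("become_user", "root"))


def lint_playbook(text):
    """One message per task that calls a root-requiring module without ending
    up as root, e.g. the question's become_user: david."""
    findings = []
    for play in parse_playbook(text):
        for task in play["tasks"]:
            module = next((k for k in task if k in PRIVILEGED_MODULES), None)
            if module is None:
                continue
            user = effective_user(play, task)
            if user != "root":
                findings.append(
                    f"task {task.get('name', '?')!r}: module {module!r} would run as "
                    f"{user or 'the SSH login user'}, not root"
                )
    return findings


if __name__ == "__main__":
    for label, text in (("question", QUESTION_PLAYBOOK), ("answer", FIXED_PLAYBOOK)):
        print(label, "->", lint_playbook(text) or "ok")
```

Run as a script it reports the question's playbook as escalating to david for an apt task and the answer's playbook as clean; the same check can be pointed at any playbook written in the flat key: value style shown on this page.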