Ansible 2.1.0 using become/become_user fails to set permissions on temp file


Problem description


I have ansible 2.1.0 on my server, where I do deployment via vagrant, and on my PC too. The role "deploy" has:

- name: upload code
  become: true
  become_user: www-data
  git: repo=git@bitbucket.org:****.git
       dest=/var/www/main
       key_file=/var/www/.ssh/id_rsa
       accept_hostkey=true
       update=yes
       force=yes
  register: fresh_code
  notify: restart php-fpm
  tags: fresh_code


In this case with ansible 2.1.0 I get an error:

fatal: [default]: FAILED! => {"failed": true, "msg": "Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user. For information on working around this, see https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user"}


With ansible 2.0.1.0, which I use on my PC, everything is normal: the folder /var/www/ has the folder main with owner and group www-data.


If I use only become_user: www-data, and if I use become_method: sudo with become_user: www-data, I get the same error.

How can this be fixed?

Accepted answer


The problem is that www-data cannot access the files created by the default non-root ansible user you use to connect to the machine. Also, the error message clearly points to ansible's documentation, which describes what options you have to fix this issue when upgrading from ansible 2.0 or below.


They suggest three ways to properly fix the issue:

  • Use pipelining. When pipelining is enabled, Ansible doesn’t save the module to a temporary file on the client. Instead it pipes the module to the remote python interpreter’s stdin. Pipelining does not work for non-python modules.
  • Install filesystem acl support on the managed host. If the temporary directory on the remote host is mounted with filesystem acls enabled and the setfacl tool is in the remote PATH then Ansible will use filesystem acls to share the module file with the second unprivileged user instead of having to make the file readable by everyone.
  • Don’t perform an action on the remote machine by becoming an unprivileged user. Temporary files are protected by UNIX file permissions when you become root or do not use become. In Ansible 2.1 and above, UNIX file permissions are also secure if you make the connection to the managed machine as root and then use become to an unprivileged account.


Or if you cannot do any of these fixes, then you can force ansible to run in a bit more insecure way (which seemed to be the default in ansible 2 and below), which should also fix your problem, but would not fix the underlying security risk:


If you can’t make any of the changes above to resolve the problem and you decide that the machine you’re running on is secure enough for the modules you want to run there to be world readable you can turn on allow_world_readable_tmpfiles in the ansible.cfg file. Setting allow_world_readable_tmpfiles will change this from an error into a warning and allow the task to run as it did prior to 2.1.
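As an added example, not part of the original question or answer, the following ansible.cfg puts the recommended pipelining fix next to the world-readable fallback quoted above, so the two settings can be compared directly. It assumes the default config file locations and that the managed hosts run the git module (a Python module, so pipelining applies); the sudoers remark is a general Ansible requirement for pipelining, not something the answer states.

```ini
# ansible.cfg (added example, not from the original question or answer)

[ssh_connection]
# Preferred fix: pipelining streams the module over the remote Python
# interpreter's stdin, so no temp file ever has to be shared with www-data.
# Requires 'requiretty' to be disabled in sudoers on the managed hosts,
# and has no effect on non-Python modules.
pipelining = True

[defaults]
# Last-resort alternative only: restores pre-2.1 behaviour by making the
# module's temp files world-readable on the managed host. This turns the
# "Failed to set permissions" error into a warning but leaves every other
# local user able to read the module payload while the task runs.
# Leave it unset (default False) unless pipelining and filesystem ACLs are
# both unavailable on the hosts in question.
#allow_world_readable_tmpfiles = True
```

Keep the fallback line commented out unless it is genuinely needed; if it must be enabled, it is better scoped to a dedicated ansible.cfg for the affected inventory than set globally.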
