Using --become for ansible_connection=local

Problem description

With a personal user account (userx) I run the ansible playbook on all my specified hosts. In ansible.cfg the remote user (which can become root) to be used is:

remote_user = ansible

For the remote hosts this all works fine. It connects as the user Ansible, and executes all tasks as wished for, also changing information (like /etc/ssh/sshd_config) which requires root rights.

But now I also want to execute the playbook on the Ansible host itself. I put the following in my inventory file:

localhost ansible_connection=local

which now indeed executes on localhost. But as userx, and this results in "Access denied" for some task it needs to do.

This is of course somewhat expected, since remote_user tells something about remote, not the local user. But still, I expected that the playbook would --become locally too, to execute the tasks as root (e.g. sudo su -). It seems not to do that.

Running the playbook with --become -vvv tells me

<localhost> ESTABLISH LOCAL CONNECTION FOR USER: userx

and it seems not to try to execute the tasks with sudo. And without using sudo, the task fails.

How can I tell ansible to use sudo / become on the local connection too?

Recommended answer

Nothing special is required. Proof:

  • The playbook:

    ---
    - hosts: localhost
      gather_facts: no
      connection: local
      tasks:
        - command: whoami
          register: whoami
        - debug:
            var: whoami.stdout

  • The execution line:

    ansible-playbook playbook.yml --become
    

  • The result:

    PLAY [localhost] ***************************************************************************************************
    
    TASK [command] *****************************************************************************************************
    changed: [localhost]
    
    TASK [debug] *******************************************************************************************************
    ok: [localhost] => {
        "changed": false,
        "whoami.stdout": "root"
    }
    
    PLAY RECAP *********************************************************************************************************
    localhost                  : ok=2    changed=1    unreachable=0    failed=0
    

  • The ESTABLISH LOCAL CONNECTION FOR USER: message will always show the current user, as it is the account used "to connect".

    Later the command(s) called from the module get(s) executed with elevated permissions.

    Of course, you can add become: yes on either play level or for individual tasks.
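
Task-level become on the local connection, as an added example that is not part of the original answer: escalation is scoped to the one task that needs root, and an assert confirms which user each task ran as. The file name local_become.yml is hypothetical; the example assumes it is run by a non-root user who is allowed to sudo.

```yaml
---
# Added example (not from the original answer).
# Run WITHOUT --become so that only the marked task is escalated:
#   ansible-playbook local_become.yml
# Assumption: the invoking user may sudo without a password prompt;
# otherwise add --ask-become-pass (-K).
- hosts: localhost
  connection: local
  gather_facts: no
  tasks:
    - name: Unprivileged task runs as the invoking user (userx in the question)
      command: id -un
      register: plain_user
      changed_when: false

    - name: Privileged task is escalated for this task only
      command: id -un
      become: yes
      register: become_user
      changed_when: false

    - name: Verify that escalation was scoped to the second task
      assert:
        that:
          - plain_user.stdout != 'root'
          - become_user.stdout == 'root'
        fail_msg: "become did not take effect as expected on the local connection"
```

With -vvv both tasks still log ESTABLISH LOCAL CONNECTION FOR USER with the invoking user; only the registered output shows which account the command actually ran as.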
