Ansible non-root sudo user and "become" privilege escalation


Question

I've set up a box with a user david who has sudo privileges. I can ssh into the box and perform sudo operations like apt-get install. When I try to do the same thing using Ansible's "become privilege escalation", I get a permission denied error. So a simple playbook might look like this:

simple_playbook.yml:

---
- name: Testing...
  hosts: all
  become: true
  become_user: david
  become_method: sudo

  tasks:
    - name: Just want to install sqlite3 for example...
      apt: name=sqlite3 state=present

I run this playbook with the following command:

ansible-playbook -i inventory simple_playbook.yml --ask-become-pass

This gives me a prompt for a password, which I give, and I get the following error (abbreviated):

fatal: [123.45.67.89]: FAILED! => {...
failed: E: Could not open lock file /var/lib/dpkg/lock - open (13: 
Permission denied)\nE: Unable to lock the administration directory
(/var/lib/dpkg/), are you root?\n", ...}

Why am I getting permission denied?

Additional information

I'm running Ansible 2.1.1.0 and am targeting an Ubuntu 16.04 box. If I use the remote_user and sudo options as per Ansible < v1.9, it works fine, like this:

remote_user: david
sudo: yes

Update

The local and remote usernames are the same. To get this working, I just needed to specify become: yes (see @techraf's answer):

Answer (from @techraf)

Why am I getting permission denied?

Because APT requires root permissions (see the error: are you root?) and you are running the tasks as david.

Given these settings:

become: true
become_user: david
become_method: sudo

Ansible becomes david using the sudo method. It basically runs its Python script with sudo david in front.

the user 'david' on the remote box has sudo privileges.

It means david can execute commands (some or all) using the sudo executable to change the effective user for the child process (the command). If no username is given, this process runs as the root account.

Compare the results of these two commands:

$ sudo whoami
root
$ sudo -u david whoami
david


Back to the APT problem, you (from the CLI) as well as Ansible (connecting with SSH using your account) need to run:

sudo apt-get install sqlite3

not:

sudo -u david apt-get install sqlite3

which will fail with the exact message Ansible displayed.

The following playbook will escalate by default to the root user:

---
- name: Testing...   
  hosts: all
  become: true

  tasks:
    - name: Just want to install sqlite3 for example...
      apt: name=sqlite3 state=present
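As an added illustration of the answer's point (example code written here, not code from the page, from the asker, or from Ansible itself): a small Python model of how a play's become settings pick the sudo target user, with a check that flags both mistakes in the question's play. The command shape (sudo -H -S -n -u <user> /bin/sh -c '...') approximates what Ansible's sudo become method prepends to a module run; the fixed BECOME-SUCCESS marker, the two sample plays, the remote_user value, and the root-only module list containing only apt are assumptions constructed for this example.

```python
"""Model of how become settings choose the sudo target user (added example, not Ansible code)."""
import shlex

DEFAULT_BECOME_USER = "root"        # Ansible's default when become_user is omitted
DEFAULT_BECOME_FLAGS = "-H -S -n"   # default flags of the sudo become method

# Constructed sample plays (assumptions, not taken verbatim from the page):
# the play from the question and the play from the answer, each with
# remote_user set to the same name, as the question's update says it is.
QUESTION_PLAY = {
    "hosts": "all",
    "remote_user": "david",
    "become": True,
    "become_user": "david",
    "become_method": "sudo",
}
ANSWER_PLAY = {
    "hosts": "all",
    "remote_user": "david",
    "become": True,
}


def effective_become_user(play):
    """User the module will run as after escalation; None when become is off."""
    if not play.get("become", False):
        return None
    return play.get("become_user") or DEFAULT_BECOME_USER


def build_become_command(play, remote_cmd, ask_become_pass=False):
    """Approximate wrapper the sudo become method prepends to a module run.

    The shape (sudo <flags> -u <user> /bin/sh -c '...') mirrors the real
    method; the success marker is fixed here, Ansible randomises it.
    """
    user = effective_become_user(play)
    if user is None:
        return remote_cmd
    method = play.get("become_method", "sudo")
    if method != "sudo":
        raise ValueError(f"only the sudo method is modelled here, got {method!r}")
    flags = play.get("become_flags", DEFAULT_BECOME_FLAGS)
    if ask_become_pass:
        # A password is available, so sudo may prompt: drop non-interactive -n.
        flags = flags.replace("-n", "").strip()
    wrapped = f"echo BECOME-SUCCESS-marker ; {remote_cmd}"
    return f"sudo {flags} -u {user} /bin/sh -c {shlex.quote(wrapped)}"


def check_escalation(play, task_module, root_only_modules=("apt",)):
    """Return findings for a task that will not get the privileges it needs.

    root_only_modules is an assumption: apt is listed because the page's
    error ("are you root?") shows it needs root; extend it for your own use.
    """
    findings = []
    user = effective_become_user(play)
    if task_module in root_only_modules and user != "root":
        runs_as = "the connection user (no become)" if user is None else repr(user)
        findings.append(
            f"{task_module} needs root but the task runs as {runs_as}; "
            "set become: true and leave become_user unset (or set it to root)"
        )
    remote = play.get("remote_user")
    if user is not None and remote is not None and user == remote:
        findings.append(
            f"become_user {user!r} is the connection user itself; "
            "sudo -u to yourself changes no privileges"
        )
    return findings


if __name__ == "__main__":
    module_cmd = "apt-get install sqlite3"
    for label, play in (("question", QUESTION_PLAY), ("answer", ANSWER_PLAY)):
        print(f"[{label}] escalates to: {effective_become_user(play)}")
        print(f"[{label}] runs: {build_become_command(play, module_cmd, ask_become_pass=True)}")
        for finding in check_escalation(play, "apt"):
            print(f"[{label}] finding: {finding}")
```

Running the script shows the question's play wrapping the module in sudo -u david while the answer's play wraps it in sudo -u root; the check reports both that apt needs root and that escalating to the connection user itself is a no-op.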
