ansible behavior to specific sudo commands on managed nodes

Views: 101

Problem description

Here to discuss the ansible behavior when user at managed nodes is given sudo privileges to specific commands.

I have sudo privileges on remote managed host [rm-host.company.com] to specific commands. Two of them are:

   /bin/mkdir /opt/somedir/unit*
   /bin/chmod 2775 /opt/somedir/unit*

PS: /opt/somedir at remote nodes exists already.

My ansible control machine version:

ansible 2.7.10
python version = 2.7.5 (default, Mar 26 2019, 22:13:06) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]

YAML code fails when I use the ansible "file" module even though I have sudo privileges to chmod and mkdir as listed above.

   - name:  7|Ensure Directory - "/opt/somedir/{{ ENV_CHOSEN }}" Permissions are 2775

     become: yes
     become_method: sudo
     file: path="/opt/somedir/{{ ENV_CHOSEN }}" state=directory mode=2775

     when:
       - ansible_facts['os_family'] == "CentOS" or ansible_facts['os_family'] == "RedHat"
       - ansible_distribution_version | int >= 6
       - http_dir_path.stat.exists == true
       - http_dir_path.stat.isdir == true
       - CreateWebAgentEnvDir is defined
       - CreateWebAgentEnvDir is succeeded

     register: ChangeDirPermission

   - debug:
       var: ChangeDirPermission

Runtime error:

TASK [7|Ensure Directory - "/opt/somedir/unitc" Permissions are 2775] **************************************************************************************************************************************************************************************
fatal: [rm-host.company.com]: FAILED! => {"changed": false, "module_stderr": "FIPS mode initialized\r\nShared connection to rm-host.company.com closed.\r\n", "module_stdout": "sudo: a password is required\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
        to retry, use: --limit @/u/joker/scripts/Ansible/playbooks/agent/plays/agent_Install.retry

PLAY RECAP ***************************************************************************************************************************************************************************************************************************************************
rm-host.company.com     : ok=9    changed=2    unreachable=0    failed=1

But succeeds when I use command module, like so:

   - name:  7|Ensure Directory - "/opt/somedir/{{ ENV_CHOSEN }}" Permissions are 2775

     command: sudo /bin/chmod 2775 "/opt/somedir/{{ ENV_CHOSEN }}"

     when:
       - ansible_facts['os_family'] == "CentOS" or ansible_facts['os_family'] == "RedHat"
       - ansible_distribution_version | int >= 6
       - http_dir_path.stat.exists == true
       - http_dir_path.stat.isdir == true
       - CreateagentEnvDir is defined
       - CreateagentEnvDir is succeeded

     register: ChangeDirPermission

   - debug:
       var: ChangeDirPermission

Success Runtime debug output captured:

TASK [7|Ensure Directory - "/opt/somedir/unitc" Permissions are 2775] **************************************************************************************************************************************************************************************
 [WARNING]: Consider using 'become', 'become_method', and 'become_user' rather than running sudo

changed: [rm-host.company.com]

TASK [debug] *************************************************************************************************************************************************************************************************************************************************
ok: [rm-host.company.com] => {
    "ChangeDirPermission": {
        "changed": true,
        "cmd": [
            "sudo",
            "/bin/chmod",
            "2775",
            "/opt/somedir/unitc"
        ],
        "delta": "0:00:00.301570",
        "end": "2019-06-22 13:20:17.300266",
        "failed": false,
        "rc": 0,
        "start": "2019-06-22 13:20:16.998696",
        "stderr": "",
        "stderr_lines": [],
        "stdout": "",
        "stdout_lines": [],
        "warnings": [
            "Consider using 'become', 'become_method', and 'become_user' rather than running sudo"
        ]
    }
}

Question:

How can I make this work without using command module? I want to stick to ansible core modules using 'become', 'become_method' rather than running sudo in command module.

Note:

It works when sudo is enabled for ALL commands. But [ user ALL=(ALL) NOPASSWD: ALL ] cannot be given on remote host. Not allowed by company policy for the group I am in.

Recommended answer

The short answer is you can't. The way ansible works is by executing python scripts in the remote host (except for the raw, command and shell modules). See the docs.

The file module executes this script with a long line of parameters. But ansible will first become the required user, in this case root by running sudo -H -S -n -u root /bin/sh in the remote ssh session (please bear in mind that this command might be slightly different in your case).

Once the user logged remotely has become the root user, Ansible will upload and execute the file.py script.

It looks like in your case, you'll need to revert to using the raw, command or shell modules in the cases where you need to run the privileged commands.

To understand this a bit better and see the detail and order of the commands being executed, run ansible-playbook with the parameter -vvvv.
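As an added example (not from the original question or answer), here is how the command-module approach the answer recommends can be kept idempotent while staying within the two sudo-permitted commands: a stat check decides whether mkdir or chmod is needed, and sudo is run with -n so a non-matching sudoers rule fails immediately instead of hanging the play on a password prompt. It assumes ENV_CHOSEN expands to a name matching the sudoers pattern /opt/somedir/unit* (e.g. unitc); the task names and the env_dir/chmod_result variables are mine.

```yaml
# Added example, not from the original post. Assumes ENV_CHOSEN matches the
# sudoers pattern /opt/somedir/unit*, so sudo accepts these exact commands.
- name: Check whether the target directory already exists and what mode it has
  stat:
    path: "/opt/somedir/{{ ENV_CHOSEN }}"
  register: env_dir

- name: Create the directory with the sudo-permitted mkdir only when it is absent
  command: sudo -n /bin/mkdir "/opt/somedir/{{ ENV_CHOSEN }}"
  args:
    # creates: makes the task skip (and report ok, not changed) once the path exists
    creates: "/opt/somedir/{{ ENV_CHOSEN }}"
    # suppress the "Consider using become" warning seen in the question's output
    warn: no

- name: Set mode 2775 with the sudo-permitted chmod only when the mode differs
  command: sudo -n /bin/chmod 2775 "/opt/somedir/{{ ENV_CHOSEN }}"
  args:
    warn: no
  # stat reports mode as an octal string, "2775" for a setgid 775 directory
  when: not env_dir.stat.exists or env_dir.stat.mode != "2775"
  register: chmod_result
  changed_when: chmod_result.rc == 0
```

Running with -vvvv, as the answer suggests, shows that these tasks never invoke sudo on /bin/sh or the python interpreter, which is why they succeed where become fails under a command-restricted sudoers rule.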
