对ansible_connection = local使用--become [英] Using --become for ansible_connection=local

问题描述

我使用个人用户帐户(userx)在所有指定的主机上运行ansible剧本.在ansible.cfg中，要使用的远程用户(可以成为root用户)是:

With a personal user account (userx) I run the ansible playbook on all my specified hosts. In ansible.cfg the remote user (which can become root) to be used is:

remote_user = ansible

对于远程主机，一切正常.它以Ansible用户身份进行连接，并根据需要执行所有任务，还更改了需要root权限的信息(例如/etc/ssh/sshd_config).

For the remote hosts this all works fine. It connects as the user Ansible, and executes all tasks as wished for, also changing information (like /etc/ssh/sshd_config) which requires root rights.

但是现在我也想在Ansible主机本身上执行剧本.我在库存文件中添加了以下内容:

But now I also want to execute the playbook on the Ansible host itself. I put the following in my inventory file:

localhost ansible_connection=local

现在确实在本地主机上执行.但是作为userx，这将导致它需要执行的某些任务访问被拒绝".

which now indeed executes on localhost. But as userx, and this results in "Access denied" for some task it needs to do.

这当然是可以预料的，因为remote_user会告诉您有关 remote 的信息，而不是本地用户的信息.但是我仍然希望剧本也可以在本地--become，以root用户身份执行任务(例如sudo su -).似乎没有这样做.

This is of course somewhat expected, since remote_user tells something about remote, not the local user. But still, I expected that the playbook would --become locally too, to execute the tasks as root (e.g. sudo su -). It seems no to do that.

使用--become -vvv运行剧本会告诉我

<localhost> ESTABLISH LOCAL CONNECTION FOR USER: userx

并且似乎不尝试使用sudo执行任务.而且，如果不使用sudo，任务将失败.

and it seems not to try to execute the tasks with sudo. And without using sudo, the task fails.

我如何告诉ansible也要使用sudo/成为本地连接?

How can I tell ansible to to use sudo / become on the local connection too?

推荐答案

没有特殊要求.证明:

• 剧本:

• The playbook:

---
- hosts: localhost
  gather_facts: no
  connection: local
  tasks:
    - command: whoami
      register: whoami
    - debug:
        var: whoami.stdout

执行行:

The execution line:

ansible-playbook playbook.yml --become

结果:

The result:

PLAY [localhost] ***************************************************************************************************

TASK [command] *****************************************************************************************************
changed: [localhost]

TASK [debug] *******************************************************************************************************
ok: [localhost] => {
    "changed": false,
    "whoami.stdout": "root"
}

PLAY RECAP *********************************************************************************************************
localhost                  : ok=2    changed=1    unreachable=0    failed=0

ESTABLISH LOCAL CONNECTION FOR USER:消息将始终显示当前用户，因为该帐户用于连接".

The ESTABLISH LOCAL CONNECTION FOR USER: message will always show the current user, as it the account used "to connect".

稍后从模块调用的命令将以更高的权限执行.

Later the command(s) called from the module get(s) executed with elevated permissions.

当然，您可以在播放级别或单个任务中添加become: yes.

Of course, you can add become: yes on either play level or for individual tasks.

这篇关于对ansible_connection = local使用--become的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！