Ansible 非 root sudo 用户并“成为"用户权限提升 [英] Ansible non-root sudo user and "become" privilege escalation
问题描述
我已经为一个拥有 sudo 权限的用户 david
设置了一个框.我可以通过 ssh 进入该框并执行诸如 apt-get install
之类的 sudo 操作.当我尝试使用 Ansible 的成为特权升级"来做同样的事情时,我收到一个 permission denied
错误.所以一个简单的剧本可能是这样的:
simple_playbook.yml:
---- 名称:测试...主持人:全部变成:真的成为用户:大卫成为方法:sudo任务:- 名称:例如只是想安装 sqlite3...apt:名称=sqlite3 状态=存在
我使用以下命令运行此剧本:
ansible-playbook -i inventory simple_playbook.yml --ask-become-pass
这给了我一个输入密码的提示,我给出了密码,然后我收到了以下错误(缩写):
fatal: [123.45.67.89]: 失败!=>{...失败:E:无法打开锁定文件/var/lib/dpkg/lock - open (13:权限被拒绝)\nE: 无法锁定管理目录(/var/lib/dpkg/), 你是 root 吗?\n", ...}
为什么我的权限被拒绝?
其他信息
我正在运行 Ansible 2.1.1.0 并针对 Ubuntu 16.04 机器.如果我按照 Ansible < 使用 remote_user
和 sudo
选项v1.9,它工作正常,像这样:<代码>远程用户:大卫须藤:是的
更新
本地和远程用户名相同.为了让它工作,我只需要指定 become: yes
(见@techraf 的回答):
为什么我的权限被拒绝?
因为 APT 需要 root 权限(请参阅错误:你是 root 吗?
)并且您以 david
的身份运行任务.>
根据这些设置:
变为:true成为用户:大卫成为方法:sudo
Ansible 使用 sudo
方法变成 david
.它基本上以 sudo david
开头运行其 Python 脚本.
远程盒子上的用户 'david' 具有 sudo 权限.
这意味着 david
可以使用 sudo
-executable 执行命令(部分或全部),以更改子进程的有效用户(命令).如果未提供用户名,则此过程将作为 root
帐户运行.
比较这两个命令的结果:
$ sudo whoami根$ 须藤大卫 whoami大卫
<小时>
回到 APT 问题,您(来自 CLI)以及 Ansible(使用您的帐户通过 SSH 连接)需要运行:
sudo apt-get install sqlite3
不是:
sudo david apt-get install sqlite3
这将失败并显示 Ansible 非常准确的消息.
<小时>以下剧本将默认升级到 root 用户:
---- 名称:测试...主持人:全部变成:真的任务:- 名称:例如只是想安装 sqlite3...apt:名称=sqlite3 状态=存在
I've set up a box with a user david
who has sudo privileges. I can ssh into the box and perform sudo operations like apt-get install
. When I try to do the same thing using Ansible's "become privilege escalation", I get a permission denied
error. So a simple playbook might look like this:
simple_playbook.yml:
---
- name: Testing...
hosts: all
become: true
become_user: david
become_method: sudo
tasks:
- name: Just want to install sqlite3 for example...
apt: name=sqlite3 state=present
I run this playbook with the following command:
ansible-playbook -i inventory simple_playbook.yml --ask-become-pass
This gives me a prompt for a password, which I give, and I get the following error (abbreviated):
fatal: [123.45.67.89]: FAILED! => {...
failed: E: Could not open lock file /var/lib/dpkg/lock - open (13:
Permission denied)\nE: Unable to lock the administration directory
(/var/lib/dpkg/), are you root?\n", ...}
Why am I getting permission denied?
Additional information
I'm running Ansible 2.1.1.0 and am targeting a Ubuntu 16.04 box. If I use remote_user
and sudo
options as per Ansible < v1.9, it works fine, like this:
remote_user: david
sudo: yes
Update
The local and remote usernames are the same. To get this working, I just needed to specify become: yes
(see @techraf's answer):
Why am I getting permission denied?
Because APT requires root permissions (see the error: are you root?
) and you are running the tasks as david
.
Per these settings:
become: true
become_user: david
become_method: sudo
Ansible becomes david
using sudo
method. It basically runs its Python script with sudo david
in front.
the user 'david' on the remote box has sudo privileges.
It means david
can execute commands (some or all) using sudo
-executable to change the effective user for the child process (the command). If no username is given, this process runs as the root
account.
Compare the results of these two commands:
$ sudo whoami
root
$ sudo david whoami
david
Back to the APT problem, you (from CLI) as well as Ansible (connecting with SSH using your account) need to run:
sudo apt-get install sqlite3
not:
sudo david apt-get install sqlite3
which will fail with the very exact message Ansible displayed.
The following playbook will escalate by default to the root user:
---
- name: Testing...
hosts: all
become: true
tasks:
- name: Just want to install sqlite3 for example...
apt: name=sqlite3 state=present
这篇关于Ansible 非 root sudo 用户并“成为"用户权限提升的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!