ansible behavior to specific sudo commands on managed nodes


Problem description


Here to discuss the ansible behavior when user at managed nodes is given sudo privileges to specific commands.


I have sudo privileges on remote managed host [rm-host.company.com] to specific commands. Two of them are:

   /bin/mkdir /opt/somedir/unit*
   /bin/chmod 2775 /opt/somedir/unit*


PS: /opt/somedir at remote nodes exists already.


My ansible control machine version:

ansible 2.7.10
python version = 2.7.5 (default, Mar 26 2019, 22:13:06) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]


YAML code fails when I use ansible "file" module even though I have sudo privileges to chmod and mkdir as listed above.

   - name:  7|Ensure Directory - "/opt/somedir/{{ ENV_CHOSEN }}" Permissions are 2775

     become: yes
     become_method: sudo
     file: path="/opt/somedir/{{ ENV_CHOSEN }}" state=directory mode=2775

     when:
       - ansible_facts['os_family'] == "CentOS" or ansible_facts['os_family'] == "RedHat"
       - ansible_distribution_version | int >= 6
       - http_dir_path.stat.exists == true
       - http_dir_path.stat.isdir == true
       - CreateWebAgentEnvDir is defined
       - CreateWebAgentEnvDir is succeeded

     register: ChangeDirPermission

   - debug:
       var: ChangeDirPermission

Runtime error:

TASK [7|Ensure Directory - "/opt/somedir/unitc" Permissions are 2775] **************************************************************************************************************************************************************************************
fatal: [rm-host.company.com]: FAILED! => {"changed": false, "module_stderr": "FIPS mode initialized\r\nShared connection to rm-host.company.com closed.\r\n", "module_stdout": "sudo: a password is required\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
        to retry, use: --limit @/u/joker/scripts/Ansible/playbooks/agent/plays/agent_Install.retry

PLAY RECAP ***************************************************************************************************************************************************************************************************************************************************
rm-host.company.com     : ok=9    changed=2    unreachable=0    failed=1


But succeeds when I use command module, like so:

   - name:  7|Ensure Directory - "/opt/somedir/{{ ENV_CHOSEN }}" Permissions are 2775

     command: sudo /bin/chmod 2775 "/opt/somedir/{{ ENV_CHOSEN }}"

     when:
       - ansible_facts['os_family'] == "CentOS" or ansible_facts['os_family'] == "RedHat"
       - ansible_distribution_version | int >= 6
       - http_dir_path.stat.exists == true
       - http_dir_path.stat.isdir == true
       - CreateagentEnvDir is defined
       - CreateagentEnvDir is succeeded

     register: ChangeDirPermission

   - debug:
       var: ChangeDirPermission


Success Runtime debug output captured:

TASK [7|Ensure Directory - "/opt/somedir/unitc" Permissions are 2775] **************************************************************************************************************************************************************************************
 [WARNING]: Consider using 'become', 'become_method', and 'become_user' rather than running sudo

changed: [rm-host.company.com]

TASK [debug] *************************************************************************************************************************************************************************************************************************************************
ok: [rm-host.company.com] => {
    "ChangeDirPermission": {
        "changed": true,
        "cmd": [
            "sudo",
            "/bin/chmod",
            "2775",
            "/opt/somedir/unitc"
        ],
        "delta": "0:00:00.301570",
        "end": "2019-06-22 13:20:17.300266",
        "failed": false,
        "rc": 0,
        "start": "2019-06-22 13:20:16.998696",
        "stderr": "",
        "stderr_lines": [],
        "stdout": "",
        "stdout_lines": [],
        "warnings": [
            "Consider using 'become', 'become_method', and 'become_user' rather than running sudo"
        ]
    }
}

Question:


How can I make this work without using command module? I want to stick to ansible core modules using 'become', 'become_method' rather than running sudo in command module.

Note:


It works when sudo is enabled for ALL commands. But [ user ALL=(ALL) NOPASSWD: ALL ] cannot be given on remote host. Not allowed by company policy for the group I am in.

Answer


The short answer is you can't. The way ansible works is by executing python scripts in the remote host (except for the raw, command and shell modules). See the docs.


The file module executes this script with a long line of parameters. But ansible will first become the required user, in this case root by running sudo -H -S -n -u root /bin/sh in the remote ssh session (please bear in mind that this command might be slightly different in your case).


Once the user logged remotely has become the root user, Ansible will upload and execute the file.py script.


It looks like in your case, you'll need to revert to using raw, command or shell in the cases where you need to run the privileged commands.


To understand this a bit better and see the detail and order of the commands being executed, run ansible-playbook with the parameter -vvvv.
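As an added illustration (not part of the question or the answer above): a small Python model of the sudoers command matching that produces both outcomes seen on this page. The two command specs and the become command line are constructed from what the asker posted; the `/bin/sh -c` payload is a placeholder for the real module invocation, and real sudoers argument matching is richer than this token-by-token glob.

```python
"""Simplified model of sudoers command matching (constructed example).

A NOPASSWD rule lists command specs: a command path followed by optional
literal arguments, where arguments may contain shell-style wildcards. sudo
grants a request only when the requested argv matches one of the specs.
"""
from fnmatch import fnmatchcase
import shlex

# Constructed specs mirroring the asker's two sudo grants (assumption: the
# real rule is "user ALL=(ALL) NOPASSWD: <these two specs>").
SUDOERS_SPECS = [
    "/bin/mkdir /opt/somedir/unit*",
    "/bin/chmod 2775 /opt/somedir/unit*",
]

# 1. command module with an explicit sudo prefix: sudo sees chmod itself.
COMMAND_MODULE_ARGV = ["/bin/chmod", "2775", "/opt/somedir/unitc"]

# 2. become: sudo sees a root shell whose -c payload runs the uploaded module
#    (payload is a placeholder; the real one includes the python call).
BECOME_ARGV = ["/bin/sh", "-c",
               "echo BECOME-SUCCESS-<random>; /usr/bin/python <tmp>/AnsiballZ_file.py"]


def spec_matches(spec: str, argv: list) -> bool:
    """True if argv (command path plus args) matches one sudoers spec."""
    want = shlex.split(spec)
    if len(want) != len(argv) or want[0] != argv[0]:
        return False  # path must match exactly; arg count must agree
    # Arguments are compared as case-sensitive globs, token by token.
    return all(fnmatchcase(a, w) for w, a in zip(want[1:], argv[1:]))


def sudo_would_allow(argv: list, specs=SUDOERS_SPECS) -> bool:
    """Would a NOPASSWD grant cover this exact argv?"""
    return any(spec_matches(s, argv) for s in specs)


def sudo_n_outcome(argv: list, specs=SUDOERS_SPECS) -> str:
    """Outcome of 'sudo -n' (non-interactive, as become uses): no matching
    NOPASSWD spec means sudo must ask for a password, which -n forbids."""
    if sudo_would_allow(argv, specs):
        return "allowed"
    return "sudo: a password is required"


if __name__ == "__main__":
    print("command module:", sudo_n_outcome(COMMAND_MODULE_ARGV))
    print("become/file   :", sudo_n_outcome(BECOME_ARGV))
```

The second line reproduces the `module_stdout` from the failed task: nothing in the rule set names `/bin/sh`, so the become wrapper never matches no matter what the module would do afterwards.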
