Privileges for become_user


Torsten Lorenz

Sep 12, 2019, 7:47:40 AM
to Ansible Project
Hi @ all,

I try to start/stop a service with Ansible and need to execute the command with sudo:

Executing
"sudo /usr/bin/systemctl start filebeat.service"

works pretty fine, but I would like to use the service module.

My playbook looks like this:


- name: testplay
  hosts: hostname

  tasks:
    - name: stop filebeat
      become: true
      become_method: sudo
      become_user: root
      service:
        name: filebeat.service
        state: stopped



I get this error:

TASK [stop filebeat] ************************************************************
fatal: [vlq23007]: FAILED! => {"changed": false, "module_stderr": "Shared connection to hostname closed.\r\n", "module_stdout": "Sorry, user sudouser is not allowed to execute '/bin/sh -c echo BECOME-SUCCESS-sodoffndzuoxshzljbtmzwmyfysryhkf; /usr/bin/python /home/sudouser/.ansible/tmp/ansible-tmp-1568288715.75-4453183611448/systemd.py; rm -rf \"/home/sudouser/.ansible/tmp/ansible-tmp-1568288715.75-4453183611448/\" > /dev/null 2>&1' as root on hostname.\r\n", "msg": "MODULE FAILURE", "rc": 1}



Are there any ideas how to fix it?

greetz

Torsten

Dick Visser

Sep 12, 2019, 8:08:17 AM
to ansible...@googlegroups.com
Hi

The user you connect as ('becomeuser' - I suppose that's obfuscated)
isn't allowed to do sudo.
If you fix that, things are likely to start working.

On a related note, you can remove become_user, as it is set to its
default (root), as well as become_method, which defaults to sudo.
So basically just "become: true" is needed.


Dick



--
Dick Visser
Trust & Identity Service Operations Manager
GÉANT

Vladimir Botka

Sep 12, 2019, 8:15:26 AM
to 'Torsten Lorenz' via Ansible Project
On Thu, 12 Sep 2019 04:47:39 -0700 (PDT)
"'Torsten Lorenz' via Ansible Project" <ansible...@googlegroups.com>
wrote:

> executing
> "sudo /usr/bin/systemctl start filebeat.service"
> works pretty fine, but i would like to use the service-modul.
>
> My playbook looks like this:
> - name: testplay
>   hosts: hostname
>
>   tasks:
>     - name: stop filebeat
>       become: true
>       become_method: sudo
>       become_user: root
>       service:
>         name: filebeat.service
>         state: stopped
>
> ASK [stop filebeat]
> fatal: [vlq23007]: FAILED! => {"changed": false, "module_stderr": "Shared
> connection to hostname closed.\r\n", "module_stdout": "Sorry, user sudouser
> is not allowed to execute '/bin/sh -c echo
> BECOME-SUCCESS-sodoffndzuoxshzljbtmzwmyfysryhkf; /usr/bin/python
> /home/sudouser/.ansible/tmp/ansible-tmp-1568288715.75-4453183611448/systemd.py;
> rm -rf
> \"/home/sudouser/.ansible/tmp/ansible-tmp-1568288715.75-4453183611448/\" >
> /dev/null 2>&1' as root on hostname.\r\n", "msg": "MODULE FAILURE", "rc": 1}

Make sure user "sudouser" is able to become root with "sudo su".

me@master: ssh sudouser@hostname
sudouser@hostname: sudo su
root@hostname:

Take a look at /etc/sudoers. You can run "sudo /usr/bin/systemctl ..."
because this command is specifically allowed, I guess.

HTH, Cheers,

-vlado

Torsten Lorenz

Sep 12, 2019, 8:19:44 AM
to Ansible Project
Hi, thanks for your answer. 


The user is allowed to use sudo. If I change my playbook to:

        tasks:
          - name: restart Filebeat per Command
            shell: "sudo /usr/bin/systemctl start filebeat.service filebeat.service"

it's working, but that's not more than a workaround....

I think the problem is that the sudo template contains exactly the command "/usr/bin/systemctl * filebeat.service filebeat.service" and Ansible uses another command to start/stop the service.


greetz
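A small model of the mismatch described in this thread (the sudoers rule that allows only a specific systemctl invocation versus the /bin/sh -c wrapper Ansible runs for become), added here as an example and not part of the original posts. It reproduces in simplified form how sudo matches a Cmnd_Spec against a command line; the rule text, the sample commands and the matching rules modelled are assumptions (real sudoers matching also handles negation, digests, quoting and more), while the wrapper command is taken from the error output above.

```python
import fnmatch
import shlex

# Constructed sudoers Cmnd_Spec, modelled on the rule the thread describes.
SUDOERS_RULE = "/usr/bin/systemctl * filebeat.service"

# The become wrapper taken from the error output in the thread.
ANSIBLE_BECOME_CMD = (
    "/bin/sh -c 'echo BECOME-SUCCESS-sodoffndzuoxshzljbtmzwmyfysryhkf; "
    "/usr/bin/python /home/sudouser/.ansible/tmp/ansible-tmp-1568288715.75-4453183611448/systemd.py; "
    "rm -rf \"/home/sudouser/.ansible/tmp/ansible-tmp-1568288715.75-4453183611448/\" "
    "> /dev/null 2>&1'"
)


def sudoers_allows(rule: str, command: str) -> bool:
    """Simplified model (assumption) of sudo's Cmnd_Spec matching: the
    executable must match the rule's first word; if the rule lists arguments,
    the command's arguments are joined by spaces and fnmatch'ed as one string
    against the rule's argument pattern. Negation, digests and Cmnd aliases
    are not modelled."""
    cmd = shlex.split(command)
    if not cmd:
        return False
    rule_parts = rule.split(None, 1)
    rule_path = rule_parts[0]
    if rule_path == "ALL":
        return True
    if not fnmatch.fnmatchcase(cmd[0], rule_path):
        return False
    if len(rule_parts) == 1:
        return True  # no argument spec: any arguments are permitted
    cmd_args = " ".join(cmd[1:])
    if rule_parts[1] == '""':
        return cmd_args == ""  # "" in sudoers means "no arguments at all"
    return fnmatch.fnmatchcase(cmd_args, rule_parts[1])


def thread_verdicts() -> dict:
    """Verdicts for the commands discussed in the thread."""
    return {
        "manual sudo systemctl": sudoers_allows(
            SUDOERS_RULE, "/usr/bin/systemctl start filebeat.service"),
        "shell module workaround": sudoers_allows(
            SUDOERS_RULE, "/usr/bin/systemctl start filebeat.service filebeat.service"),
        "service module via become": sudoers_allows(SUDOERS_RULE, ANSIBLE_BECOME_CMD),
        "other unit": sudoers_allows(SUDOERS_RULE, "/usr/bin/systemctl restart sshd.service"),
    }
```

On the host itself the equivalent check is "sudo -l" as the connecting user, which lists the rules that apply; a rule that permits only one systemctl invocation can never cover the "/bin/sh -c ..." wrapper that every become-based module run goes through, so the choice is between keeping that narrow rule (and staying with the inline sudo workaround) or granting the automation account broader, audited sudo rights.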

Dick Visser

Sep 12, 2019, 8:33:58 AM
to ansible...@googlegroups.com
That is correct, Ansible is hard (or impossible) to use with such a restrictive environment:


--
Sent from a mobile device - please excuse the brevity, spelling and punctuation.

RAVITZ

Sep 12, 2019, 9:28:42 AM
to ansible...@googlegroups.com
Use "become: true" on the line after "hosts" in the play header.

Torsten Lorenz

Sep 13, 2019, 2:54:30 AM
to Ansible Project
OK,

The sudo configuration in our environment is pretty strict, so I'm sure that we couldn't work with Ansible in these cases. "Sudo su" to become root isn't allowed.

thanks a lot

Vladimir Botka

Sep 13, 2019, 3:58:59 AM
to 'Torsten Lorenz' via Ansible Project
On Thu, 12 Sep 2019 23:54:30 -0700 (PDT)
"'Torsten Lorenz' via Ansible Project" <ansible...@googlegroups.com>
wrote:

Hi,

FYI, there are other plugins
https://docs.ansible.com/ansible/latest/plugins/become.html#plugin-list

How are you going to "become" root? Just curious to learn the limitations of
Ansible.

Thank you,

-vlado

Torsten Lorenz

Sep 13, 2019, 4:13:03 AM
to Ansible Project
Hi,

I've already seen this page and think that become_exe is what I'm searching for. But I'm not able to download this plugin; the GitHub page is not available.

That's how I log in and use sudo commands manually on this system:

-> Login with my personal user (no sudo privileges)
-> sudo su - sudouser
-> Type sudo /usr/bin/systemctl start filebeat.service

Ansible uses the sudouser directly to execute commands on the remote servers....

Vladimir Botka

Sep 13, 2019, 4:36:17 AM
to 'Torsten Lorenz' via Ansible Project
On Fri, 13 Sep 2019 01:13:02 -0700 (PDT)
"'Torsten Lorenz' via Ansible Project" <ansible...@googlegroups.com>
wrote:

> > > the sudo-configuration in our enviroment is pretty strict, so i´m sure,
> > > that we couldn´t work with ansible in this cases. "Sudo su" to become
> > > root isn´t allowed thanks a lot.

> > How are you going to "become" root? Just curious to learn the limitations
> > of Ansible.

> Thats how i log in and use sudo-commands manuel on this system:
> -> Login with my personal user (No Sudo-privileges)
> -> Sudo su - sudouser
> -> Type sudo /usr/bin/systemctl start filebeat.service

Well, when you're not allowed to "become" root then you are not allowed to
configure the system, and as a result you can't "work with ansible in this
cases".

Cheers,

-vlado