Ansible playbook execution | root restriction


subin alex

Apr 11, 2019, 12:44:28 AM
to ansible...@googlegroups.com
Hi All,

We are facing a customer restriction on providing root access to run the Ansible playbook. Our playbook needs root access to execute smoothly. They are apprehensive about the commands executed by the playbook, thinking it may compromise their system security.

Our playbook is huge and it's not possible for us to fetch them each OS-level command it executes. Is there any way to run the playbook using dzdo which can handle this restriction from the customer?

Have any of you faced this situation, and what are the best possible solutions to such a deadlock?

Please share your thoughts


Thanks,
Subin

Dick Visser

Apr 11, 2019, 1:00:51 AM
to ansible...@googlegroups.com
Your client sounds reasonable.
Using root to run Ansible isn't recommended, and common practice is to use a non-root account in combination with privilege escalation, which defaults to sudo.
Your case needs a different method:

--become-method=dzdo

--
Sent from a mobile device - please excuse the brevity, spelling and punctuation.
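As an added illustration of the setup Dick describes (this is example configuration written for this thread, not something posted by either author): a YAML inventory that makes dzdo the escalation method for the customer's hosts, followed by a playbook that logs in as an unprivileged account and escalates only on the tasks that genuinely need root. Host names, the `svc_ansible` account, the package name and the template path are placeholders.

```yaml
---
# inventory.yml (example, not from the thread; host and account names are placeholders)
# Escalation is configured here once, so nothing in the playbook has to mention dzdo.
all:
  children:
    customer_hosts:
      hosts:
        app01.example.internal:
        app02.example.internal:
      vars:
        ansible_user: svc_ansible          # unprivileged login account, never root
        ansible_become_method: dzdo        # Centrify dzdo instead of the default sudo
        ansible_become_user: root          # target user when a task does escalate
---
# site.yml: become is off at play level; only tasks that need root set become: true,
# so the dzdo audit trail shows exactly which steps ran with elevated rights.
- name: Deploy application with least privilege
  hosts: customer_hosts
  become: false
  tasks:
    - name: Gather facts as the unprivileged account (no escalation needed)
      setup:

    - name: Install package (needs root, so this task escalates through dzdo)
      package:
        name: nginx
        state: present
      become: true

    - name: Render application config as the unprivileged account
      template:
        src: app.conf.j2
        dest: /home/svc_ansible/app.conf
        mode: "0640"
```

Run it with `ansible-playbook -i inventory.yml site.yml --ask-become-pass` if the customer's dzdo policy prompts for a password; setting the method on the command line with `--become --become-method=dzdo` is equivalent to the inventory variables above. Running with `-vvv` prints the exact dzdo command Ansible constructs for each escalated task, which is the concrete thing a cautious customer can review. On Ansible 2.10 and later the dzdo become plugin ships in the community.general collection, so that collection must be installed on the control node.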

Brian Coca

Apr 18, 2019, 12:29:32 PM
to Ansible Project
Don't assume Ansible just runs 'system commands'; in many cases the
modules use an API, so a 'list of system commands' is not something that
will work.

The modules themselves are executed under sudo/user from a temporary
dir in their home, so you can 'match' more or less what that 'command'
will look like, but it requires a lot of globbing to allow.

The modules Ansible ships with are open source, so they CAN be
audited, as well as the shared code that operates on the systems.
--
----------
Brian Coca