Run a handler as a different user
260 views
Skip to first unread message
Gordon Ross
Sep 23, 2016, 11:29:28 AM9/23/16
to ansible...@googlegroups.com
I have a handler that I wish to run as a different user to the user Ansible normal logs in as.
My playbooks execute with the “—become” flag so they run as root, but this particular task needs to run as the application user.
I’m my handlers/main.yaml , I’ve got the entry:
- name: Update Rancid RCS files
command: /usr/lib/rancid/bin/rancid-cvs
become_user: rancid
become: yes
But Ansible still tries to run the command as root. (The command refuses to run as root)
If I change the handler to:
- name: Update Rancid RCS files
action: command /usr/lib/rancid/bin/rancid-cvs
remote_user: rancid
become: no
And setup the necessary SSH keys, the command runs fine as the correct user.
What am I doing wrong that’s preventing the first method from working?
I’m running Ansible 2.1.1.0
Thank you,
GTG
--
Gordon Ross,
My playbooks execute with the “—become” flag so they run as root, but this particular task needs to run as the application user.
I’m my handlers/main.yaml , I’ve got the entry:
- name: Update Rancid RCS files
command: /usr/lib/rancid/bin/rancid-cvs
become_user: rancid
become: yes
But Ansible still tries to run the command as root. (The command refuses to run as root)
If I change the handler to:
- name: Update Rancid RCS files
action: command /usr/lib/rancid/bin/rancid-cvs
remote_user: rancid
become: no
And setup the necessary SSH keys, the command runs fine as the correct user.
What am I doing wrong that’s preventing the first method from working?
I’m running Ansible 2.1.1.0
Thank you,
GTG
--
Gordon Ross,
Brian Coca
Sep 23, 2016, 11:32:46 AM9/23/16
to ansible...@googlegroups.com
The difference is that in the first case you are trying to login as your 'normal' user and then sudo/su to the rancid user and that does not seem to work.
The second will login as the rancid user and not use sudo/su at all.
Without any errors I can only speculate that why this works/doesn't seems to be related to how your permissions are setup.
----------
Brian Coca
Gordon Ross
Sep 23, 2016, 3:11:30 PM9/23/16
to ansible...@googlegroups.com
Running Ansible with verbose:
<mgmtsrv1> ESTABLISH SSH CONNECTION FOR USER: ansible
<mgmtsrv1> SSH: EXEC ssh -C -q -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/etc/ansible/ansible_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 -o ControlPath=/home/gr306/.ansible/cp/ansible-ssh-%h-%p-%r mgmtsrv1 '/bin/sh -c '"'"'sudo -H -S -n -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-reldgrhxvqzvmhecqvgicikpadbwqkct; LANG=en_GB.UTF-8 LC_ALL=en_GB.UTF-8 LC_MESSAGES=en_GB.UTF-8 /usr/bin/python'"'"'"'"'"'"'"'"' && sleep 0'"'”’'
GTG
> --
> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
> To post to this group, send email to ansible...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CACVha7chK3F6xzHX3HASicGufpaZ_HP%3DbQcO9Qpp9eL832s3%3DQ%40mail.gmail.com.
> For more options, visit https://groups.google.com/d/optout.
<mgmtsrv1> ESTABLISH SSH CONNECTION FOR USER: ansible
<mgmtsrv1> SSH: EXEC ssh -C -q -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/etc/ansible/ansible_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 -o ControlPath=/home/gr306/.ansible/cp/ansible-ssh-%h-%p-%r mgmtsrv1 '/bin/sh -c '"'"'sudo -H -S -n -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-reldgrhxvqzvmhecqvgicikpadbwqkct; LANG=en_GB.UTF-8 LC_ALL=en_GB.UTF-8 LC_MESSAGES=en_GB.UTF-8 /usr/bin/python'"'"'"'"'"'"'"'"' && sleep 0'"'”’'
GTG
> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
> To post to this group, send email to ansible...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CACVha7chK3F6xzHX3HASicGufpaZ_HP%3DbQcO9Qpp9eL832s3%3DQ%40mail.gmail.com.
> For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages