sudo access issue while running Ansible playbook
Ramakrishna V
Hi Ansible team,
I am Ram. We need some help in running the Ansible playbook ( specifically how to add sudo while running playbooks ). in your environment, we can run all admin related commands with sudo acess ( by adding sudo in front of command . For example, sudo vgs or sudo vi /etc/sudoers ). We don't have root access and hence we don't wanted to run the playbooks with direct root access .
Most of our servers ( Redhat / Solaris / Aix ) doesn't have root access. The possibility of running all admin activities are by running sudo <command> as admin ( sysunx ) user.
I mean, after logging to the server with sysunx account, we run the admin related command as sudo <command>. How to simulate this in Ansible.
#Playbook code
[root@sgdlvapp03infra splunk_forwarder]# cat sudo_test_solaris.yml
---
- hosts: dev
gather_facts: yes
#become: yes
become_user: sysunx
become_method: sudo
ignore_errors: true
vars_files:
- /var/lib/ansible_playbooks/inventory/password.yml
#- /var/lib/ansible_playbooks/inventory/auth.yml
tasks:
- name: ping
ping:
- name: touch file '/opt/testfile'
shell: touch /opt/testfile
args:
warn: false
register: shell_output
- name: Print status
debug: var=shell_output
- name: touch file '/opt/testfile' using file module
file:
path: /opt/testfile
state: touch
register: output
- name: Print status
debug: var=output
- name: remove file '/opt/testfile'
file:
path: /opt/testfile
state: absent
register: deleted
- name: Print status after deletion
debug: var=deleted
[root@sgdlvapp03infra splunk_forwarder]#
[root@sgdlvapp03infra splunk_forwarder]# ansible-playbook sudo_test_solaris.yml --ask-vault-pass -i ../../inventory/test_INV
Vault password:
PLAY [dev] *****************************************************************************************************************************************************************
TASK [Gathering Facts] *****************************************************************************************************************************************************
ok: [10.4.67.141]
TASK [ping] ****************************************************************************************************************************************************************
ok: [10.4.67.141]
TASK [touch file '/opt/testfile'] ******************************************************************************************************************************************
fatal: [10.4.67.141]: FAILED! => {"changed": true, "cmd": "touch /opt/testfile", "delta": "0:00:00.016422", "end": "2021-01-15 12:53:02.654437", "msg": "non-zero return code", "rc": 1, "start": "2021-01-15 12:53:02.638015", "stderr": "touch: cannot create /opt/testfile: Permission denied", "stderr_lines": ["touch: cannot create /opt/testfile: Permission denied"], "stdout": "", "stdout_lines": []}
...ignoring
TASK [Print status] ********************************************************************************************************************************************************
ok: [10.4.67.141] => {
"shell_output": {
"changed": true,
"cmd": "touch /opt/testfile",
"delta": "0:00:00.016422",
"end": "2021-01-15 12:53:02.654437",
"failed": true,
"msg": "non-zero return code",
"rc": 1,
"start": "2021-01-15 12:53:02.638015",
"stderr": "touch: cannot create /opt/testfile: Permission denied",
"stderr_lines": [
"touch: cannot create /opt/testfile: Permission denied"
],
"stdout": "",
"stdout_lines": []
}
}
TASK [touch file '/opt/testfile' using file module] ************************************************************************************************************************
fatal: [10.4.67.141]: FAILED! => {"changed": false, "msg": "Error, could not touch target: [Errno 13] Permission denied: '/opt/testfile'", "path": "/opt/testfile"}
...ignoring
TASK [Print status] ********************************************************************************************************************************************************
ok: [10.4.67.141] => {
"output": {
"changed": false,
"failed": true,
"msg": "Error, could not touch target: [Errno 13] Permission denied: '/opt/testfile'",
"path": "/opt/testfile"
}
}
TASK [remove file '/opt/testfile'] ****************************************************************************************************************************************
ok: [10.4.67.141]
TASK [Print status after deletion] *****************************************************************************************************************************************
ok: [10.4.67.141] => {
"deleted": {
"changed": false,
"failed": false,
"path": "/opt/testfile",
"state": "absent"
}
}
PLAY RECAP *****************************************************************************************************************************************************************
10.4.67.141 : ok=8 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=2
[root@sgdlvapp03infra splunk_forwarder]#
[root@sgdlvapp03infra splunk_forwarder]#
[root@sgdlvapp03infra splunk_forwarder]# cat ../../inventory/test_INV
[dev]
#sgdlvapp03infra ansible_ssh_user=root ansible_ssh_pass='{{ root_password }}'
10.4.67.141
[dev:vars]
ansible_ssh_user=sysunx
ansible_ssh_pass='{{ password }}'
ansible_become_pass='{{ password }}'
ansible_python_interpreter=/usr/bin/python
[root@sgdlvapp03infra splunk_forwarder]#
Target server access
sysunx@dvsun25b:~$
sysunx@dvsun25b:~$ touch /opt/test_file
touch: cannot create /opt/test_file: Permission denied
sysunx@dvsun25b:~$
sysunx@dvsun25b:~$ sudo touch /opt/test_file
sysunx@dvsun25b:~$ ls -lrt /opt/test_file
-rw-r----- 1 root root 0 Jan 15 12:51 /opt/test_file
sysunx@dvsun25b:~$
sysunx@dvsun25b:~$ sudo cat /etc/sudoers | grep sysunx
%sysunxg ALL=(ALL) NOPASSWD: ADMIN01, ADMIN02, ADMIN03, ADMIN04, ADMIN05, ADMIN06, ADMIN12,!ID02, !FILE01, !FILE02, !FILE03, !FILE04, !FILE07, !FILE08, !FILE09, !FILE11, !FILE12
Justin Nemmers
--
You received this message because you are subscribed to the Google Groups "Ansible Lockdown" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-lockdo...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-lockdown/270f484e-d9dc-40d4-b794-e044aa94746fn%40googlegroups.com.
Confidential: This email is intended for recipient to which it is addressed. The information contained in this email may be confidential, proprietary, or may contain PII. Any retransmission, review, dissemination or other use of this information by persons or entities other than the intended recipient is prohibited. If you have been asked to provide PII to the sender of this email, then in order to properly secure this information, please send it within an encrypted attachment with the password/key provided under a separate cover, such as in person, by phone, or in a separate email.
Bas Meijer
Bas Meijer
--
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-lockdown/E30D9B1C-2CA2-450D-97FC-FC14C80BD64D%40mindpointgroup.com.