help while running sudo in Ansible playbooks
Ramakrishna Veeragandham
Hi Ansible team,
I am Ram. We need some help in running the Ansible playbook ( specifically how to add sudo while running playbooks ). in your environment, we can run all admin related commands with sudo acess ( by adding sudo in front of command . For example, sudo vgs or sudo vi /etc/sudoers ). We don't have root access and hence we don't wanted to run the playbooks with direct root access .
Most of our servers ( Redhat / Solaris / Aix ) doesn't have root access. The possibility of running all admin activities are by running sudo <command> as admin ( sysunx ) user.
I mean, after logging to the server with sysunx account, we run the admin related command as sudo <command>. How to simulate this in Ansible.
#Playbook code
[root@sgdlvapp03infra splunk_forwarder]# cat sudo_test_solaris.yml
---
- hosts: dev
gather_facts: yes
#become: yes
become_user: sysunx
become_method: sudo
ignore_errors: true
vars_files:
- /var/lib/ansible_playbooks/inventory/password.yml
#- /var/lib/ansible_playbooks/inventory/auth.yml
tasks:
- name: ping
ping:
- name: touch file '/opt/testfile'
shell: touch /opt/testfile
args:
warn: false
register: shell_output
- name: Print status
debug: var=shell_output
- name: touch file '/opt/testfile' using file module
file:
path: /opt/testfile
state: touch
register: output
- name: Print status
debug: var=output
- name: remove file '/opt/testfile'
file:
path: /opt/testfile
state: absent
register: deleted
- name: Print status after deletion
debug: var=deleted
[root@sgdlvapp03infra splunk_forwarder]#
[root@sgdlvapp03infra splunk_forwarder]# ansible-playbook sudo_test_solaris.yml --ask-vault-pass -i ../../inventory/test_INV
Vault password:
PLAY [dev] *****************************************************************************************************************************************************************
TASK [Gathering Facts] *****************************************************************************************************************************************************
ok: [10.4.67.141]
TASK [ping] ****************************************************************************************************************************************************************
ok: [10.4.67.141]
TASK [touch file '/opt/testfile'] ******************************************************************************************************************************************
fatal: [10.4.67.141]: FAILED! => {"changed": true, "cmd": "touch /opt/testfile", "delta": "0:00:00.016422", "end": "2021-01-15 12:53:02.654437", "msg": "non-zero return code", "rc": 1, "start": "2021-01-15 12:53:02.638015", "stderr": "touch: cannot create /opt/testfile: Permission denied", "stderr_lines": ["touch: cannot create /opt/testfile: Permission denied"], "stdout": "", "stdout_lines": []}
...ignoring
TASK [Print status] ********************************************************************************************************************************************************
ok: [10.4.67.141] => {
"shell_output": {
"changed": true,
"cmd": "touch /opt/testfile",
"delta": "0:00:00.016422",
"end": "2021-01-15 12:53:02.654437",
"failed": true,
"msg": "non-zero return code",
"rc": 1,
"start": "2021-01-15 12:53:02.638015",
"stderr": "touch: cannot create /opt/testfile: Permission denied",
"stderr_lines": [
"touch: cannot create /opt/testfile: Permission denied"
],
"stdout": "",
"stdout_lines": []
}
}
TASK [touch file '/opt/testfile' using file module] ************************************************************************************************************************
fatal: [10.4.67.141]: FAILED! => {"changed": false, "msg": "Error, could not touch target: [Errno 13] Permission denied: '/opt/testfile'", "path": "/opt/testfile"}
...ignoring
TASK [Print status] ********************************************************************************************************************************************************
ok: [10.4.67.141] => {
"output": {
"changed": false,
"failed": true,
"msg": "Error, could not touch target: [Errno 13] Permission denied: '/opt/testfile'",
"path": "/opt/testfile"
}
}
TASK [remove file '/opt/testfile'] ****************************************************************************************************************************************
ok: [10.4.67.141]
TASK [Print status after deletion] *****************************************************************************************************************************************
ok: [10.4.67.141] => {
"deleted": {
"changed": false,
"failed": false,
"path": "/opt/testfile",
"state": "absent"
}
}
PLAY RECAP *****************************************************************************************************************************************************************
10.4.67.141 : ok=8 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=2
[root@sgdlvapp03infra splunk_forwarder]#
[root@sgdlvapp03infra splunk_forwarder]#
[root@sgdlvapp03infra splunk_forwarder]# cat ../../inventory/test_INV
[dev]
#sgdlvapp03infra ansible_ssh_user=root ansible_ssh_pass='{{ root_password }}'
10.4.67.141
[dev:vars]
ansible_ssh_user=sysunx
ansible_ssh_pass='{{ password }}'
ansible_become_pass='{{ password }}'
ansible_python_interpreter=/usr/bin/python
[root@sgdlvapp03infra splunk_forwarder]#
For example, How I am running sudo commands manually on target machine access is shown below.
sysunx@dvsun25b:~$
sysunx@dvsun25b:~$ touch /opt/test_file
touch: cannot create /opt/test_file: Permission denied
sysunx@dvsun25b:~$
sysunx@dvsun25b:~$ sudo touch /opt/test_file
sysunx@dvsun25b:~$ ls -lrt /opt/test_file
-rw-r----- 1 root root 0 Jan 15 12:51 /opt/test_file
sysunx@dvsun25b:~$
sysunx@dvsun25b:~$ sudo cat /etc/sudoers | grep sysunx
%sysunxg ALL=(ALL) NOPASSWD: ADMIN01, ADMIN02, ADMIN03, ADMIN04, ADMIN05, ADMIN06, ADMIN12,!ID02, !FILE01, !FILE02, !FILE03, !FILE04, !FILE07, !FILE08, !FILE09, !FILE11, !FILE12
Stefan Hornburg (Racke)
> Hi Ansible team,
>
> I am Ram. We need some help in running the Ansible playbook ( specifically how to add sudo while running playbooks ).
> in your environment, we can run all admin related commands with sudo acess ( by adding sudo in front of command . For
> example, sudo vgs or sudo vi /etc/sudoers ). We don't have root access and hence we don't wanted to run the playbooks
> with direct root access .
>
> Most of our servers ( Redhat / Solaris / Aix ) doesn't have root access. The possibility of running all admin activities
> are by running sudo <command> as admin ( sysunx ) user.
>
> I mean, after logging to the server with sysunx account, we run the admin related command as sudo <command>. How to
> simulate this in Ansible.
>
>
Regards
Rackd
> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to
> ansible-proje...@googlegroups.com <mailto:ansible-proje...@googlegroups.com>.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/0572d911-3458-436e-831d-f4403f3c5a57n%40googlegroups.com
> <https://groups.google.com/d/msgid/ansible-project/0572d911-3458-436e-831d-f4403f3c5a57n%40googlegroups.com?utm_medium=email&utm_source=footer>.
--
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.
Ramakrishna Veeragandham
Stefan Hornburg (Racke)
> After adding 'become: true' also no use, its not working.
>
https://docs.ansible.com/ansible/latest/user_guide/become.html
Regards
Racke
>
>
>
> --
> Ecommerce and Linux consulting + Perl and web application programming.
> Debian and Sympa administration. Provisioning with Ansible.
>
> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to
> ansible-proje...@googlegroups.com <mailto:ansible-proje...@googlegroups.com>.
> To view this discussion on the web visit
> <https://groups.google.com/d/msgid/ansible-project/b355b073-a1de-48d1-af52-f174769d5e26n%40googlegroups.com?utm_medium=email&utm_source=footer>.
Jean-Yves LENHOF
Hi Ansible team,
I am Ram. We need some help in running the Ansible playbook ( specifically how to add sudo while running playbooks ). in your environment, we can run all admin related commands with sudo acess ( by adding sudo in front of command . For example, sudo vgs or sudo vi /etc/sudoers ). We don't have root access and hence we don't wanted to run the playbooks with direct root access .
Most of our servers ( Redhat / Solaris / Aix ) doesn't have root access. The possibility of running all admin activities are by running sudo <command> as admin ( sysunx ) user.
Hi,
Ansible is designed to have all sudo (or su) access (but not remote root acess to be more specific)....So you should be sure thats is no way to have it !
See "Privilege
escalation must be general" on
https://docs.ansible.com/ansible/latest/user_guide/become.html#only-one-method-may-be-enabled-per-host
If not, you can still use the same command you already use with "sudo command" with the shell module (using become: no)... but's ugly and you loose idempotence work of all the module (except shell) that are provided by ansible community
Regards,
JYL
Stefan Hornburg (Racke)
>
> Le 15/01/2021 à 06:08, Ramakrishna Veeragandham a écrit :
>>
>> Hi Ansible team,
>>
>> I am Ram. We need some help in running the Ansible playbook ( specifically how to add sudo while running playbooks
>> ). in your environment, we can run all admin related commands with sudo acess ( by adding sudo in front of command .
>> For example, sudo vgs or sudo vi /etc/sudoers ). We don't have root access and hence we don't wanted to run the
>> playbooks with direct root access .
>>
>> Most of our servers ( Redhat / Solaris / Aix ) doesn't have root access. The possibility of running all admin
>> activities are by running sudo <command> as admin ( sysunx ) user.
>>
> Hi,
>
> Ansible is designed to have all sudo (or su) access (but not remote root acess to be more specific)....So you should be
> sure thats is no way to have it !
>
>
> If not, you can still use the same command you already use with "sudo command" with the shell module (using become:
> no)... but's ugly and you loose idempotence work of all the module (except shell) that are provided by ansible community
>
password is missing in this case.
Regards
Racke
>
> Regards,
>
> JYL
> --
> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to
> ansible-proje...@googlegroups.com <mailto:ansible-proje...@googlegroups.com>.
> To view this discussion on the web visit
> <https://groups.google.com/d/msgid/ansible-project/051e75c1-24ef-6722-a4aa-aaa13fc28b60%40lenhof.eu.org?utm_medium=email&utm_source=footer>.
Dick Visser
<ramakri...@gmail.com> wrote:
> I am Ram. We need some help in running the Ansible playbook ( specifically how to add sudo while running playbooks ). in your environment, we can run all admin related commands with sudo acess ( by adding sudo in front of command . For example, sudo vgs or sudo vi /etc/sudoers ).
--
Dick Visser
Trust & Identity Service Operations Manager
GÉANT