Groups keyboard shortcuts have been updated
Dismiss
See shortcuts

Authorize nginx reload without providing become-pass and full sudo privileges

225 views
Skip to first unread message

Jonathan Bouzekri

unread,
Jan 26, 2017, 4:13:59 PM1/26/17
to Ansible Project
Hi,

I am migrating to a new architecture and I have provisioned my servers with an ansible playbook. I am also using ansible to deploy my source code.

I want to be able to reload nginx when the configuration change without having to :

* give sudo rights on ALL commands to the deploy user
* having to pass a become-pass in the command line

In my previous installation, I was doing everything manually and I had added this settings to allow my deployment user to reload the nginx configuration : 

deploy ALL(ALL) NOPASSWD: /usr/local/sbin/nginx -t, /usr/local/sbin/nginx -s reload

How can I have the same feature with Ansible ? Or what is the command which is executed when we use the service module and the state reloaded ?

Right now, I have this error :

sshpass -d15 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o User=deploy -o ConnectTimeout=10 -o ControlPath=/home/deploy/.ansible/cp/ansible-ssh-%h-%p-%r -tt x.x.x.x '/bin/bash -c '"'"'sudo -H -S -n -u root /bin/bash -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-lttadeaqujrmkjjfqaswosxpazzwmsoj; /usr/bin/python /home/deploy/.ansible/tmp/ansible-tmp-1485445894.86-256748839860893/systemd.py; rm -rf "/home/deploy/.ansible/tmp/ansible-tmp-1485445894.86-256748839860893/" > /dev/null 2>&1'"'"'"'"'"'"'"'"' && sleep 0'"'"''

fatal: [x.x.x.x]: FAILED! => {
    "changed": false, 
    "failed": true, 
    "invocation": {
        "module_args": {
            "name": "nginx", 
            "state": "reloaded"
        }, 
        "module_name": "service"
    }, 
    "module_stderr": "Shared connection to x.x.x.x closed.\r\n", 
    "module_stdout": "sudo: a password is required\r\n", 
    "msg": "MODULE FAILURE"
}

Note that I am provisioning a CentOS 7.3 server with Ansible 2.2.1.

Thanks

Matt Martz

unread,
Jan 26, 2017, 7:46:15 PM1/26/17
to ansible...@googlegroups.com
As you can see in the command that is executed by Ansible:

sudo -H -S -n -u root /bin/bash

You cannot restrict individual commands, as we execute everything through a sudoed shell.

The recommendation is that sudo should be configure to allow any command to be executed, and not be restricted.

The only other option would be to not use the purpose built Ansible modules, but instead use raw or such to execute those commands directly.

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/40e856bc-de0d-4a58-ac06-bc379025f728%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
Matt Martz
@sivel
sivel.net

Johannes Kastl

unread,
Jan 27, 2017, 2:59:17 AM1/27/17
to ansible...@googlegroups.com
On 26.01.17 17:04 Jonathan Bouzekri wrote:

> I want to be able to reload nginx when the configuration change
> without having to :
>
> * give sudo rights on ALL commands to the deploy user
> * having to pass a become-pass in the command line

You can use ansible-vault to encrypt the host_vars file that contains
the become password, and either enter the vault password on execution
or have ansible read it from some file.

But that might not achieve what you want to do. So, what is your goal?
Do you want to restrict the one calling ansible to only be able to
reload nginx?
Then, as Matt said, using the raw module with an explicit sudo call,
that is allowed in /etc/sudoers might work (but is kind of ugly, of
course).

Johannes

signature.asc

Jonathan Bouzekri

unread,
Jan 27, 2017, 9:42:23 AM1/27/17
to Ansible Project
Yes my goal was to restrict on the OS side the commands the deployment user is allowed to execute.

I did not know the raw module. i am looking into it. It does not seem "ugly" ;)

I think that it is quite a drawback on Ansible. If you use it for code shipping, you will have to do some tasks which needs privileges escalation (reload nginx or something else). And the people who are doing the delivery are not necessary engineers who should have access to all commands with a simple sudo. But if this raw module allows me to do this, so big up Ansible !!!! ;)

Anyway thanks for pointing that module to me.

Jonathan Bouzekri

unread,
Jan 27, 2017, 9:43:26 AM1/27/17
to Ansible Project
Thanks, I am looking at the raw module which seems to suite my need. And what about the shell module with a previously delivered shell script containing my reload nginx command ? Would it work ?

Johannes Kastl

unread,
Jan 27, 2017, 10:14:21 AM1/27/17
to ansible...@googlegroups.com
On 27.01.17 15:42 Jonathan Bouzekri wrote:

> I think that it is quite a drawback on Ansible. If you use it for
> code shipping, you will have to do some tasks which needs
> privileges escalation (reload nginx or something else). And the
> people who are doing the delivery are not necessary engineers who
> should have access to all commands with a simple sudo.

If you do not need to do anything else via ansible (at least the
people you mention) then raw module or shell with a script might be best.

As a side not, using a git repository with a post-receive hook that
might be an option for people more used to git than to sudo...
Depends on your exact environment, so YMMV.

Johannes

signature.asc
Reply all
Reply to author
Forward
0 new messages