Ansible 2.1.0 using become/become_user fails to set permissions on temp file

I have ansible 2.1.0 on my server, which I deploy to via vagrant and from my PC. The role "deploy" has:

- name: upload code
  become: true
  become_user: www-data
  git: repo=git@bitbucket.org:****.git
       dest=/var/www/main
       key_file=/var/www/.ssh/id_rsa
       accept_hostkey=true
       update=yes
       force=yes
  register: fresh_code
  notify: restart php-fpm
  tags: fresh_code

In this case, with ansible 2.1.0, I get an error:

fatal: [default]: FAILED! => {"failed": true, "msg": "Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user. For information on working around this, see https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user"}

With ansible 2.0.1.0, which I use on my PC, it works fine: the folder /var/www/ contains the folder main with owner and group www-data.

If I use only become_user: www-data, and also if I use become_method: sudo together with become_user: www-data, I get the same error.

What needs to be done to fix this?

The problem is that www-data cannot access the same files that your default non-root ansible user (the one that connects to the machine) created. Moreover, the error message clearly points to ansible's documentation, which describes which options must be used to solve this problem when upgrading from ansible 2.0 or lower.

They propose three ways to solve the problem properly:

  • Use pipelining. When pipelining is enabled, Ansible doesn’t save the module to a temporary file on the client. Instead it pipes the module to the remote python interpreter’s stdin. Pipelining does not work for non-python modules.
  • Install filesystem acl support on the managed host. If the temporary directory on the remote host is mounted with filesystem acls enabled and the setfacl tool is in the remote PATH then Ansible will use filesystem acls to share the module file with the second unprivileged user instead of having to make the file readable by everyone.
  • Don’t perform an action on the remote machine by becoming an unprivileged user. Temporary files are protected by UNIX file permissions when you become root or do not use become. In Ansible 2.1 and above, UNIX file permissions are also secure if you make the connection to the managed machine as root and then use become to an unprivileged account.

Or, if you cannot apply any of those fixes, you can force ansible to run in a less secure way (which seems to have been the default in ansible 2 and below); this should also fix your problem, but it does not address the underlying security risk:

If you can’t make any of the changes above to resolve the problem and you decide that the machine you’re running on is secure enough for the modules you want to run there to be world readable you can turn on allow_world_readable_tmpfiles in the ansible.cfg file. Setting allow_world_readable_tmpfiles will change this from an error into a warning and allow the task to run as it did prior to 2.1.

On debian/ubuntu you can fix this by first installing the acl package on the remote host, with a task like this:

- name: install setfacl support
  become: yes
  apt: pkg=acl

The same for redhat/centos, install the acl package on the remote host:

- name: install setfacl support
  become: yes
  yum: name=acl
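As an added example (not part of the original question or answer), this is an ansible.cfg for the control machine that applies the first of the three documented fixes, pipelining, and shows where the last-resort allow_world_readable_tmpfiles setting would go, left disabled:

```ini
# ansible.cfg (added example, not from the original answer)

[ssh_connection]
# Documented fix 1: stream the module to the remote python interpreter's
# stdin, so no temporary module file is written on the managed host and
# there is nothing for the become_user (www-data) to fail to read.
# Caveat: pipelining requires 'requiretty' to be disabled in /etc/sudoers
# on the managed hosts, and it only covers python modules (git is one).
pipelining = True

[defaults]
# Last resort described in the answer: turns the error into a warning and
# leaves the temporary module files world-readable while the task runs.
# Keep it commented out unless that risk has been accepted for the host.
# allow_world_readable_tmpfiles = True
```

If pipelining cannot be enabled (for example because requiretty must stay on), the acl package tasks above remain the secure alternative.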