Ansible:运行 命令作为不同的用户,但不使用 sudo
Ansible: Run command as different user but not with sudo
我的总体目标是通过 ansible 为特定用户重新启动 pulseaudio(因此,如果您有更好的想法,我很乐意听取它:))
我想 运行 以用户 myuser 的身份执行以下命令,根据 pulseaudio 的说法,这不应该以 sudo/root 的身份执行。
$([[ $(pulseaudio -k) -eq 0 ]] || exit 0; sleep 5; [[ $(pulseaudio -D --exit-idle-time=-1) -eq 0 ]] || exit 0)
如果我在它自己的机器上测试它,效果很好。如果 pulseaudio 处于 运行ning 状态,它会杀死 pulseaudio,如果 pulseaudio 已经停止,它会再次启动它并且不会失败。
尝试 1 [等待密码超时]:
我的 ansible 任务(作为角色的一部分)如下所示:
- name: restart pulse audio
shell: '$([[ $(pulseaudio -k) -eq 0 ]] || exit 0; sleep 5; [[ $(pulseaudio -D --exit-idle-time=-1) -eq 0 ]] || exit 0)'
args:
executable: /bin/bash
become: true
become_method: sudo
become_flags: "su - {{ ansible_user }} -c"
但是如果我 运行 我得到错误 FAILED! => {"msg": "Timeout (12s) waiting for privilege escalation prompt: "}
如果我以 root 身份登录那台机器并输入 sudo su - myuser,我会收到 myuser 提示,这是我所期望的。
那么如何为 myuser 指定密码以便 ansible 可以使用它?
尝试 2 [不正确的 su 密码]:
ansible 任务:
- name: restart pulse audio
shell: '$([[ $(pulseaudio -k) -eq 0 ]] || exit 0; sleep 5; [[ $(pulseaudio -D --exit-idle-time=-1) -eq 0 ]] || exit 0)'
args:
executable: /bin/bash
become: true
become_method: su
become_user: myuser
我也尝试使用 become_user 而不是 become_flags 但没有成功。然后我得到了错误:FAILED! => {"msg": "Incorrect su password"}
尝试 3 [命令 get 作为 sudo 执行]:
如果我首先尝试了 Calum Halpin 的建议,pulseaudio 会启动,但是作为 sudo,这不是我想要的,我需要 myuser 启动 pulseaudio。
ansible 任务:
- name: restart pulse audio
shell: '$([[ $(pulseaudio -k) -eq 0 ]] || exit 0; sleep 5; [[ $(pulseaudio -D --exit-idle-time=-1) -eq 0 ]] || exit 0)'
args:
executable: /bin/bash
become: true
become_method: sudo
become_user: myuser
我得到以下输出:
{"changed": true,
"cmd": "$([[ $(pulseaudio -k) -eq 0 ]] || exit 0; sleep 5; [[ $(pulseaudio -D --exit-idle-time=-1) -eq 0 ]] || exit 0)",
"delta": "0:00:05.110839", "end": "2019-06-23 11:11:43.686776", "rc": 0, "start": "2019-06-23 11:11:38.575937",
"stderr": "E: [pulseaudio] main.c: Failed to kill daemon: No such file or directory\nW: [pulseaudio] main.c: This program is not intended to be run as root (unless --system is specified).",
"stderr_lines": ["E: [pulseaudio] main.c: Failed to kill daemon: No such file or directory", "W: [pulseaudio] main.c: This program is not intended to be run as root (unless --system is specified)."],
"stdout": "", "stdout_lines": []}
尝试 2.1 和 3.1 [使用 remote_user: myuser]
我尝试将 palybook 中的 remote_user 设置为 myuser,但所有结果都保持不变。
我的配置/环境:
我的become变量配置如下:
ansible_connection: ssh
ansible_user: myuser
ansible_ssh_pass: 1234
ansible_become: yes
ansible_become_user: root
ansible_become_pass: 1234
剧本看起来像:
- hosts: myhost
connection: local
become: ansible_become
become_user: ansible_become_user
roles:
- role: pulse-audio-config
如果您的远程用户拥有完整的 sudo 权限:
- name: restart pulse audio
shell: '$([[ $(pulseaudio -k) -eq 0 ]] || exit 0; sleep 5; [[ $(pulseaudio -D --exit-idle-time=-1) -eq 0 ]] || exit 0)'
args:
executable: /bin/bash
become: true
become_method: sudo
become_user: myuser
确保 ansible_become_pass 设置为远程用户的密码。
或者将 become 方法设置为 su,将 ansible_become_pass 设置为 myuser 的密码。
或者如果您的剧本结构适合它,您可以将 remote_user 设置为 myuser。
确保您没有在组或主机变量中设置成为用户,因为这将覆盖 play/task 设置:https://docs.ansible.com/ansible/latest/user_guide/become.html#directives.
解决方案:
经过几种不同的方法后,我使用以下配置使其工作:
清单中的变量:
ansible_connection: ssh
ansible_user: myuser
ansible_ssh_pass: 1234
ansible_become: yes
ansible_become_user: root
ansible_become_pass: 1234
剧本中:
- hosts: myhost
connection: local
roles:
- role: another-role
- { role: pulse-audio-config,
ansible_become_user: nas }
- role: another-other-role
担任角色:
- name: restart pulse audio
shell: '$([[ $(pulseaudio -k) -eq 0 ]] || exit 0; sleep 5; [[ $(pulseaudio -D --exit-idle-time=-1) -eq 0 ]] || exit 0)'
args:
executable: /bin/bash
become: true
become_method: sudo
become_flags: "su - {{ ansible_become_user }} -c"
我不是专家,但我也面临着同样的问题。我想我找到了一个非常简单的解决方案,当 ansible 用户可以对 myuser:
shell:
cmd: sudo su - myuser -c "ls -la"
我的总体目标是通过 ansible 为特定用户重新启动 pulseaudio(因此,如果您有更好的想法,我很乐意听取它:))
我想 运行 以用户 myuser 的身份执行以下命令,根据 pulseaudio 的说法,这不应该以 sudo/root 的身份执行。
$([[ $(pulseaudio -k) -eq 0 ]] || exit 0; sleep 5; [[ $(pulseaudio -D --exit-idle-time=-1) -eq 0 ]] || exit 0)
如果我在它自己的机器上测试它,效果很好。如果 pulseaudio 处于 运行ning 状态,它会杀死 pulseaudio,如果 pulseaudio 已经停止,它会再次启动它并且不会失败。
尝试 1 [等待密码超时]:
我的 ansible 任务(作为角色的一部分)如下所示:
- name: restart pulse audio
shell: '$([[ $(pulseaudio -k) -eq 0 ]] || exit 0; sleep 5; [[ $(pulseaudio -D --exit-idle-time=-1) -eq 0 ]] || exit 0)'
args:
executable: /bin/bash
become: true
become_method: sudo
become_flags: "su - {{ ansible_user }} -c"
但是如果我 运行 我得到错误 FAILED! => {"msg": "Timeout (12s) waiting for privilege escalation prompt: "}
如果我以 root 身份登录那台机器并输入 sudo su - myuser,我会收到 myuser 提示,这是我所期望的。
那么如何为 myuser 指定密码以便 ansible 可以使用它?
尝试 2 [不正确的 su 密码]:
ansible 任务:
- name: restart pulse audio
shell: '$([[ $(pulseaudio -k) -eq 0 ]] || exit 0; sleep 5; [[ $(pulseaudio -D --exit-idle-time=-1) -eq 0 ]] || exit 0)'
args:
executable: /bin/bash
become: true
become_method: su
become_user: myuser
我也尝试使用 become_user 而不是 become_flags 但没有成功。然后我得到了错误:FAILED! => {"msg": "Incorrect su password"}
尝试 3 [命令 get 作为 sudo 执行]:
如果我首先尝试了 Calum Halpin 的建议,pulseaudio 会启动,但是作为 sudo,这不是我想要的,我需要 myuser 启动 pulseaudio。
ansible 任务:
- name: restart pulse audio
shell: '$([[ $(pulseaudio -k) -eq 0 ]] || exit 0; sleep 5; [[ $(pulseaudio -D --exit-idle-time=-1) -eq 0 ]] || exit 0)'
args:
executable: /bin/bash
become: true
become_method: sudo
become_user: myuser
我得到以下输出:
{"changed": true,
"cmd": "$([[ $(pulseaudio -k) -eq 0 ]] || exit 0; sleep 5; [[ $(pulseaudio -D --exit-idle-time=-1) -eq 0 ]] || exit 0)",
"delta": "0:00:05.110839", "end": "2019-06-23 11:11:43.686776", "rc": 0, "start": "2019-06-23 11:11:38.575937",
"stderr": "E: [pulseaudio] main.c: Failed to kill daemon: No such file or directory\nW: [pulseaudio] main.c: This program is not intended to be run as root (unless --system is specified).",
"stderr_lines": ["E: [pulseaudio] main.c: Failed to kill daemon: No such file or directory", "W: [pulseaudio] main.c: This program is not intended to be run as root (unless --system is specified)."],
"stdout": "", "stdout_lines": []}
尝试 2.1 和 3.1 [使用 remote_user: myuser]
我尝试将 palybook 中的 remote_user 设置为 myuser,但所有结果都保持不变。
我的配置/环境:
我的become变量配置如下:
ansible_connection: ssh
ansible_user: myuser
ansible_ssh_pass: 1234
ansible_become: yes
ansible_become_user: root
ansible_become_pass: 1234
剧本看起来像:
- hosts: myhost
connection: local
become: ansible_become
become_user: ansible_become_user
roles:
- role: pulse-audio-config
如果您的远程用户拥有完整的 sudo 权限:
- name: restart pulse audio
shell: '$([[ $(pulseaudio -k) -eq 0 ]] || exit 0; sleep 5; [[ $(pulseaudio -D --exit-idle-time=-1) -eq 0 ]] || exit 0)'
args:
executable: /bin/bash
become: true
become_method: sudo
become_user: myuser
确保 ansible_become_pass 设置为远程用户的密码。
或者将 become 方法设置为 su,将 ansible_become_pass 设置为 myuser 的密码。
或者如果您的剧本结构适合它,您可以将 remote_user 设置为 myuser。
确保您没有在组或主机变量中设置成为用户,因为这将覆盖 play/task 设置:https://docs.ansible.com/ansible/latest/user_guide/become.html#directives.
解决方案:
经过几种不同的方法后,我使用以下配置使其工作:
清单中的变量:
ansible_connection: ssh
ansible_user: myuser
ansible_ssh_pass: 1234
ansible_become: yes
ansible_become_user: root
ansible_become_pass: 1234
剧本中:
- hosts: myhost
connection: local
roles:
- role: another-role
- { role: pulse-audio-config,
ansible_become_user: nas }
- role: another-other-role
担任角色:
- name: restart pulse audio
shell: '$([[ $(pulseaudio -k) -eq 0 ]] || exit 0; sleep 5; [[ $(pulseaudio -D --exit-idle-time=-1) -eq 0 ]] || exit 0)'
args:
executable: /bin/bash
become: true
become_method: sudo
become_flags: "su - {{ ansible_become_user }} -c"
我不是专家,但我也面临着同样的问题。我想我找到了一个非常简单的解决方案,当 ansible 用户可以对 myuser:
shell:
cmd: sudo su - myuser -c "ls -la"