Change remote_user within main.yml in role
I am new to ansible.
I am trying to create a role in which I start the play as root, and then in the next play I switch to another user and continue. The following file is inside the role itself.
---
# tasks file for /etc/ansible/roles/dashmn
#
- name: create users logged in as root
  remote_user: root
  import_tasks: whoami.yml
  import_tasks: create_users.yml
  import_tasks: set_sudoer.yml
- name: log in as dashadmin
  remote_user: dashadmin
  become: true
  import_tasks: whoami.yml
  import_tasks: disable_rootlogin.yml
  import_tasks: update_install_reqs.yml
  import_tasks: configure_firewall.yml
  import_tasks: add_swap.yml
I added a sudoer task that adds the user to /etc/sudoer.d
---
- name: set passwordless sudo
  lineinfile:
    path: /etc/sudoers
    state: present
    regexp: '^%sudo'
    line: '%sudo ALL=(ALL) NOPASSWD: ALL'
    validate: 'visudo -cf %s'
I created a deploy.yml that uses the role I created, as shown below.
---
- hosts: test-mn
  roles:
    - dashmn
When I run a syntax check on deploy.yml I get:
[DEPRECATION WARNING]: The TRANSFORM_INVALID_GROUP_CHARS settings is set to allow bad characters in group names
by default, this will change, but still be user configurable on deprecation. This feature will be removed in
version 2.10. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
[WARNING]: While constructing a mapping from /etc/ansible/roles/dashmn/tasks/main.yml, line 4, column 3, found
a duplicate dict key (import_tasks). Using last defined value only.
[WARNING]: While constructing a mapping from /etc/ansible/roles/dashmn/tasks/main.yml, line 10, column 3, found
a duplicate dict key (import_tasks). Using last defined value only.
Any help on how to organize this so that it works better would be greatly appreciated.
Right now, my problem is that if I remove the plays from the tasks file myself and keep only the import_tasks, everything works, but it does not use the user dashadmin; it uses root.
I want to create the users and then log in only as dashadmin and work as dashadmin.
I also get the error
FAILED! => {"msg": "Missing sudo password"}
Something is clearly wrong, I am just not sure where.
Here is the /etc/sudoers file
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL) NOPASSWD: ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
First, the way you have defined import_tasks will basically execute only the last import_tasks, as the warning says.
Second, remote_user is used to log in to the defined host, but if you want to log in as one user and then execute the tasks as another user, you need to define become_user. By default, become_user is set to root.
So the following could be how you change the role's import_tasks:
/etc/ansible/roles/dashmn/tasks/main.yml
- name: create users logged in as root
  block:
    - import_tasks: whoami.yml
    - import_tasks: create_users.yml
    - import_tasks: set_sudoer.yml
  remote_user: root
- name: log in as dashadmin
  block:
    - import_tasks: whoami.yml
    - import_tasks: disable_rootlogin.yml
    - import_tasks: update_install_reqs.yml
    - import_tasks: configure_firewall.yml
    - import_tasks: add_swap.yml
  remote_user: dashadmin
  become: yes
Refer to privilege escalation for more details.
Q: "Change remote_user within main.yml in a role"
A: See the example in "Play 3" for how to change remote_user per task.
Details: The keyword remote_user is available to all playbook objects: play, role, block, task. See Playbook Keywords.
Best practice is to connect to the remote host as an unprivileged user and escalate privileges. For example,
- name: Play 1
  hosts: test_01
  remote_user: user1
  become: true
  tasks:
    - command: whoami
      register: result
    - debug:
        var: result.stdout
gives
ok: [test_01] =>
result.stdout: root
Without privilege escalation, the tasks are executed on the remote host as remote_user. For example,
- name: Play 2
  hosts: test_01
  remote_user: user1
  tasks:
    - command: whoami
      register: result
    - debug:
        var: result.stdout
gives
ok: [test_01] =>
result.stdout: user1
remote_user can be declared per task. For example
- name: Play 3
  hosts: test_01
  remote_user: user1
  tasks:
    - command: whoami
      register: result
    - debug:
        var: result.stdout
    - command: whoami
      remote_user: user2
      register: result
    - debug:
        var: result.stdout
gives
ok: [test_01] =>
result.stdout: user1
ok: [test_01] =>
result.stdout: user2
All of the plays can be put into a single playbook.
Example of the sudoers file
root.test_01# cat /usr/local/etc/sudoers
...
#includedir /usr/local/etc/sudoers.d
admin ALL=(ALL) NOPASSWD: ALL
user1 ALL=(ALL) NOPASSWD: ALL
user2 ALL=(ALL) NOPASSWD: ALL
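Putting both answers together, as an added example that is not from the question or either answer: a role tasks file (assumed at the question's path, /etc/ansible/roles/dashmn/tasks/main.yml) that creates dashadmin over the root connection, grants it passwordless sudo through a per-user drop-in in /etc/sudoers.d instead of a group-wide %sudo line in /etc/sudoers, and then switches remote_user to dashadmin with become for the remaining tasks. The user name and the imported task files come from the question; the public key path and the ansible.posix collection for authorized_key are assumptions.

```yaml
---
# tasks file for the dashmn role (added example; assumed paths are noted inline)
- name: Bootstrap over the root connection
  remote_user: root
  block:
    - name: Create the admin user with a login shell
      ansible.builtin.user:
        name: dashadmin
        shell: /bin/bash

    - name: Install the admin's SSH key (assumed path on the controller)
      ansible.posix.authorized_key:
        user: dashadmin
        key: "{{ lookup('file', 'files/dashadmin.pub') }}"

    # A drop-in scoped to one user rather than '%sudo ... NOPASSWD' in
    # /etc/sudoers. 'validate' runs visudo on the temporary file first, so a
    # syntax error is rejected instead of being written and breaking sudo.
    - name: Grant dashadmin passwordless sudo via /etc/sudoers.d
      ansible.builtin.copy:
        dest: /etc/sudoers.d/dashadmin
        content: "dashadmin ALL=(ALL) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s

- name: Continue as dashadmin, escalating to root for each task
  remote_user: dashadmin
  become: true            # become_user is root by default
  block:
    - name: Confirm the connecting user is dashadmin (no escalation here)
      ansible.builtin.command: whoami
      become: false
      register: who
      changed_when: false

    - name: Fail early if the second block is not running as dashadmin
      ansible.builtin.assert:
        that: who.stdout == "dashadmin"

    - import_tasks: disable_rootlogin.yml
    - import_tasks: update_install_reqs.yml
    - import_tasks: configure_firewall.yml
    - import_tasks: add_swap.yml
```

If the drop-in is missing or does not match the connecting user, every become task in the second block fails with the question's "Missing sudo password", because sudo prompts and Ansible has no password to give it.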