Unable to become root: there is sudo but no root

I would like to use Ansible to manage our Hadoop cluster configuration (Red Hat hosts).

I have sudo access and I can manually ssh into the nodes to execute commands. However, I am having problems when I try to run Ansible modules to perform the same tasks. Although I have access to sudo, I cannot become root. When I try to run Ansible scripts that require elevated privileges, I get the following:

 Sorry, awoolford is not allowed to execute '/bin/bash -c echo BECOME-SUCCESS-[...] /usr/bin/python /tmp/ansible-tmp-1446662360.01-231435525506280/copy' as awoolford on [Some_hadoop_node].

Looking through the documentation, I thought that the become_allow_same_user property could resolve this, and so I added the following to ansible.cfg:

 [privilege_escalation]
 become_allow_same_user=yes

Unfortunately, this did not work.

This post assumes that I need permission for sudo /bin/sh (or some other shell). Unfortunately, this is not possible for security reasons. Here's a snippet from /etc/sudoers:

 root      ALL=(ALL) ALL
 awoolford ALL=(ALL) ALL, !SU, !SHELLS, !RESTRICT

Can Ansible work in such an environment? If so, what am I doing wrong?

+7
redhat ansible ansible-playbook
3 answers

Well, you just can't run /bin/sh or /bin/bash, as your /etc/sudoers shows. What you can do is change the default shell to something else (the executable variable in ansible.cfg).

Since your sudo policy allows everything by default (it doesn't seem really safe to me), and I suppose that Ansible expects an sh-compatible shell, you could, as a really dirty hack, copy /bin/bash to a different path/name and set the executable variable accordingly (not verified).

+1
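The failure in the question and the copied-shell workaround in the answer above can be reproduced offline with the following script. It is an added example, not part of the original post and not Ansible's own code. It assumes Cmnd_Alias definitions for SU, SHELLS and RESTRICT (the question does not show them; the ones below are constructed to match the reported behaviour), treats the host and runas fields as ALL (as in the snippet), and only approximates the command Ansible hands to sudo for a become task from the shape visible in the error message:

```python
"""Evaluate the awoolford sudoers entry from the question against the
command Ansible runs for a become task.

Constructed example: the alias bodies are assumptions, not taken from the
page. Host and runas fields are treated as ALL, and command specs are
matched literally (no wildcards), which is all the snippet needs.
"""
import re
import secrets

SUDOERS = """
# Assumed alias definitions (not shown in the question)
Cmnd_Alias SU = /bin/su
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /bin/ksh, /bin/csh
Cmnd_Alias RESTRICT = /usr/bin/passwd root, /sbin/shutdown
root      ALL=(ALL) ALL
awoolford ALL=(ALL) ALL, !SU, !SHELLS, !RESTRICT
"""

# Module path taken from the error message in the question.
MODULE_CMD = "/usr/bin/python /tmp/ansible-tmp-1446662360.01-231435525506280/copy"


def parse_sudoers(text):
    """Return (aliases, rules). rules maps user -> [(negated, spec), ...]
    in file order, because sudoers applies the LAST matching spec."""
    aliases, rules = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Cmnd_Alias"):
            name, _, body = line[len("Cmnd_Alias"):].partition("=")
            aliases[name.strip()] = [c.strip() for c in body.split(",")]
            continue
        m = re.match(r"(\S+)\s+\S+=\((\S+)\)\s+(.*)", line)
        user, specs = m.group(1), m.group(3)
        for spec in specs.split(","):
            spec = spec.strip()
            rules.setdefault(user, []).append((spec.startswith("!"), spec.lstrip("!")))
    return aliases, rules


def command_matches(spec, argv):
    """A spec without arguments matches any arguments; a spec with
    arguments matches only that exact argument list; ALL matches all."""
    if spec == "ALL":
        return True
    parts = spec.split()
    if parts[0] != argv[0]:
        return False
    return len(parts) == 1 or parts[1:] == argv[1:]


def is_allowed(user, argv, aliases, rules):
    """True if `argv` may be run via sudo by `user`; last match wins."""
    verdict = False
    for negated, spec in rules.get(user, []):
        for cmd in aliases.get(spec, [spec]):
            if command_matches(cmd, argv):
                verdict = not negated
    return verdict


def become_argv(module_cmd, executable="/bin/sh"):
    """Approximation of what Ansible asks sudo to run for a become task:
    <shell> -c 'echo BECOME-SUCCESS-<random>; <module command>'.
    The shell comes from the `executable` setting; the marker is random."""
    token = secrets.token_hex(16)
    return [executable, "-c", f"echo BECOME-SUCCESS-{token}; {module_cmd}"]


def evaluate(sudoers_text=SUDOERS, user="awoolford"):
    """Verdicts for the cases discussed on the page: Ansible's wrapper with
    bash and sh, a direct chkconfig call, and bash copied to a new path."""
    aliases, rules = parse_sudoers(sudoers_text)
    check = lambda argv: is_allowed(user, argv, aliases, rules)
    return {
        "ansible_become_bash": check(become_argv(MODULE_CMD, "/bin/bash")),
        "ansible_become_sh": check(become_argv(MODULE_CMD, "/bin/sh")),
        "chkconfig_direct": check(["/sbin/chkconfig", "--add", "tomcat"]),
        # Hypothetical path for the copied shell from the first answer.
        "copied_bash": check(become_argv(MODULE_CMD, "/home/awoolford/bash")),
    }


if __name__ == "__main__":
    for case, ok in evaluate().items():
        print(f"{case:22s} {'allowed' if ok else 'DENIED'}")
```

The verdicts make the mechanism concrete: every become task goes through `<shell> -c ...`, so a shell listed in the SHELLS alias is refused no matter what it is asked to run, while the identical module command passes once the shell sits at a path the alias does not name. That is the behaviour the sudoers manual warns about when `!` is used to subtract commands from `ALL`: the user can copy the binary to another name, so `!SHELLS` here limits convenience rather than privilege. Before choosing a workaround, run `sudo -l` on a node to see the effective policy rather than guessing from a sudoers excerpt.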

In the playbook file (some.yml) set:

runthisplaybook.yml

 ---
 - hosts: label_which_will_work_on_some_servers
   sudo: yes
   roles:
     - some_role_i_want_to_run

Then, in the role's tasks/main.yml, for the action you need to run as sudo, use something like become_user (where common_user is a variable defined in the role's defaults/main.yml as common_user: "this_user_can_sudo"):

 - name: Run chkconfig on init script
   command: "sudo -u root /sbin/chkconfig --add tomcat"

 # Set execute permission on run_jmeter_test.sh
 - name: Set execute permission on run_jmeter_test.sh
   command: "chmod -R 755 {{ jmeter_perf_tests_results }}"
   become_user: "{{ common_user }}"

 # OR Set execute permission on run_jmeter_test.sh
 - name: Set execute permission on run_jmeter_test.sh
   command: "sudo -u firstuser sudo -u seconduser chmod -R 755 {{ jmeter_perf_tests_results }}"
   become_user: "{{ common_user }}"

 # OR Set execute permission on run_jmeter_test.sh
 - name: Set execute permission on run_jmeter_test.sh
   command: "chmod -R 755 {{ jmeter_perf_tests_results }}"
   become_user: "{{ common_user }}"

PS: when running the playbook,

 ansible-playbook runthisplaybook.yml --sudo-user=this_user_can_sudo -i hosts.yml -u user_which_will_connect_from_source_machine --private-key ${DEPLOYER_KEY_FILE} --extra-vars "target_svr_type=${server_type} deploy_environment=${DEPLOY_ENVIRONMENT} ansible_user=${ANSIBLE_USER}"

0

I think sudo: yes is now deprecated and replaced with become: yes

 ---
 - hosts: servers_on_which_you_want_to_run
   become: yes
   roles:
     - some_role

The simplest solution is to just create ansible.cfg in your playbook directory with the following contents, if it does not accept root:

 [defaults]
 sudo_user = UsernameToWhichYouWantToUse

Hope this solves your problem.

-1
