我与特定服务器有无密码连接。在此服务器上,我的用户可以执行“sudo su - user”
> $ ssh host
myuser@host:~ $ sudo su - new_user
new_user@host:~ $
我想通过 Ansible playbook 实现同样的目标。
---
- hosts: my_group
remote_user: myuser
tasks:
- name: "whoami"
become: yes
become_exe: "sudo su -"
become_method: sudo
become_user: "new_user"
command: whoami
register: result
- debug: msg="{{ result.stdout }}"
当我运行剧本时:
> user / ansib $ ansible-playbook int.yaml
PLAY [int] ********************************************************************************************************************************************************
TASK [Gathering Facts] ********************************************************************************************************************************************
ok: [host]
TASK [who am i] ***************************************************************************************************************************************************
fatal: [host]: FAILED! => {"msg": "Timeout (12s) waiting for privilege escalation prompt: "}
PLAY RECAP ********************************************************************************************************************************************************
host : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
调试:
TASK [who am i] ***************************************************************************************************************************************************
task path: /login/myuser/ansib/cert.yaml:10
<host> ESTABLISH SSH CONNECTION FOR USER: myuser
<host> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="myuser"' -o ConnectTimeout=10 -o ControlPath=/login/myuser/.ansible/cp/0dd1c5b064 host '/bin/sh -c '"'"'echo ~myuser && sleep 0'"'"''
<host> (0, '/home/myuser\n', '')
<host> ESTABLISH SSH CONNECTION FOR USER: myuser
<host> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="myuser"' -o ConnectTimeout=10 -o ControlPath=/login/myuser/.ansible/cp/0dd1c5b064 host '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /var/tmp `"&& mkdir /var/tmp/ansible-tmp-1588766128.54-31125-82317805935022 && echo ansible-tmp-1588766128.54-31125-82317805935022="` echo /var/tmp/ansible-tmp-1588766128.54-31125-82317805935022 `" ) && sleep 0'"'"''
<host> (0, 'ansible-tmp-1588766128.54-31125-82317805935022=/var/tmp/ansible-tmp-1588766128.54-31125-82317805935022\n', '')
Using module file /usr/lib/python2.7/site-packages/ansible/modules/commands/command.py
<host> PUT /login/myuser/.ansible/tmp/ansible-local-31097VQMw2J/tmpwKIGsv TO /var/tmp/ansible-tmp-1588766128.54-31125-82317805935022/AnsiballZ_command.py
<host> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="myuser"' -o ConnectTimeout=10 -o ControlPath=/login/myuser/.ansible/cp/0dd1c5b064 '[host]'
<host> (0, 'sftp> put /login/myuser/.ansible/tmp/ansible-local-31097VQMw2J/tmpwKIGsv /var/tmp/ansible-tmp-1588766128.54-31125-82317805935022/AnsiballZ_command.py\n', '')
<host> ESTABLISH SSH CONNECTION FOR USER: myuser
<host> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="myuser"' -o ConnectTimeout=10 -o ControlPath=/login/myuser/.ansible/cp/0dd1c5b064 host '/bin/sh -c '"'"'setfacl -m u:new_user:r-x /var/tmp/ansible-tmp-1588766128.54-31125-82317805935022/ /var/tmp/ansible-tmp-1588766128.54-31125-82317805935022/AnsiballZ_command.py && sleep 0'"'"''
<host> (0, '', '')
<host> ESTABLISH SSH CONNECTION FOR USER: myuser
<host> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="myuser"' -o ConnectTimeout=10 -o ControlPath=/login/myuser/.ansible/cp/0dd1c5b064 -tt host '/bin/sh -c '"'"'sudo su - -H -S -n -u new_user /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-udwnqqirghwxmfmdebilbiitxqeurmzg ; /usr/bin/python /var/tmp/ansible-tmp-1588766128.54-31125-82317805935022/AnsiballZ_command.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
<host> ESTABLISH SSH CONNECTION FOR USER: myuser
<host> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="myuser"' -o ConnectTimeout=10 -o ControlPath=/login/myuser/.ansible/cp/0dd1c5b064 host '/bin/sh -c '"'"'rm -f -r /var/tmp/ansible-tmp-1588766128.54-31125-82317805935022/ > /dev/null 2>&1 && sleep 0'"'"''
<host> (0, '', '')
这一行:
sudo su - -H -S -n -u new_user /bin/sh -c
当然,如果我自己运行这个命令,我也会有密码提示。
我也尝试过移动一些东西,我改变了我的剧本,我还添加了become_flags参数:
---
- hosts: my_group
remote_user: myuser
tasks:
- name: "whoami"
become: yes
become_exe: "sudo su -"
become_method: sudo
become_user: "new_user"
become_flags: ""
command: whoami
register: result
- debug: msg="{{ result.stdout }}"
而且好一点了...
sudo su - new_user -c
不幸的是添加“-c”一直要求我输入密码......
知道我是否可以以某种方式成为没有“-c”参数的 new_user,或者以 new_user 身份运行命令?
只要您可以在命令行上将
sudo
转换为 my_user
到 new_user
,无需密码,此剧本应该能够实现这一目的:
- hosts: my_group
remote_user: my_user
tasks:
- command: whoami
become: yes
become_user: new_user
register: result
- debug:
var: result.stdout
如果您无论如何都要使用默认值,则无需指定
become_method
或 become_exe
。
如果仍然出现
Timeout (12s) waiting for privilege escalation prompt
错误,则说明缺少密码提示。因此,请尝试在become_exe中显式给出密码提示,如下所示。
- hosts: all
become: true
become_user: <user>
become_method: su
become_flags:
become_exe: 'sudo -p "Password: " su -'
上面的剧本将运行以下命令:
sudo -p "Password: " su - <user> -c "further commands mentioned on the tasks"
并且您的管理员必须允许您在目标主机上运行
sudo su - <user> -c *
命令才能使此剧本正常工作。并且不要忘记在运行剧本时提供 --ask-become-pass 或 -K 标志。