因为我在 Ansible/Semaphore 方面是菜鸟,所以我需要帮助。 我从这个链接安装了信号量: RL8 上的信号量安装
服务正在运行,我已经在 Semaphore WebGUI 中创建了用户。一些用户被设置为管理员,其余的则没有。
当我的同事开发人员想要创建一个 playbook 并作为测试集命令(本地)来编写一个不应该被允许的文件(安装的 NFS 数据集和文件夹,只有某些用户有权访问)时,这让我感到烦恼。 。任务已完成,文件已写入该文件夹,没有错误或有关权限的警告。
非常有趣的是,文件被写为“root”和组“root”...?!?!?
为什么 Ansible 以 root 用户身份写入文件?根据我的理解,它不应该这样做,而是作为运行该剧本的用户,对吧?如果您需要权限升级,您可以使用布尔参数“become”和“become_user”,您可以在其中定义要运行该特定命令的用户。
如何防止 ansible 以“root”身份运行并造成损害?
ansible.cfg
# Since Ansible 2.12 (core):
# To generate an example config file (a "disabled" one with all default settings, commented out):
# $ ansible-config init --disabled > ansible.cfg
#
# Also you can now have a more complete file by including existing plugins:
# ansible-config init --disabled -t all > ansible.cfg
# For previous versions of Ansible you can check for examples in the 'stable' branches of each version
# Note that this file was always incomplete and lagging changes to configuration settings
# for example, for 2.9: https://github.com/ansible/ansible/blob/stable-2.9/examples/ansible.cfg
[defaults]
host_key_checking = false
主持人
角色文件夹
信号量配置
配置.json
{
"mysql": {
"host": "127.0.0.1:3306",
"user": "root",
"pass": "xxxxxxxxxxxx",
"name": "ansible-db",
"options": null
},
"bolt": {
"host": "",
"user": "",
"pass": "",
"name": "",
"options": null
},
"postgres": {
"host": "",
"user": "",
"pass": "",
"name": "",
"options": null
},
"dialect": "mysql",
"port": "",
"interface": "",
"tmp_path": "/opt/semaphore",
"cookie_hash": "xxxxxxxxxxxxxx=",
"cookie_encryption": "xxxxxxxxxxxxxx=",
"access_key_encryption": "xxxxxxxxxxxxxxx=",
"email_sender": "",
"email_host": "",
"email_port": "",
"email_username": "",
"email_password": "",
"ldap_binddn": "",
"ldap_bindpassword": "",
"ldap_server": "",
"ldap_searchdn": "",
"ldap_searchfilter": "",
"ldap_mappings": {
"dn": "",
"mail": "",
"uid": "",
"cn": ""
},
"telegram_chat": "",
"telegram_token": "",
"max_parallel_tasks": 0,
"email_alert": false,
"email_secure": false,
"telegram_alert": false,
"ldap_enable": false,
"ldap_needtls": false,
"ssh_config_path": "",
"demo_mode": false
}
哦,有一件事值得一提。访问被 nginx 代理“包装”,因此访问点不是 3000,而是普通的旧 80,但这不应该影响任何权限或 ansible 如何执行后台工作。
server {
listen 80;
server_name cyclops.hll.mpg.de;
client_max_body_size 0;
chunked_transfer_encoding on;
location / {
proxy_pass "http://127.0.0.1:3000/";
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
proxy_buffer_size 16k;
proxy_busy_buffers_size 24k;
proxy_buffers 64 4k;
}
location /api/ws {
proxy_pass "http://127.0.0.1:3000/api/ws";
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Origin "";
}
我希望有人能告诉我默认使用root用户而不是运行用户导致ansible的原因是什么...
问题在于您的服务定义。它以 root 身份在后台运行。 我已将其更改为我自己的用户,该用户也存在于我的所有节点上。
首先从终端启动并首先停用服务,或添加:
[Unit]
Description=Ansible Semaphore
Documentation=https://docs.ansible-semaphore.com/
Wants=network-online.target
After=network-online.target
ConditionPathExists=/usr/bin/semaphore
ConditionPathExists=/home/tecio/config.json
[Service]
ExecStart=/usr/bin/semaphore service --config /home/tecio/config.json
ExecReload=/bin/kill -HUP $MAINPID
Restart=always
RestartSec=10s
User=tecio
Group=tecio
[Install]
WantedBy=multi-user.target
TECIO 是我的用户,也是在我的案例中执行设置的用户。
不要忘记: sudo rm -d -r /tmp/信号量/
对我来说,无法使用remote_user或其他用户存在的任何内容进行切换。 (以我为例)