I'm unable to use become to run an Ansible playbook that starts the monit services

Playbook:
hosts: all
become: yes
gather_facts: no
serial: 2
tasks:
  - name: Stop the services
    command:
      cmd: sudo monit_stop_all
  - pause:
      seconds: 30
  - name: Start the services
    command:
      cmd: sudo monit_start_all
I can run this with my LDAP account, which has root access. When I asked a team member who does not have root access to try it, he got the error below. He can run this manually with LDAP.
fatal: [server.va.test.com]: FAILED! => {"changed": false, "module_stderr": "Shared connection to closed.\r\n", "module_stdout": "\r\nSorry, user aaaa is not allowed to execute '/bin/sh -c echo BECOME-SUCCESS-aarprofdidwbskuhweylzrdcftraxroe; /usr/bin/python /tmp/ansible-aaaa /ansible-tmp-1590785647.34-182050508855820/command.py' as root on server.va.test.com.\r\n", "msg": "MODULE FAILURE", "rc": 1}
Late to the party (as usual), but I ran into a similar issue today and wanted to share my solution.

In my case, using -b (--become), I wanted Ansible to run my command (multipath -ll) like this:

sudo multipath -ll

I did not want to switch to root and then execute it.

Also, I wanted to keep the sudoers file as tight as possible, only allowing users to run the multipath command.

My error:
FAILED! => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "module_stderr": "Shared connection to x.x.x.x closed.\r\n",
    "module_stdout": "\r\n",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}
Of course, I had added multipath via visudo:
%mygroup ALL=/usr/sbin/multipath
This worked fine when logged in locally, but with Ansible the command failed as described above.

The reason is fairly simple. Ansible wraps your command in Python, uploads it to the remote host, and then executes it in a specific way:
~/.ansible/tmp/ansible-tmp-1609501018.2236042-3982366-65719562472760/AnsiballZ_command.py
If you run the ansible command with -vvv, you will see the processes being run, including sudo:
EXEC sshpass -d10 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'User="XXXX"'
-o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/a9398511fb -tt X.X.X.X '/bin/sh
-c '"'"'sudo -H -S -p "[sudo via ansible, key=xxxxxxxxxxxxxxxxxxxx] password:" -u
root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-xxxxxxxxxxxxxxxxxxx ;
/usr/libexec/platform-python /home/XXXX/.ansible/tmp/ansible-tmp-1609502378.1193943-
3984795-278513799191839/AnsiballZ_command.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
Escalation succeeded
<X.X.X.X> (1, b'\r\n', b'Shared connection to X.X.X.X closed.\r\n')
So, to keep things as tight as possible, I added these executables via visudo:
%mygroup ALL=/usr/sbin/multipath
%mygroup ALL=/usr/libexec/platform-python
%mygroup ALL=/bin/echo
%mygroup ALL=/bin/sh
Now everything works fine.

You already have become: yes, so you don't need sudo in the command.

I tried that too and got the same error.

Check the user's permissions. Does ansible -b -m ping work at all?
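To see what sudoers actually has to match in the answer above, here is an added example (my code, not the answer's and not part of Ansible) that parses the -vvv EXEC line with shlex and peels the nested sh -c layers. It assumes the wrapper shape shown on this page: the remote command is /bin/sh -c 'sudo ... /bin/sh -c '...' && sleep 0', and the shell operators inside the script appear as standalone words. sudo evaluates only the program it is handed directly, here /bin/sh; the echo and platform-python inside the script are started by that shell, so the %mygroup ALL=/bin/sh rule is the one that matches, and because it allows /bin/sh with any arguments it lets the group run any command as root.

```python
import shlex

# Constructed sample: the -vvv EXEC line from the answer above, joined onto one line.
EXEC_LINE = """EXEC sshpass -d10 ssh -C -o ControlMaster=auto -o ControlPersist=60s \
-o 'User="XXXX"' -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/a9398511fb \
-tt X.X.X.X '/bin/sh -c '"'"'sudo -H -S -p "[sudo via ansible, key=xxxxxxxxxxxxxxxxxxxx] password:" -u \
root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-xxxxxxxxxxxxxxxxxxx ; \
/usr/libexec/platform-python /home/XXXX/.ansible/tmp/ansible-tmp-1609502378.1193943-\
3984795-278513799191839/AnsiballZ_command.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''"""

SUDO_OPTS_WITH_ARG = {"-p", "-u", "-g", "-C", "-r", "-t", "-U"}  # sudo options that take a value
SHELL_OPERATORS = (";", "&&", "||")  # assumed to be standalone words, as Ansible emits them

def remote_command(exec_line):
    """The last ssh argument is the command string the remote login shell runs."""
    return shlex.split(exec_line)[-1]

def sudo_invocation(exec_line):
    """Peel the outer '/bin/sh -c' layer; sudoers is evaluated against the returned argv only."""
    wrapper = shlex.split(remote_command(exec_line))
    if len(wrapper) < 3 or wrapper[:2] != ["/bin/sh", "-c"]:
        raise ValueError(f"unexpected wrapper: {wrapper[:2]!r}")
    words = shlex.split(wrapper[2])
    if not words or words[0] != "sudo":
        raise ValueError("no sudo invocation found")
    user, i = "root", 1  # sudo defaults to root when -u is absent
    while i < len(words) and words[i].startswith("-"):
        if words[i] == "-u":
            user = words[i + 1]
        i += 2 if words[i] in SUDO_OPTS_WITH_ARG else 1
    rest = words[i:]  # the command sudo runs, up to the first shell operator (&& sleep 0)
    end = next((k for k, w in enumerate(rest) if w in SHELL_OPERATORS), len(rest))
    return {"user": user, "argv": rest[:end]}

def programs_run_by_shell(sudo_argv):
    """Programs the sudo-launched 'sh -c' script starts; sudo never evaluates these."""
    if sudo_argv[:2] != ["/bin/sh", "-c"]:
        return [sudo_argv[0]]
    progs, at_start = [], True
    for word in shlex.split(sudo_argv[2]):
        if word in SHELL_OPERATORS:
            at_start = True
        elif at_start:
            progs.append(word)
            at_start = False
    return progs

if __name__ == "__main__":
    inv = sudo_invocation(EXEC_LINE)
    print(inv["user"], inv["argv"][0], programs_run_by_shell(inv["argv"]))
```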