When trying to add a user using Ansible, I set ansible_become_user in my inventory to an account on the server that is a sudoer, but adding a user still fails with this error:
usermod: cannot open /etc/passwd usermod: failed to unlock /etc/passwd
I tested on the server running the command like this from my normal ssh account:
sudo -u <sudo_user> useradd test
useradd: cannot open /etc/passwd
useradd: failed to unlock /etc/passwd
If I su to my sudo account and run sudo useradd test, it works just fine.
I can also get it to work from my base SSH account by running su <sudo_user> -c "sudo useradd test".
The variable to set on your playbook/task is become_user not ansible_become_user. ansible_become_user is used when you set the value for a specific host/group in your inventory. See the privilege escalation doc
Moreover, you also have to set become: true for the above option to have any effect.
A quick example (does not become anything with debug, just to put you on track)
---
- hosts: all
become: true
become_user: someone
tasks:
- name: dummy task with play's defaults
debug:
msg: I would run with play's become_user
- name: dummy task with overriden user
become_user: some_other
debug:
msg: I would run with the overriden become_user
You can try another option, that is execute it like other user, for example root, and try it again.
For do it, edit /etc/sysconfig/jenkins
Then search for:
JENKINS_USER="jenkins"
And change it for
JENKINS_USER="root"
This should resolve the issue.
Another way is to add jenkins to visudo
Related
I know my question is what become is designed to solve. And I do use it. However, my command seems to still be run as the ssh user. I'm trying to execute a which psql command to get the executable path. Running which psql as ssh user gives a different output than running the same command as my become user which is the output I want.
EDIT The problem is the $PATH variable ansible is using as suggested in comments. It is not using the correct $PATH variable. How can I direct ansible to use postgres users $PATH variable? Using environment module didn't work for me as suggested here https://serverfault.com/questions/734560/ansible-become-user-not-picking-up-path-correctly
EDIT2 So a solution is to use the environment module and set the path to the path I know has the psql executable but this seems hacky. Ideally, I'd like to just be able to use the become users path and not have to explicitly set it. Here's the hacky solution:
- name: Check if new or existing host
command: which psql
environment:
PATH: "/usr/pgsql-13/bin/:{{ansible_env.PATH}}"
become: yes
become_user: postgres
Playbook
---
- name: Playbook Control
hosts: all
become: yes
become_user: postgres
tasks:
- name: Check if new or existing host
shell: whoami && which psql
register: output
Relevant Output (the same as if I were to run the task command as my_user on myhost.net)
"stdout_lines": [
"postgres",
"/usr/bin/psql"
]
Expected Output (the output if I were to run the task command as postgres user on myhost.net)
"stdout_lines": [
"postgres",
"/usr/pgsql-13/bin/psql"
]
Inventory
myhost.net
[all:vars]
ansible_connection=ssh
ansible_user=my_user
Command
ansible-playbook --ask-vault-pass -vvv -i temp_hosts playbook.yml
In vault I only have the ssh pass of my_user.
Running the playbook with -vvv flag shows me that escalation was successful and that the output of this task is the output of running the command as ssh user, not become user. Any ideas?
Ansible by default uses sudo as the default become method.
Depending on how your linux system is configured (check /etc/sudoers), it could be that your $PATH variable is preserved for sudo commands.
You can either change this, or force ansible to use a different become method such as su:
https://docs.ansible.com/ansible/latest/user_guide/become.html#become-directives
I am attempting to install and use docker for the first time. I have followed the guidelines provided in the answer to this question:
sudo groupadd docker
which at this point returns (as expected):
groupadd: group 'docker' already exists
I then attempt to add the user to the group:
sudo usermod -aG docker $wb_s2s
which only returns
Options:
-b, --badnames allow bad names
-c, --comment COMMENT new value of the GECOS field
-d, --home HOME_DIR new home directory for the user account
-e, --expiredate EXPIRE_DATE set account expiration date to EXPIRE_DATE
-f, --inactive INACTIVE set password inactive after expiration
to INACTIVE
-g, --gid GROUP force use GROUP as new primary group
...
I then try to log out and lock back in and/or restart the computer/docker (I've tried everything). But when I run:
docker run hello-world
I get an error:
docker: Got permission denied while trying to connect to the Docker daemon socket at ... connect: permission denied. See 'docker run --help'.
Can anyone tell me where I went wrong?
When you add your user to the group, the docs meant literally $USER to refer to your user wb_s2s (which is a variable presented in your shell's environment for purposes like this)
adding $ will make it a variable the shell interprets as an empty string
% echo $USER
ti7
% echo $ti7
% echo $whatever
You could use the $USER variable, or just remove the $ from your attempt to add your user to the group
-sudo usermod -aG docker $wb_s2s
+sudo usermod -aG docker wb_s2s
I am trying to run a simple Ansible playbook that shows a content of 'home' directory.
It runs successfully, but when I use:
become_user: "{{ TARGET_USER }}"
I get error:
"sudo: a password is required\r\n"
The 'Ansible user' is "blnapp1" and the 'Target user' is "couchbase"
I added permissions for "blnapp1" and "couchbase" users inside sudoers file as follows:
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
blnapp1 ALL=(ALL) NOPASSWD: ALL
blnapp1 ALL=(ALL) ALL
ansible ALL= NOPASSWD: /home/blnapp1/playbook #path to playbook
couchbase ALL=(ALL) NOPASSWD: ALL
couchbase ALL=(ALL) ALL
I also added to all of the users ssh public key of each other into /.ssh/authorized_keys
Here is my inventory file:
web1 ansible_host=**** ansible_connection=local
[couchbase-install:children]
couchbase_cluster_nodes
couchbase_server_nodes
[couchbase_cluster_nodes]
primary1 ansible_host=**** ansible_user=blnapp1 TARGET_USER=couchbase couchbase_primary_cluster_node=**** couchbase_cluster_admin_port=*** couchbase_bucket_name=exampleBucket group_server=default
[couchbase_server_nodes]
[all:vars]
#configuration_mode can be vars or cc
configuration_mode=vars
couchbase_data_path="/userdata/data/CB/var/lib/couchbase/data"
couchbase_index_path= "/userdata/data/CB/var/lib/couchbase/data"
yum_path="sudo /bin/yum"
#couchbase_admin="Administrator"
#couchbase_password="Administrator"
And here is my playbook:
---
- name: I-test
hosts: primary1
become: true
become_user: "{{ TARGET_USER }}"
tasks:
- debug:
msg: 'TARGET_USER is: "{{ TARGET_USER }}"'
- name: show repo content
shell:
cmd: ls -la /home
The only way I found is to add "blnapp1" user to 'wheel' group. However, I really don't want "blnapp1" to have 'wheel' permissions..
Thanks in advance!
blnapp1 ALL=(ALL) NOPASSWD: ALL
blnapp1 ALL=(ALL) ALL
Those 2 lines basically tell the exact same thing: let blnapp1 launch any command as anyone. But the first one tells sudo not to ask for a password while the second one doesn't.
And after testing quickly against a debian:buster docker image, it appears only the last line encountered rules in this case, making sudo always ask for a password.
Simply remove the second line in your sudoers file. Note that you have the exact same problem for your couchbase user.
We have a user userA on the server which has access to sudo. I can login into the server and run sudo su - userA to switch to new user. However if I use Ansible, it is throwing me below error:
fatal: [node1]: FAILED! => {"changed": false, "module_stderr": "Shared connection to node1 closed.\r\n", "module_stdout": "\r\nSorry, user abc is not allowed to execute '/bin/sh -c echo BECOME-SUCCESS-pzwmlpcvzvwafleunmvpwioi; /usr/bin/python /var/tmp/ansible-tmp-1533926060.36-184244176073120/setup.py' as userA on node1.\r\n", "msg": "MODULE FAILURE", "rc": 1}
Ansible file:
---
- hosts: all
become: yes
become_user: userA
become_method: sudo
tasks:
- name: Create file
command: touch /home/userA/testing
We don't have access to sudoers file. Is there a way to fix this without changing sudoers file?
I depends... If the sudoers configuration permits running /usr/bin/su - userA* (with a wildcard at the end allowing for the -c argument), then you can add become-configuration to your task in the following way:
- name: Create file
command: touch /home/userA/testing
vars:
ansible_become: true
ansible_become_method: su
ansible_become_user: userA
ansible_become_exe: 'sudo -p "Password: " su -'
If the password is required by sudoers, you must run ansible-playbook with --ask-become-pass (-K) option and connecting user's password (as for sudo).
First three parameters can be written directly as parameters to the task / play.
Otherwise you are probably destined for running expect module (likely on the controller machine) with all the drawbacks.
you can SetUID chmod u+s file on the files you want to run with UserA from userB. For Example, /usr/bin/passwd is a root file which has SetUID, so, any user can change its own passwd (using passwd command) while running the /usr/bin/passwd as root.
ls -l /usr/bin/passwd
-rwsr-xr-x. 1 root root 27832 Jun 10 2014 /usr/bin/passwd
passwd
Changing password for user user.
Changing password for user.
(current) UNIX password:
I try configure ansible for become other user:
My ansible.cfg entries
sudo_flags=
ssh_args = -t -t
sudo_exe = sudo /bin/su
I can escalate privilege on remote host only one way (and this works in ssh session):
sudo /bin/su anyuser -
Example playbook:
---
- hosts: anyhosts
become: true
become_user: anyuser
tasks:
- name: check becoming anyuser
command: "ls -ltha"
When i run my simple playbook, in verbose log output i see -u option:
'"'"'sudo /bin/su -u anyuser -
How i can disable/remove this -u option in playbook or ansible.cfg?
You have told Ansible that sudo is sudo /bin/su, but as far as Ansible knows it's still using sudo, which supports -u argument. If you want to use some other command for privilege escalation, consider setting become_method.
However, it's not clear why you're not just using sudo, since you appear to have sudo privileges. Possibly setting sudo_exe = sudo sudo would actually solve the problem, since the first sudo would get you root access (which appears to work just fine, based on your question), and then root would be able to run sudo -u ..., which should work just fine.