How to show a process list using ansible ad-hoc command?
Ansible Ad-hoc Syntax:
ansible <"hosts"> [-m <"module_name">] -a <"arguments"> -u [--become]
Ex:
ansible <"hosts"> -m shell -a 'ps -ef'
Hosts: It can be any entry in the inventory file. For specifying all hosts in inventory, use all or '*'. Wild card patterns are also accepted.
module_name: It's an optional parameter. There are hundreds of modules available in Ansible. By default it is a command. For example, shell, copy, yum, apt, file.
Arguments: We should pass values that are required by the module. It may change according to the module used.
Username: It specifies the user account in which Ansible can execute commands. User account, SSH.
Become: It's an optional parameter specified when we want to execute operations that need sudo privilege. By default become is false.
PS: If you put a -c option, then Ansible will do a dry run of the command. It will not actually be applied on the nodes.
Related
I know my question is what become is designed to solve. And I do use it. However, my command seems to still be run as the ssh user. I'm trying to execute a which psql command to get the executable path. Running which psql as ssh user gives a different output than running the same command as my become user which is the output I want.
EDIT The problem is the $PATH variable ansible is using as suggested in comments. It is not using the correct $PATH variable. How can I direct ansible to use postgres users $PATH variable? Using environment module didn't work for me as suggested here https://serverfault.com/questions/734560/ansible-become-user-not-picking-up-path-correctly
EDIT2 So a solution is to use the environment module and set the path to the path I know has the psql executable but this seems hacky. Ideally, I'd like to just be able to use the become users path and not have to explicitly set it. Here's the hacky solution:
- name: Check if new or existing host
command: which psql
environment:
PATH: "/usr/pgsql-13/bin/:{{ansible_env.PATH}}"
become: yes
become_user: postgres
Playbook
---
- name: Playbook Control
hosts: all
become: yes
become_user: postgres
tasks:
- name: Check if new or existing host
shell: whoami && which psql
register: output
Relevant Output (the same as if I were to run the task command as my_user on myhost.net)
"stdout_lines": [
"postgres",
"/usr/bin/psql"
]
Expected Output (the output if I were to run the task command as postgres user on myhost.net)
"stdout_lines": [
"postgres",
"/usr/pgsql-13/bin/psql"
]
Inventory
myhost.net
[all:vars]
ansible_connection=ssh
ansible_user=my_user
Command
ansible-playbook --ask-vault-pass -vvv -i temp_hosts playbook.yml
In vault I only have the ssh pass of my_user.
Running the playbook with -vvv flag shows me that escalation was successful and that the output of this task is the output of running the command as ssh user, not become user. Any ideas?
Ansible by default uses sudo as the default become method.
Depending on how your linux system is configured (check /etc/sudoers), it could be that your $PATH variable is preserved for sudo commands.
You can either change this, or force ansible to use a different become method such as su:
https://docs.ansible.com/ansible/latest/user_guide/become.html#become-directives
I'm trying to add privilege to Ansible node via Ansible server using "lineinfile" via ad-hoc command as ROOT :
ansible -i rec-apache.inv -m lineinfile -a "path=/etc/sudoers \
line ='ansible-node1 ALL=(ALL:ALL) NO PASSWD:ALL'" --become-method=su --become -K all
I got the following error
ERROR! this task 'lineinfile' has extra params, which is only allowed in the following modules:
shell, win_shell, include_vars, add_host, raw, include_role, meta, set_fact, include,
import_tasks, script, import_role, include_tasks, group_by, command, win_command
I already did the key exchange and everything went good and right . This problems occurs only when I use root user in the server side.
I know that I can do it using playbook ,but I'm interesting on the ad-hoc command. Thank you !
A space after line in line ='...' might have cause Ansible to treat ='...' as a parameter, which is not supported. Try removing the space as: line='ansible-node1 ALL=(ALL:ALL) NO PASSWD:ALL'
I am trying to overcome some limitations in our environment to write up an authorized SSH file for passwordless ssh keys.
I am requiring to perform an ssh as a to a target system, and then run a "sudo su - , and then update the service account authorized_keys with a key"
This eventually has to go onto my ansible scripts.
I am using "ssh -t user#target "sudo su - service-user" - which actually successfully gets me into a shell for service-user. But I am not able to figure out a way to pass along the file modify commands with the above.
Any tips or alternative options?
Note: I need to use "ssh -t" option as the requiretty is not set on target systems.
Cheers!
Depending on what transport you're using you can use ssh_args.
OpenSSH is the default connection type for Ansible on OSes that are new enough to support ControlPersist. (This means basically all operating systems except Enterprise Linux 6 or earlier).
Then you can do something like this in your ansible.cfg:
ssh_args = -t -t
Which will force ansible to connect the same way you do manually.
Then in your playbook or together with the task where you need it specify become and become_user
- name: Some task
debug: msg="this is a test"
become: true
become_user: someuser
su has an option, -c, that allows you to pass along a command to execute instead of launching a new shell.
-c, --command=COMMAND
pass a single COMMAND to the shell with -c
However, you're authenticating with sudo, which already does this by default; you can just cut su out of the command entirely:
ssh -t user#target "sudo -u service-user <your-command>"
To go one step further, you note that you're planning on putting this into an Ansible playbook. If so, you probably shouldn't be spending too much time trying to do this manually - Ansible will handle running commands remotely (that's one of its primary features, after all), and has a module for modifying the authorized_keys file.
Is it possible avoid sudo word while executing the higher privileged commands to a non-root user via a sudo policy such non-root users should not be able to know that he is executing higher privileged commands and also the usage of sudo might be complex.
Example:
Normal Execution of Sudo Command.
$ sudo -u root /usr/bin/tcpdump
non-root users should execute tcpdump like below.
$ tcpdump
Thanks in advance.
Note: I have defined a Sudo Policy for non-root users. So, when a non-root user executes tcpdump, in the backend it should execute as
sudo -u root tcpdump.
Yes. It is possible.
You should:
1- Create a new specific new group where some users would belong:
groupadd nonroot
2- Add your privileged users to that group:
2.1- Edit /etc/group:
vim /etc/group
2.2- Find the line of new created group. It should look like that:
nonroot:x:127:
2.3- At the end, add your privilaged users:
nonroot:x:127:user1,user2
3- Change the group of your binary:
chgrp nonroot /usr/bin/tcpdump
4- Give group execution permissions to the binary:
chmod g+x /usr/bin/tcpdump
You have to have in count that if the binary reads, writes or executes files which user1 has no permissions, you'll have modify them in the same way.
If you cannot change the group of the binary, check the right answer of post bellow, which is a similar way:
Allow users of a certain group to run a command without sudo
Hope it helps.
NOTE: Commands may differ between different linux/unix distros.
I can see at least two possibilities:
Wrap it in a script (an alias is also possible, but if users can use different shells or just start them manually, it can turn into a maintenence hell)
Set the suid bit on tcpdump, but that means everyone who can invoke tcpdump always does so as the owner.
You might want to explore using sudoers file.
Using CentOS as an example (should be similar for Debian), create a file within sudoers.d with the relevant name, e.g. tcpdump and include the following:
user ALL=NOPASSWD: /usr/bin/tcpdump command
Replace the user and command to suit your purpose. You can find out more here.
This coupled with a alias tcpdump='sudo tcpdump for the user should fit your use case.
This question is a bit specific and I want to do the equivalent of the following code:
# these commands must be run as root
root#server:$ useradd -m -s /bin/bash elspeth # add user named elspeth
# -m creates a home folder, -s sets elspeth to use bash by default
root#server:$ usermod -a -G sudo elspeth # add elspeth to the sudoers group
root#server:$ passwd elspeth # set password for elspeth
root#server:$ su - elspeth # switch-user to being elspeth!
elspeth#server:$
elspeth#server:$ sudo apt-get install nginx
elspeth#server:$ sudo service nginx start
I click "Run as administrator" when opening the Command Prompt, which I assume is "running as root."
I did a little research and found commands like net user (username) (pwd) which I assume are Windows equivalents. Now first, the sudo group part I am confused. I enter:
net localgroup sudo (user) /add
but get a "The specified local group does not exist." Am I to just make a new "sudo" group?
There is also the part of the code setting a user to "use bash by default" of which I do not know/understand the Windows equivalent.
Lastly for the first chunk of code, there is a su command. Would runas be the equivalent? I read that you can switch users from the command prompt on Windows through runas but then I have to specify a program to run (would it be bash in this case?)
And from what I read on StackOverflow, runas is actually the Windows equivalent to Linux's sudo, which gets more confusing for me in the second chunk of code where we have to use sudo (and for what it's worth, sudo is an unrecognized command for me).
For reference and context, this is the book I am using and the exact excerpt dealing with this code:
http://chimera.labs.oreilly.com/books/1234000000754/ch08.html#_user_accounts_ssh_and_privileges
You can't just translate commands like that into Windows; Linux and Windows are completely different especially when it comes to user management.
sudo is just switch user do; it allows you to run a command as another user. In most cases, this is done to allow normal users to execute commands as root.
On Windows, this is "Run As Administrator"; or if you are already part of the Administrator's group - then you can skip this entirely.
The first line adds a user, assigns them a home directory and a shell.
In Windows, you simply add a user; as there really isn't a concept of "shell" in Windows - that is, all users by default use the Windows Desktop Environment - which is their "shell". A shell is just a program that accepts input for execution. Most texts will tell you that cmd.exe (or PowerShell) is the "shell", but this is not strictly true. These are just another interface to execute commands - the main "shell" is Windows itself.
Further, all users get a home directory by default (unless they are a system account).
For more on how to actually create the users and add them to groups, see PowerShell: Create Local User Account
Your last two lines are installing nginx; the closest thing for that command on Windows is chocolatey, but it needs to already be installed.
Otherwise, specifically for nginx you simply download the zip and run the command.