Ansible and ForwardAgent for sudo_user

Posted: 2015-08-19 09:45:09

Tags: ssh ansible

Can someone tell me what I'm doing wrong? I'm using an Amazon EC2 instance and want to forward the agent to the user rails, but when I run the following task:

- acl: name={{ item }} etype=user entity=rails permissions=rwx state=present
  with_items:
    - "{{ ansible_env.SSH_AUTH_SOCK|dirname }}"
    - "{{ ansible_env.SSH_AUTH_SOCK }}"
  sudo: true

I get a failure:

(item=/tmp/ssh-ULvzaZpq2U) => {"failed": true, "item": "/tmp/ssh-ULvzaZpq2U"}
msg: path not found or not accessible!

When I try it by hand, without Ansible, it works fine:

setfacl -m rails:rwx "$SSH_AUTH_SOCK"
setfacl -m rails:x $(dirname "$SSH_AUTH_SOCK")
sudo -u rails ssh -T git@github.com
# -> Hi KELiON! You've successfully authenticated, but GitHub does not provide shell access.

I even tried launching a fresh instance and running this test ansible playbook:

#!/usr/bin/env ansible-playbook
---
- hosts: all
  remote_user: ubuntu
  tasks:
    - user: name=rails
      sudo: true
    - name: Add ssh agent line to sudoers
      lineinfile:
        dest: /etc/sudoers
        state: present
        regexp: SSH_AUTH_SOCK
        line: Defaults env_keep += "SSH_AUTH_SOCK"
        # let visudo check the edited copy first: a syntax error in /etc/sudoers locks everyone out of sudo
        validate: 'visudo -cf %s'
      sudo: true
    - acl: name={{ item }} etype=user entity=rails permissions=rwx state=present
      with_items:
        - "{{ ansible_env.SSH_AUTH_SOCK|dirname }}"
        - "{{ ansible_env.SSH_AUTH_SOCK }}"
      sudo: true
    - name: Test that git ssh connection is working.
      command: ssh -T git@github.com
      sudo: true
      sudo_user: rails

ansible.cfg is:

[ssh_connection]
pipelining=True
ssh_args=-o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s

[defaults]
sudo_flags=-HE
hostfile=staging

But the result is the same. Any ideas?
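The manual setfacl hand-off from the question, written up as an added Python helper that is not part of the original post. It refuses to touch anything unless SSH_AUTH_SOCK names a live UNIX socket, grants only what the hand-off needs (x on the directory, rw on the socket; the task above asks for rwx on both), verifies the entry with getfacl, and then checks that the target user can actually reach the agent through ssh-add. The user name rails and the socket path are taken from the question; the getfacl sample used for the offline checks is constructed; setfacl, getfacl, sudo and ssh-add are assumed to be installed.

```python
"""Hand a forwarded SSH agent socket to another local user with POSIX ACLs.

Added example, not code from the question or the answers. Assumes the acl
package (setfacl/getfacl), sudo and ssh-add are installed and that the script
runs as the user who owns the forwarded socket (the ssh login user, e.g. ubuntu).
"""
import os
import stat
import subprocess
import sys
from typing import List, Mapping


def agent_socket(env: Mapping[str, str] = os.environ) -> str:
    """Return SSH_AUTH_SOCK if it names a live UNIX socket, else raise.

    Both failure modes are easy to hit from Ansible: sudo's env_reset strips
    the variable unless env_keep or -E preserves it, and a value captured in
    gathered facts can outlive the connection that created the socket.
    """
    sock = env.get("SSH_AUTH_SOCK", "")
    if not sock:
        raise RuntimeError("SSH_AUTH_SOCK is not set: no agent forwarded, or sudo dropped it")
    try:
        st = os.stat(sock)
    except OSError as exc:
        raise RuntimeError(f"{sock}: {exc} (stale SSH_AUTH_SOCK?)") from None
    if not stat.S_ISSOCK(st.st_mode):
        raise RuntimeError(f"{sock}: exists but is not a UNIX socket")
    return sock


def acl_plan(user: str, sock: str) -> List[List[str]]:
    """setfacl argv lists granting the minimum the hand-off needs: traverse (x)
    on the directory and connect (rw) on the socket. rwx on the directory, as in
    the question's task, additionally lets the user list and create files there."""
    return [
        ["setfacl", "-m", f"u:{user}:x", os.path.dirname(sock)],
        ["setfacl", "-m", f"u:{user}:rw", sock],
    ]


def has_user_acl(getfacl_output: str, user: str, perms: str) -> bool:
    """True if getfacl's output contains a `user:<user>:<perms>` entry."""
    wanted = f"user:{user}:{perms}"
    return any(line.strip() == wanted for line in getfacl_output.splitlines())


def grant(user: str, dry_run: bool = False) -> List[List[str]]:
    """Apply the plan, verify the ACL, and prove the target user can reach the agent."""
    sock = agent_socket()
    plan = acl_plan(user, sock)
    if dry_run:
        return plan
    for argv in plan:
        subprocess.run(argv, check=True)
    facl = subprocess.run(["getfacl", "-p", sock], check=True,
                          capture_output=True, text=True).stdout
    if not has_user_acl(facl, user, "rw-"):
        raise RuntimeError(f"ACL on {sock} did not take:\n{facl}")
    # ssh-add -l exits 2 when it cannot reach the agent; 0 (keys) or 1 (no keys)
    # both prove the socket is usable. Running `env` under sudo carries the
    # variable across without relying on env_keep or -E (assumes sudo allows env).
    rc = subprocess.run(["sudo", "-u", user, "env", f"SSH_AUTH_SOCK={sock}",
                         "ssh-add", "-l"]).returncode
    if rc == 2:
        raise RuntimeError(f"{user} still cannot reach the agent at {sock}")
    return plan


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "rails"  # rails: the user from the question
    for argv in grant(target, dry_run="--dry-run" in sys.argv):
        print(" ".join(argv))
```

Run it from the login session that owns the socket (`python3 grant_agent.py rails --dry-run` first to see the plan). Note that the ACL grants rails the use of every key loaded in the agent for as long as the session lasts, not just the deploy key.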

3 Answers:

Answer 0 (score: 5)

I had the same problem and found the answer at https://github.com/ansible/ansible/issues/7235#issuecomment-45842303

My solution is a bit different from his, because acl didn't work for me, so I:

1. Changed ansible.cfg:

       [defaults]
       sudo_flags=-HE
       [ssh_connection]
       # COMMENTED OUT: ssh_args = -o ForwardAgent=yes

2. Added tasks/ssh_agent_hack.yml containing:

       - name: "(ssh-agent hack: grant access to {{ deploy_user }})"
         # SSH-agent socket is forwarded for the current user only (0700 file). Let's change it
         # See: https://github.com/ansible/ansible/issues/7235#issuecomment-45842303
         # See: http://serverfault.com/questions/107187/ssh-agent-forwarding-and-sudo-to-another-user
         become: false
         file: group={{deploy_user}} mode=g+rwx path={{item}}
         with_items:
         - "{{ ansible_env.SSH_AUTH_SOCK|dirname }}"
         - "{{ ansible_env.SSH_AUTH_SOCK }}"

   Note - the become: false setting is there because I'm doing this as root - if you ssh in as something else, you'd need to become root to do the fix and then become your deploy_user below (if that isn't the user you're ssh'ing in as).

3. Then called it from my deploy.yml playbook:

       - hosts: apps
         gather_facts: True
         become: True
         become_user: "{{deploy_user}}"
         pre_tasks:
         - include: tasks/ssh_agent_hack.yml
           tags: [ 'deploy' ]
         roles:
         - { role: carlosbuenosvinos.ansistrano-deploy, tags: [ 'deploy' ] }

Side note - adding ForwardAgent yes to the host entry in ~/.ssh/config made no difference to what worked (I tried all 8 combinations :- only setting sudo_flags but not ssh_args worked, and it didn't matter whether forwarding was set on or off for openssh in ~/.ssh/config - tested under ubuntu trusty)

Also note: I have pipelining = True in ansible.cfg
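Why a group-accessible socket, as in the hack above, deserves care: the agent protocol carries no authentication of its own, so once a user can connect to the socket they can enumerate and sign with every key the agent holds for as long as the forwarding session stays open. The following Python client is an added example, not code from the answer. It builds SSH_AGENTC_REQUEST_IDENTITIES, parses SSH_AGENT_IDENTITIES_ANSWER (message numbers as in the OpenSSH agent protocol draft, draft-miller-ssh-agent), and lists the loaded keys through SSH_AUTH_SOCK when one is reachable. The key blob and comment used for the offline demo are constructed.

```python
"""Minimal client for the OpenSSH agent protocol (draft-miller-ssh-agent).

Added example, not code from the answer. It makes one point concrete: the
agent socket carries no authentication of its own, so whoever can connect to
it (after a chmod g+rwx or an ACL) can enumerate and use every loaded key.
The sample blob/comment in the tests are constructed for the offline demo.
"""
import os
import socket
import struct
from typing import List, Optional, Tuple

SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12


def _string(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length prefix, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Decode an SSH 'string' at offset off; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string in agent message")
    return buf[off:off + n], off + n


def frame(payload: bytes) -> bytes:
    """Agent messages on the wire are uint32 length + payload."""
    return struct.pack(">I", len(payload)) + payload


def request_identities() -> bytes:
    """The one-byte request asking the agent for all loaded public keys."""
    return frame(bytes([SSH_AGENTC_REQUEST_IDENTITIES]))


def parse_identities_answer(payload: bytes) -> List[Tuple[str, bytes, str]]:
    """Return (key type, public key blob, comment) per key in an
    SSH_AGENT_IDENTITIES_ANSWER payload (the message after its length prefix)."""
    if not payload or payload[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError(f"unexpected agent message type {payload[:1]!r}")
    (nkeys,) = struct.unpack_from(">I", payload, 1)
    off = 5
    keys = []
    for _ in range(nkeys):
        blob, off = _read_string(payload, off)
        comment, off = _read_string(payload, off)
        ktype, _ = _read_string(blob, 0)  # a public key blob starts with its type string
        keys.append((ktype.decode(), blob, comment.decode(errors="replace")))
    return keys


def make_identities_answer(keys: List[Tuple[bytes, bytes]]) -> bytes:
    """Build a framed answer as an agent would; keys are (blob, comment) pairs.
    Used here to exercise the parser without a live agent."""
    body = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(keys))
    for blob, comment in keys:
        body += _string(blob) + _string(comment)
    return frame(body)


def _recv_exact(s: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the connection")
        buf += chunk
    return buf


def list_agent_keys(sock_path: Optional[str] = None) -> List[Tuple[str, bytes, str]]:
    """Connect to the agent socket and list its keys. No credential is sent:
    being able to open the socket is the whole authorization check."""
    path = sock_path or os.environ["SSH_AUTH_SOCK"]
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(request_identities())
        (n,) = struct.unpack(">I", _recv_exact(s, 4))
        return parse_identities_answer(_recv_exact(s, n))


if __name__ == "__main__":
    for ktype, blob, comment in list_agent_keys():
        print(f"{ktype} ({len(blob)}-byte blob)  {comment}")
```

Run it as the deploy user after the mode or ACL change: an empty list means the socket is reachable but nothing is loaded, a connection error means the permissions did not take. If exposing every loaded key to that user is more than you want, load keys with `ssh-add -c` so each signature has to be confirmed on the originating workstation.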

Answer 1 (score: 0)

This worked for me on v2.3.0.0

$ vi ansible.cfg

[defaults]
roles_path = ./roles
retry_files_enabled = False
[ssh_connection]
ssh_args=-o ControlMaster=auto -o ControlPersist=60s -o ControlPath=/tmp/ansible-ssh-%h-%p-%r -o ForwardAgent=yes

$ vi roles/pull-code/tasks/main.yml

- name: '(Hack: keep SSH forwarding socket)'
  # needs root; a syntax error in /etc/sudoers locks sudo for everyone, so let visudo check the copy first
  lineinfile:
      dest: /etc/sudoers
      insertafter: '^#?\s*Defaults\s+env_keep\b'
      line: 'Defaults    env_keep += "SSH_AUTH_SOCK"'
      validate: 'visudo -cf %s'

- name: '(Hack: grant access to the socket to {{app_user}})'
  become: false
  acl: name='{{item}}' etype=user entity='{{app_user}}' permissions="rwx" state=present
  with_items:
      - "{{ ansible_env.SSH_AUTH_SOCK|dirname }}"
      - "{{ ansible_env.SSH_AUTH_SOCK }}"

- name: Pull the code
  become: true
  become_user: '{{app_user}}'
  git:
      repo: '{{repository}}'
      dest: '{{code_dest}}'
      accept_hostkey: yes 

Answer 2 (score: 0)

I know this answer is very late to the party, but the other answers seemed overly complicated once I stripped the solution down to the bare minimum. Here is an example playbook that clones a git repo which needs ssh for access authentication:

- hosts: all
  connection: ssh
  vars:
    # forward agent so access to git via ssh works
    ansible_ssh_extra_args: '-o ForwardAgent=yes'
    utils_repo: "git@git.example.com:devops/utils.git"
    utils_dir: "/opt/utils"
  tasks:
    - name: Install Utils
      git:
        repo: "{{ utils_repo }}"
        dest: "{{ utils_dir }}"
        update: true
        accept_hostkey: yes
      become: true
      become_method: sudo
      # Need this to ensure we have the SSH_AUTH_SOCK environment variable
      become_flags: '-HE'