成为ansible中的非root用户失败

时间:2017-12-18 17:38:44

标签: ansible

我正在尝试使用以下剧本成为ansible中的用户“oracle”:

- hosts: "myhost"
  tasks:         
        - name: install oracle client
          become: yes
          become_user: oracle
          become_method: su
          shell: |
                whoami
          args:
            chdir: /tmp/client
          environment:
            DISTRIB: /tmp/client

我收到错误:

"msg": "Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user (rc: 1, err: chown: changing ownership of `/tmp/ansible-tmp-1513617986.78-246171259298529/': Operation not permitted\nchown: changing ownership of `/tmp/ansible-tmp-1513617986.78-246171259298529/command.py': Operation not permitted\n}). For information on working around this, see https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user"

我的文章是“https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user

并将以下内容添加到 /etc/ansible/ansible.cfg ,但没有任何效果。

allow_world_readable_tmpfiles = True

My Ansible Version: 

ansible 2.4.2.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.12 (default, Nov 19 2016, 06:48:10) [GCC 5.4.0 20160609]

问题: 有没有办法配置我的主机接受ansible成为oracle用户?

3 个答案:

答案 0 :(得分:3)

从 ansible 2.10 开始,对临时文件的可读性有更细粒度的控制(不推荐使用全局 allow_world_readable_tmpfiles 变量)。

例如要为 shell 模块启用全局可读性,您现在可以在主机级别设置变量 ansible_shell_allow_world_readable_temp: true(在 ansible 2.10.5 中为我工作)。

截至 2021 年 2 月,文档似乎仍然有些缺乏;见https://github.com/ansible/ansible/issues/72264

答案 1 :(得分:1)

要允许成为非特权用户,必须在True

中将两件事设置为/etc/ansible/ansible.cfg

重要: 必须在ansible.cfg中的正确位置取消注释给定设置。 将这些设置附加到ansible.cfg

是不够的 
allow_world_readable_tmpfiles = True
pipelining = True

以编程方式取消注释:

sed -i 's/.*pipelining.*/pipelining = True/' /etc/ansible/ansible.cfg
sed -i 's/.*allow_world_readable_tmpfiles.*/allow_world_readable_tmpfiles = True/' /etc/ansible/ansible.cfg

以下是一个示例剧本,其中显示了如何成为用户oracle

# Setup the infrastructure for Faktura
- hosts: "myhost"
  become: yes
  become_method: sudo
  become_user: oracle
  vars:
    allow_world_readable_tmpfiles: true
  tasks:         


        # an error is thorwn when becoming unpriviledged user. Hence use sudo
        - name: install oracle client
          shell: |
                whoami
          args:
            chdir: /tmp/client
          environment:
            DISTRIB: /tmp/client

答案 2 :(得分:0)

如果您使用的是 Ubuntu 20.04 或更高版本,则需要安装 acl 软件包。

来源:https://github.com/georchestra/ansible/issues/55#issuecomment-651043423

相关问题
最新问题