How to switch a user per task or set of tasks?

無奈伤痛 2020-11-29 17:08

A recurring theme that's in my ansible playbooks is that I often must execute a command with sudo privileges (sudo: yes) because I'd like to do it for a certa

5 answers
  • 2020-11-29 17:32

    With Ansible 1.9 or later

    Ansible uses the become, become_user, and become_method directives to achieve privilege escalation. You can apply them to an entire play or playbook, set them in an included playbook, or set them for a particular task.

    - name: checkout repo
      git:
        repo: https://github.com/some/repo.git
        version: master
        dest: "{{ dst }}"
      become: yes
      become_user: some_user
    

    You can use become_with to specify how the privilege escalation is achieved, the default being sudo.

    The directive is in effect for the scope of the block in which it is used (examples).

    See Hosts and Users for some additional examples and Become (Privilege Escalation) for more detailed documentation.

    In addition to the task-scoped become and become_user directives, Ansible 1.9 added some new variables and command line options to set these values for the duration of a play in the absence of explicit directives:

    • Command line options for the equivalent become/become_user directives.
    • Connection specific variables which can be set per host or group.

    As of Ansible 2.0.2.0, the older sudo/sudo_user syntax described below still works, but the deprecation notice states, "This feature will be removed in a future release."


    Previous syntax, deprecated as of Ansible 1.9 and scheduled for removal:

    - name: checkout repo
      git:
        repo: https://github.com/some/repo.git
        version: master
        dest: "{{ dst }}"
      sudo: yes
      sudo_user: some_user
    
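The scoping described in this answer, as an added example that is not code from the original answer: one play sets become at play level, one task overrides the target user, and one task switches escalation off entirely, so each task runs with the least identity it needs. The host group, the login user deploy, the service account some_user, the package and the path are hypothetical; the directive that selects the mechanism is become_method, and the equivalent per-host defaults are the ansible_become, ansible_become_method and ansible_become_user inventory variables shown in the comment.

```yaml
# Added example, not from the original answer. Hosts, users and paths are hypothetical.
#
# The same per-host defaults can be expressed in inventory instead of the play:
#   webservers ansible_become=yes ansible_become_method=sudo ansible_become_user=root
- hosts: webservers
  remote_user: deploy            # the SSH login user; assumed to exist and to have sudo rights
  become: yes                    # play-level default: every task escalates via sudo to root
  become_method: sudo
  vars:
    dst: /srv/app
  tasks:
    - name: install git as root (inherits the play-level become settings)
      apt:
        name: git
        state: present

    - name: check out the application as the service account, never as root
      git:
        repo: https://github.com/some/repo.git
        version: master
        dest: "{{ dst }}"
      become_user: some_user     # task-level override of the target user only; still sudo

    - name: this task runs as the SSH login user, with no escalation at all
      command: id -un
      become: no                 # task-level override switches escalation off
      register: login_identity
      changed_when: false
      failed_when: login_identity.stdout != 'deploy'
```

Because deploy and some_user are both unprivileged, Ansible has to hand its temporary module file from one to the other for the checkout task; it does that with setfacl (the acl package) or chown and, by default, refuses to fall back to a world-readable temporary directory, so install acl on the targets or that task fails. That refusal is a deliberate safeguard against leaking module arguments to every local user, not a bug to disable.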
  • 2020-11-29 17:37

    You can specify become_method to override the default method set in ansible.cfg (if any); it can be set to one of sudo, su, pbrun, pfexec, doas, dzdo, ksu.

    - name: I am confused
      command: 'whoami'
      become: true
      become_method: su
      become_user: some_user
      register: myidentity
    
    - name: my secret identity
      debug:
        msg: '{{ myidentity.stdout }}'
    

    Should display

    TASK [my-task : my secret identity] ************************************************************
    ok: [my_ansible_server] => {
        "msg": "some_user"
    }
    
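The sudo side of become_method, as an added example that is not code from the original answer: the play first installs a sudoers drop-in that lets the login user run commands only as the service account, validated with visudo so a typo cannot lock sudo for everyone, then escalates with become_method: sudo and checks the resulting identity rather than assuming it. The host group, the users deploy and some_user, and the drop-in file name are hypothetical.

```yaml
# Added example, not from the original answer. Hosts, users and file names are hypothetical.
- hosts: webservers
  remote_user: deploy
  tasks:
    - name: allow deploy to run commands as some_user (and only as some_user) without a password
      copy:
        dest: /etc/sudoers.d/ansible-some_user
        owner: root
        group: root
        mode: '0440'
        content: |
          deploy ALL=(some_user) NOPASSWD: ALL
        validate: 'visudo -cf %s'   # reject a syntactically broken rule before it replaces the file
      become: yes                    # writing under /etc/sudoers.d needs root

    - name: escalate to the service account through the rule just installed
      command: whoami
      become: yes
      become_method: sudo
      become_user: some_user
      register: myidentity
      changed_when: false

    - name: prove that escalation produced the intended identity
      assert:
        that: myidentity.stdout == 'some_user'
        fail_msg: "became {{ myidentity.stdout }} instead of some_user"
```

The rule deliberately scopes by target user rather than by command: Ansible executes a freshly generated module file through the remote Python interpreter on every task, so a command-restricted sudoers entry would break become, and restricting the identity the login user can assume is the control that actually holds.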
  • 2020-11-29 17:38

    In Ansible >1.4 you can actually specify a remote user at the task level which should allow you to login as that user and execute that command without resorting to sudo. If you can't login as that user then the sudo_user solution will work too.

    ---
    - hosts: webservers
      remote_user: root
      tasks:
        - name: test connection
          ping:
          remote_user: yourname
    

    See http://docs.ansible.com/playbooks_intro.html#hosts-and-users

  • 2020-11-29 17:38

    A solution is to use the include statement with the remote_user var (described there: http://docs.ansible.com/playbooks_roles.html), but it has to be done at the playbook level instead of the task level.

  • 2020-11-29 17:43

    In Ansible 2.x, you can use the block for group of tasks:

    - block:
        - name: checkout repo
          git:
            repo: https://github.com/some/repo.git
            version: master
            dest: "{{ dst }}"
        - name: change perms
          file:
            dest: "{{ dst }}"
            state: directory
            mode: '0755'
            owner: some_user
      become: yes
      become_user: some_user
    
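Blocks as a least-privilege boundary, as an added example that is not code from the original answer: the tasks that genuinely need root (package install, creating the directory and handing it to the service account) sit in one block, and the deployment tasks sit in a second block that escalates only to the service account, so a bug or a malicious repository in the checkout step runs as some_user rather than root. The host group, the login user deploy, the service account some_user, the package and the path are hypothetical.

```yaml
# Added example, not from the original answer. Hosts, users, package and paths are hypothetical.
- hosts: webservers
  remote_user: deploy
  vars:
    dst: /srv/app
  tasks:
    - block:
        - name: install git
          apt:
            name: git
            state: present
        - name: create the deployment directory and hand it to the service account
          file:
            path: "{{ dst }}"
            state: directory
            owner: some_user
            group: some_user
            mode: '0755'
      become: yes                 # every task in this block runs as root (the default become_user)

    - block:
        - name: check out repo as the service account
          git:
            repo: https://github.com/some/repo.git
            version: master
            dest: "{{ dst }}"
        - name: keep the checkout readable only by the service account
          file:
            path: "{{ dst }}"
            state: directory
            mode: '0750'
      become: yes
      become_user: some_user      # every task in this block runs as some_user, none as root
```

Block-level become and become_user are inherited by each task in the block unless the task sets its own; a single task inside the second block could still say become: no or name a different become_user, so review task-level overrides inside a block as carefully as the block header itself.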