I am having trouble with configuring Ansible and sudo to allow me to SSH into a server and run a command as another user.
I have gone through the questions / answers below and the Ansible documentation here: http://docs.ansible.com/intro_inventory.html
but I still cannot get it to work.
Please can someone put me on the right track.
References:
https://stackoverflow.com/questions/24743085/ansible-ssh-as-one-user-and-sudo-as-another
Ansible : using different sudo user for different hosts
I am trying to do this:
server-01 client-01
--------- -----------
foo ----> ssh ---> foo
bar - sudo as root user
Using Ansible,
connect from: server-01
to: client-01
using the user foo
and then use sudo to run a command as user bar
User bar is set up to be able to run any command.
However, I am not sure where the problem is, with sudo or Ansible.
I think the problem is with sudo but I am not sure where.
This ansible command works:
[foo@server-01 ~]$ ansible client-01 -m raw -a "touch /var/tmp/testfile" --ask-sudo-pass
sudo password: ********* ( password for foo user )
client-01 | success | rc=0 >>
This one does not work:
[foo@server-01 ~]$ ansible client-01 -m raw -a "touch /etc/testfile" --ask-sudo-pass
sudo password: ********* ( password for foo user )
client-01 | FAILED | rc=1 >>
touch: cannot touch `/etc/testfile': Permission denied
I have SSH authentication without a password set up between server-01 and client-01 for user foo and it works OK.
[foo@server-01 ~]$ id
uid=96(foo) gid=96(foo) groups=96(foo)
[foo@server-01 ~]$ su - foo
Password:
[foo@server-01 ~]$
[foo@server-01 ~]$
[foo@server-01 ~]$ ssh client-01
Last login: Thu Jan 15 16:32:05 2015 from server-01
[foo@client-01 ~]$
This is my setup:
server-01: /etc/ansible/hosts
-------------------------------------
[clients]
client-01 ansible_sudo=true ansible_ssh_user=foo ansible_sudo_user=bar
client-01: /etc/sudoers
-------------------------------------
[root@client-01 ~]# cat /etc/sudoers
#
root ALL=(ALL) ALL
bar ALL=(ALL) ALL
foo ALL=(bar) NOPASSWD: ALL
When on the destination server ( client-01 ) I can test sudo.
I think that sudo is the part that is not working, but due to this I cannot set up any of the Ansible Playbooks.
[root@client-01 ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[root@client-01 ~]# su - bar
[bar@client-01 ~]$ sudo -l
[sudo] password for bar:
User bar may run the following commands on this host:
(ALL) ALL
[bar@client-01 ~]$ sudo touch /etc/tempfile
[bar@client-01 ~]$ ls -alp /etc/tempfile
-rw-r--r-- 1 root root 0 Jan 15 17:08 /etc/tempfile
[bar@client-01 ~]$ sudo rm /etc/tempfile
[bar@client-01 ~]$ exit
logout
[root@client-01 ~]# su - foo
[foo@client-01 ~]$ sudo -l
User foo may run the following commands on this host:
(bar) NOPASSWD: ALL
[foo@client-01 ~]$ sudo touch /etc/tempfile
[sudo] password for foo:
Sorry, user foo is not allowed to execute '/bin/touch /etc/tempfile' as root on client-01.
[foo@client-01 ~]$ exit
logout
Maybe this is the line that is failing:
foo ALL=(bar) NOPASSWD: ALL
I thank you for any help.
Best Answer
touch, I'd guess it's a filesystem issue and not an ansible one.
UPDATE: Try replacing the (bar) in your sudoers file with ALL, for now, and see if that works?
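The following is an added example (not code from the original question, the answer, or Ansible itself) that models how sudo evaluates the three sudoers lines shown in the question and what a single Ansible sudo hop can therefore reach. It parses only the `user host=(runas) [NOPASSWD:] commands` line shape that appears on the page, treats `/etc` as root-writable only and `/var/tmp` as world-writable (a modelling assumption), and the hostname `client-01` is taken from the question. It covers both the original `foo ALL=(bar) NOPASSWD: ALL` configuration and the answer's suggested change to `(ALL)`.

```python
"""Simplified model of how sudo evaluates the sudoers rules from the question.
Added example, not code from the original post or from Ansible; it parses only
the 'user host=(runas) [NOPASSWD:] commands' line shape used on the page."""
import re
from dataclasses import dataclass

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tag>NOPASSWD:|PASSWD:)?\s*(?P<cmds>.+)$"
)


@dataclass(frozen=True)
class Rule:
    user: str
    host: str
    runas: str       # "ALL" or a comma-separated list of target users
    nopasswd: bool
    cmds: str        # "ALL" or a comma-separated command list


def parse_sudoers(text):
    """Parse the subset of sudoers syntax shown on the page into Rule objects."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unsupported sudoers line: %r" % line)
        rules.append(Rule(m["user"], m["host"], m["runas"].strip(),
                          m["tag"] == "NOPASSWD:", m["cmds"].strip()))
    return rules


def check(rules, user, runas, command="ALL", host="client-01"):
    """Return (allowed, password_required) for `sudo -u <runas> <command>`
    run by <user> on <host>. As in sudo, the last matching rule wins."""
    verdict = (False, True)
    for r in rules:
        if r.user != user or r.host not in ("ALL", host):
            continue
        if r.runas != "ALL" and runas not in [u.strip() for u in r.runas.split(",")]:
            continue
        if r.cmds != "ALL" and command not in [c.strip() for c in r.cmds.split(",")]:
            continue
        verdict = (True, not r.nopasswd)
    return verdict


def ansible_raw_outcome(rules, ssh_user, sudo_user, target_path):
    """Model an `ansible -m raw -a "touch <path>"` run with ansible_sudo=true:
    Ansible makes exactly one sudo hop (ssh_user -> sudo_user) and runs the
    command with sudo_user's own privileges; it never chains a second sudo."""
    allowed, _ = check(rules, ssh_user, sudo_user)
    if not allowed:
        return "FAILED | sudo: %s may not run as %s" % (ssh_user, sudo_user)
    # Modelling assumption: /etc is writable only by root, /var/tmp by everyone.
    if target_path.startswith("/etc/") and sudo_user != "root":
        return "FAILED | touch: cannot touch '%s': Permission denied" % target_path
    return "success"


# The sudoers from the question (client-01:/etc/sudoers), constructed inline.
QUESTION_RULES = parse_sudoers("""
#
root ALL=(ALL) ALL
bar ALL=(ALL) ALL
foo ALL=(bar) NOPASSWD: ALL
""")

# The answer's suggestion: (bar) replaced by ALL on foo's line.
ANSWER_RULES = parse_sudoers("""
root ALL=(ALL) ALL
bar ALL=(ALL) ALL
foo ALL=(ALL) NOPASSWD: ALL
""")

if __name__ == "__main__":
    print("foo -> bar :", check(QUESTION_RULES, "foo", "bar"))     # (True, False)
    print("foo -> root:", check(QUESTION_RULES, "foo", "root"))    # (False, True)
    print("bar -> root:", check(QUESTION_RULES, "bar", "root"))    # (True, True)
    print(ansible_raw_outcome(QUESTION_RULES, "foo", "bar", "/var/tmp/testfile"))
    print(ansible_raw_outcome(QUESTION_RULES, "foo", "bar", "/etc/testfile"))
    print("after the answer's change, foo -> root:",
          check(ANSWER_RULES, "foo", "root"))                      # (True, False)
```

The model reproduces both runs from the question: with `ansible_sudo_user=bar`, foo's hop to bar is allowed without a password, so `touch /var/tmp/testfile` succeeds, but the command then runs as bar, not root, and `touch /etc/testfile` fails with "Permission denied"; bar's own `(ALL) ALL` entry is never consulted because Ansible does not perform a second sudo. It also shows what the answer's change means in practice: `foo ALL=(ALL) NOPASSWD: ALL` makes foo's SSH key alone sufficient for passwordless root on client-01, a much wider grant than the original `(bar)` line, so anyone applying it should know that is the trade-off. On the real host, `visudo -c` checks the file's syntax and `sudo -l -U foo` (as root) shows exactly what sudo itself has derived for foo.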