As you can see in the command that is executed by Ansible:

sudo -H -S -n -u root /bin/bash

You cannot restrict individual commands, as we execute everything through a sudoed shell. The recommendation is that sudo should be configured to allow any command to be executed, and not be restricted.

The only other option would be to not use the purpose built Ansible modules, but instead use raw or such to execute those commands directly.

On Thu, Jan 26, 2017 at 3:13 PM Jonathan Bouzekri <[email protected]> wrote:

> Hi,
>
> I am migrating to a new architecture and I have provisioned my servers
> with an ansible playbook. I am also using ansible to deploy my source code.
>
> I want to be able to reload nginx when the configuration changes without
> having to :
>
> * give sudo rights on ALL commands to the deploy user
> * having to pass a become-pass in the command line
>
> In my previous installation, I was doing everything manually and I had
> added this setting to allow my deployment user to reload the nginx
> configuration :
>
> deploy ALL=(ALL) NOPASSWD: /usr/local/sbin/nginx -t, /usr/local/sbin/nginx
> -s reload
>
> How can I have the same feature with Ansible ? Or what is the command
> which is executed when we use the service module and the state reloaded ?
>
> Right now, I have this error :
>
> sshpass -d15 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o
> StrictHostKeyChecking=no -o User=deploy -o ConnectTimeout=10 -o
> ControlPath=/home/deploy/.ansible/cp/ansible-ssh-%h-%p-%r -tt
> x.x.x.x '/bin/bash -c '"'"'sudo -H -S -n -u root /bin/bash -c
> '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-lttadeaqujrmkjjfqaswosxpazzwmsoj;
> /usr/bin/python
> /home/deploy/.ansible/tmp/ansible-tmp-1485445894.86-256748839860893/systemd.py;
> rm -rf
> "/home/deploy/.ansible/tmp/ansible-tmp-1485445894.86-256748839860893/"
> > /dev/null 2>&1'"'"'"'"'"'"'"'"' && sleep 0'"'"''
>
> fatal: [x.x.x.x]: FAILED! => {
>     "changed": false,
>     "failed": true,
>     "invocation": {
>         "module_args": {
>             "name": "nginx",
>             "state": "reloaded"
>         },
>         "module_name": "service"
>     },
>     "module_stderr": "Shared connection to x.x.x.x closed.\r\n",
>     "module_stdout": "sudo: a password is required\r\n",
>     "msg": "MODULE FAILURE"
> }
>
> Note that I am provisioning a CentOS 7.3 server with Ansible 2.2.1.
>
> Thanks

--
Matt Martz
@sivel
sivel.net
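
The raw alternative mentioned in the reply, as an added example that is not part of the original thread: with become disabled, raw sends the command line over SSH as written, so sudo is asked for exactly the two commands the sudoers entry from the question allows. The play name, host group and task names are assumptions.

```yaml
# Added example, not from the thread. Assumes the sudoers entry quoted in
# the question is installed on the target:
#   deploy ALL=(ALL) NOPASSWD: /usr/local/sbin/nginx -t, /usr/local/sbin/nginx -s reload
- name: Reload nginx with a command-restricted sudoers rule   # hypothetical play name
  hosts: webservers              # hypothetical inventory group
  remote_user: deploy
  become: false                  # no "sudo -H -S -n -u root /bin/bash -c ..." wrapper
  gather_facts: false            # facts are not needed for these two tasks
  tasks:
    # raw does not copy a Python module to the host; the string below is the
    # command sudo is asked to authorize, so it must match the sudoers entry
    # argument for argument.
    - name: Validate the nginx configuration
      raw: sudo -n /usr/local/sbin/nginx -t
      changed_when: false        # a syntax check never changes the host

    # Runs only if the validation above exited 0; a non-zero exit fails the
    # task and stops the play for that host.
    - name: Reload nginx
      raw: sudo -n /usr/local/sbin/nginx -s reload
```

The -n flag makes sudo fail immediately instead of prompting if the command line does not match a NOPASSWD entry, which surfaces a sudoers mismatch as a task failure rather than a hang.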
