Thanks, I am looking at the raw module, which seems to suit my need. And what about the shell module with a previously delivered shell script containing my reload nginx command? Would it work?

On Friday, January 27, 2017 at 1:46:15 AM UTC+1, Matt Martz wrote:
>
> As you can see in the command that is executed by Ansible:
>
> sudo -H -S -n -u root /bin/bash
>
> You cannot restrict individual commands, as we execute everything through
> a sudoed shell.
>
> The recommendation is that sudo should be configured to allow any command
> to be executed, and not be restricted.
>
> The only other option would be to not use the purpose built Ansible
> modules, but instead use raw or such to execute those commands directly.
>
> On Thu, Jan 26, 2017 at 3:13 PM Jonathan Bouzekri <[email protected]> wrote:
>
>> Hi,
>>
>> I am migrating to a new architecture and I have provisioned my servers
>> with an ansible playbook. I am also using ansible to deploy my source code.
>>
>> I want to be able to reload nginx when the configuration changes without
>> having to:
>>
>> * give sudo rights on ALL commands to the deploy user
>> * having to pass a become-pass in the command line
>>
>> In my previous installation, I was doing everything manually and I had
>> added this setting to allow my deployment user to reload the nginx
>> configuration:
>>
>> deploy ALL=(ALL) NOPASSWD: /usr/local/sbin/nginx -t, /usr/local/sbin/nginx -s reload
>>
>> How can I have the same feature with Ansible? Or what is the command
>> which is executed when we use the service module and the state reloaded?
>>
>> Right now, I have this error:
>>
>> sshpass -d15 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o
>> StrictHostKeyChecking=no -o User=deploy -o ConnectTimeout=10 -o
>> ControlPath=/home/deploy/.ansible/cp/ansible-ssh-%h-%p-%r -tt
>> x.x.x.x '/bin/bash -c '"'"'sudo -H -S -n -u root /bin/bash -c
>> '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-lttadeaqujrmkjjfqaswosxpazzwmsoj;
>> /usr/bin/python
>> /home/deploy/.ansible/tmp/ansible-tmp-1485445894.86-256748839860893/systemd.py;
>>
>> rm -rf
>> "/home/deploy/.ansible/tmp/ansible-tmp-1485445894.86-256748839860893/" >
>> /dev/null 2>&1'"'"'"'"'"'"'"'"' && sleep 0'"'"''
>>
>> fatal: [x.x.x.x]: FAILED! => {
>>     "changed": false,
>>     "failed": true,
>>     "invocation": {
>>         "module_args": {
>>             "name": "nginx",
>>             "state": "reloaded"
>>         },
>>         "module_name": "service"
>>     },
>>     "module_stderr": "Shared connection to x.x.x.x closed.\r\n",
>>     "module_stdout": "sudo: a password is required\r\n",
>>     "msg": "MODULE FAILURE"
>> }
>>
>> Note that I am provisioning a CentOS 7.3 server with Ansible 2.2.1.
>>
>> Thanks
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To post to this group, send email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/ansible-project/40e856bc-de0d-4a58-ac06-bc379025f728%40googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
>>
> --
> Matt Martz
> @sivel
> sivel.net
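
The raw-module approach suggested in the quoted reply, as an added example that is not part of the original thread: the play does not use become, so Ansible never wraps the task in `sudo ... /bin/bash`, and each command reaches sudo on its own, where a command-restricted rule can match it. The `web` host group and the sudoers file name are assumptions; the nginx path and the `deploy` user are the ones quoted above.

```yaml
# Added example (not from the thread). Assumed sudoers drop-in on the target,
# e.g. /etc/sudoers.d/deploy (hypothetical file name), checked with `visudo -cf`:
#
#   deploy ALL=(ALL) NOPASSWD: /usr/local/sbin/nginx -t, /usr/local/sbin/nginx -s reload
#
- name: Reload nginx with a command-restricted sudo rule
  hosts: web              # hypothetical inventory group
  remote_user: deploy
  become: no              # no become: tasks are not wrapped in "sudo ... /bin/bash"
  gather_facts: no        # facts are not needed for this play

  tasks:
    # raw sends the command line over SSH as-is, without the module subsystem,
    # so sudo sees exactly the path and arguments listed in the rule.
    - name: Validate the nginx configuration
      raw: sudo -n /usr/local/sbin/nginx -t
      changed_when: false

    # Runs only if validation succeeded; -n makes sudo fail instead of
    # prompting when the command does not match the NOPASSWD rule.
    - name: Reload nginx
      raw: sudo -n /usr/local/sbin/nginx -s reload
```

Because the rule lists arguments, sudo requires the path and arguments to match exactly, so the commands in the tasks must be written as they appear in the sudoers entry.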
