Hullo Julian.

Sorry, can't figure out how to reply to your reply. Anyway: if you have the 
ability to do so, adjust the sshd config on the target to allow root users 
to log in, but only from localhost (127.0.0.0/8 or ::1). This is exactly as 
secure as allowing su or sudo, so does not breach policy.

Then set up ssh port forwarding via a non-root account on the target host. 
It should forward local connections on the controller host on (say) port 
2222, to port 22 on localhost on the target. Finally, do your rsync to the 
host by connecting to the local port 2222. That will end up connecting 
across the tunnel to a root login on localhost on the target. From the 
target host's point of view, it will be a local connection and thus 
permissible.

I have no idea whether Ansible can cope with such a two-step, but it's a 
relatively common pattern for ssh generally. Assuming you are an ordinary 
user on the controller and there is an ordinary user fred on the target 
system:

   ssh -N -f -L 2222:localhost:22 fred@targethost

then

   ssh -p 2222 root@localhost

or 

   rsync -avz -e "ssh -p 2222" root@localhost:/backups/ /backups/

Not sure about that rsync command; you'd have to read the man page for 
getting ssh to use a different port. The point is that if you connect to 
TCP port 2222 on the controller, you are actually connecting to TCP port 22 
on the target.

Put your (the controller user's) public key (not fred's!) in the target 
root user's ~/.ssh/authorized_keys and in fred's ~/.ssh/authorized_keys and 
the whole thing can be passwordless.

If you are unable to get ssh root logins to localhost on the target, then 
I'm stumped too :-)

Regards, K.
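The two-step tunnel described above, written out as an added example that is not part of this thread: it emits the sshd_config fragment that restricts root logins to loopback, builds the tunnel and rsync commands, and checks (against `ss -ltn` style output) that the local forward is bound to loopback only. The user `fred`, host `targethost`, port 2222 and `/backups/` are the values from the reply; `ExitOnForwardFailure` and `prohibit-password` are standard OpenSSH options, not something the reply mentions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original thread. Values such as
# fred/targethost/2222//backups/ are taken from the reply above.
set -euo pipefail

# sshd_config fragment for the target: root may log in only from loopback,
# and only with a key. Match blocks must come after all global settings.
sshd_localhost_root_block() {
  cat <<'EOF'
PermitRootLogin no
Match Address 127.0.0.0/8,::1
    PermitRootLogin prohibit-password
EOF
}

# Step 1: background tunnel via the unprivileged account. Binding to
# 127.0.0.1 explicitly keeps the forward unreachable from other hosts;
# ExitOnForwardFailure makes ssh fail loudly if the port is already taken.
tunnel_cmd() {   # $1 local port, $2 unprivileged user, $3 target host
  printf 'ssh -N -f -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:localhost:22 %s@%s' "$1" "$2" "$3"
}

# Step 2: rsync through the tunnel; the target sees a root login from localhost.
rsync_cmd() {    # $1 local port, $2 remote dir, $3 local dir
  printf 'rsync -avz -e "ssh -p %s" root@localhost:%s %s' "$1" "$2" "$3"
}

# Check before running rsync: feed it `ss -ltn` output on stdin and it returns
# 0 only if the port is listened on exclusively by 127.x or ::1 (1 if the
# forward is absent or bound to a non-loopback address such as 0.0.0.0).
tunnel_is_loopback_only() {  # $1 local port
  local port=$1 found=0 state rq sq local_addr rest addr
  while read -r state rq sq local_addr rest; do
    case "$local_addr" in
      *:"$port") ;;          # a listener on our port
      *) continue ;;         # header line or some other socket
    esac
    found=1
    addr=${local_addr%:*}    # strip ":port" -> 127.0.0.1 or [::1]
    case "$addr" in
      127.*|"[::1]"|"::1") ;;
      *) return 1 ;;         # exposed beyond loopback
    esac
  done
  [ "$found" -eq 1 ]
}
```

Run `tunnel_cmd`, then `ss -ltn | tunnel_is_loopback_only 2222` before `rsync_cmd`; the sshd fragment goes at the end of the target's sshd_config.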

On Friday, April 6, 2018 at 10:30:12 PM UTC+10, Julian Santander wrote:
>
> Hello,
>
>  I hope someone could offer some guidance on how to solve a scenario I'm 
> trying to automate.
>
> The objective is to obtain a back-up of a directory in the target machine 
> (managed) and needs to be saved to the controller host (where ansible runs).
>
> Now, the problems:
>
>    1. I feel I cannot use synchronize as it has its own rules for access 
>    (requiring ssh public keys unlike the rest of the ansible modules).
>    2. The back-up needs to be done as a privileged account (but ansible 
>    must login as an unprivileged user able to do sudo or su). This kind of 
>    prevents me from using a local_action/shell doing "sshpass -p XXXX 
>    privileged@host "cd directory_to_back_up && tar -czf - *" > 
>    local_backup_file.tar.gz
>    3. There's not enough space in the target machine to create a tar file 
>    of the directory that could later be *fetched*.
>    4. The size of the back-up is huge, precluding writing a tar file to 
>    stdout to be stored in a register variable that could be later be written 
>    locally.
>
> Any ideas on how to handle this? 
>
>
> So far I suspect I might need to write my own module, perhaps looking into 
> how fetch and command are handled to write the output of a command to a 
> local file without registering anything.
>
>
> Thanks in advance and best regards
>
>
> Julian
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/7ca2d620-3517-4b9d-b282-d5abe4c48cb1%40googlegroups.com.