Hi Ansible team,
I am Ram. We need some help running an Ansible playbook (specifically,
how to add sudo when running playbooks). In our environment, we can run
all admin-related commands with sudo access (by adding sudo in front of
the command, for example sudo vgs or sudo vi /etc/sudoers). We don't have
root access, and hence we don't want to run the playbooks with direct root
access.
Most of our servers (Red Hat / Solaris / AIX) don't have root access.
Admin activities are performed by running sudo <command> as the admin
(sysunx) user.
I mean, after logging in to the server with the sysunx account, we run
admin-related commands as sudo <command>. How can we simulate this in Ansible?
#Playbook code
[root@sgdlvapp03infra splunk_forwarder]# cat sudo_test_solaris.yml
---
# Test play: tries to create and then remove /opt/testfile on the hosts in
# the 'dev' inventory group, printing the registered result of each step.
# NOTE(review): the nesting indentation of this listing was lost when it was
# posted; the lines are kept exactly as posted.
- hosts: dev
gather_facts: yes
# NOTE(review): 'become' is commented out, so privilege escalation is off for
# the whole play. become_user and become_method do nothing on their own, and
# every task runs as the SSH login user.
#become: yes
# NOTE(review): become_user names the account to switch TO, not the login
# account. The manual 'sudo touch' shown later in the post creates a
# root-owned file, so the intended target is presumably root -- confirm.
become_user: sysunx
become_method: sudo
# Play-level ignore_errors: failed tasks are reported as "...ignoring" and
# counted as ignored, so the recap shows failed=0 even though two tasks hit
# "Permission denied".
ignore_errors: true
# Variables loaded for the play. The run uses --ask-vault-pass, so this file
# is presumably vault-encrypted and holds the 'password' variable referenced
# by the inventory -- confirm.
vars_files:
- /var/lib/ansible_playbooks/inventory/password.yml
#- /var/lib/ansible_playbooks/inventory/auth.yml
tasks:
# Connectivity check only; needs no elevated rights.
- name: ping
ping:
# Create the file through the shell module; without become this runs as the
# login user.
- name: touch file '/opt/testfile'
shell: touch /opt/testfile
args:
# Silences the module's hint to use the file module instead of 'touch'.
warn: false
register: shell_output
- name: Print status
debug: var=shell_output
# Same operation through the file module, for comparison with the shell task.
- name: touch file '/opt/testfile' using file module
file:
path: /opt/testfile
state: touch
register: output
- name: Print status
debug: var=output
# Clean-up step; it reports ok/unchanged when the file was never created.
- name: remove file '/opt/testfile'
file:
path: /opt/testfile
state: absent
register: deleted
- name: Print status after deletion
debug: var=deleted
[root@sgdlvapp03infra splunk_forwarder]#
[root@sgdlvapp03infra splunk_forwarder]# ansible-playbook
sudo_test_solaris.yml --ask-vault-pass -i ../../inventory/test_INV
Vault password:
PLAY [dev]
*****************************************************************************************************************************************************************
TASK [Gathering Facts]
*****************************************************************************************************************************************************
ok: [10.4.67.141]
TASK [ping]
****************************************************************************************************************************************************************
ok: [10.4.67.141]
TASK [touch file '/opt/testfile']
******************************************************************************************************************************************
fatal: [10.4.67.141]: FAILED! => {"changed": true, "cmd": "touch
/opt/testfile", "delta": "0:00:00.016422", "end": "2021-01-15
12:53:02.654437", "msg": "non-zero return code", "rc": 1, "start":
"2021-01-15 12:53:02.638015", "stderr": "touch: cannot create
/opt/testfile: Permission denied", "stderr_lines": ["touch: cannot create
/opt/testfile: Permission denied"], "stdout": "", "stdout_lines": []}
...ignoring
TASK [Print status]
********************************************************************************************************************************************************
ok: [10.4.67.141] => {
"shell_output": {
"changed": true,
"cmd": "touch /opt/testfile",
"delta": "0:00:00.016422",
"end": "2021-01-15 12:53:02.654437",
"failed": true,
"msg": "non-zero return code",
"rc": 1,
"start": "2021-01-15 12:53:02.638015",
"stderr": "touch: cannot create /opt/testfile: Permission denied",
"stderr_lines": [
"touch: cannot create /opt/testfile: Permission denied"
],
"stdout": "",
"stdout_lines": []
}
}
TASK [touch file '/opt/testfile' using file module]
************************************************************************************************************************
fatal: [10.4.67.141]: FAILED! => {"changed": false, "msg": "Error, could
not touch target: [Errno 13] Permission denied: '/opt/testfile'", "path":
"/opt/testfile"}
...ignoring
TASK [Print status]
********************************************************************************************************************************************************
ok: [10.4.67.141] => {
"output": {
"changed": false,
"failed": true,
"msg": "Error, could not touch target: [Errno 13] Permission
denied: '/opt/testfile'",
"path": "/opt/testfile"
}
}
TASK [remove file '/opt/testfile']
****************************************************************************************************************************************
ok: [10.4.67.141]
TASK [Print status after deletion]
*****************************************************************************************************************************************
ok: [10.4.67.141] => {
"deleted": {
"changed": false,
"failed": false,
"path": "/opt/testfile",
"state": "absent"
}
}
PLAY RECAP
*****************************************************************************************************************************************************************
10.4.67.141 : ok=8 changed=1 unreachable=0
failed=0 skipped=0 rescued=0 ignored=2
[root@sgdlvapp03infra splunk_forwarder]#
[root@sgdlvapp03infra splunk_forwarder]#
[root@sgdlvapp03infra splunk_forwarder]# cat ../../inventory/test_INV
# Inventory for the test run: one host in group 'dev' plus group-wide
# connection settings.
[dev]
# Disabled entry that would log in directly as root (kept commented out; the
# line is wrapped over two lines in the post).
#sgdlvapp03infra ansible_ssh_user=root ansible_ssh_pass='{{ root_password
}}'
10.4.67.141
[dev:vars]
# Log in over SSH as the sudo-capable sysunx account rather than root.
ansible_ssh_user=sysunx
# The login and become passwords are both templated from the same 'password'
# variable; presumably it is defined in the vaulted password.yml -- confirm.
ansible_ssh_pass='{{ password }}'
# Only consulted when a task actually runs with become enabled.
# NOTE(review): the sudoers entry shown for %sysunxg is NOPASSWD, so a become
# password may not be needed at all -- confirm.
ansible_become_pass='{{ password }}'
ansible_python_interpreter=/usr/bin/python
[root@sgdlvapp03infra splunk_forwarder]#
For example, this is how I run sudo commands manually on the target
machine:
sysunx@dvsun25b:~$
sysunx@dvsun25b:~$ touch /opt/test_file
touch: cannot create /opt/test_file: Permission denied
sysunx@dvsun25b:~$
sysunx@dvsun25b:~$ sudo touch /opt/test_file
sysunx@dvsun25b:~$ ls -lrt /opt/test_file
-rw-r----- 1 root root 0 Jan 15 12:51 /opt/test_file
sysunx@dvsun25b:~$
sysunx@dvsun25b:~$ sudo cat /etc/sudoers | grep sysunx
%sysunxg ALL=(ALL) NOPASSWD: ADMIN01, ADMIN02, ADMIN03, ADMIN04, ADMIN05,
ADMIN06, ADMIN12,!ID02, !FILE01, !FILE02, !FILE03, !FILE04, !FILE07,
!FILE08, !FILE09, !FILE11, !FILE12