ansible:如何成为无密码用户
ansible: how to become a passwordless user
我正在尝试使用 ansible 实现以下目标
- 创建一个没有密码的用户
adduser test <-- ok and works on linux machine and works with ansible
- 更改为用户测试
su test <-- works on linux machine, but fails with ansible. I get
incorrect password message
- 作为测试用户将文件从location1复制到location2并更改文件内容。
cp loc1/testfile.txt loc2/testfile.txt && echo "hello" > testfile.txt
---
- name: This is a hello-world example
hosts: all
tasks:
- name: create a passwordless test user
action: user name=test state=present
become: yes
become_user: root
- name: Create a file called '/tmp/testfile.txt' with the content 'hello' using test user.
copy:
content: hello
dest: /tmp/testfile.txt
owner: test
group: test
become_user: test
主要条件:
在执行的那一刻,文件 testfile.txt 已经在 linux 机器上创建,并且有一个组 root 和用户 root。我想覆盖文件并分配不同的用户和组。
我试过各种组合,包括
copy:
content: hello
dest: /tmp/testfile.txt
owner: test
group: test
become: yes
become_user: test
copy:
content: hello
dest: /tmp/testfile.txt
owner: test
group: test
become: yes
become_user: test
become_method: su
copy:
content: hello
dest: /tmp/testfile.txt
owner: test
group: test
become: yes
copy:
content: hello
dest: /tmp/testfile.txt
owner: test
group: test
become_user: test
become_method: su
总是收到有关密码不正确的消息。尴尬的是test用户没有密码
我做错了什么?
更新:
试过这个
How to achieve sudo su - <user> and run all command in ansible <-- 无效
找到答案 - 不可能
https://devops.stackexchange.com/questions/3588/how-do-you-simulate-sudo-su-user-in-ansible
有什么意义?
引用自 Quora(来源:https://www.quora.com/What-is-advantage-of-creating-passwordless-user-in-Linux)
I presume you mean processes such as a webserver, running as the
"apache" user with a locked password (shadow entry of '!!').
This is for security, in case a vulnerability is discovered in the
server code. Prior to the year 2000 or so, it was common for servers
to run as the root user, particularly as this privilege is required to
open network sockets on privileged ports (below 1024), such as 53
(DNS) or 80 (HTTP). As I recall, high-profile breaches of the bind and
sendmail servers caused developers to re-think this strategy. Since
then, services are started with root privilege, the socket opened, and
then privilege is dropped to a non-privileged user ID such as "apache"
or "named". This needs no password, since it is never intended that
anyone login. Rather, a process running as root executes a setuid()
system call to change effective user ID to this user. In the event of
a security breach, an attacker will be limited to the access lists of
this user; for instance, a vulnerable CGI script on a webserver would
be able to access the /tmp directory as the "apache" user, but be
unable to read /etc/shadow for instance, or to write an extra user
into /etc/passwd or modify system binaries in /sbin.
为了避免“使用 ansible 的 sudo 用户不接受密码”中描述的情况:
fatal: [testserver]: FAILED! => {"failed": true, "msg": "Incorrect su password"}
您可以尝试使用 sudo,假设您有 given test user sudo rights:
# Debian systems (Ubuntu / Linux Mint / ElementryOS), add users to the sudo group
sudo usermod -aG sudo username
# On RHEL based systems (Fedora / CentOS), add users to the wheel group
sudo usermod -aG wheel username
然后:
become_user: test
become_method: sudo
发布于:
ansible-playbook -i inventory simple_playbook.yml --ask-become-pass
并输入root密码
我正在尝试使用 ansible 实现以下目标
- 创建一个没有密码的用户
adduser test <-- ok and works on linux machine and works with ansible
- 更改为用户测试
su test <-- works on linux machine, but fails with ansible. I get incorrect password message
- 作为测试用户将文件从location1复制到location2并更改文件内容。
cp loc1/testfile.txt loc2/testfile.txt && echo "hello" > testfile.txt
--- - name: This is a hello-world example hosts: all tasks: - name: create a passwordless test user action: user name=test state=present become: yes become_user: root - name: Create a file called '/tmp/testfile.txt' with the content 'hello' using test user. copy: content: hello dest: /tmp/testfile.txt owner: test group: test become_user: test
主要条件:
在执行的那一刻,文件 testfile.txt 已经在 linux 机器上创建,并且有一个组 root 和用户 root。我想覆盖文件并分配不同的用户和组。
我试过各种组合,包括
copy: content: hello dest: /tmp/testfile.txt owner: test group: test become: yes become_user: test
copy: content: hello dest: /tmp/testfile.txt owner: test group: test become: yes become_user: test become_method: su
copy: content: hello dest: /tmp/testfile.txt owner: test group: test become: yes
copy: content: hello dest: /tmp/testfile.txt owner: test group: test become_user: test become_method: su
总是收到有关密码不正确的消息。尴尬的是test用户没有密码
我做错了什么?
更新:
试过这个
How to achieve sudo su - <user> and run all command in ansible <-- 无效
找到答案 - 不可能
https://devops.stackexchange.com/questions/3588/how-do-you-simulate-sudo-su-user-in-ansible
有什么意义?
引用自 Quora(来源:https://www.quora.com/What-is-advantage-of-creating-passwordless-user-in-Linux)
I presume you mean processes such as a webserver, running as the "apache" user with a locked password (shadow entry of '!!').
This is for security, in case a vulnerability is discovered in the server code. Prior to the year 2000 or so, it was common for servers to run as the root user, particularly as this privilege is required to open network sockets on privileged ports (below 1024), such as 53 (DNS) or 80 (HTTP). As I recall, high-profile breaches of the bind and sendmail servers caused developers to re-think this strategy. Since then, services are started with root privilege, the socket opened, and then privilege is dropped to a non-privileged user ID such as "apache" or "named". This needs no password, since it is never intended that anyone login. Rather, a process running as root executes a setuid() system call to change effective user ID to this user. In the event of a security breach, an attacker will be limited to the access lists of this user; for instance, a vulnerable CGI script on a webserver would be able to access the /tmp directory as the "apache" user, but be unable to read /etc/shadow for instance, or to write an extra user into /etc/passwd or modify system binaries in /sbin.
为了避免“使用 ansible 的 sudo 用户不接受密码”中描述的情况:
fatal: [testserver]: FAILED! => {"failed": true, "msg": "Incorrect su password"}
您可以尝试使用 sudo,假设您有 given test user sudo rights:
# Debian systems (Ubuntu / Linux Mint / ElementryOS), add users to the sudo group
sudo usermod -aG sudo username
# On RHEL based systems (Fedora / CentOS), add users to the wheel group
sudo usermod -aG wheel username
然后:
become_user: test
become_method: sudo
发布于:
ansible-playbook -i inventory simple_playbook.yml --ask-become-pass
并输入root密码