I previously wrapped up a short Ansible series, and this article takes up a little more of that space. On the production network, security-hardened hosts do not allow direct root login, yet many commands must be run as root, and rebuilding the production environment is not an option. The goal is to log in first as a regular user and then switch to root with su to run the command. The regular-user and root passwords also differ on every host. We want Ansible to run without prompting interactively for any password and simply return the output.
1. Ansible hosts configuration file
In the earlier articles of this series we mentioned that passwords can be written into the hosts configuration file. Checking the official documentation shows that, in addition to the ansible_ssh_user and ansible_ssh_pass variables, Ansible also provides an ansible_su_pass variable for the su switch, through which the root password can be written directly into the configuration file. Specifically:
[root@361way.com ~]# cat /etc/ansible/hosts
[TEST01]
10.212.52.14 ansible_ssh_user=test ansible_ssh_pass=111111 ansible_su_pass=*i2145
10.212.52.16 ansible_ssh_user=test ansible_ssh_pass=xyz123 ansible_su_pass=mn1pokm
10.212.52.252 ansible_ssh_user=amos ansible_ssh_pass=asdf ansible_su_pass=xyzp)okm
Note: The Ansible version I tested was 1.9. In the newer 2.0 release the variable ansible_become_pass replaces the earlier ansible_sudo_pass and ansible_su_pass; refer to the official documentation for details.
2. Ansible command-line parameters
Running ansible -h shows the following entries:
-S, --su                run operations with su (deprecated, use become)
-R SU_USER, --su-user=SU_USER
                        run operations with su as this user (default=root)
                        (deprecated, use become)
3. Executing with an su switch
Combining the two points above, we run a simple test:
[root@361way.com ~]# ansible all -S -R root -m shell -a 'uptime'
10.212.52.252 | success | rc=0 >>
 16:13pm  up 5:40,  2 users,  load average: 0.08, 0.21, 0.30

10.212.52.16 | success | rc=0 >>
 16:26pm  up 538 days 23:17,  2 users,  load average: 0.00, 0.01, 0.05

10.212.52.14 | success | rc=0 >>
 16:24pm  up 538 days 22:39,  2 users,  load average: 0.00, 0.01, 0.05
Note that the regular user's home directory must exist and the user must have write permission to it; otherwise an error like the following appears:
10.212.52.252 | FAILED => Authentication or permission failure. In some cases, you may have been able to authenticate and did not have permissions on the remote directory. Consider changing the remote temp path in ansible.cfg to a path rooted in "/tmp". Failed command was: mkdir -p $HOME/.ansible/tmp/ansible-tmp-1449456070.96-212322517029279 && echo $HOME/.ansible/tmp/ansible-tmp-1449456070.96-212322517029279, exited with result 1: mkdir: cannot create directory '/home/amos/.ansible': Permission denied
Of course, if the regular user has no home directory or lacks write permission to it, the fix can also be made without touching the remote host: modify the ansible.cfg configuration file on the Ansible control host as follows:
[root@361way.com ~]# vim /etc/ansible/ansible.cfg
Locate the following line:
remote_tmp = $HOME/.ansible/tmp
and change it to:
remote_tmp = /tmp/.ansible/tmp
The /tmp directory is generally writable by everyone, so the temporary directory is moved under /tmp.
Then we check the messages log on the remote host to confirm that the switch really went through the regular user:
Dec  3 11:36:20 linux su: (to root) test on /dev/pts/1    // the su switch from regular user test to root
Dec  3 11:36:20 linux ansible-command: Invoked with creates=None executable=None chdir=None args=uptime removes=None NO_LOG=None shell=True warn=True    // the command Ansible executed
The function is achieved. One last point: because the configuration file contains the usernames and passwords of more than one host, the file itself must be properly secured.
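As an added example (not code from the original post), the following Python script audits an INI-style inventory like the one above for plaintext credential variables and for a file mode that lets group or others read it. The sample inventory is constructed to mirror the page's layout with placeholder passwords, and the variable names are those the page mentions (the 1.9 names plus the 2.0 replacement ansible_become_pass).

```python
import os
import re
import tempfile

# Credential variables named on the page (1.9 names) plus the 2.0 replacement.
CRED_VARS = ("ansible_ssh_pass", "ansible_su_pass", "ansible_sudo_pass", "ansible_become_pass")
_CRED_RE = re.compile(r"\b(%s)=\S+" % "|".join(CRED_VARS))

def find_plaintext_creds(text):
    """Return [(host, variable)] for each host line carrying a plaintext credential."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line or line.startswith("["):     # skip group headers such as [TEST01]
            continue
        host = line.split()[0]
        findings.extend((host, m.group(1)) for m in _CRED_RE.finditer(line))
    return findings                              # values are deliberately not returned

def mode_too_open(path):
    """True if group or others hold any permission bit on the inventory file."""
    return bool(os.stat(path).st_mode & 0o077)

def audit_inventory(path):
    with open(path) as f:
        findings = find_plaintext_creds(f.read())
    return {"plaintext_creds": findings, "mode_too_open": mode_too_open(path)}

# Constructed sample mirroring the page's inventory layout; passwords are placeholders.
SAMPLE_INVENTORY = """\
[TEST01]
10.212.52.14 ansible_ssh_user=test ansible_ssh_pass=PLACEHOLDER1 ansible_su_pass=PLACEHOLDER2
10.212.52.16 ansible_ssh_user=test ansible_ssh_pass=PLACEHOLDER3 ansible_su_pass=PLACEHOLDER4
10.212.52.252 ansible_ssh_user=amos ansible_ssh_pass=PLACEHOLDER5 ansible_su_pass=PLACEHOLDER6
"""

def demo():
    """Write the sample world-readable, audit it, tighten to 0600, audit again."""
    fd, path = tempfile.mkstemp(suffix=".hosts")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(SAMPLE_INVENTORY)
        os.chmod(path, 0o644)
        before = audit_inventory(path)
        os.chmod(path, 0o600)
        after = audit_inventory(path)
    finally:
        os.unlink(path)
    return before, after
```

Each finding marks an entry that should live in ansible-vault or be supplied at run time rather than sit in a readable file, and the mode check catches the case where the file is correct but its permissions are not.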