Linux Ansible 将以什么用户身份运行我的命令?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/21670747/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
What user will Ansible run my commands as?
提问by Michael
Background
背景
My question seems simple, but it gets more complex really fast.
我的问题看起来很简单,但它很快就会变得更加复杂。
Basically, I got really tired of maintaining my servers manually (screams in background)and I decided it was time to find a way to make being a server admin much more liveable. That's when I found Ansible. Great huh? Sure beats making bash scripts (louder scream)for everything I wanted to automate.
基本上,我真的厌倦了手动维护我的服务器(在后台尖叫),我决定是时候找到一种方法让服务器管理员变得更生活了。那时我发现了 Ansible。很棒吧?当然比为我想要自动化的所有内容制作 bash 脚本(更响亮的尖叫声)更胜一筹。
What's the problem?
有什么问题?
I'm having a lot of trouble figuring out what user my Ansible playbook will run certain things as. I also need the ability to specify what user certain tasks will run as. Here are some specific use cases:
我很难弄清楚我的 Ansible playbook 将以什么用户身份运行某些事情。我还需要能够指定某些任务将以何种用户身份运行。以下是一些具体的用例:
Cloning a repo as another user:
以另一个用户的身份克隆一个 repo:
My purpose with this is it run my node.js webapp from another user, who we'll call bill(that can only use sudo to run a script that I made that starts the node server, as opposed to root or my user that can use sudo for all commands). To do this, I need the ability to have Ansible's git module clone my git repo as bill. How would I do that?
我这样做的目的是从另一个用户运行我的 node.js webapp,我们称之为bill(只能使用 sudo 运行我制作的启动节点服务器的脚本,而不是 root 或我的用户可以对所有命令使用 sudo)。为此,我需要能够让 Ansible 的 git 模块将我的 git repo 克隆为bill。我该怎么做?
Knowing how Ansible will gain root:
了解 Ansible 如何获得根:
As far as I understand, you can set what user Ansible will connect to the server you're maintaining by defining 'user' and the beginning of the playbook file. Here's what I don't understand: if I tell it to connect via my username, joe, and ask it to update a package via the apt module, how will it gain root? Sudo usually prompts me for my password, and I'd prefer keeping it that way (for security).
据我了解,您可以通过定义“用户”和剧本文件的开头来设置 Ansible 将连接到您维护的服务器的用户。这是我不明白的:如果我告诉它通过我的用户名joe进行连接,并要求它通过 apt 模块更新包,它将如何获得 root 权限?Sudo 通常会提示我输入密码,我更愿意保持这种方式(为了安全起见)。
Final request
最终请求
I've scoured the Ansible docs, done some (what I thought was thorough) Googling, and generally just tried to figure it out on my own, but this information continues to elude me.
我已经搜索了 Ansible 文档,做了一些(我认为是彻底的)谷歌搜索,并且通常只是试图自己弄清楚,但这些信息仍然让我望而却步。
I am very new to Ansible, and while it's mostly straight-forwards, I would benefit greatly if I could understand exactly how Ansible runs, on which users it runs, and how/where I can specify what user to use at different times.
我对 Ansible 非常陌生,虽然它大多是直截了当的,但如果我能准确了解 Ansible 的运行方式、它在哪些用户上运行,以及我如何/在哪里可以指定在不同时间使用哪个用户,我将受益匪浅。
Thank you tons in advance
提前谢谢你
采纳答案by mHymanson
You may find it useful to read the Hosts and Users section on Ansible's documentation site:
您可能会发现阅读 Ansible 文档站点上的主机和用户部分很有用:
http://docs.ansible.com/playbooks_intro.html#hosts-and-users
http://docs.ansible.com/playbooks_intro.html#hosts-and-users
In summary, ansible will run all commands in a playbook as the user specified in the remote_uservariable (assuming you're using ansible >= 1.4, userbefore that). You can specify this variable on a per-task basis as well, in case a task needs to run as a certain user.
总之,ansible 将按照用户在remote_user变量中指定的身份运行剧本中的所有命令(假设您在此之前使用 ansible >= 1.4 user)。您也可以在每个任务的基础上指定此变量,以防任务需要以特定用户身份运行。
Use sudo: truein any playbook/task to use sudoto run it. Use the sudo_uservariable to specify a user to sudo to if you don't want to use root.
使用sudo: true任何剧本/任务使用sudo来运行它。使用sudo_user变量来指定用户sudo来,如果你不想使用root。
In practice, I've found it easiest to run my playbook as a deployuser that has sudo privileges. I set up my SSH keys so I can SSH into any host as deploywithout using a password. This means that I can run my playbook without using a password and even use sudoif I need to.
在实践中,我发现以deploy具有 sudo 权限的用户身份运行我的剧本最容易。我设置了我的 SSH 密钥,这样我就可以在deploy不使用密码的情况下通过SSH 连接到任何主机。这意味着我可以在不使用密码的情况下运行我的剧本,甚至可以sudo在需要时使用。
I use this same user to do things like cloning git repos and starting/stopping services. If a service needs to run as a lower-privileged user, I let the init script take care of that. A quick Google search for a node.js init.d script revealed this one for CentOS:
我使用同一个用户来做一些事情,比如克隆 git repos 和启动/停止服务。如果服务需要以较低权限的用户身份运行,我会让 init 脚本来处理。在 Google 上快速搜索 node.js init.d 脚本后发现了 CentOS 脚本:
https://gist.github.com/nariyu/1211413
https://gist.github.com/nariyu/1211413
Doing things this way helps to keep it simple, which I like.
以这种方式做事有助于保持简单,这是我喜欢的。
Hope that helps.
希望有帮助。
回答by Jimmy Kane
My 2 cents:
我的 2 美分:
- Ansible uses your local user (eg Mike) to ssh to the remote machine. (That required Mike to be able to ssh to the machine)
- From there it can change to a remote user if needed
- It can also sudo if needed and if Mike is allowed. If no user is specified then root will be selected via your
~/.ansible.cfgon your local machine. - If you supply a remote_user with the sudo param then like no.3 it will not use root but that user.
- Ansible 使用您的本地用户(例如 Mike)通过 ssh 连接到远程机器。(这要求 Mike 能够通过 ssh 连接到机器)
- 如果需要,它可以从那里更改为远程用户
- 如果需要并且允许 Mike,它也可以 sudo。如果未指定用户,则将通过您
~/.ansible.cfg在本地计算机上选择 root 。 - 如果您为 remote_user 提供 sudo 参数,那么像 no.3 一样,它不会使用 root 而是使用该用户。
You can specify different situations and different users or sudo via the playbooks.
您可以通过playbooks指定不同的情况和不同的用户或 sudo 。
Playbook's define which roles will be run into each machine that belongs to the inventory selected.
Playbook 定义了哪些角色将运行到属于所选库存的每台机器中。
I suggest you read Ansible best practicesfor some explanation on how to setup your infrastructure.
我建议您阅读Ansible 最佳实践以了解有关如何设置基础架构的一些说明。
Oh and btw since you are not referring to a specific module that ansible uses and your question is not related to python, then I don't find any use your question having the python tag.
哦,顺便说一句,因为您不是指 ansible 使用的特定模块,并且您的问题与 python 无关,那么我没有发现您的问题带有 python 标签。
回答by Michael
Just a note that Ansible>=1.9 uses privilege escalation commands so you can execute tasks and create resources as that secondary user if need be:
请注意,Ansible>=1.9 使用权限提升命令,因此您可以在需要时以该辅助用户身份执行任务和创建资源:
- name: Install software
shell: "curl -s get.dangerous_software.install | sudo bash"
become_user: root
http://docs.ansible.com/ansible/become.html#become-privilege-escalation
http://docs.ansible.com/ansible/become.html#become-privilege-escalation
