Ansible 2.1.0 using become/become_user fails to set permissions on temp file

Notice: this page is a Chinese/English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same license, cite the original address and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/36646880/

Date: 2020-09-19 11:56:52  Source: igfitidea

Ansible 2.1.0 using become/become_user fails to set permissions on temp file

Tags: git, vagrant, ansible, sudo, ansible-2.x

Asked by DeamonMV

I have ansible 2.1.0 on my server, where I do deployment via vagrant, and on my PC too. The role "deploy" has:

- name: upload code
  become: true
  become_user: www-data
  # The git module needs a repo= argument in key=value form; the repository
  # address itself is redacted in the original post and is left as-is here.
  git: repo=[email protected]:****.git
       dest=/var/www/main
       key_file=/var/www/.ssh/id_rsa
       accept_hostkey=true
       update=yes
       force=yes
  register: fresh_code
  notify: restart php-fpm
  tags: fresh_code

In this case with ansible 2.1.0 I get an error:

fatal: [default]: FAILED! => {"failed": true, "msg": "Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user. For information on working around this, see https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user"}

In ansible 2.0.1.0, which I use on my PC, all is normal - folder /var/www/ has folder main with owner and group www-data.

If I use only become_user: www-data, and if I use become_method: sudo with become_user: www-data - I get the same error.

What do I need to do to resolve this?

Accepted answer by SztupY

The problem is that www-data cannot access the files created by the default non-root ansible user you use to connect to the machine. Also, the error message clearly points to ansible's documentation, which describes what options you have to fix this issue when upgrading from ansible 2.0 or below.

They suggest three ways to properly fix the issue:

  • Use pipelining. When pipelining is enabled, Ansible doesn't save the module to a temporary file on the client. Instead it pipes the module to the remote python interpreter's stdin. Pipelining does not work for non-python modules.
  • Install filesystem acl support on the managed host. If the temporary directory on the remote host is mounted with filesystem acls enabled and the setfacl tool is in the remote PATH then Ansible will use filesystem acls to share the module file with the second, unprivileged user instead of having to make the file readable by everyone.
  • Don't perform an action on the remote machine by becoming an unprivileged user. Temporary files are protected by UNIX file permissions when you become root or do not use become. In Ansible 2.1 and above, UNIX file permissions are also secure if you make the connection to the managed machine as root and then use become to an unprivileged account.

Or, if you cannot do any of these fixes, you can force ansible to run in a somewhat more insecure way (which seemed to be the default in ansible 2 and below). This should also fix your problem, but would not fix the underlying security risk:

If you can't make any of the changes above to resolve the problem and you decide that the machine you're running on is secure enough for the modules you want to run there to be world readable, you can turn on allow_world_readable_tmpfiles in the ansible.cfg file. Setting allow_world_readable_tmpfiles will change this from an error into a warning and allow the task to run as it did prior to 2.1.

Answer by Justin Ludwig

On debian/ubuntu you can resolve this by first installing the acl package on the remote host, for example with this ansible task:

- name: install setfacl support
  become: yes
  apt: pkg=acl

Same thing with redhat/centos -- install the acl package on the remote host:

- name: install setfacl support
  become: yes
  yum: name=acl
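As an added example (not part of the question or of either answer), the following playbook puts the accepted answer's ACL option and Justin Ludwig's install tasks together: it installs the acl package with the distribution-neutral package module, checks that setfacl is actually on the remote PATH (the condition Ansible needs before it will use ACLs instead of world-readable temp files), and then runs the question's become_user: www-data git task. The repository address (git@example.invalid:project.git), the php-fpm service name in the handler and the host group are assumptions; the question redacts the real repository and does not show its handler.

```yaml
---
# Added example, not from the original question or answers.
# Hosts group, repository address and service name are assumptions.
- hosts: webservers
  become: true
  tasks:
    # Step 1: provide setfacl so Ansible >= 2.1 can grant www-data read
    # access to its temporary module file via a filesystem ACL instead of
    # chmod'ing it world-readable. The package module maps to apt on
    # Debian/Ubuntu and yum on RHEL/CentOS; the package is named acl on both.
    - name: install setfacl support
      package:
        name: acl
        state: present

    # Step 2: fail early, with a clear message, if setfacl is still missing
    # (e.g. a custom PATH for the connecting user), rather than at the git task.
    - name: verify that setfacl is on the remote PATH
      command: which setfacl
      changed_when: false

    # Step 3: the task from the question, run as the unprivileged www-data user.
    - name: upload code
      become: true
      become_user: www-data
      git:
        repo: "git@example.invalid:project.git"   # placeholder for the redacted repository
        dest: /var/www/main
        key_file: /var/www/.ssh/id_rsa
        accept_hostkey: true
        update: true
        force: true
      register: fresh_code
      notify: restart php-fpm
      tags: fresh_code

  handlers:
    - name: restart php-fpm
      service:
        name: php-fpm   # assumed; the unit is called e.g. php7.0-fpm on Ubuntu
        state: restarted
```

If installing acl is not an option, the accepted answer's first alternative is `pipelining = True` under `[ssh_connection]` in ansible.cfg, which avoids the temporary file entirely for python modules but requires `requiretty` to be disabled in the remote sudoers. `allow_world_readable_tmpfiles = True` under `[defaults]` only downgrades the error to a warning and leaves the module file, including any arguments passed to it, readable by every local user on the managed host, so treat it as a last resort rather than a fix.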