synchronize module doesn't work with ansible sudo user #4676
Comments
|
cc @tima |
|
Without some debugging output I'm shooting in the dark here. I'm guessing that I'm not taking in to account if Ansible is in sudo mode to use a different username that the usual. That's a guess though. @eggsby can you run your test with -vvv and post it? |
|
@eggsby I think you have described the behavior for the copy module. Example: If I run that task as "jtanner", src evals to /home/jtanner/1 and dest evals to /home/bob/foofile1 @tima fyi |
|
@jctanner ah, that's a different problem entirely. However, the rsync module still doesn't work with sudo: changing to use an absolute path shows the following as the cmd:
I don't know of a good way to get around this, seems like a pretty deep issue with the way rsync works. I would love to see any progress on this end, but currently the module works for many use cases as is. Maybe there should just be a caveat that it currently doesn't work with sudo? Thanks for any help, |
|
Suggested workaround from irc is to append a --rsync-path option to the rsync command if the task is sudo'ed. This will require "Defaults !requiretty" to be set on the remote machine or the following error will occur ... If !requiretty is set, the command should work as expected ... We also have to check that the rsync binary on the originating host supports --rsync-path, which is not a concern for el5 or higher. |
|
@jctanner Is there something that can be done that doesn't require a work around? If I'm following your example, if contacting a remote server, don't run rsync with sudo (cancel it) and instead prepend the remote rsync path with sudo and the user name. Would there be a case where a user would want the initial rsync execution to be run via sudo? It's sort of fuzzy now, but I seem to recall others concluding were to apply sudo was too ambiguous to automatically. I'm not sure though. |
|
@tima my last comment was just recording what was discussed in irc and how it -could- be done with straight rsync. I'm still digging through the code to see if there's a safe way to implement it. |
|
We could probably just see if sudo was set and temporarily set ansible_ssh_user to the sudo user. (Should also include some debug in the output in case this is confusing and mention in docs) |
|
rsync has a lot of options, another possibility would be to use a sudo command to start an rsync daemon on the remote end and sync over rsync:// instead of ssh. Switching the ansible_ssh_user would work for some cases. In some use cases the sudo_user would be locked down from ssh access. I think anything is fine, so long as it is documented. :) |
|
In testing this, I noticed that no matter how we alter the code, it's very likely that the rsync command will need input for the remote password and will hang indefinitely. I added 0adf095 to handle this better by setting a configurable timeout (default = 10s) to the rsync command. |
…estination paths within the synchronize module.
|
5c34ed0 adds some notes to the module docs to clarify what happens when sudo==True. This is the best we can do for now on resolving this issue because there are too many consequences from overriding the destination |
|
Thanks for working this out @jctanner. |
|
Thanks @jctanner It might also be worth noting that you can use the |
There have been a number of issues trying to run 'synchronize' module as a privileged user, such as these examples: ansible/ansible#4676 ansible/ansible#13034 Even with ansible 2.0.2.0 this doesn't seem to work unless the user running on target node has NOPASSWD in sudoers. Avoid this mess by syncing the repo without privileges then letting 'file' module fix up the repo ownership afterwards.
This ensures that `sudo` with `rsync` is allowed for the `bootstrap__sudo_group` even when `requiretty`` has been configured to be the default for users. I use [a role to configure sudo](https://github.com/ypid/ansible-sudo) on my systems and set `!requiretty` as default. Form the manpage: > If set, sudo will only run when the user is logged in to a real tty. When this > flag is set, sudo can only be run from a login session and not via other means > such as cron(8) or cgi-bin scripts. This flag is off by default. So this patch is only required when the admin has changed the default from `!requiretty` to `requiretty` and wants to use `sudo` with `rsync` as a user in the `bootstrap__sudo_group`. Related to: ansible/ansible#4676 (comment)
This ensures that `sudo` with `rsync` is allowed for the `bootstrap__sudo_group` even when `requiretty`` has been configured to be the default for users. I use [a role to configure sudo](https://github.com/ypid/ansible-sudo) on my systems and set `!requiretty` as default. Form the manpage: > If set, sudo will only run when the user is logged in to a real tty. When this > flag is set, sudo can only be run from a login session and not via other means > such as cron(8) or cgi-bin scripts. This flag is off by default. So this patch is only required when the admin has changed the default from `!requiretty` to `requiretty` and wants to use `sudo` with `rsync` as a user in the `bootstrap__sudo_group`. Related to: ansible/ansible#4676 (comment)
|
Files synced by sudo user in non-archive mode can have correct owner at least:
The primary group of remote sudo user seems to be not exposed into the playbook. Setting its default group can be safe enough:
Required dependency for these options is rsync>=3.1.0. |
When you use the new synchronize module with a sudo user it syncs to the ssh user instead of the sudo user.
Instead of syncing to /home/sudo_user/bar it syncs to /home/ssh_user/bar
The text was updated successfully, but these errors were encountered: