用于sudo_user的Ansible和ForwardAgent

Question

有人能说我,我做错了什么？我正在使用Amazon EC2实例,并希望将代理转发到用户rails,但是当我运行下一个任务时:

- acl: name={{ item }} etype=user entity=rails permissions=rwx state=present
  with_items:
    - "{{ ansible_env.SSH_AUTH_SOCK|dirname }}"
    - "{{ ansible_env.SSH_AUTH_SOCK }}"
  sudo: true

我看到失败的结果:

(item=/tmp/ssh-ULvzaZpq2U) => {"failed": true, "item": "/tmp/ssh-ULvzaZpq2U"}
msg: path not found or not accessible!

当我尝试手动,没有ansible时,它看起来很好:

setfacl -m rails:rwx "$SSH_AUTH_SOCK"
setfacl -m rails:x $(dirname "$SSH_AUTH_SOCK")
sudo -u rails ssh -T git@github.com //Hi KELiON! You've successfully authenticated, but GitHub does not provide shell access.

我甚至尝试运行新实例并运行测试ansible playbook:

#!/usr/bin/env ansible-playbook
---
- hosts: all
  remote_user: ubuntu
  tasks:
    - user: name=rails
      sudo: true
    - name: Add ssh agent line to sudoers
      lineinfile:
        dest: /etc/sudoers
        state: present
        regexp: SSH_AUTH_SOCK
        line: Defaults env_keep += "SSH_AUTH_SOCK"
      sudo: true
    - acl: name={{ item }} etype=user entity=rails permissions=rwx state=present
      with_items:
        - "{{ ansible_env.SSH_AUTH_SOCK|dirname }}"
        - "{{ ansible_env.SSH_AUTH_SOCK }}"
      sudo: true
    - name: Test that git ssh connection is working.
      command: ssh -T git@github.com
      sudo: true
      sudo_user: rails

ansible.cfg是:

[ssh_connection]
pipelining=True
ssh_args=-o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s

[defaults]
sudo_flags=-HE
hostfile=staging

但结果相同.有任何想法吗？

Answer 1

我有同样的问题,并在https://github.com/ansible/ansible/issues/7235#issuecomment-45842303找到答案

我的解决方案与他有点不同,因为acl不适合我,所以我:

1. 更改了ansible.cfg:

    [defaults]
    sudo_flags=-HE
    [ssh_connection]
    # COMMENTED OUT: ssh_args = -o ForwardAgent=yes

2. 添加了包含以下内容的任务/ ssh_agent_hack.yml:

    - name: "(ssh-agent hack: grant access to {{ deploy_user }})"
      # SSH-agent socket is forwarded for the current user only (0700 file). Let's change it
      # See: https://github.com/ansible/ansible/issues/7235#issuecomment-45842303
      # See: http://serverfault.com/questions/107187/ssh-agent-forwarding-and-sudo-to-another-user
      become: false
      file: group={{deploy_user}} mode=g+rwx path={{item}}
      with_items:
      - "{{ ansible_env.SSH_AUTH_SOCK|dirname }}"
      - "{{ ansible_env.SSH_AUTH_SOCK }}"

注意 - become: false设置是因为我以root身份进行ssh - 如果你将ssh作为其他东西,那么你将需要成为root来进行修复,然后在下面成为你的deploy_user(如果不是你正在使用ssh的用户)如).

3. 然后从我的deploy.yml playbook中调用它:

    - hosts: apps
      gather_facts: True
      become: True
      become_user: "{{deploy_user}}"
      pre_tasks:
      - include: tasks/ssh_agent_hack.yml
        tags: [ 'deploy' ]
      roles:
      - { role: carlosbuenosvinos.ansistrano-deploy, tags: [ 'deploy' ] }

附注 - 向〜/ .ssh/config中的主机条目添加ForwardAgent是没有影响到什么工作(我尝试了所有8种组合: - 只设置sudo_flags而不是ssh_args有效但是如果设置转发或者无关紧要关于〜/ .ssh/config for opensssh - 在ubuntu trusty下测试)

另请注意:我在ansible.cfg中有pipelining = True