Ansible Permissions Issue

前提是你 submitted on 2019-12-08 16:39:19

Question


I'm trying to add the current user to a group in the system, then execute a command that requires permission for that group. My playbook is like so:

- name: Add this user to RVM group
  sudo: true
  user: state=present name=vagrant append=yes groups=rvm group=rvm
- name: Install Ruby 1.9.3
  command: rvm install ruby-1.9.3-p448 creates=/usr/local/rvm/bin/ruby-1.9.3-p448

The problem is that all of this is happening in the same shell. vagrant's shell hasn't been updated with the new groups yet. Is there a clean way to refresh the user's current groups in Ansible? I figure I need to get it to re-connect or open a new shell.

However I tried opening a new shell and it simply hangs:

- name: Open a new shell for the new groups
  shell: bash

Of course it hangs: the process never exits!

Same thing with newgrp:

- name: Refresh the groups
  shell: newgrp

Because it basically does the same thing.

Any ideas?


Answer 1:


Read the manual.

A solution here is to use the 'executable' parameter for either the 'command' or 'shell' modules.

So I tried using the command module like so:

- name: install ruby 1.9.3
  command: rvm install ruby-1.9.3-p448 executable=/bin/bash creates=/usr/local/rvm/bin/ruby-1.9.3-p448
  ignore_errors: true

But the playbook hung indefinitely. The manual states:

If you want to run a command through the shell (say you are using <, >, |, etc), you actually want the shell module instead. The command module is much more secure as it's not affected by the user's environment.

So I tried using the shell module:

- name: install ruby 1.9.3
  shell: rvm install ruby-1.9.3-p448 executable=/bin/bash creates=/usr/local/rvm/bin/ruby-1.9.3-p448
  ignore_errors: true

And it works!




Answer 2:


As others already stated, this is because of an active ssh connection to the remote host. The user needs to log out and log in again to activate the new group.

A separate shell action might be a solution for a single task. But if you want to run multiple other tasks and don't want to be forced to write all commands yourself and use the Ansible modules instead, kill the ssh connection.

- name: Killing all ssh connections of current user
  delegate_to: localhost
  shell: ssh {{ inventory_hostname }} "sudo ps -ef | grep sshd | grep `whoami` | awk '{print \"sudo kill -9\", \$2}' | sh"
  failed_when: false

Instead of using Ansible's open ssh connection, we start our own through a shell action. Then we kill all open ssh connections of the current user. This will force Ansible to re-login at the next task.




Answer 3:


I have seen this problem in Capistrano and Chef. It happens because you already have a session for the user which does not have the group yet; you would need to close the session and open a new session to get the user to see the group that was added.




Answer 4:


I am on RHEL 7.0 using Ansible 1.8 and the accepted answer did not work for me. The only way I could force Ansible to load the newly added rvm group was to use sg.

- name: add user to rvm group
  user: name=ec2-user groups=rvm append=yes
  sudo: yes

- name: install ruby
  command: sg rvm -c "/usr/local/rvm/bin/rvm install ruby-2.0.0"
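
An added example, not part of the original thread or of any answer above: on Ansible 2.3 and later, `meta: reset_connection` drops the persistent SSH connection so the next task logs in again and picks up the new group, without killing sshd processes or wrapping each command in `sg`. The play layout and the `target_group` variable are assumptions; the group name and the rvm command are taken from the question.

```yaml
# Added example. Assumes Ansible >= 2.3 (meta: reset_connection) and that
# the rvm group already exists on the host.
- hosts: all
  vars:
    target_group: rvm            # hypothetical variable; value from the question
  tasks:
    - name: Add the connecting user to the group
      become: true
      user:
        name: "{{ ansible_user_id }}"   # fact gathered as the login user
        groups: "{{ target_group }}"
        append: true

    # Group membership is fixed at login. The persistent (ControlPersist)
    # SSH session keeps the old group list until it is closed.
    - name: Close the persistent SSH connection
      meta: reset_connection

    - name: Read the groups of the new session
      command: id -nG
      register: session_groups
      changed_when: false

    # Fail early with a clear message instead of a permission error
    # halfway through the install.
    - name: Stop if the group is still not active
      assert:
        that:
          - target_group in session_groups.stdout.split()
        msg: "{{ target_group }} is not active in this session"

    - name: Install Ruby 1.9.3
      shell: rvm install ruby-1.9.3-p448
      args:
        executable: /bin/bash
        creates: /usr/local/rvm/bin/ruby-1.9.3-p448
```

Unlike `kill -9` on every sshd process owned by the user, this closes only Ansible's own connection and leaves other sessions on the host untouched.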


Source: https://stackoverflow.com/questions/19867298/ansible-permissions-issue
