git checkout to new branch and change back to local user

Hello All,

Please help to find answers for two questions.

I am trying to clone a remote git repo which I am able to do with git module but does anyone know how I can achieve to do

git checkout -b new branch <username_>

git-crypt unlock

using git module or any other means. ( I can use “command” ) but any other better way?

  1. I know how to make ansible to ssh to remote

become_method = sudo
become_user = name
create a file
set owner = name

but how to achieve, once the owner is set on a remote host

return back to local (control) host,

become a local user,
create a file.
set owner.

Thanks,

I can help to address #2 at least for now.

Ansible does not allow you to chain “Become” statements. In other words you cannot log in as user1, become root, and then become user2 (or even user1) in the same play. You could address this in a few different ways that I know of:

  • split the play into multiple plays within a playbook where you can set the become for each different play:


> I can help to address #2 at least for now.
>
> Ansible does not allow you to chain “Become” statements.

This is true; you cannot use two types or levels of privilege escalation at once.

> In other words you cannot log in as user1, become root, and then become user2 (or even user1) in the same play.

This is untrue. The privilege escalation settings for each task in a play are independent.

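```yaml
- hosts: localhost
  become: true                # play-level default: escalate (to root)
  tasks:
    - command: whoami         # runs as root
    - command: whoami         # runs as the user "email"
      become_user: email
    - command: whoami         # runs as the connecting user, no escalation
      become: false
```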

```
TASK [command] *****************************************************************
changed: [localhost] => {"attempts": 1, "changed": true, "cmd": ["whoami"], "delta": "0:00:00.002095", "end": "2018-03-13 12:38:30.764121", "rc": 0, "start": "2018-03-13 12:38:30.762026", "stderr": "", "stderr_lines": [], "stdout": "root", "stdout_lines": ["root"]}

TASK [command] *****************************************************************
changed: [localhost] => {"attempts": 1, "changed": true, "cmd": ["whoami"], "delta": "0:00:00.001929", "end": "2018-03-13 12:38:30.889973", "rc": 0, "start": "2018-03-13 12:38:30.888044", "stderr": "", "stderr_lines": [], "stdout": "email", "stdout_lines": ["email"]}

TASK [command] *****************************************************************
changed: [localhost] => {"attempts": 1, "changed": true, "cmd": ["whoami"], "delta": "0:00:00.002009", "end": "2018-03-13 12:38:31.004561", "rc": 0, "start": "2018-03-13 12:38:31.002552", "stderr": "", "stderr_lines": [], "stdout": "ec2-user", "stdout_lines": ["ec2-user"]}
```

On Tuesday, March 13, 2018 at 7:35:27 AM UTC-7, Patrick Hunt wrote:

Hi Patrick,

I can help to address #2 at least for now.

Ansible does not allow you to chain “Become” statements. In other words you cannot log in as user1, become root, and then become user2 (or even user1) in the same play. You could address this in a few different ways that I know of:

  • split the play into multiple plays within a playbook where you can set the become for each different play:

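```yaml
# Three plays in one playbook, each with its own become settings
- hosts: localhost
  become: true
  become_user: root
  become_method: su
  tasks:
    - name: some play performed as root
      command: whoami  # placeholder action; replace with the real task

- hosts: localhost
  become: true
  become_user: user2
  become_method: su
  tasks:
    - name: some other play performed as user2
      command: whoami  # placeholder action; replace with the real task

- hosts: localhost
  become: false
  tasks:
    - name: some other play performed as user1
      command: whoami  # placeholder action; replace with the real task
```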

  • you could also use a command module workaround (at least with a Nix system) such as:

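```yaml
# One play as root; the second task switches user inside the command itself
- hosts: localhost
  become: true
  become_user: root
  become_method: su
  tasks:
    - name: some task as root
      command: whoami  # placeholder action; replace with the real task

    - name: some task as user2
      command: su - user2 -c "/home/user2/somecommand.sh"
```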

Hi Patrick,

My follow-up question is… why? In your example you could just create the file as root, set the owner, group, and mode to reflect the user you want it to be.

Thank you very much for suggesting the above method and sharing your knowledge.
This playbook will be used by other users in my team on their laptop. Hence creating a file and performing a few tasks as the local user.

Thanks,
Balaji Chavdi

Good catch. You’re correct, it is possible, I was mistaken. Practically, is it possible to be able to provide multiple sets of credentials for your example? I’ve always done a workaround, such as I listed in the other comment, since I can pass my current logon (-k) username/password, and can pass 1 set of become credentials (-K), but not a 2nd or 3rd set of become credentials.

Well, one of the advantages of sudo as a privilege escalation method is that there aren’t separate sets of credentials for each escalation target, you just have to be permitted to run things as the users in question.

But, yes, it is possible to provide different credentials. It’s easiest to do this non-interactively using a Vault-encrypted variable or another secret lookup method, but there are various ways to make it interactive.

```yaml
- hosts: localhost
  become: true
  tasks:
    - command: whoami         # su to flowerysong with a per-task password
      become_method: su
      become_user: flowerysong
      vars:
        ansible_become_pass: "{{ user_passwords.flowerysong }}"
    - command: whoami         # play-level default: becomes root
```

```
TASK [command] *****************************************************************
changed: [localhost] => {"changed": true, "cmd": ["whoami"], "delta": "0:00:00.002181", "end": "2018-03-13 15:15:47.586117", "rc": 0, "start": "2018-03-13 15:15:47.583936", "stderr": "", "stderr_lines": [], "stdout": "flowerysong", "stdout_lines": ["flowerysong"]}

TASK [command] *****************************************************************
changed: [localhost] => {"changed": true, "cmd": ["whoami"], "delta": "0:00:00.002159", "end": "2018-03-13 15:15:47.717122", "rc": 0, "start": "2018-03-13 15:15:47.714963", "stderr": "", "stderr_lines": [], "stdout": "root", "stdout_lines": ["root"]}
```

Thanks Flowerysong…!
These answers helped me a lot…

Thanks all…!
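
An added example (not code from any poster in this thread) for question #2: because become settings are independent per task, one play can create a file on the remote host as a given owner and then create a file on the control host as the local user who launched the playbook. The inventory group `webservers`, the user `deploy` and the file paths are assumptions.

```yaml
# Added example; group "webservers", user "deploy" and all paths are assumptions.
- hosts: webservers
  become: false               # least privilege: no escalation unless a task asks for it
  tasks:
    - name: Create a file on the remote host owned by deploy
      file:
        path: /srv/app/marker
        state: touch
        owner: deploy
        group: deploy
        mode: "0640"
      become: true            # escalate to root for this task only
      become_method: sudo

    - name: Run a command on the remote host as deploy
      command: whoami
      become: true
      become_user: deploy
      register: remote_user
      changed_when: false     # read-only check, never reports a change

    - name: Create a file on the control host as the user running ansible-playbook
      file:
        # lookups are evaluated on the control host, so this is the local $HOME
        path: "{{ lookup('env', 'HOME') }}/marker"
        state: touch
        mode: "0600"
      delegate_to: localhost  # execute on the control host, not the remote
      become: false           # stay the local user; no sudo on the laptop
      run_once: true          # once per run, not once per remote host
```

With no `owner` set and no escalation, the local file is owned by whoever ran the playbook, so teammates need no sudo rights on their own laptops for that step.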