remote_user and become_user are different; after ssh, become_user should work.

I’m confused with the use of become_user.
With config given in OP:

  • the work that ansible will do is put into a python script on the remote machine, something like: /tmp/ansible…/setup.py
  • that directory and file are created as the user “remote_user” (only they and root have access).
  • then we’re given the option to do “become_user” (e.g. postgres) to perform said tasks (…setup.py)
  • BUT postgres doesn’t have permissions to that file

So if the become_user can’t ever access the setup.py, when would become_user be useful?

ERROR :: “msg”: “Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user (rc: 1, err: chown: /tmp/ansible-tmp-1530091102.27-83986154285412/: Operation not permitted.\nchown: /tmp/ansible-tmp-1530091102.27-83986154285412/setup.py: Operation not permitted.\n}). For information on working around this, see https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user

It's documented here:
https://docs.ansible.com/ansible/latest/user_guide/become.html#becoming-an-unprivileged-user

Ways to resolve this include:

  • Use pipelining. When pipelining is enabled, Ansible doesn’t save the module to a temporary file on the client. Instead it pipes the module to the remote python interpreter’s stdin. Pipelining does not work for python modules involving file transfer (for example: copy, fetch, template), or for non-python modules.
  • (Available in Ansible 2.1) Install POSIX.1e filesystem acl support on the managed host. If the temporary directory on the remote host is mounted with POSIX acls enabled and the setfacl tool is in the remote PATH then Ansible will use POSIX acls to share the module file with the second unprivileged user instead of having to make the file readable by everyone.
  • Don’t perform an action on the remote machine by becoming an unprivileged user. Temporary files are protected by UNIX file permissions when you become root or do not use become. In Ansible 2.1 and above, UNIX file permissions are also secure if you make the connection to the managed machine as root and then use become to an unprivileged account.
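The first and third of those options, written out as an ansible.cfg, as an added example that is not from this thread or from the Ansible documentation. The remote_tmp path and the choice of root as the default become_user are illustrative assumptions; the comments explain why each setting matters for the temp-file permission error above.

```ini
# ansible.cfg -- added example, not from the thread. Values are illustrative.

[defaults]
# Where Ansible stages module files on the managed host when it cannot pipeline.
# The directory is created mode 0700 as remote_user, which is why an
# unprivileged become_user (e.g. postgres) cannot read it without pipelining
# or POSIX ACLs.
remote_tmp = ~/.ansible/tmp

# Do NOT enable this as a workaround: it makes the staged module (which can
# embed task arguments, including secrets) readable by every local account.
# allow_world_readable_tmpfiles = True

[ssh_connection]
# Send the module over the SSH session's stdin instead of writing it to
# remote_tmp, so there is no file for become_user to be denied access to.
# Requires that sudo on the managed host does not enforce "requiretty".
# Modules that transfer files (copy, fetch, template) and non-Python modules
# still fall back to remote_tmp.
pipelining = True

[privilege_escalation]
become = True
become_method = sudo
# Prefer becoming root (temp files stay protected by plain UNIX permissions)
# and drop to an unprivileged account only in the tasks that need it.
become_user = root
```

A task that genuinely has to run as postgres can then set `become_user: postgres` on that task alone. With pipelining on, only file-transfer modules in such tasks still hit the permission problem, and for those the POSIX ACL route (setfacl present in the remote PATH) is the remaining fix.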

Pipelining did not work.

I don’t have any idea about POSIX acl support. Could you please elaborate how to install it on an AIX box?

FYI

My Case:

remote_user: xxxxxxx is able to ssh; after that, become_user should have privileges to run the ansible-tmp module.

But the ansible-tmp file is created in the /tmp folder mentioned in the ansible.cfg file, by remote_user: xxxxx, with only read permission.

Error :: “msg”: “Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user (rc: 1, err: chown: /tmp/ansible-tmp-1530091102.27-83986154285412/: Operation not permitted.\nchown: /tmp/ansible-tmp-1530091102.27-83986154285412/setup.py: Operation not permitted.\n}). For information on working around this, see https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user