Hi,
Let me explain our environment first:
We have about 500 cPanel servers which are either OpenVZ VEs or physical servers. We are now using Puppet to manage and carry out any common system administration tasks on the servers. Direct SSH root login is disabled on all these servers.
Requirement: We need to setup ansible to replace puppet.
What I’ve done:
Since direct SSH root login is disabled, I've created a new user on the client server and set up key-based authentication from the Ansible master server. I also gave this user sudo privileges so that it has sufficient privileges to execute commands as the root user.
I tried a few Ansible ad hoc commands and they worked a few times, e.g.:
[ih_ansible_user@ansible /]$ ansible -m shell -a '/etc/init.d/exim status' test.cpanelserver.com
test.cpanelserver.com | SUCCESS | rc=0 >>
exim (pid 28919 22473 21885 19961 19960 18016 16832 10399 10059 6131 3856 3657 3501 3431 2083 2012) is running...
[ih_ansible_user@ansible /]$ ansible -m shell -a '/etc/init.d/mysql status' test.cpanelserver.com
test.cpanelserver.com | SUCCESS | rc=0 >>
SUCCESS! MySQL running (13701)
[ih_ansible_user@ansible /]$ ansible -m shell -a 'df -h' test.cpanelserver.com
test.cpanelserver.com | SUCCESS | rc=0 >>
Filesystem Size Used Avail Use% Mounted on
/dev/simfs 2.0T 1.3T 598G 69% /
But after a few tries, I get the error:
[ih_ansible_user@ansible /]$ ansible -m shell -a '/etc/init.d/httpd status' test.cpanelserver.com
test.cpanelserver.com | FAILED! => {
"changed": false,
"failed": true,
"module_stderr": "Shared connection to test.cpanelserver.com closed.\r\n",
"module_stdout": "sudo: PERM_ROOT: setresuid(0, -1, -1): too many processes\r\n",
"msg": "MODULE FAILURE",
"rc": 1
}
I'm also getting a similar error when I execute the command on the client server as the Ansible user:
ih_ansible_user@test [/root]# sudo httpd status
sudo: PERM_ROOT: setresuid(0, -1, -1): too many processes
Upon searching, I could see that the number of processes for users other than root is restricted on cPanel servers. The suggested fix is to disable Shell Fork Bomb Protection, but that is not secure. I'm also unable to increase the limit.
Currently I'm stuck at this point. Please let me know if this is the correct approach, i.e. adding a new user for Ansible, etc.
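The following diagnostic is an added example, not code from the post above or from cPanel or Ansible. It measures the two numbers behind a "setresuid(0, -1, -1): too many processes" failure on the managed host: the soft nproc limit the automation account runs under (what `ulimit -u` prints in its shell, which is where Shell Fork Bomb Protection applies it) and how many tasks the target uid, normally root, already owns. It assumes Linux with /proc mounted and reads ownership and thread counts from /proc/<pid>/status so it works without root; the comparison it performs (caller's soft RLIMIT_NPROC against the target uid's task count) is the assumption it makes about where the kernel refuses the uid switch. Run it as the automation user before the first sudo to confirm whether the limit, rather than sudo or Ansible, is the cause.

```python
"""Measure the nproc headroom behind
"sudo: PERM_ROOT: setresuid(0, -1, -1): too many processes".

Added diagnostic (not from the post). Assumptions, labelled:
- Linux with /proc mounted; ownership and thread counts are read from
  /proc/<pid>/status, which an unprivileged account can read.
- The limit that matters is the soft RLIMIT_NPROC of the calling user
  (what `ulimit -u` prints in that user's shell); the uid switch is
  assumed to be refused when the target uid already owns at least that
  many tasks.
"""
import os
import re
import resource

_UID_RE = re.compile(r"^Uid:\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)", re.M)
_THREADS_RE = re.compile(r"^Threads:\s+(\d+)", re.M)


def real_uid_from_status(status_text):
    """Real UID from a /proc/<pid>/status body (first Uid: field), or None."""
    m = _UID_RE.search(status_text)
    return int(m.group(1)) if m else None


def threads_from_status(status_text):
    """Thread count from a /proc/<pid>/status body; threads count toward
    RLIMIT_NPROC just like processes, so they must not be ignored."""
    m = _THREADS_RE.search(status_text)
    return int(m.group(1)) if m else 1


def count_tasks_owned_by(uid, proc_root="/proc"):
    """Number of tasks (processes plus their threads) whose real UID is `uid`."""
    total = 0
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return 0  # no procfs here: report nothing rather than guess
    for entry in entries:
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                text = fh.read()
        except OSError:
            continue  # the task exited between listdir() and open()
        if real_uid_from_status(text) == uid:
            total += threads_from_status(text)
    return total


def nproc_soft_limit():
    """Soft RLIMIT_NPROC of this process; None when unlimited."""
    soft, _hard = resource.getrlimit(resource.RLIMIT_NPROC)
    return None if soft == resource.RLIM_INFINITY else soft


def switch_at_risk(caller_limit, target_tasks):
    """True when, under the assumption above, a switch to the target uid
    would be refused: it already owns at least `caller_limit` tasks."""
    return caller_limit is not None and target_tasks >= caller_limit


def report(target_uid=0, proc_root="/proc"):
    """Gather the numbers an admin needs before blaming sudo or Ansible."""
    limit = nproc_soft_limit()
    owned = count_tasks_owned_by(target_uid, proc_root)
    return {
        "caller_soft_nproc": limit,
        "target_uid": target_uid,
        "target_tasks": owned,
        "at_risk": switch_at_risk(limit, owned),
    }


if __name__ == "__main__":
    # Run as the automation account (e.g. ih_ansible_user) on the managed
    # host; at_risk True means the per-user nproc limit explains the error.
    for key, value in report().items():
        print(f"{key}: {value}")
```

Because the limit is applied to the calling user's shell, running this through Ansible's own transport gives the same answer as running it from an interactive login as that user, which is the comparison the post makes between the ad hoc command and `sudo httpd status`.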