可视化: 创建具有 sudo 特权的用户

我已经接管了 Ubuntu 14.04服务器。它有一个名为“ loyer”(与 capistrano 一起使用)的用户，因此，它需要 sudo 特权。有了这个设置，我就可以登录到服务器并执行以下操作:

workstation> ssh deployer@myserver
myserver>  sudo apt-get install git
myserver> exit
workstation>

我正在尝试弄清楚如何使用 Anble (版本2.0.2.0和 python 2.7.3)来创建一个名为“部署器”的用户，并能够使用该 ID 登录到服务器，然后使用类似 sudo 的东西，如“ apt-get install”。我的剧本是这样的:

---
- hosts: example
become: yes
tasks:
- name: Update apt cache
apt:
update_cache: yes
cache_valid_time: 3600


- group: name=sudo state=present


- name: Add deployer user and add it to sudo
user: name=deployer
state=present
createhome=yes
become: yes
become_method: "sudo"


- name: Set up authorized keys for the deployer user
authorized_key: user=deployer key="{{item}}"
with_file:
- /home/jaygodse/.ssh/id_rsa.pub

在运行这个剧本之后，我就可以以“部署者”的身份 ssh 进入机器(例如 ssh 部署者@myserver) ，但是如果我运行一个 sudo 命令，它总是会询问我的 sudo 密码。

我理解“部署者”用户最终必须找到进入 visudo 用户文件的方法，但是我不知道调用哪个神奇的 Anble 咒语，以便我能够以部署者的身份 ssh 进入机器，然后运行 sudo 命令(例如 sudo apt-get install git)而不需要提示输入 sudo 密码。

我到处搜索，似乎找不到一个不需要密码就可以将用户“部署者”放入 sudo 组的 Anble 剧本片段。这是怎么做到的？

150043

- name: Make sure we have a 'wheel' group group: name: wheel state: present - name: Allow 'wheel' group to have passwordless sudo lineinfile: dest: /etc/sudoers state: present regexp: '^%wheel' line: '%wheel ALL=(ALL) NOPASSWD: ALL' validate: 'visudo -cf %s' - name: Add sudoers users to wheel group user: name=deployer groups=wheel append=yes state=present createhome=yes - name: Set up authorized keys for the deployer user authorized_key: user=deployer key="\{\{item}}" with_file: - /home/railsdev/.ssh/id_rsa.pub

小开

To create a user with sudo privileges is to put the user into /etc/sudoers, or make the user a member of a group specified in /etc/sudoers. And to make it password-less is to additionally specify NOPASSWD in /etc/sudoers.

Example of /etc/sudoers:

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL


## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL


## Same thing without a password
%wheel  ALL=(ALL)       NOPASSWD: ALL

And instead of fiddling with /etc/sudoers file, we can create a new file in /etc/sudoers.d/ directory since this directory is included by /etc/sudoers by default, which avoids the possibility of breaking existing sudoers file, and also eliminates the dependency on the content inside of /etc/sudoers.

To achieve above in Ansible, refer to the following:

- name: sudo without password for wheel group
copy:
content: '%wheel ALL=(ALL:ALL) NOPASSWD:ALL'
dest: /etc/sudoers.d/wheel_nopasswd
mode: 0440

You may replace %wheel with other group names like %sudoers or other user names like deployer.

Sometimes it's knowing what to ask. I didn't know as I am a developer who has taken on some DevOps work.

Apparently 'passwordless' or NOPASSWD login is a thing which you need to put in the /etc/sudoers file.

The answer to my question is at Ansible: best practice for maintaining list of sudoers.

The Ansible playbook code fragment looks like this from my problem:

And the best part is that the solution is idempotent. It doesn't add the line

%wheel ALL=(ALL) NOPASSWD: ALL

to /etc/sudoers when the playbook is run a subsequent time. And yes...I was able to ssh into the server as "deployer" and run sudo commands without having to give a password.