I set `ansible_become` in my hosts file because I do most things as root when setting up a new machine.
```yaml
all:
  hosts:
    ganymede:
      ansible_host: ganymede.xcv.org
  vars:
    ansible_user: ubuntu
    ansible_become: yes
    ansible_become_user: root
```
I require the git repo to be cloned as the service account and I cannot figure out how to make that happen.
```yaml
- name: Git
  vars:
    ansible_become: no
  block:
    - name: whoami
      command: whoami
      register: a
    - debug:
        # the Jinja expression must be quoted, otherwise YAML reads "{{" as a mapping
        msg: "{{ a.stdout }}"
    - git:
        repo: "[email protected]:fakerepo/ganymede.git"
        dest: "/opt/"
        force: yes
        key_file: ~ganymede/.ssh/id_ed25519
      become: yes
      become_user: ganymede
```
Unsetting `ansible_become` appears to work because the user is `ubuntu`. Setting `become` and `become_user` has no effect and I want to know what it takes for that to work so that git works correctly.
```
TASK [debug] ***********************************************
ok: [ganymede] => {
    "msg": "ubuntu"
}

TASK [git] *************************************************
fatal: [ganymede]: FAILED! => {
    "changed": false,
    "cmd": "/usr/bin/git ls-remote [email protected]:fakerepo/ganymede.git -h refs/heads/HEAD",
    "msg":
        "Warning: Identity file /home/ganymede/.ssh/id_ed25519 not accessible: Permission denied."
        "Host key verification failed."
        "fatal: Could not read from remote repository."
        "Please make sure you have the correct access rights and the repository exists.",
    "rc": 128,
    "stderr":
        "Warning: Identity file /home/ganymede/.ssh/id_ed25519 not accessible: Permission denied."
        "Host key verification failed."
        "fatal: Could not read from remote repository."
        "Please make sure you have the correct access rights and the repository exists.",
    "stderr_lines": [
        "Warning: Identity file /home/ganymede/.ssh/id_ed25519 not accessible: Permission denied.",
        "Host key verification failed.",
        "fatal: Could not read from remote repository.",
        "",
        "Please make sure you have the correct access rights and the repository exists."
    ],
    "stdout": "",
    "stdout_lines": []
}
```
CodePudding user response:
From sivel, one of the members of the Ansible development team:

> This behavior is documented under precedence rules: https://docs.ansible.com/ansible/latest/reference_appendices/general_precedence.html#precedence-categories
>
> Task/play keywords have lower precedence to variables, since they are less specific to a host.
>
> As such, the inventory variables have higher precedence than your task specified `become_user`. The workaround for your configuration, as you have found, is overriding `ansible_become_user` via `vars:` on the individual task.

Source: Ansible issue 74929
And so, from the documentation page cited in the issue:

> Ansible offers four sources for controlling its behavior. In order of precedence from lowest (most easily overridden) to highest (overrides all others), the categories are:
>
> - Configuration settings
> - Command-line options
> - Playbook keywords
> - Variables
>
> Each category overrides any information from all lower-precedence categories. For example, a playbook keyword will override any configuration setting.

Source: Controlling how Ansible behaves: precedence rules
So, your fix is, as described, to override `ansible_become_user` in the `vars:` section of that task:

```yaml
- git:
    repo: "[email protected]:fakerepo/ganymede.git"
    dest: "/opt/"
    force: yes
    key_file: ~ganymede/.ssh/id_ed25519
  vars:
    ansible_become_user: ganymede
```
And in order to resolve your further `acl` issue, you have to install the right `acl` Python package on your managed nodes, which can be achieved with this task (run as `root`):

```yaml
- pip:
    name: acl
```
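As an added example (not code from the question or the answer), here is a complete play that applies the precedence rule above end to end: the inventory keeps `ansible_become: yes` with `root` as the default become user, and only the tasks that touch the service account's files override `ansible_become_user` through `vars:`, so nothing that handles the deploy key ever runs as root. It assumes the inventory from the question, an Ubuntu managed node, and a local account `ganymede` that owns `/home/ganymede/.ssh/id_ed25519`; `GIT_HOST_PLACEHOLDER`, `GIT_HOST_KEY_PLACEHOLDER` and the checkout directory `/opt/ganymede` are assumptions to replace with real values.

```yaml
# Added example, not the asker's or answerer's code. Assumes the question's
# inventory (ansible_user: ubuntu, ansible_become: yes, ansible_become_user: root),
# an Ubuntu managed node and a local service account "ganymede".
# GIT_HOST_PLACEHOLDER / GIT_HOST_KEY_PLACEHOLDER must be filled in.
- name: Clone the service repo as the service account, never as root
  hosts: ganymede
  vars:
    service_user: ganymede
    repo_dest: /opt/ganymede                      # assumed; the question clones into /opt/
    git_host: "GIT_HOST_PLACEHOLDER"              # host part of the repo URL
    git_host_key: "GIT_HOST_KEY_PLACEHOLDER"      # a known_hosts line: "host ssh-ed25519 AAAA..."
    key_path: "/home/{{ service_user }}/.ssh/id_ed25519"
  tasks:
    # These two tasks run as root: the inventory's ansible_become and
    # ansible_become_user apply because nothing on the task overrides them.
    # setfacl (from the acl package) is what Ansible uses to hand its
    # temporary module files to an unprivileged become user.
    - name: Ensure the acl package is installed on the managed node
      apt:
        name: acl
        state: present

    - name: Create the checkout directory owned by the service account
      file:
        path: "{{ repo_dest }}"
        state: directory
        owner: "{{ service_user }}"
        group: "{{ service_user }}"
        mode: "0750"

    # Variables are the highest-precedence category, so a block-level var
    # beats both the inventory value and a become_user keyword. Every task
    # inside this block runs as the service account; become itself stays
    # enabled because ansible_become is left untouched.
    - name: Work as the service account
      vars:
        ansible_become_user: "{{ service_user }}"
      block:
        - name: Confirm which user the tasks in this block actually run as
          command: whoami
          register: who
          changed_when: false

        - name: Fail early if the override did not take effect
          assert:
            that: who.stdout == service_user
            fail_msg: "tasks run as {{ who.stdout }}, expected {{ service_user }}"

        - name: Inspect the deploy key before using it
          stat:
            path: "{{ key_path }}"
          register: key

        - name: Refuse to proceed unless the key is private to the service account
          assert:
            that:
              - key.stat.exists
              - key.stat.pw_name == service_user
              - key.stat.mode == "0600"
            fail_msg: "deploy key missing, or readable by other accounts"

        # Pin the remote host key in the service account's own known_hosts
        # instead of disabling verification; this is the fix for the
        # "Host key verification failed" line in the question's output.
        - name: Pin the git host key in the service account's known_hosts
          known_hosts:
            name: "{{ git_host }}"
            key: "{{ git_host_key }}"
            state: present

        - name: Clone the repository with the service account's key
          git:
            repo: "git@{{ git_host }}:fakerepo/ganymede.git"
            dest: "{{ repo_dest }}"
            key_file: "{{ key_path }}"
```

Two points about the design. The question's block set `ansible_become: no` as a block var; by the same precedence rule that var wins over the task's `become: yes` keyword, which is why the tasks kept running as `ubuntu`. The example therefore never touches `ansible_become` and overrides only `ansible_become_user`, so the tasks inside the block become `ganymede` while everything outside it stays root. The `whoami` and `stat` assertions are there so the play fails before any key material or repository content is handled by the wrong account.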