ansible - 如何以非 root 用户身份使用 'package:' 模块?
问题描述
我想要一本剧本来验证是否安装了某些软件包,如果没有安装则使该系统失败。我想我可以package:
以非 root 用户身份使用该模块并让它验证软件包是否已安装。
我认为idempotency
Ansible 会允许(实际上鼓励)这种用法。这是我应该升级的错误或增强功能,还是我忽略了实现这一目标的简单方法?
这是我的测试手册:
---
- name: Show package module non-root usage
hosts: all
become: false
tasks:
- name: Check that a packages is installed
package:
name:
- vim-common
state: installed
作为普通用户,我可以看到vim-common
已安装:
$ rpm -qa vim-common
vim-common-8.0.1763-15.el8.x86_64
$ dnf list vim-common
Not root, Subscription Management repositories not updated
Last metadata expiration check: 0:00:29 ago on Thu 21 Jan 2021 12:50:56 PM CST.
Installed Packages
vim-common.x86_64 2:8.0.1763-15.el8 @rhel-8-for-x86_64-appstream-rpms
$
但是当我运行剧本时,我得到了这个错误而不是“成功”结果:
$ ansible-playbook package_check.yml -i localhost, --connection=local
PLAY [Show package module non-root usage] *********************************************************************************************
TASK [Gathering Facts] ****************************************************************************************************************
ok: [localhost]
TASK [Check that a packages is installed] *********************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "This command has to be run under the root user.", "results": []}
PLAY RECAP ****************************************************************************************************************************
localhost : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
$
正如预期的那样,当我以 root 身份运行它时,它可以正常工作:
$ sudo ansible-playbook package_check.yml -i localhost, --connection=local
PLAY [Show package module non-root usage] *********************************************************************************************
TASK [Gathering Facts] ****************************************************************************************************************
ok: [localhost]
TASK [Check that a packages is installed] *********************************************************************************************
ok: [localhost]
PLAY RECAP ****************************************************************************************************************************
localhost : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
$
我的系统是Red Hat Enterprise Linux release 8.3 (Ootpa)
Ansible 2.10:
$ ansible-playbook --version
ansible-playbook 2.10.4
config file = /home/dan/.ansible.cfg
configured module search path = ['/home/dan/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/lib/python3.6/site-packages/ansible
executable location = /usr/local/bin/ansible-playbook
python version = 3.6.8 (default, Aug 18 2020, 08:33:21) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
更新#1
搜索 Ansible 代码,该dnf.py
模块来自:
$ egrep -C3 "This command has to be run under the root user." /usr/local/lib/python3.6/site-packages/ansible/modules/dnf.py
# before running it.
if not dnf.util.am_i_root():
self.module.fail_json(
msg="This command has to be run under the root user.",
results=[],
)
self.base = self._base(
$
如果我注释掉那个根检查块:
$ egrep -C3 "This command has to be run under the root user." /usr/local/lib/python3.6/site-packages/ansible/modules/dnf.py
# before running it.
# if not dnf.util.am_i_root():
# self.module.fail_json(
# msg="This command has to be run under the root user.",
# results=[],
# )
self.base = self._base(
$
我现在可以运行 playbook 并确认包已安装,无需 root 权限:
$ ansible-playbook package_check.yml -i localhost, --connection=local
PLAY [Show package module non-root usage] *********************************************************************************************
TASK [Gathering Facts] ****************************************************************************************************************
ok: [localhost]
TASK [Check that a packages is installed] *********************************************************************************************
ok: [localhost]
PLAY RECAP ****************************************************************************************************************************
localhost : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
$
更新#2
稍微修改剧本以检查已安装和缺少的软件包:
$ cat package_check.yml
#!/usr/bin/env /usr/local/bin/ansible-playbook
---
- name: Show package module non-root usage
hosts: all
become: false
tasks:
- name: Check that VIM common is installed
package:
name:
- vim-common
state: installed
- name: Check that EMACS is installed
package:
name:
- vim-common
- emacs
state: installed
$
现在我们第一个成功,第二个失败:
$ ansible-playbook package_check.yml -i localhost, --connection=local
PLAY [Show package module non-root usage] *********************************************************************************************
TASK [Gathering Facts] ****************************************************************************************************************
ok: [localhost]
TASK [Check that VIM common is installed] *********************************************************************************************
ok: [localhost]
TASK [Check that EMACS is installed] **************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "2021-01-21 13:27:23,224 [ERROR] dnf.py:724879:MainThread @logutil.py:194 - [Errno 13] Permission denied: '/var/log/rhsm/rhsm.log' - Further logging output will be written to stderr\n2021-01-21 13:27:23,233 [ERROR] dnf.py:724879:MainThread @identity.py:156 - Reload of consumer identity cert /etc/pki/consumer/cert.pem raised an exception with msg: [Errno 13] Permission denied: '/etc/pki/consumer/key.pem'\nTraceback (most recent call last):\n File \"/home/dan/.ansible/tmp/ansible-tmp-1611257242.3944752-724867-4205539601634/AnsiballZ_dnf.py\", line 102, in <module>\n _ansiballz_main()\n File \"/home/dan/.ansible/tmp/ansible-tmp-1611257242.3944752-724867-4205539601634/AnsiballZ_dnf.py\", line 94, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/home/dan/.ansible/tmp/ansible-tmp-1611257242.3944752-724867-4205539601634/AnsiballZ_dnf.py\", line 40, in invoke_module\n runpy.run_module(mod_name='ansible.modules.dnf', init_globals=None, run_name='__main__', alter_sys=True)\n File \"/usr/lib64/python3.6/runpy.py\", line 205, in run_module\n return _run_module_code(code, init_globals, run_name, mod_spec)\n File \"/usr/lib64/python3.6/runpy.py\", line 96, in _run_module_code\n mod_name, mod_spec, pkg_name, script_name)\n File \"/usr/lib64/python3.6/runpy.py\", line 85, in _run_code\n exec(code, run_globals)\n File \"/tmp/ansible_ansible.legacy.dnf_payload_ewju4h_n/ansible_ansible.legacy.dnf_payload.zip/ansible/modules/dnf.py\", line 1330, in <module>\n File \"/tmp/ansible_ansible.legacy.dnf_payload_ewju4h_n/ansible_ansible.legacy.dnf_payload.zip/ansible/modules/dnf.py\", line 1319, in main\n File \"/tmp/ansible_ansible.legacy.dnf_payload_ewju4h_n/ansible_ansible.legacy.dnf_payload.zip/ansible/modules/dnf.py\", line 1294, in run\n File \"/tmp/ansible_ansible.legacy.dnf_payload_ewju4h_n/ansible_ansible.legacy.dnf_payload.zip/ansible/modules/dnf.py\", line 1213, in ensure\n File \"/usr/lib/python3.6/site-packages/dnf/base.py\", line 882, in do_transaction\n tid = self._run_transaction(cb=cb)\n File \"/usr/lib/python3.6/site-packages/dnf/base.py\", line 955, in _run_transaction\n tid = self.history.beg(rpmdbv, using_pkgs, [], cmdline, comment)\n File \"/usr/lib/python3.6/site-packages/dnf/db/history.py\", line 473, in beg\n comment)\n File \"/usr/lib64/python3.6/site-packages/libdnf/transaction.py\", line 763, in beginTransaction\n return _transaction.Swdb_beginTransaction(self, *args)\nlibdnf._error.Error: SQLite error on \"/var/lib/dnf/history.sqlite\": Reading a row failed: attempt to write a readonly database\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
PLAY RECAP ****************************************************************************************************************************
localhost : ok=2 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
$
并以root身份运行按预期工作:
$ sudo ansible-playbook package_check.yml -i localhost, --connection=local
PLAY [Show package module non-root usage] *********************************************************************************************
TASK [Gathering Facts] ****************************************************************************************************************
ok: [localhost]
TASK [Check that VIM common is installed] *********************************************************************************************
ok: [localhost]
TASK [Check that EMACS is installed] **************************************************************************************************
changed: [localhost]
PLAY RECAP ****************************************************************************************************************************
localhost : ok=3 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
$
解决方案
这是因为state: installed
如果软件包不存在,则安装该软件包。因此,这并不完全等同于轮询您的包管理器以获取数据包。
为此,您将不得不使用package_facts
收集器。
然后,如果您期望的包不存在,您可以轻松地使用failed_when
相同的任务。
这是一个示例剧本:
- hosts: all
gather_facts: no
tasks:
- package_facts:
failed_when: "'apache2' not in ansible_facts.packages"
为了解决您在下面的评论中陈述的用例,您始终可以使用变量ansible_check_mode
:
- hosts: all
gather_facts: no
tasks:
- package_facts:
failed_when: "'apache2' not in ansible_facts.packages"
when: ansible_check_mode
- package:
name: apache2
when: not ansible_check_mode
推荐阅读
- testing - Flutter - 如何在小部件测试中获取文本小部件
- java - 为 WebSocketHandlerDecorator 编写测试 - 委托不能为空
- junit - 使用 Mockito 测试用例失败
- javascript - 从 Jasmine 重置方法的执行上下文
- c# - 获取两个日期之间的日期
- docker - puppet 中的 SSL 证书验证失败
- corda - net.corda.core.flows.UnexpectedFlowEndException:尝试使用空缓冲区访问已结束的会话 SessionId(toLong=8223329095323268472)
- javascript - 如果语句不起作用,如何修复 jQuery 多个 else
- python - 如何修改csv文件中的值
- javascript - 如何修复vscode中的gulp windows脚本主机错误