I am running an ansible script on localhost to copy a folder to another location. However,

    - name: Copy Network
      become: yes
      become_user: root
      copy:
        src: /d/
        dest: "/dest/d/"
        mode: 0644
      tags: [network]

is giving me [Errno 13] Permission denied: b'd/f1'. I was expecting become_user to make the command execute as root, but it didn't work.
The permission of this file is 0600 (root:root).
Can you please give me pointers to get access to this file to copy it using ansible?
Note:
- sudo ansible-playbook p.yml works perfectly; however, I don't want to use sudo with the ansible command if it's not required and ansible has a trick for it.
- command: cp -r /d/ /dest/d/ works without appending sudo to the ansible command (ansible-playbook p.yml). However, I don't want to use command if I can help it because of idempotence, and the copy module has the mode option required for the task.
Best Answer
The error says: The user who is running ansible-playbook can't read /d/f1.
In the module copy, become: yes applies only to writing the file, not to reading it. As a result, the module works as expected.

Details

By default, the module copy copies files from src (Local path to a file to copy to the remote server) to dest (Remote absolute path where the file should be copied to). In this case become: yes means Ansible escalates privilege on the remote host, but not on the local master. Despite the fact that the task is running on localhost, i.e. both the master and the remote host are localhost, become: yes will apply only to writing the file, not to reading it.

If it wasn't this way, become: yes would automatically escalate the privilege in the master. This might be a security problem.

A: There is no workaround. It would violate the ownership and permissions of the files. For example, given the file at the controller
the playbook below started by an unprivileged user
will crash
One of the solutions is to make the file readable for the user running the playbook. For example, make the file readable for others by the superuser in the first play and use it in the second play
This would work only if the user is allowed to escalate to root at the controller, of course.
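
The approach described in the answer, as an added example that is not part of the original answer: the source file is made readable by a privileged task, copied, and then set back to its original mode. It is collapsed into one play with block/always so the permission is restored even if the copy fails. The paths /d/f1 and /dest/d/ and the mode 0600 come from the question; the play and task names are made up for illustration.

```yaml
# Added example, not the answerer's playbook. /d/f1, /dest/d/ and 0600 come
# from the question; play and task names are made up for illustration.
- name: Copy a root-only tree on localhost without sudo ansible-playbook
  hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - name: Copy with a temporary read grant
      tags: [network]
      block:
        - name: Let the invoking user read the source (runs as root via become)
          become: true
          ansible.builtin.file:
            path: /d/f1
            mode: "0644"

        # src is read on the controller by the user who started
        # ansible-playbook; become only affects the write to dest.
        - name: Copy Network
          become: true
          become_user: root
          ansible.builtin.copy:
            src: /d/
            dest: /dest/d/
            mode: "0644"
      always:
        # Runs even if the copy fails, so the source does not stay
        # world-readable.
        - name: Restore the original source permissions
          become: true
          ansible.builtin.file:
            path: /d/f1
            mode: "0600"
```

While the copy task runs, /d/f1 is readable by every local user, and the two file tasks report "changed" on each run. The copied files end up with mode 0644 as requested in the question, which is looser than the 0600 source.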