I'm using Ansible, among other things, for backing up purposes. I run ansible-playbook with a non-root user (let's say it is `user`) and ssh as `user`. After that, I set up privilege escalation to become root on every server. Until now, no problems.
To fetch a remote directory I have something equivalent to the following rule:
```yaml
- synchronize:
    mode: pull
    delete: true
    src: "{{ dir }}/"
    dest: "{{ tank_base }}/{{ inventory_hostname }}/{{ dir }}/"
    rsync_opts:
      - "--exclude=tmp*"
      - "--exclude=~*"
      - "--exclude=*~"
      - "--exclude=.gvfs/"
      - "--exclude=.cache/"
```
but for some subdirectory it gives the following error (slightly edited to hide personal data):
```
fatal: [server]: FAILED! => {"changed": false, "cmd": "/usr/bin/rsync --delay-updates -F --compress --delete-after --archive --rsh 'ssh -S none -o StrictHostKeyChecking=no' --exclude=tmp* --exclude=~* --exclude=*~ --exclude=.gvfs/ --exclude=.cache/ --out-format='<>%i %n%L' \"server:/var/backup/\" \"/var/tank/snapshot/server/backup/\"", "failed": true, "msg": "rsync: opendir \"/var/backup/subdir\" failed: Permission denied (13)\nrsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1650) [generator=3.1.2]\n", "rc": 23}
```
The subdirectory that fails (`/var/backup/subdir` in the above case) is owned by `root:root` and it is readable/writable only by the owner. My guess is `rsync` is trying to pull the files as `user` instead of `root`.

How can I pull those directories without compromising the security and possibly without changing anything on the server side? After all, privilege escalation is already in place and working.
Best Answer
Not exactly - the `synchronize` module runs `rsync` locally on the management machine, not on the target node (for which you set up the privilege escalation). Module documentation describes this in detail (an excerpt below):

So it is accessing your source folder (`server:/var/backup/` in the example) as `user`, not `root`.

If you don't require a password for `user` to `sudo` on the target machine (or just configure it this way for the `rsync` command), you can use the `delegate_to: <your_server>` parameter combined with `rsync_path="sudo rsync"` to run it explicitly with `sudo`.
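An added example (not part of the original question or answer) of the asker's pull task with the `rsync_path` suggestion applied. It keeps the task on the control machine and relies on rsync's `--rsync-path` naming the program started on the remote end of the ssh session, rather than using `delegate_to`; it assumes the variables `dir` and `tank_base` from the question and, as a server-side assumption, that `user` may run `/usr/bin/rsync` under sudo without a password.

```yaml
# Pull {{ dir }} from the server while the remote-side rsync runs as root.
# rsync's --rsync-path (Ansible's rsync_path) is the command started over
# ssh on the server, so "sudo rsync" there lets it read /var/backup/subdir
# (0700, root:root) while the local side stays the non-root control user.
#
# Assumed server-side sudoers entry (added with visudo):
#   user ALL=(root) NOPASSWD: /usr/bin/rsync
# NOPASSWD is needed because the ssh session has no tty to prompt on; if the
# server sets "Defaults requiretty", add "Defaults:user !requiretty" as well.
# rsync as root can read any file on the server (and, in push mode, write
# any file), so keep the entry limited to this one user and command.
- name: Pull {{ dir }} from {{ inventory_hostname }} into the backup tank
  synchronize:
    mode: pull
    delete: true
    src: "{{ dir }}/"
    dest: "{{ tank_base }}/{{ inventory_hostname }}/{{ dir }}/"
    # Remote rsync is started as "sudo rsync"; nothing else changes.
    rsync_path: "sudo rsync"
    rsync_opts:
      - "--exclude=tmp*"
      - "--exclude=~*"
      - "--exclude=*~"
      - "--exclude=.gvfs/"
      - "--exclude=.cache/"
  # In pull mode rsync runs on the control machine, so the play's
  # privilege escalation does not reach the server side; turn it off here
  # to make that explicit.
  become: false
```

A quick check that the sudo rule is in place, run as `user` on the server: `sudo -n /usr/bin/rsync --version` should print the version without prompting.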