非 root 用户不允许 Ansible chown 操作

Question

我在 Ansible 剧本中有以下内容:

- name: Create certificates directory
  file:
    dest: "{{ '~/wireguard/certs' | expanduser }}"
    state: directory
    owner: "{{ ansible_user_id }}"
    group: "{{ ansible_user_id }}"
    mode: 0700
  run_once: true
  delegate_to: localhost

但是，当它在剧本中运行时，出现以下错误:

fatal: [1.2.3.4 -> localhost]: FAILED! => {
  "changed": false,
  "gid": 1000,
  "group": "alex",
  "mode": "0755",
  "msg": "chown failed: [Errno 1] Operation not permitted: b'/home/alex/wireguard'",
  "owner": "alex",
  "path": "/home/alex/wireguard",
  "size": 4096,
  "state": "directory",
  "uid": 1000
}

我需要以 root 身份运行它还是其他？如果我确实需要以 root 身份运行它，become 是否有效？

Answer 1

我需要以 root 身份运行还是其他？

需要root。参见示例 Changing Ownership

"The super user, root, has the unrestricted capability to change the ownership of any file but normal users can change the ownership of only those files that they own."

这实际上意味着普通用户只能将他们拥有的文件组更改为他们所属的组。

如果我确实需要以 root 身份运行它，是否可行？

是的。 become作品。常用become plugin是sudo . become_user 的默认值为 root。

- file:
  become: yes
  become_method: sudo
  ...

一般来说，让远程/登录用户成为root。但在您的特定情况下，由于 delegate_to: localhost，启用运行游戏的用户。例如更改 localhost

$ grep alex /etc/sudoers
alex ALL=(ALL) NOPASSWD: ALL

参见 plugin list其他选项。