I have an user created in VagrantFile and whenever I run a command with sudo it asks for a password. I don't know what that password is, so I would appreciate some help on this matter
I have tried to set up the following without success:
config.ssh.username = "Sorin"
config.ssh.password = "6282"
config.ssh.insert_key = false
User created as following in Vagrantfile:
bootstrap = <<SCRIPT
useradd -m Sorin --groups sudo
su -c "printf 'cd /home/Sorin\nsudo su Sorin' >> .bash_profile" -s /bin/sh vagrant
SCRIPT`
config.vm.box = "centos/7"
config.vm.hostname = "centos7"
VAGRANT_COMMAND = ARGV[0]
if VAGRANT_COMMAND == "ssh"
config.ssh.username = "Sorin"
end
config.vm.provision "shell", inline: "#{bootstrap}", privileged: true
end
Sorin#centos7 ~ $ sudo yum install whois
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for Sorin:
I was able to do it myself by reconnecting to user Vagrant which doesn't require any password to run as root.
Then I ran the following commands to:
# passwd Sorin to change the user password for Sorin:
# Visudo to access and edit etc/sudoers:
`## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL`
The ''#" did not exist on my end to remove it. Remove it if exists on your end on the second line in front of %wheel
Save changes and return to editor.
4.# usermod -aG wheel Sorin to Add the user I created to the wheel group.
# su USERNAME - to switch to the Sorin user account that I created.
$ groups
Sorin wheel
sudo whoami to check if it was root, the first time it asked for password.
Related
When I use the following config in Vagrant:
Vagrant.configure("2") do |config|
config.ssh.forward_agent = true
end
While running git, I can use ssh agent forwarding on the guest with user: vagrant, but it does not work with the user: root (I get permission denied).
I need it to work with the user: root as puppet provisioning runs as root.
Is there a way to force vagrant to also allow ssh agent forwarding with the user: root?
My understanding is that it isn't possible to make a privileged vm.provision section work with SSH agent forwarding. Fundamentally, a privileged section needs to do a sudo, which breaks the link to the SSH agent.
That said, I use agent forwarding for accessing Git repos when provisioning with Puppet. I split the git and puppet commands into separate sections, privileged or not as needed:
Vagrant.configure(2) do |config|
config.vm.box = "centos/7"
config.ssh.forward_agent = true
config.vm.provision "shell", inline: <<-SHELL
yum -y update
yum install -y git
rpm -Uvh https://yum.puppet.com/puppet6-release-el-7.noarch.rpm
yum install -y puppet-agent
SHELL
config.vm.provision "shell", inline: <<-SHELL, privileged: false
mkdir -p ~/.ssh
chmod 700 ~/.ssh
# You may get failure to autenticate error messages without this.
ssh-keyscan -H github.com >> ~/.ssh/known_hosts
git clone git#github.com:group/control.git /vagrant/control
cd /vagrant/control
git checkout branch
SHELL
config.vm.provision "shell", inline: <<-SHELL
cd /vagrant/control
/opt/puppetlabs/bin/puppet apply manifest/site.pp
SHELL
end
I have just discovered Ansible and it is great! I have written some cool playbooks to manage 0downtime docker deployments on my servers, but I waste quite a bit of time waiting things to happen due to the fact that I sometimes have to work with poor internet connection. So i thought, I might be able to run Ansible against boot2docker, but got no success and after doing a lil bit of research I realized it would be too hacky and it would never behave like my actual Ubuntu server. So here I am trying to make it work with Vagrant.
I want to achive something like Laptop > Ansible > Vagrant Box; don`t want to run the playbooks from the Vagrant Box!
VagrantFile
Vagrant.configure(2) do |config|
config.vm.box = "ubuntu/trusty64"
config.ssh.forward_agent = true
end
vagrant ssh-config
Host default
HostName 127.0.0.1
User vagrant
Port 2222
UserKnownHostsFile /dev/null
StrictHostKeyChecking no
PasswordAuthentication no
IdentityFile "/Users/cesco/Code/vagrant/.vagrant/machines/default/virtualbox/private_key"
IdentitiesOnly yes
LogLevel FATAL
ForwardAgent yes
Thanks to some SO question I was able to do this:
$ vagrant ssh-config > vagrant-ssh
$ ssh -F vagrant-ssh default
$ vagrant#vagrant-ubuntu-trusty-64:~$
But I keep getting localhost | FAILED => SSH Error: Permission denied (publickey,password).every time I try to run the Ansible ping ont the vagrant box.
Ansible inventory
[staging]
vagrant#localhost
Ansible config
[ssh_connection]
ssh_args = -o UserKnownHostsFile=/dev/null \
-o StrictHostKeyChecking=no \
-o PasswordAuthentication=no \
-o IdentityFile=/Users/cesco/.vagrant.d/insecure_private_key \
-o IdentitiesOnly=yes \
-o LogLevel=FATAL \
-p 2222
How do I translate the ssh file to ansible configurantion?
It does not work on the command line also!
ssh -vvv vagrant#localhost -p 2222 -i /Users/cesco/.vagrant.d/insecure_private_key -o IdentitiesOnly=yes -o LogLevel=FATAL -o PasswordAuthentication=no -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
To use vagrant with and classic ssh connection, first add another private IP to your Vagrant file.
config.vm.network "private_network", ip: "192.168.1.2"
Reload your instance
vagrant reload
Then you can connect by ssh using the private key.
ssh -vvv vagrant#192.168.1.2 -p 2222 -i /Users/cesco/.vagrant.d/insecure_private_key
That is the best way.
You misunderstand. The vagrant ansible plugin does not run ansible from the vagrant, but instead SSHs into the vagrant from your local box. That's the way to go since it means with a few small changes you can target a remote host instead.
To get it working you need to add something like this to your Vagrantfile:
config.vm.provision "ansible" do |ansible|
ansible.playbook = "ansible/vagrant.yml"
ansible.sudo = true
ansible.ask_vault_pass = true # comment out if you don't need
ansible.verbose = 'vv' # comment out if you don't want
ansible.groups = {
"tag_Role_myrole" => ["myrole"]
}
ansible.extra_vars = {
role: "myrole"
}
end
# Set the name of the VM.
config.vm.define "myrole" do |myrole|
luigi.vm.hostname = "myrole"
end
Create/update your ansible.cfg file with:
hostfile = ../.vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory
Create a hosts inventory file containing:
localhost=127.0.0.1 ansible_connection=local
Now vagrant up will bring up and provision the instance, or run vagrant provision to (re)provision a running vagrant.
To run a playbook directly against your vagrant use:
ansible-playbook -u vagrant --private-key=~/.vagrant.d/insecure_private_key yourplaybook.yml
I have a user didongo (user & group didongo), and the nginx server (user & group www-data). I've setup Capifony to login as didongo user: the first time I deploy setfacl command works ok (while the logs folder is empty). But after the web application, served by nginx, has generated some logs (prod.log) the very next deploy fails, with an setfacl error.
I'm sure I'm doing a noob error with the permissions between the user and the web server, but I don't see what error. I see that didongo should not be able to change permissions of a file he hasn't permissions to. But then, how I'm supposed to configure the server or Capifony?
Thanks!
Relevant (hope so) Capifony deploy.rb config:
set :user, "didongo"
set :webserver_user, "www-data"
set :permission_method, :acl
set :use_set_permissions, true
set :shared_children, [app_path + "/logs", web_path + "/uploads", "vendor"]
set :writable_dirs, ["app/cache", "app/logs"]
This is the Capifony error:
$ setfacl -R -m u:didongo:rwx -m u:www-data:rwx /home/didongo/staging/shared/app/logs
setfacl: /home/didongo/staging/shared/app/logs/prod.log: Operation not permitted
Some data on the ACL:
$ getfacl app/logs
# file: logs
# owner: didongo
# group: didongo
user::rwx
user:www-data:rwx
user:didongo:rwx
group::rwx
mask::rwx
other::r-x
default:user::rwx
default:user:www-data:rwx
default:user:didongo:rwx
default:group::rwx
default:mask::rwx
default:other::r-x
# file: logs/prod.log
# owner: www-data
# group: www-data
user::rw-
user:www-data:rwx #effective:rw-
user:didongo:rwx #effective:rw-
group::rwx #effective:rw-
mask::rw-
other::r--
Try this once with sudo and after you will no need to use sudo
sudo sh -c 'setfacl -R -m u:didongo:rwX -m u:www-data:rwX /home/didongo/staging/shared/app/logs'
Because you need to set x+ permissions, read this What is trailing Plus indicates
The problem here, is that prod.log file was created automatically so its owner is www-data. Capifony runs deployment as didongo user. One user can't do setfacl to the other owner's file.
So just add didongo to the group www-data: sudo adduser didongo www-data
Finally I managed this creating different PHP-FPM pools with the same permissions as the user. This way I can have different users separated from each other. And as a bonus deploy.rb is simplified.
I'm trying to login to a ssh server and to execute something like:
ssh user#domain.com 'sudo echo "foobar"'
Unfortunately I'm getting an error:
sudo: no tty present and no askpass program specified
Google told me to either set the environment variable SSH_ASKPASS or to set askpass in the sudoers file. My remote machine is running on Debian 6 and I've installed the packages ssh-askpass and ssh-askpass-gnome and my sudoers file looks like this:
Defaults env_reset
Defaults askpass=/usr/bin/ssh-askpass
# User privilege specification
root ALL=(ALL) ALL
user ALL=(ALL) ALL
Can someone tell what I'm doing wrong and how to do it better.
There are two ways to get rid of this error message. The easy way is to provide a pseudo terminal for the remote sudo process. You can do this with the option -t:
ssh -t user#domain.com 'sudo echo "foobar"'
Rather than allocating a TTY, or setting a password that can be seen in the command line, do something like this.
Create a shell file that echo's out your password like:
#!/bin/bash
echo "mypassword"
then copy that to the node you want using scp like this:
scp SudoPass.sh somesystem:~/bin
Then when you ssh do the following:
ssh somesystem "export SUDO_ASKPASS=~/bin/SudoPass.sh;sudo -A command -parameter"
Another way is to run sudo -S in order to "Write the prompt to the standard error and read the password from the standard input instead of using the terminal device" (according to man) together with cat:
cat | ssh user#domain.com 'sudo -S echo "foobar"'
Just input the password when being prompted to.
One advantage is that you can redirect the output of the remote command to a file without "[sudo] password for …" in it:
cat | ssh user#domain.com 'sudo -S tar c --one-file-system /' > backup.tar
Defaults askpass=/usr/bin/ssh-askpass
ssh-askpass requires X server, so instead of providing a terminal (via -t, as suggested by nosid), you may forward X connection via -X:
ssh -X user#domain.com 'sudo echo "foobar"'
However, according to current documentation, askpass is set in sudo.conf as Path, not in sudoers.
How about adding this in the sudoers file:
user ALL=(ALL) NOPASSWD: ALL
I want to make a shellscript to install Wine on a Mac
and i want the user to enter his/her password so the script can use it later on to make the installation unattended by automatically entering the password on "sudo" commands. This is what i got for now:
clear
echo Wine Installer v1.0
echo -------------------
echo by Sydcul
sleep 4
clear
echo "Please enter your OS X user password."
echo "It is needed in some parts of the installation."
read PASSWORD
echo "Wine installation starting."
echo "Please do not shut down your system."
mkdir winetmp
cd winetmp
curl -O https://distfiles.macports.org/MacPorts/MacPorts-2.0.3.tar.bz2
tar xjvf MacPorts-2.0.3.tar.bz2
cd MacPorts-2.0.3
echo $PASSWORD | ./configure && make && sudo make install
echo $PASSWORD | sudo port -v selfupdate
echo $PASSWORD | sudo port -v install xorg
echo $PASSWORD | sudo port -v install wine
rm -rf ~/winetmp
clear
echo "Wine is successfully installed and ready for use!"
But at a certain point is still asks for the password.
How can i fix this?
Honestly, I would drop all that $PASSWORD stuff and remove the sudo from all your commands. You are writing an installation script, which should be run with elevated privileges. Have your users execute your script with sudo ./installwine.sh, and then run the commands in the script without sudo. All your port -v stuff will inherit the elevated privileges.
If you'd like to offer your user a nice error message if they forget to run the script with sudo (rather than just having your first call to port fail cryptically), you could check to see if the effective user ID ($EUID) is 0, and print the error message and exit otherwise. See https://askubuntu.com/questions/30148/how-can-i-determine-whether-a-shellscript-runs-as-root-or-not.
You can prompt the user for the password for the first time and then save it in a file (and don't forget to encrypt it).
The next time when you need it you can easily read it from the same file and store it in a variable and then use this command
echo $variablename | sudo -S command
Actually I think sudo doesn't accept password from stdin (you need to specify -S parameter to enable this).
As workaround you can execute sudo su to gain root privileges for all commands.
UPD: I'm not recommend to save password to file cause it is very bad solution from security point.
UPD2: You forget about Xcode, if it is not installed this script fails on compile stage :)
Why don't you just use the custom prompt option for sudo, and let it ask for the password if it needs it?
You start by checking if they're already root or not like this:
SUDO=""
if [[ 0 == $(id -u) ]]
then
SUDO="sudo "
fi
$SUDO command 1
$SUDO command arg arg arg
and then optionally combine that with the ability to customize the sudo prompt using the -p option.
then
SUDO="sudo -p \"I need elevated access for this part. Please enter %u's password:\" "
fi
You still get control over the interface, but don't prompt for a password unless you need it. Some people may have sudo set up for nopassword operation, for example. Others might run your installer as root. Or maybe their pasword is already cached with sudo. Etc. It's best to let sudo manage prompting, possibly using an askpass program (see the -A option) if necessary.