【Question title】: How to fix permission denied error when trying to install packages using Ansible?
【Posted】: 2018-03-22 00:06:25
【Question description】:

I am trying to write a simple Ansible playbook; please see the snippets below. I am using Ansible 2.4.0.0, Ubuntu 17.04, Python 2.7.13. This is my first time using Ansible and playbooks, so please don't be too harsh. What am I doing wrong?

playbook.yml

---
- name: install packages
  hosts: dbservers
  become: yes
  become_method: sudo
  become_user: user

  tasks:
  - name: Update repositories cache and install "python-minimal" package
    apt:
      name: python-minimal
      update_cache: yes

hosts file

 ---
 [dbservers]
 db ansible_host=127.0.0.1 ansible_port=22 ansible_user=user ansible_ssh_pass=pass ansible_become_pass=pass ansible_become_user=user

Command: ansible-playbook -i hosts playbook.yml -vvv

The command above returns the following error:

The full traceback is:
  File "/tmp/ansible_yozgsn/ansible_module_apt.py", line 287, in <module>
    import apt

fatal: [db]: FAILED! => {
    "changed": false, 
    "cmd": "apt-get update", 
    "failed": true, 
    "invocation": {
        "module_args": {
            "allow_unauthenticated": false, 
            "autoclean": false, 
            "autoremove": false, 
            "cache_valid_time": 0, 
            "deb": null, 
            "default_release": null, 
            "dpkg_options": "force-confdef,force-confold", 
            "force": false, 
            "force_apt_get": false, 
            "install_recommends": null, 
            "name": "python-minimal", 
            "only_upgrade": false, 
            "package": [
                "python-minimal"
            ], 
            "purge": false, 
            "state": "present", 
            "update_cache": true, 
            "upgrade": null
        }
    }, 
    "msg": "W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory (1: Operation not permitted)\nE: Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)\nE: Unable to lock directory /var/lib/apt/lists/\nW: Problem unlinking the file /var/cache/apt/pkgcache.bin - RemoveCaches (13: Permission denied)\nW: Problem unlinking the file /var/cache/apt/srcpkgcache.bin - RemoveCaches (13: Permission denied)", 
    "rc": 100, 
    "stderr": "W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory (1: Operation not permitted)\nE: Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)\nE: Unable to lock directory /var/lib/apt/lists/\nW: Problem unlinking the file /var/cache/apt/pkgcache.bin - RemoveCaches (13: Permission denied)\nW: Problem unlinking the file /var/cache/apt/srcpkgcache.bin - RemoveCaches (13: Permission denied)\n", 
    "stderr_lines": [
        "W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory (1: Operation not permitted)", 
        "E: Could not open lock file /var/lib/apt/lists/lock - open (13: Permission denied)", 
        "E: Unable to lock directory /var/lib/apt/lists/", 
        "W: Problem unlinking the file /var/cache/apt/pkgcache.bin - RemoveCaches (13: Permission denied)", 
        "W: Problem unlinking the file /var/cache/apt/srcpkgcache.bin - RemoveCaches (13: Permission denied)"
    ], 
    "stdout": "Reading package lists...\n", 
    "stdout_lines": [
        "Reading package lists..."
    ]
}

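Edit: If I SSH into the same machine, I can manually update the apt cache and install packages as the same user (using sudo). If I run the command "whoami" in the playbook, it returns the expected result (the username).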

【Question discussion】:

    Tags: ansible ansible-inventory


    【Solution 1】:

    If your user has sudo access, use become: -

    tasks:
      - name: Update repositories cache and install "python-minimal" package
        become: yes
        apt:
          name: python-minimal
          update_cache: yes
    

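    【Discussion】:

    • If I use become: - then I get a syntax error. I also tried removing all become variables from the playbook and hosts (using them in the CLI), but it didn't help.
    • Does your user have sudo privileges? Can you log in successfully and do this manually?
    • Please edit your original post to show that. Do you have to use sudo? What are the directory permissions?
    【Solution 2】:

    I think you are confusing become_user and remote_user. remote_user is the user Ansible will use to ssh to the server, and become_user is the user Ansible will switch to on the server to run tasks. You can find more information about become_user and remote_user in Ansible's docs.

    So what is happening here is that your playbook is trying to become the "user" user and install the package. It is not installing the package as the root user, which is what you need. To fix this, you can either remove the become_user parameter from your playbook (become_user defaults to root), or you can add the become_user parameter to your task.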

    - name: Update repositories cache and install "python-minimal" package
      apt:
        name: python-minimal
        update_cache: yes
      become_user: root
    

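    【Discussion】:

    • I don't have access to the root user; I have a sudoers user account. Is that the root of my problem? (No pun intended) :)
    • If you run sudo -l, which commands are you allowed to run? I hope we won't have to adjust ansible.cfg
    • You need to install the package as root. You may already have permission to do that - I'm not sure what a sudoers user account means. sudo -l will tell us whether you can.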
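
The remote_user / become_user split from Solution 2, as an added example that is not part of the original thread: the play logs in as the question's "user" account, escalates to the default become_user (root), and checks the effective account before touching apt. It assumes ansible_become_user=user has been removed from the hosts file, since that inventory variable takes precedence over the play's become_user; the check and debug tasks are illustrative additions.

```yaml
# Added example: host group "dbservers" and login account "user" come from
# the question; the verification tasks are illustrative.
---
- name: install packages
  hosts: dbservers
  remote_user: user        # account Ansible logs in with over SSH
  become: yes              # escalate after login
  become_method: sudo
  # become_user is left unset, so it defaults to root

  tasks:
    - name: Record the account tasks run as after escalation
      command: id -un
      register: effective_user
      changed_when: false

    - name: Record the SSH login account for comparison
      command: id -un
      become: no
      register: login_user
      changed_when: false

    - name: Report both identities
      debug:
        msg: "SSH login as {{ login_user.stdout }}, tasks run as {{ effective_user.stdout }}"

    - name: Stop early unless escalation reached root
      assert:
        that:
          - effective_user.stdout == "root"
        msg: "Tasks run as {{ effective_user.stdout }}, not root; check become_user and sudo rights"

    - name: Update repositories cache and install "python-minimal" package
      apt:
        name: python-minimal
        update_cache: yes
```

With the question's original settings the assert task would fail with effective_user equal to "user", which is the same condition that produces the apt lock-file "Permission denied" errors.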