Problem: I do not see how to enable the use of the service apache2 with sudo without password. I can enable it for all user commands, but as this seems like a bad idea, I only want to activate some commands.
Context: I'm trying to configure a streaming distribution / deployment system, and in this context, I let Ansible execute some commands on the target computers. Some of these commands unfortunately require sudo and I have to remove the corresponding password prompt. Ideally, all permissions in this process work with saved keys instead of passwords.
(Machine names have been replaced with placeholder values.)
target.example.com under Ubuntu 18.04 LTS and Apache 2.x
control.example.com under Ubuntu 16.04 LTS and Ansible 2.7.8
/etc/sudoers.d/ansible on machine
ansible ALL = NOPASSWD: / usr / sbin / service / usr / sbin / apache2 *
/ etc / ansible / hostson machine
~ / deploy.yml on machine
--- - hosts: production remote_user: ansible Tasks: - name: stop apache shell: service apache2 stop become: yes become_method: sudo - name: start apache shell: service apache2 start become: yes become_method: sudo
ansible-playbook ~ / deploy.yml sure
control.example.com, I receive an error
sudo: a password is required. I can reproduce the prompt for the password when connecting to the target via
ssh email@example.com and then running
sudo service apache2 stop and
sudo service apache2 start. Therefore, I hesitantly state that the problem lies somewhere with the sudo configuration on
target.example.com and Ansible is only the messenger.
I've tried different configurations of
/etc/sudoers.d/ansiblemainly because I am not at all sure of the correct syntax and have tried all kinds of expressions to see what works. The only job I've found is
ansible ALL = NOPASSWD: ALL, which I want to avoid for security reasons.