Running service with systemd as default user via ansible in ec2 (requests password)
If you have global sudo, add become: no to the two tasks that do not require sudo privs.
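The answer above relies on Ansible's privilege-escalation hierarchy: a become setting at play level applies to every task, and an individual task can switch it off with become: no or change the target account with become_user. The playbook below is an added example written for this page, not code from the original question, the accepted answer or the Rails app's deployment repository; the inventory group, the variable values under vars and the socket path are assumptions. It rewrites the three tasks from the question with the become keywords that replaced sudo/sudo_user, runs the psql check as the app user rather than root, and leaves the two unit tasks under the play-level root, because a system-scope unit can only be started or restarted by root (or through a polkit rule), which is what the Interactive authentication required prompt in the question reflects.

```yaml
# Added example, not the questioner's playbook. Group name, vars and the
# socket path are assumptions chosen to make the play self-contained.
---
- name: Deploy unicorn for {{ app }}
  hosts: app_servers            # assumed inventory group
  remote_user: ubuntu           # the default EC2 user from the question
  become: yes                   # play-wide: every task runs as root unless a task overrides it
  vars:
    app: myapp                  # assumed
    unicorn_user: deploy        # assumed
    db_host: localhost          # assumed
    db_user: myapp              # assumed
    db: myapp_production        # assumed

  tasks:
    - name: Check that the order_cycles table exists
      command: >
        psql -h {{ db_host }} -U {{ db_user }} -d {{ db }}
        -c "SELECT true FROM pg_tables WHERE tablename = 'order_cycles';"
      register: table_exists
      ignore_errors: yes
      changed_when: false         # a read-only query never changes the host
      # This task has no reason to run as root: keep escalation on, but
      # target the app's own account (the old sudo_user). Note that
      # become_user without become: yes would do nothing.
      become_user: "{{ unicorn_user }}"

    - name: Ensure unicorn is started
      systemd:
        name: "unicorn_{{ app }}"
        state: started
      # Inherits become: yes. Managing a system-scope unit needs root;
      # running this as ubuntu is what produces the polkit prompt.

    - name: Restart unicorn once the schema is present
      systemd:
        name: "unicorn_{{ app }}"
        state: restarted
      when: table_exists.stderr.find('does not exist') == -1
      # Inherits become: yes for the same reason as above.

    - name: Inspect the unicorn socket the Rails side connects to
      stat:
        path: "/home/{{ unicorn_user }}/{{ app }}/shared/tmp/sockets/unicorn.sock"  # assumed path
      register: sock
      become: no                  # explicit per-task override: plain ubuntu is enough to stat a file

    - name: Report socket owner and mode
      debug:
        msg: "owner={{ sock.stat.pw_name | default('missing') }} mode={{ sock.stat.mode | default('n/a') }}"
      become: no
```

Run it with ansible-playbook -i inventory deploy.yml; the EC2 ubuntu user has passwordless sudo, so no --ask-become-pass is needed. If the play completes but Rails still reports Connection refused on the socket, compare the owner and mode printed by the last task with the account Rails actually runs as, since a unit started by root may create the socket with an owner the ubuntu user cannot connect to.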
MikeiLL
Mike Kilmer began blogging in the mid-nineties for his web diary, Obliteration, and through work as a web developer branched out into professional blogging in 2010. Relatively experienced in PHP, CSS and WordPress, and learning Python, more JavaScript and Unix/Linux.
Updated on September 18, 2022

Comments
-
MikeiLL over 1 year
I'm trying to employ the following Ansible script (part of a playbook) to run unicorn via systemd for a rails app on an EC2 (micro) instance:

---
- name: restart unicorn
  command: psql -h {{ db_host }} -U {{ db_user }} -d {{ db }} -c "SELECT true FROM pg_tables WHERE tablename = 'order_cycles';"
  register: table_exists
  ignore_errors: yes
  sudo: yes
  sudo_user: "{{ unicorn_user }}"
  notify: restart unicorn step 2
  #TODO make sure both of these things run as one handler.

- name: restart unicorn step 2
  service:
    name: unicorn_{{ app }}
    state: restarted
  when: table_exists.stderr.find('does not exist') == -1
  # If unicorn isn't actually started yet we probably need this:
  notify: start unicorn

- name: start unicorn
  service:
    name: unicorn_{{ app }}
    state: started
The user configured in the playbook is ubuntu, the default (EC2) user, and I'm hitting an Interactive authentication required error there, so I'm just trying to troubleshoot directly in the command line of the deploy-to server and have come upon this roadblock. I can run it as sudo:
$ sudo systemctl start unicorn_myapp.service
Either directly via the server's command line, or by using Ansible's raw method, which succeeds.
But then the rails server, being run by user ubuntu, can't access it (at least that's an avenue I'm exploring for the cause of a .sock failed (111: Connection refused) error). If I run it without sudo, a password is requested, but as far as I can tell, the EC2 ubuntu user runs without a password.

I know that a workaround might be to create a new user with a password and run rails and systemctl/unicorn as that user, but I don't think that's the actual answer to this problem, even more so since the playbook's developer recently removed the user_password from the playbook altogether for security reasons. If I can figure out how to run systemd as a non-root user at all, maybe I can figure out how to make Ansible succeed at it. Of course it's also not unlikely that I'm approaching it from the wrong angle in the first place, as I'm fairly new to pretty much everything this scenario involves.
-
Michael Hampton over 8 years
-
MikeiLL over 8 years
Thank you much @MichaelHampton. Updated the question and I hope have extracted it from the XY Problem category. Please let me know if it still seems like an unclear or even inappropriate question so I can try updating further or deleting it... No. I can already see that I need to reverse the question...
-
Michael Hampton over 8 years
If psql is connecting to a remote host as a specific user, why do you need to sudo in that step at all? Further, what user is ansible using normally?
-
MikeiLL over 8 years
Well, I'm using an ansible-playbook that was created by the rails app's developers and I'm not sure why it uses sudo in the first task. For the second task I was getting the interaction required error. How does psql come into play here at all? Does unicorn interact with it?
-
MikeiLL over 8 years
Also, what do you mean psql connecting to a remote host? It's all within the single EC2 instance as far as I know.
-
Michael Hampton over 8 years
That play is quite weird. It appears they are calling psql to check the existence of a table, and only restarting unicorn if the table exists.
-
MikeiLL over 8 years
I thought maybe that was to short-circuit deployment if the psql provisioning had failed. And now I think I understand why you mentioned psql. I was forgetting that first task, since it isn't failing.
-
Michael Hampton over 8 years
So, again, what user is ansible configured to use on the remote server?
-
MikeiLL over 8 years
ubuntu, the default (EC2) user.
-
MikeiLL over 5 years
Do you mean add that configuration line to the two Ansible tasks that don't require those privileges? Do you mean 'restart unicorn step 2' and 'restart unicorn'?
-
xddsg over 5 years
Yes. You didn't paste the top-level play or your ansible.cfg, so it's possible you have sudo enabled on every task.
-
MikeiLL over 5 years
I've been off this project for a long time now so can't test. But will upvote.