Hi,
Let me explain our environment first:
We have about 500 cpanel servers which are either openvz VEs or physical
servers. We are now using puppet to manage and carry out any common system
administration tasks on the servers. Direct ssh root login is disabled on
all these servers.
Requirement: We need to set up ansible to replace puppet.
What I've done:
Since direct ssh root login is disabled, I've created a new user in the
client server and set up key based authentication from ansible master
server. Also gave sudo privileges to this user so that the user has got
sufficient privileges to execute commands as the root user.
I tried a few ansible ad hoc commands and they worked a few times, e.g.:
[ih_ansible_user@ansible /]$ ansible -m shell -a '/etc/init.d/exim status' test.cpanelserver.com
test.cpanelserver.com | SUCCESS | rc=0 >>
exim (pid 28919 22473 21885 19961 19960 18016 16832 10399 10059 6131 3856 3657 3501 3431 2083 2012) is running...
[ih_ansible_user@ansible /]$ ansible -m shell -a '/etc/init.d/mysql status' test.cpanelserver.com
test.cpanelserver.com | SUCCESS | rc=0 >>
SUCCESS! MySQL running (13701)
[ih_ansible_user@ansible /]$ ansible -m shell -a 'df -h' test.cpanelserver.com
test.cpanelserver.com | SUCCESS | rc=0 >>
Filesystem Size Used Avail Use% Mounted on
/dev/simfs 2.0T 1.3T 598G 69% /
But after a few tries, I get the error:
[ih_ansible_user@ansible /]$ ansible -m shell -a '/etc/init.d/httpd status' test.cpanelserver.com
test.cpanelserver.com| FAILED! => {
    "changed": false,
    "failed": true,
    "module_stderr": "Shared connection to test.cpanelserver.com closed.\r\n",
    "module_stdout": "sudo: PERM_ROOT: setresuid(0, -1, -1): too many processes\r\n",
    "msg": "MODULE FAILURE",
    "rc": 1
}
I'm also getting a similar error when I execute the command from the client
server as the ansible user:
ih_ansible_user@test [/root]# sudo httpd status
sudo: PERM_ROOT: setresuid(0, -1, -1): too many processes
Upon searching, I could see that the number of processes for users other
than root is restricted in cpanel servers. The suggested fix is to disable
shell fork bomb protection but it is not secure. Also I'm unable to
increase the limit.
Currently I'm stuck at this point. Please let me know if this is the
correct approach, like adding a new user for ansible etc.