【Question title】: how to do privilege escalation on lookup(ini)
【Posted】: 2019-05-29 10:09:38
【Question】:

My test.yml

      1 - name: Test ini
      2   hosts: localhost
      3   connection: local
      4   become: true
      5 
      6   tasks:
      7 
      8   - name: Verifying /etc/heat/heat.conf Configuration
      9     become_user: root
     10     become_method: sudo
     11     fail: msg="Unable to set in /etc/heat/heat.conf"
     12     when: "lookup('ini', 'max_resources_per_stack section=DEFAULT file=/etc/heat/heat.conf') != '-1'"


Error

$ ansible-playbook test.yml 
 [WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'


PLAY [Test ini] ***********************************************************************************************************************

TASK [Gathering Facts] ****************************************************************************************************************
ok: [localhost]

TASK [Verifying /etc/heat/heat.conf Configuration] ************************************************************************************
fatal: [localhost]: FAILED! => {"msg": "The conditional check 'lookup('ini', 'max_resources_per_stack section=DEFAULT file=/etc/heat/heat.conf') != '-1'' failed. The error was: An unhandled exception occurred while running the lookup plugin 'ini'. Error was a <class 'ansible.errors.AnsibleParserError'>, original message: an error occurred while trying to read the file '/etc/heat/heat.conf': [Errno 13] Permission denied: '/etc/heat/heat.conf'\n\nThe error appears to have been in '/home/stack/test.yml': line 8, column 5, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n  - name: Verifying /etc/heat/heat.conf Configuration\n    ^ here\n"}
    to retry, use: --limit @/home/stack/test.retry

PLAY RECAP ****************************************************************************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=1 

I don't know why it doesn't work. Modifying the ini file with ini_file works without specifying become_user, but it doesn't work with lookup? I can even run the crudini --get command from a shell.

$ ls -la /etc/heat/heat.conf 
-rw-r-----. 1 root heat 85196 May 29 01:39 /etc/heat/heat.conf

Update

The playbook only works when I run it with sudo, e.g. sudo ansible-playbook ini_test.yml

Update 2

ansible 2.6.11

【Question comments】:

  • @VladimirBotka Thanks for your comment. I have updated the question, please check.
  • I was able to reproduce the problem. As root, I can't look up a file owned by root:root with permissions -rw-r-----. The error is "original message: could not locate file in lookup". Permissions -rw-r--r-- work fine. It's a bug.

Tags: ansible ini


【Solution 1】:

It's a bug.

Using the file /root/test

> ll /root/test
-rw-r----- 1 root root 30 May 29 15:09 /root/test

Playbook

- hosts: localhost
  become_user: root
  become_method: sudo
  become: yes
  tasks:
    - command: whoami
      register: result
    - debug:
        var: result.stdout
    - name: read the file
      debug:
        msg: "{{ lookup('file', '/root/test') }}"

gives (abridged):

ok: [localhost] => {
    "result.stdout": "root"
}
TASK [read the file]
fatal: [localhost]: FAILED! => {"msg": "An unhandled exception occurred while running the lookup plugin 'file'. Error was a <class 'ansible.errors.AnsibleError'>, original message: could not locate file in lookup: /root/test"}

Enable read for all

> ll /root/test
-rw-r--r-- 1 root root 30 May 29 15:09 /root/test

The playbook works as expected and gives (abridged):

TASK [read the file]
ok: [localhost] => {
    "msg": "Wed May 29 15:09:43 CEST 2019"
}

For the record: How should you answer questions that lead to bug reports?

【Comments】:

  • I still get the same error. But I have already put become: true at the beginning of the playbook. Updated the question with the ansible version.
  • Thanks for digging into this for me. So, I guess I'll use crudini --get :-(
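The behaviour shown in this thread follows from where the two kinds of code run: a lookup plugin (ini, file, ...) is evaluated inside the controller process as the user who launched ansible-playbook, so become never applies to it and a 0640 root-owned file stays unreadable unless the whole playbook is started under sudo; a module task (ini_file, slurp, command, ...) is executed on the target under become, which is why ini_file worked without any extra options. The playbook below is an added example, not code from the question or the answer: it reads the file with slurp and checks the value with crudini, both as tasks so that become_user (default root) applies. It assumes crudini is installed on the host, as the question states it runs from a shell, and that /etc/heat/heat.conf exists.

```yaml
- name: Verify heat.conf under privilege escalation
  hosts: localhost
  connection: local
  become: true   # wraps module execution on the target; lookup plugins never see it

  tasks:
    # slurp is a module, so it runs under become and can read the 0640 root:heat file.
    - name: Read /etc/heat/heat.conf as root
      slurp:
        src: /etc/heat/heat.conf
      register: heat_conf

    - name: Show how much was read
      debug:
        msg: "Read {{ heat_conf.content | b64decode | length }} bytes of /etc/heat/heat.conf as root"

    # Assumption: crudini is installed on the host (the question says it works from a shell).
    # command also runs under become, so the same file is parsed as root.
    - name: Get max_resources_per_stack from the DEFAULT section
      command: crudini --get /etc/heat/heat.conf DEFAULT max_resources_per_stack
      register: max_resources
      changed_when: false
      failed_when: false   # a missing key (rc != 0) is reported by the check below

    - name: Fail unless max_resources_per_stack is -1
      fail:
        msg: >-
          max_resources_per_stack in /etc/heat/heat.conf is
          '{{ max_resources.stdout | default('') | trim }}' (rc={{ max_resources.rc }}), expected -1
      when: max_resources.rc != 0 or (max_resources.stdout | trim) != '-1'
```

Run it as the unprivileged user with ansible-playbook and a working sudo rule; the slurp and command tasks succeed as root while a lookup('ini', ...) on the same file in the same playbook would still fail with Permission denied. Widening the file mode to 0644, as the answer does, makes the lookup work only because it makes the file world-readable, which is not what a configuration file holding service credentials should be.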