Becoming Root or Other Users

Document Control

TODO:

  • Overall structure.
  • Initial draft complete
  • Testing
  • Ready

Running a command as another user

Run the command module and use the --become flag:

ansible localhost -m command -a 'id' -b -u cmihai

localhost | CHANGED | rc=0 >>
uid=0(root) gid=0(root) groups=0(root),990(docker) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Using command in a playbook

- name: Ansible playbook
  hosts: localhost
  connection: local
  tasks:
    - command: id
      become: true
      become_user: root

ansible-playbook site.yml -v
Using /etc/ansible/ansible.cfg as config file
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'


PLAY [Ansible playbook] ***********************************************************************************************************************************************************************

TASK [Gathering Facts] ************************************************************************************************************************************************************************
ok: [localhost]

TASK [command] ********************************************************************************************************************************************************************************
changed: [localhost] => {"changed": true, "cmd": ["id"], "delta": "0:00:00.001805", "end": "2020-01-05 19:38:01.805624", "rc": 0, "start": "2020-01-05 19:38:01.803819", "stderr": "", "stderr_lines": [], "stdout": "uid=0(root) gid=0(root) groups=0(root),990(docker) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023", "stdout_lines": ["uid=0(root) gid=0(root) groups=0(root),990(docker) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"]}

PLAY RECAP ************************************************************************************************************************************************************************************
localhost                  : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

When running as a playbook, the result can only be seen in verbose mode (ex: -v). Normally, you would collect it into a variable using the register option.

A few useful flags:

  • --ask-pass - connection password (ex: SSH pass).
  • --user REMOTE_USER - connect as this user (ex: SSH user).
  • --become - change to a different user. Defaults to root.
  • --ask-become-pass - ask for privilege escalation password. Ex: what password to use for sudo.

Best practice

Just like with sudo, it's a best practice to only use become when required, instead of turning it on at the playbook or config level.

become_user can be used to perform actions as a different user. For example, you may wish to copy dotfiles for your regular user account, or install pip modules only for a specific user.
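
The following playbook, added here as an example and not part of the original notes, puts the above into practice: the play itself stays unprivileged, one task escalates to root, one escalates to a regular user, and the output of a command is captured with register instead of relying on -v. The package name, the pip module and the account name cmihai are placeholders.

```yaml
# Added example: per-task privilege escalation with register.
# Assumes the connecting user has sudo rights on the target (see the
# sudoers setup below) and that the account "cmihai" exists (placeholder).
- name: Per-task become example
  hosts: localhost
  connection: local
  become: false                  # keep the play unprivileged by default
  tasks:
    - name: Record who we are without escalation
      command: id
      register: unprivileged_id  # captured here, visible without -v
      changed_when: false        # id modifies nothing; keep the play idempotent

    - name: Install a system package as root
      package:
        name: git                # placeholder package
        state: present
      become: true               # become_user defaults to root

    - name: Install a Python module for the regular user only
      pip:
        name: requests           # placeholder module
        extra_args: --user
      become: true
      become_user: cmihai        # placeholder regular account, not root

    - name: Copy a dotfile into the regular user's home
      copy:
        src: files/bashrc        # placeholder source in the play directory
        dest: /home/cmihai/.bashrc
        owner: cmihai
        group: cmihai
        mode: "0644"
      become: true
      become_user: cmihai

    - name: Show the captured result of the unprivileged command
      debug:
        var: unprivileged_id.stdout
```

Compare the debug output with the root uid shown earlier: only the tasks that set become run with elevated privileges, and everything else runs as the connecting user.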

Setting up ansible.cfg

[privilege_escalation]
become                  = false
become_method           = sudo
become_user             = root
become_ask_pass         = false

While you can set up privilege escalation in an ansible.cfg file in the play directory, it's best to require become on a per-task basis instead.

Creating a devops user

It's a common practice to create a devops or ansible user.

useradd devops
passwd devops

Setting up passwordless sudoers

sudo visudo -f /etc/sudoers.d/devops
%devops  ALL=(ALL)       NOPASSWD: ALL

Copy your SSH key

ssh-copy-id devops@myhost

Last update: 2020-01-19