Ansible with su instead of sudo   October 13th, 2017

At TBits.net, we have decided to use Ansible for setting up our servers.

The most documented way of installing something on a machine via Ansible is using sudo: you create a normal user (e.g. called deploy) that you can use to log in to the machine via SSH, and if that user has sudo permissions (e.g. is part of the group wheel on CentOS), then you can install software with root privileges.

The call is quite easy:

ansible-playbook myplaybook.yaml --user=deploy --ask-become-pass

Now we wanted to limit access only to users who have the actual password for root.

Finally, this worked on the command line:

ansible-playbook myplaybook.yaml --user=deploy --become --become-method=su --ask-become-pass

Now, I wanted to specify these parameters in my ansible.cfg file. It took me a while to find out how to do this. I found https://github.com/ansible/ansible/blob/devel/lib/ansible/config/base.yml which was helpful.

[defaults]
remote_user=deploy
 
[privilege_escalation]
become = true
become_method = su
become_ask_pass = true

Two pitfalls that are solved by this:

  • You need to specify the become settings in section privilege_escalation, not just in defaults.
  • The command line parameter --ask-become-pass becomes become_ask_pass in the config file.
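Both pitfalls fail quietly, so it helps to check an ansible.cfg for them before relying on it. The following Python check is an added example, not part of the original post: the function name lint_ansible_cfg and the GOOD/BAD sample configs are made up for illustration, and the final su-without-prompt check goes beyond the two pitfalls listed above.

```python
import configparser

# Keys Ansible reads from [privilege_escalation] (the ones this page uses, plus become_user).
BECOME_KEYS = {"become", "become_method", "become_user", "become_ask_pass"}
# Command-line spellings that are not valid config keys.
CLI_SPELLINGS = {"ask_become_pass": "become_ask_pass",
                 "ask-become-pass": "become_ask_pass"}

# Constructed sample inputs: GOOD is the config from the post, BAD shows both pitfalls.
GOOD = """
[defaults]
remote_user=deploy

[privilege_escalation]
become = true
become_method = su
become_ask_pass = true
"""
BAD = """
[defaults]
remote_user = deploy
become = true
become_method = su
ask_become_pass = true
"""


def lint_ansible_cfg(text):
    """Return findings for misplaced or misnamed become settings."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        for key in cfg[section]:
            if key in CLI_SPELLINGS:
                findings.append(f"[{section}] {key}: config key is {CLI_SPELLINGS[key]}")
            elif key in BECOME_KEYS and section != "privilege_escalation":
                findings.append(f"[{section}] {key}: move to [privilege_escalation]")
    # Extra check (assumption of this example): su needs root's password,
    # so a config that selects su should also turn on the prompt.
    method = cfg.get("privilege_escalation", "become_method", fallback=None)
    ask = cfg.getboolean("privilege_escalation", "become_ask_pass", fallback=False)
    if method == "su" and not ask:
        findings.append("become_method = su without become_ask_pass = true")
    return findings


if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_ansible_cfg(sample) or "ok")
```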

This works with Ansible 2.3.2 on CentOS 7.4.

This entry was posted on Friday, October 13th, 2017 at 4:32 pm and is filed under Hosting, Software Development.