Ansible with su instead of sudo – Homepage of Timotheus Pokorra

At TBits.net, we have decided to use Ansible for setting up our servers.

The most documented way of installing something on a machine via Ansible is using sudo: you create a normal user (eg. called deploy), that you can use with SSH to login to the machine, and if that user has sudo permissions (eg. part of the group wheel in CentOS), then you can install software with root privileges.

The call is quite easy:

ansible-playbook myplaybook.yaml --user=deploy --ask-become-pass

Now we wanted to limit access only to users who have the actual password for root.

Finally, this worked on the command line:

ansible-playbook myplaybook.yaml --user=deploy --become --become-method=su --ask-become-pass

Now, I wanted to specify these parameters in my ansible.cfg file. It took me a while to find out how to do this. I found https://github.com/ansible/ansible/blob/devel/lib/ansible/config/base.yml which was helpful.

[defaults]
remote_user=deploy
 
[privilege_escalation]
become = true
become_method = su
become_ask_pass = true

Two pitfalls that are solved by this:

You need to specify the become settings in section privilege_escalation, not just in defaults.
The command line parameter ask-become-pass becomes become_ask_pass in the config file.

This works with Ansible 2.3.2 on CentOS 7.4.

Ansible with su instead of sudo

Tagged on: Ansible Tbits.net