At TBits.net, we have decided to use Ansible for setting up our servers.
The most documented way of installing something on a machine via Ansible is using sudo: you create a normal user (e.g. called deploy) that you can use to log in to the machine over SSH, and if that user has sudo permissions (e.g. is part of the group wheel on CentOS), you can install software with root privileges.
The call is quite easy:
ansible-playbook myplaybook.yaml --user=deploy --ask-become-pass
Now we wanted to limit access only to users who have the actual password for root.
Finally, this worked on the command line:
ansible-playbook myplaybook.yaml --user=deploy --become --become-method=su --ask-become-pass
Now, I wanted to specify these parameters in my ansible.cfg file. It took me a while to find out how to do this. I found https://github.com/ansible/ansible/blob/devel/lib/ansible/config/base.yml which was helpful.
    [defaults]
    remote_user=deploy

    [privilege_escalation]
    become = true
    become_method = su
    become_ask_pass = true
Two pitfalls that are solved by this:
- You need to specify the become settings in section [privilege_escalation], not just in [defaults].
- The command line parameter --ask-become-pass is called become_ask_pass in the config file.
This works with Ansible 2.3.2 on CentOS 7.4.
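The two pitfalls above can be checked mechanically before a playbook run. The following is an added example, not code from the original post or from the Ansible project: it parses an ansible.cfg with Python's configparser and flags become settings placed outside [privilege_escalation] as well as the flag-style name ask_become_pass. The function name and the broken sample file are assumptions constructed for illustration.

```python
import configparser

# Key names taken from the ansible.cfg shown on this page.
BECOME_KEYS = {"become", "become_method", "become_ask_pass"}
# Flag-style spelling (derived from --ask-become-pass) mapped to the config key.
CLI_SPELLINGS = {"ask_become_pass": "become_ask_pass"}

# Constructed sample that contains both pitfalls.
BROKEN_CFG = """
[defaults]
remote_user = deploy
become = true
become_method = su
ask_become_pass = true
"""

# The working configuration from the post.
PAGE_CFG = """
[defaults]
remote_user = deploy

[privilege_escalation]
become = true
become_method = su
become_ask_pass = true
"""


def lint_ansible_cfg(text):
    """Return (section, key, advice) tuples for misplaced or misnamed become settings."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        for key in parser[section]:
            if key in CLI_SPELLINGS:
                # Pitfall 2: the command line name was copied into the file.
                findings.append((section, key, "rename to " + CLI_SPELLINGS[key]))
            elif key in BECOME_KEYS and section != "privilege_escalation":
                # Pitfall 1: a become setting sits in the wrong section.
                findings.append((section, key, "move to [privilege_escalation]"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CFG), ("page", PAGE_CFG)):
        print(name, lint_ansible_cfg(cfg) or "ok")
```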