Ansible sudo - ansible become example

Updated on:

Ansible Sudo or Ansible become Introduction

Ansible Sudo or become is a method to run a particular task in a playbook with Special Privileges like root user or some other user.

In the earlier versions of ansible there is an option named as sudo which is deprecated now, Since ansible 2.0 there are two new options named as become and become_user

Let's suppose you want to run a task on the remote server to install some packages using yum. It's very obvious that you should become root user as Non-Root user cannot install packages, in this case, you can use ansible sudo. To be precise ansible become method

Now, Let's discuss another requirement where you have to start a WebSphere application server instance on the remote machine which runs as wsadmin user. In this case, you might want to restart the instance as wsadmin only for which you can execute your ansible task with become-user method

become and become_user both have to be used in a playbook in certain cases where you want your remote user to be non-root.it is more like doing sudo -u someuser before running a task.

When you are not defining the become_user and just use become. Ansible will perform the basic sudo and it will execute the corresponding task as root user

The following diagram can help you understand this better.

Ansible Sudo

Run a Task with sudo - Ansible become

sudo is to execute a task as a root user, in other words, we call it as privileged execution. If you want to execute a certain task as the root user using ansible just become is sufficient

Consider the following playbook where I want to install and restart the apache httpd server and I have used only the become method cause I know the default become_user is root and it does not have to be mentioned

---
  - name: Playbook
    hosts: webservers
    become: yes
    tasks:
      - name: ensure apache is at the latest version
        yum:
          name: httpd
          state: latest
      - name: ensure apache is running
        service:
          name: httpd
          state: started

The preceding playbook is to install the apache web server and the host group named webservers and start it.

You can see that we have used only become here and have not mentioned become_user.

When become is set to yes and become_user is not mentioned the task would by default be run as root user

 

ansible become_user

Run a Task with sudo -u  | Ansible become_user in Playbook

Ansible become_user is to run a particular task as a specific user in general Unix command it can be done with sudo -u <theusername>

to use become_user you should also set the become to yes.  become_user cannot be used without become

Consider the following example where I am trying to start a Weblogic Server Instance as weblogic user

Note*: the following playbook snippet is not complete. It would not work if you run it in your local. Refer to the complete playbook here

- name: Start the AdminServer
  tags: startadminserver
  become: yes
  become_user: weblogic
  shell: "./startWebLogic.sh > adminserver.log &"
  args:
    chdir: "{{oracle_home}}/domains/{{domain_name}}/bin/"
  register: startadminserver
  run_once: yes
  when: ansible_hostname == "{{ groups['app'][0] }}" and amprevalidate is failed
  environment:
          USER_MEM_ARGS: "-Djava.security.egd=file:/dev/./urandom"

You can see that we have to use become and become_user together and starting the weblogic application server.

You can now execute the playbook in a usual way

ansible-playbook playbook.yml

Sometimes, we might need a password to perform sudo (or) become. in such cases, we have to provide that password to Ansible prior while invoking the playbook

 

Ansible become with password

Consider the same playbook given below for this the only difference we are going to do is passing the password as a parameter while invoking the playbook

How to pass the password as a parameter.   ansible-playbook gives you to two options or parameters to pass while you are invoking the playbook

-K (or) --ask-become-pass

Now all we have to do is starting the playbook with this option

ansible-playbook playbook.yml -K

(or)

ansible-playbook playbook.yml – ask-become-pass

this would prompt a password as you are running the command.

 

Ansible become in Ansible AD HOC commands

Now let us see how to use ansible become and become_user in an Ansible AD HOC commands.

In this example, we are going to access one of the privileged configuration files on the Linux server. We are going to check if the user exists by searching the /etc/passwd file. This file CAN ONLY be accessed by root or users with special privileges

 

Using Ansible SUDO module ( deprecated and will be removed in Ansible 2.6 )

$ ansible multi -m shell -a "cat /etc/passwd|grep -i vagrant" -s – ask-sudo-pass
[DEPRECATION WARNING]: The sudo command line option has been deprecated in favor of the "become" command line arguments. This feature will be removed in version 2.6.
 Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
SUDO password:
mwivmapp02 | SUCCESS | rc=0 >>
vagrant:x:1000:1000:vagrant:/home/vagrant:/bin/bash

mwivmapp01 | SUCCESS | rc=0 >>
vagrant:x:1000:1000:vagrant:/home/vagrant:/bin/bash

mwisqldb01 | SUCCESS | rc=0 >>
vagrant:x:1000:1000:vagrant:/home/vagrant:/bin/bash

mwiweb02 | SUCCESS | rc=0 >>
vagrant:x:1000:1000:vagrant:/home/vagrant:/bin/bash

 

 

Using Ansible become module

$ ansible multi -m shell -a "cat /etc/passwd|grep -i vagrant" -b -K
[DEPRECATION WARNING]: The sudo command line option has been deprecated in favor of the "become" command line arguments. This feature will be removed in version 2.6.
 Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
SUDO password:
mwivmapp02 | SUCCESS | rc=0 >>
vagrant:x:1000:1000:vagrant:/home/vagrant:/bin/bash

mwivmapp01 | SUCCESS | rc=0 >>
vagrant:x:1000:1000:vagrant:/home/vagrant:/bin/bash

mwisqldb01 | SUCCESS | rc=0 >>
vagrant:x:1000:1000:vagrant:/home/vagrant:/bin/bash

mwiweb02 | SUCCESS | rc=0 >>
vagrant:x:1000:1000:vagrant:/home/vagrant:/bin/bash

here

-b is the option for become and by default it will become root user

is to tell ansible to ask for SUDO password

 

Ansible become_user (sudo su) in Ansible AD HOC commands

 

In this example, we are going to create a new file inside a directory /opt/oracle which is owned by weblogic user

In the following ad-hoc command snapshot you can see we have given the username we want to switch to  using --become-user=weblogic option

$ ansible app -m file -a "path=/opt/oracle/binaries state=directory mode=0755" \
-i ansible_hosts -b --become-user=weblogic

mwivmapp01 | SUCCESS => {
    "changed": true,
    "gid": 1001,
    "group": "weblogic",
    "mode": "0755",
    "owner": "weblogic",
    "path": "/opt/oracle/binaries",
    "secontext": "unconfined_u:object_r:usr_t:s0",
    "size": 6,
    "state": "directory",
    "uid": 1001
}
mwivmapp02 | SUCCESS => {
    "changed": true,
    "gid": 1001,
    "group": "weblogic",
    "mode": "0755",
    "owner": "weblogic",
    "path": "/opt/oracle/binaries",
    "secontext": "unconfined_u:object_r:usr_t:s0",
    "size": 6,
    "state": "directory",
    "uid": 1001
}

I think I have covered the various examples of Ansible become and ansible become_user module.

Hope this helps

 

Cheers
Sarav AK

Follow me on Linkedin My Profile
Follow DevopsJunction onFacebook orTwitter
For more practical videos and tutorials. Subscribe to our channel

Buy Me a Coffee at ko-fi.com

Signup for Exclusive "Subscriber-only" Content

 

More from Middleware Inventory

  • Ansible Role to install and build weblogic 12c with Clustering

    The Objective We are going to create an Ansible role (or) playbook to quickly build a distributed, multi-node, Fully featured Weblogic Domain with two managed servers and a horizontal cluster and machines In a single line, Ansible role to build, Weblogic Infrastructure with Managed Server, Admin Server and a Cluster on…

  • How to Run Ansible Playbook Locally | Devops Junction

    In this post, we are going to see how to run the playbook locally on our Localhost on the control machine. How to run Ansible Playbook locally is one of the questions I used to have before I learnt it. Let me tell you how to Run Ansible Playbook Locally…

  • Ansible Dry run
    Ansible Dry Run - How to Run Playbook in Ansible Check mode

    Ansible Dry Run or Ansible Check mode feature is to validate your playbook before execution With the Ansible Dry Run feature, you can execute the playbook without having to actually make changes on the server.  this enables us to see what changes are going to be made when the playbook…

  • Ansible Playbook Examples
    Ansible Playbook Examples - Sample Ansible Playbooks | Devops Junction

    In this post, we are going to see examples of Ansible playbook and various different modules and playbook examples with various modules and multiple hosts. We will start with a basic Ansible playbook and learn what is task and play and what is playbook etc. What is Ansible Playbook It…

  • Ansible get ip address of current host or target

    How to get the IP address of the current or remote host in Ansible. That's the question, this article is going to address. While running a Playbook you might have had a requirement where you need to get the IP address of the connected and current remote host.  There are…