Ansible

The Ansible Become Directive to Run Commands as Specified User

Using Ansible, you can perform various operations on remote machines using raw commands or Ansible playbooks. By default, an Ansible playbook is executed on the remote host as the same user on the Ansible controller. That means that if you need to run a command as another user on the remote machine, you will need to specify it explicitly in your Ansible playbook.

To implement the functionality of running commands as another user, you will need to use the sudo feature that is available in Linux systems. The Ansible become directive allows you to run commands as the specified user.

The user’s information is specified in an Ansible playbook using the become variables, such as become_pass, to specify the password of the user become_user, as well as which user can run the command.

How to Run Ansible Tasks as Root

To run a specific command as the root user in Ansible, you can implement the become directive and set the value to ‘true.’ Doing this tells Ansible to implement sudo with no arguments when running the command.

For example, consider an Ansible playbook that updates the MySQL-server package and then restarts it. In normal Linux operations, you would need to log in as the root user to perform such tasks. In Ansible, you can simply call the become: yes directive, as shown below:

- hosts: all  

  become: yes  

  tasks:      

    - name: Ansible run as root and update sys      

        yum:

           name: mysql-server        

           state: latest    

    - name:      

        service.service:
          name: mysqld        

           state: restarted

In the above playbook, we used the become directive and did not specify the become_user user, since any commands under the become directive are run as root by default.

This is similar to specifying it as:

- hosts: all  

  become: yes  

  become_user: root  

  tasks:      

    - name: Ansible run as root and update sys      

        yum:
         name: mysql-server

          state: latest

    - name:service.service:

         name: mysqld        

         state: restarted

How to Run Ansible Tasks as Sudo

To run an Ansible task as a specific user, rather than the normal root user, you can use the become_user directive and pass the user’s username to execute the task. This is quite like using the sudo -u command in Unix.

To implement the become_user directive, you must activate the become directive first, as the become_user is unusable without this directive activated.

Consider the following playbook, in which the command is run as the nobody user.

- name: Run a command as another user(nobody)
command: ps aux

become: true

become_method: su

become_user: nobody

become_flags: '-s /bin/bash'

In the above playbook snippet, we implemented the become, become_user, and other become directives.

  1. become_method: This sets the privilege escalation method, such as su or sudo.
  2. become_user directive: This specifies the user to run the command as; this does not imply become: yes.
  3. become_flags: This sets the flags to be used for the specified task.

You can now run the above playbook with the ansible-playbook filename.yml and see the result for yourself. For tasks with an output, you may need to implement the debug module.

How to Run Ansible become with Password

To run a become directive that requires a password, you can tell Ansible to ask for a password when invoking the specified playbook.

For example, to run a playbook with a password, enter the command below:

ansible-playbook become_pass.yml --ask-become-pass

You can also specify the -K flag, which performs similar operations to the above command. For example:

ansible-playbook become_pass.yml -K

Once specified, you will be prompted for a password when the tasks are executing.

NOTE: You can also use the become directive in Ansible AD HOC raw commands using the -b flag. To learn more, check out the documentation provided below:

https://linkfy.to/becomeDocumentation

Conclusion

After reading this article, you should now know how to use the Ansible BECOME directive to perform privileges escalation for various tasks.

For security reasons, it is better to implement restrictions for various accounts and explicitly specify when they are used. So, privileges escalation is an important aspect of using of sudo and su in Ansible.

About the author

John Otieno

John Otieno

My name is John and am a fellow geek like you. I am passionate about all things computers from Hardware, Operating systems to Programming. My dream is to share my knowledge with the world and help out fellow geeks. Follow my content by subscribing to LinuxHint mailing list