At TBits.net, we have decided to use Ansible for setting up our servers.
The most documented way of installing something on a machine via Ansible is using sudo: you create a normal user (e.g. called deploy) that you can use to log in to the machine over SSH, and if that user has sudo permissions (e.g. is part of the group wheel in CentOS), then you can install software with root privileges.
The call is quite easy:
```
ansible-playbook myplaybook.yaml --user=deploy --ask-become-pass
```
Now we wanted to limit access only to users who have the actual password for root.
Finally, this worked on the command line:
```
ansible-playbook myplaybook.yaml --user=deploy --become --become-method=su --ask-become-pass
```
Now, I wanted to specify these parameters in my ansible.cfg file. It took me a while to find out how to do this. I found https://github.com/ansible/ansible/blob/devel/lib/ansible/config/base.yml which was helpful.

```
[defaults]
remote_user=deploy

[privilege_escalation]
become = true
become_method = su
become_ask_pass = true
```
Two pitfalls that are solved by this:
- You need to specify the become settings in section `privilege_escalation`, not just in `defaults`.
- The command line parameter `ask-become-pass` becomes `become_ask_pass` in the config file.
This works with Ansible 2.3.2 on CentOS 7.4.
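
To catch the two pitfalls above before a run, here is a small check for an ansible.cfg. It is an added example, not part of the original post or of Ansible itself; the function name, the list of checked keys and the broken sample config are assumptions made for illustration.

```python
import configparser

# Become-related keys that ansible.cfg expects in [privilege_escalation].
BECOME_KEYS = {"become", "become_method", "become_user", "become_ask_pass"}
# Command-line spellings that are easy to copy into the file by mistake.
CLI_SPELLINGS = {"ask_become_pass": "become_ask_pass",
                 "ask-become-pass": "become_ask_pass"}

# The configuration from this post.
PAGE_CFG = """
[defaults]
remote_user=deploy

[privilege_escalation]
become = true
become_method = su
become_ask_pass = true
"""

# Constructed sample showing both pitfalls at once.
BROKEN_CFG = """
[defaults]
remote_user = deploy
become = true
become_method = su
ask_become_pass = true
"""


def lint_become_settings(cfg_text):
    """Return one finding per misplaced or misnamed become setting."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    findings = []
    for section in parser.sections():
        for key in parser[section]:
            if key in CLI_SPELLINGS:
                # Pitfall 2: CLI flag name used instead of the config key.
                findings.append(f"[{section}] {key}: use {CLI_SPELLINGS[key]}")
            elif key in BECOME_KEYS and section != "privilege_escalation":
                # Pitfall 1: become setting placed outside its section.
                findings.append(f"[{section}] {key}: move to [privilege_escalation]")
    return findings


if __name__ == "__main__":
    for name, text in (("page config", PAGE_CFG), ("broken config", BROKEN_CFG)):
        print(name, "->", lint_become_settings(text) or "ok")
```

A setting flagged here would otherwise be silently ignored, so the playbook would run without the intended su escalation or password prompt.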