
Ansible - Sudo sometimes

Published: 21-12-2013 | Author: Remy van Elst


This Ansible tutorial shows you how to run some actions via sudo and some not. It also shows you how to run an entire role via sudo or not.

If you like this article, consider sponsoring me by trying out a Digital Ocean VPS. With this link you'll get $100 credit for 60 days. (referral link)

Ansible has the option to run playbooks via sudo. You can set up passwordless sudo, but you can also execute a playbook with the extra --ask-sudo-pass / -K option so that Ansible asks you for the sudo password. However, you can also have very specific control over how and when sudo is used in a playbook: per role, and per task within a role.

I have a playbook with a few roles which I use to bootstrap a new Debian server. It installs software, sets up ssh, sets up sudo and places a few config files. It is organized in roles; the main playbook looks like this:

    ---
    - hosts: new-servers
      user: username
      connection: ssh # or paramiko
      roles:
        - { role: basic-debian-setup, sudo: yes }
        - { role: git-setup }
        - { role: vim }
        - { role: bash }
        - { role: screen }
        - { role: openssh, sudo: yes }
        - { role: sudo, sudo: yes }
        - { role: postfix, sudo: yes }
        - { role: vnstat, sudo: yes }

As you can see, I have a few playbooks run with sudo on, and a few with sudo off. The git-setup, vim, screen and bash playbooks all do basically the same thing: they install software and place a configuration file. However, if the entire playbook is run as root, the configuration files placed would be owned by root. If the playbook is not run via sudo, the software cannot be installed. So neither "all sudo" nor "no sudo" is right for these roles; the privilege has to be chosen per task.

Note that in the first case Ansible also supports setting permissions on files it places. This however is not the case when configuration files are cloned from a git repository: the git module does not support setting permissions, and I don't like recursive chmods.

Here is the vim playbook:

    - name: install packages vim and git
      apt:
        pkg: "{{ item }}"
        state: present
        update_cache: yes
      with_items:
        - vim-tiny
        - git
      sudo: yes

    - name: clone git repository
      git:
        repo:  # repository URL left out in the original article
        dest: /home/{{ user }}/conf
        version: master
      sudo: no

    - name: create symlink for vim config
      file:
        path: /home/{{ user }}/.vimrc
        src: /home/{{ user }}/conf/vimrc
        state: link
        owner: "{{ user }}"
      sudo: no

This playbook makes sure both vim and git are installed. It uses sudo for that action. It then clones the git repository with my personal dotfiles, without using sudo. If this action would use sudo, the git repository in my home folder would be owned by root and I could not update it later on without using sudo. The last action symlinks the .vimrc file from the repo to the correct location. If that would be done with sudo I could not remove the file without root access.

If you define a role with sudo, like the postfix role in the above example, the whole role runs elevated by default, but you can still use the sudo: no option on individual tasks in that role to make sure one or more actions are not executed with sudo. A task-level sudo setting always wins over the role-level one.
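The resolution rule described above (task-level sudo wins, otherwise the role's setting applies, otherwise the play's) is easy to get wrong when a role is declared with sudo: yes and one task that writes into a home directory forgets its sudo: no. The following is an added example, not code from the original article or from Ansible itself: it takes a play and its role task lists in the form PyYAML would produce for the YAML above (embedded here as Python literals so it runs without any dependencies), computes the effective privilege of every task, and flags tasks that create files under /home while elevated, which is exactly the root-ownership problem the article describes. The postfix task "place mail alias in home" is a constructed mistake added to show the check firing; the module and argument names (apt, git, file, copy, dest, path) are real Ansible ones.

```python
# Effective-privilege audit for per-task sudo in an Ansible play.
# Added example: the data below mirrors the article's playbook and vim role;
# the postfix "place mail alias in home" task is a constructed mistake.

# Modules that create files, and the argument that names the target path.
FILE_MODULES = {"git", "file", "copy", "template", "lineinfile"}
PATH_KEYS = ("dest", "path")

# Play as it would be parsed from the YAML (YAML `yes`/`no` become True/False).
PLAY = {
    "hosts": "new-servers",
    "user": "username",
    "roles": [
        {"role": "basic-debian-setup", "sudo": True},
        {"role": "vim"},
        {"role": "postfix", "sudo": True},
    ],
}

# Task lists per role, as parsed from roles/<name>/tasks/main.yml.
ROLES = {
    "basic-debian-setup": [
        {"name": "upgrade packages", "apt": {"upgrade": "dist"}},
    ],
    "vim": [
        {"name": "install packages vim and git",
         "apt": {"pkg": "{{ item }}", "state": "present"},
         "with_items": ["vim-tiny", "git"], "sudo": True},
        {"name": "clone git repository",
         "git": {"dest": "/home/{{ user }}/conf", "version": "master"},
         "sudo": False},
        {"name": "create symlink for vim config",
         "file": {"path": "/home/{{ user }}/.vimrc", "state": "link",
                  "owner": "{{ user }}"}, "sudo": False},
    ],
    "postfix": [
        {"name": "install postfix", "apt": {"pkg": "postfix", "state": "present"}},
        # Constructed mistake: no task-level sudo, so it inherits the role's
        # sudo: yes and the file in the user's home ends up owned by root.
        {"name": "place mail alias in home",
         "copy": {"dest": "/home/{{ user }}/.forward", "content": "user@example.invalid"}},
    ],
}


def _target_path(task):
    """Return the path a file-creating task writes to, or None."""
    for module in FILE_MODULES & set(task):
        args = task[module]
        if isinstance(args, dict):
            for key in PATH_KEYS:
                if key in args:
                    return args[key]
    return None


def _is_home_path(path):
    return path is not None and (path.startswith("/home/") or path.startswith("~"))


def audit(play, roles):
    """Resolve the effective sudo setting of each task and flag home-dir writes
    done while elevated. Precedence: task > role > play (play default: no)."""
    rows = []
    play_sudo = bool(play.get("sudo", False))
    for entry in play.get("roles", []):
        # A role entry is either a bare name or {role: name, sudo: ...}.
        if isinstance(entry, str):
            name, role_sudo = entry, None
        else:
            name, role_sudo = entry["role"], entry.get("sudo")
        for task in roles.get(name, []):
            if "sudo" in task:                 # explicit task-level setting wins
                sudo = bool(task["sudo"])
            elif role_sudo is not None:        # then the role-level setting
                sudo = bool(role_sudo)
            else:                              # then the play's default
                sudo = play_sudo
            path = _target_path(task)
            rows.append({
                "role": name,
                "task": task["name"],
                "sudo": sudo,
                "home_path": path if _is_home_path(path) else None,
                "risk": sudo and _is_home_path(path),
            })
    return rows


def risks(play, roles):
    """Only the tasks that would leave root-owned files in a home directory."""
    return [r for r in audit(play, roles) if r["risk"]]


if __name__ == "__main__":
    for r in audit(PLAY, ROLES):
        flag = "  <-- root-owned file in home dir" if r["risk"] else ""
        print("%-20s %-32s sudo=%-5s%s" % (r["role"], r["task"], r["sudo"], flag))
```

Run on the data above, the report shows every vim task with the privilege the article intends and singles out the constructed postfix task as the only one that would leave a root-owned file in the user's home. Because the resolution logic lives in audit(), the same function can be pointed at real playbooks by replacing the literals with yaml.safe_load() output.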

Ansible documentation regarding sudo

Tags: ansible, apt, configuration-management, deployment, devops, packages, python, su, sudo, tutorials, yum