Sunday, May 28, 2017

Ansible : Privilege escalation (become)

Ansible uses the become, become_user, and become_method directives to achieve privilege escalation. You can apply them to an entire play or playbook, set them in an included playbook, or set them for a particular task.
- name: checkout repo
  git: repo=https://github.com/some/repo.git version=master dest={{ dst }}
  become: yes
  become_user: some_user
You can use become_method to specify how the privilege escalation is achieved, the default being sudo.
More Examples:
- name: Ensure the httpd service is running
  service:
    name: httpd
    state: started
  become: yes
To run a command as the apache user:
- name: Run a command as the apache user
  command: somecommand
  become: yes
  become_user: apache
To do something as the nobody user when the shell is nologin:
- name: Run a command as nobody
  command: somecommand
  become: yes
  become_method: su
  become_user: nobody
  become_flags: '-s /bin/sh'
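
The scoping described at the top of the post (directives set on a whole play versus on a single task), as an added example that is not from the original post. The host group web, the value of dst, and the uptime task are assumptions made for illustration.

```yaml
# Added example: play-level become with task-level overrides.
# "web", the dst path and the uptime task are assumed values.
- name: Configure web servers
  hosts: web
  become: yes              # play-level default: every task escalates
  become_method: sudo      # the default method, stated explicitly
  vars:
    dst: /srv/app          # assumed checkout directory

  tasks:
    - name: Ensure the httpd service is running
      service:
        name: httpd
        state: started
      # No become keys here: inherits become: yes from the play.
      # With no become_user set, the task runs as root.

    - name: Check out the repo as an unprivileged user
      git:
        repo: https://github.com/some/repo.git
        version: master
        dest: "{{ dst }}"
      become_user: some_user   # still escalates, but to some_user, not root

    - name: Read uptime without any escalation
      command: uptime
      become: no               # task-level override: run as the connection user
      changed_when: false      # read-only command, never reports a change
```

Setting become once on the play and narrowing it per task keeps root limited to the tasks that need it, such as the service task here.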
