Just like regular commands you execute on a terminal, some tasks require special permissions for Ansible to successfully execute on your remote node.

It is important to understand how privilege escalation works in Ansible so that you can run your tasks with the appropriate permissions. By default, tasks run as the connecting user, which could be root or any regular user with SSH access to the remote nodes listed in the inventory file.

To run commands with extended permissions, such as commands that require sudo, you need to include a become directive set to yes in your play. This can be done either as a global setting that applies to all tasks in the play, or as an individual instruction applied per task. Depending on how your sudo user is set up on the remote nodes, you may also need to provide the user's sudo password. The following example updates the apt cache, a task that requires root permissions.

Create a new file named playbook-07.yml in your ansible-practice directory.

nano ~/ansible-practice/playbook-07.yml

Then add the following lines to the new playbook file.

~/ansible-practice/playbook-07.yml

---
- hosts: all
  become: yes
  tasks:
    - name: Update apt cache
      apt:
        update_cache: yes

When finished, save and close the file.

To run the playbook, you need to add the -K option to the ansible-playbook command. This will cause Ansible to prompt you for the sudo password of the specified user.

ansible-playbook -i inventory playbook-07.yml -u sammy -K

You can also change which user you switch to while executing a task or play. To do this, set the become_user directive to the name of the remote user you want to switch to. This is useful when a playbook has several tasks that depend on sudo, but also some tasks that should run as your regular user.

The following example defines that all tasks in this play will be executed with sudo by default. This is set at the play level, right after the hosts definition. The first task creates a file in /tmp with root permissions, because root is the default become_user value. The last task, however, defines its own become_user.

Create a new file named playbook-08.yml in your ansible-practice directory.

nano ~/ansible-practice/playbook-08.yml

Add the following to the new playbook file.

~/ansible-practice/playbook-08.yml

---
- hosts: all
  become: yes
  vars:
    user: "{{ ansible_env.USER }}"
  tasks:
    - name: Create root file
      file:
        path: /tmp/my_file_root
        state: touch

    - name: Create user file
      become_user: "{{ user }}"
      file:
        path: /tmp/my_file_{{ user }}
        state: touch


When finished, save and close the file.

The ansible_env.USER fact contains the username of the connecting user. You can define this username when running the ansible-playbook command by using the -u option. In this guide, we connect as sammy.

ansible-playbook -i inventory playbook-08.yml -u sammy -K
Output
BECOME password:

PLAY [all] **********************************************************************************************

TASK [Gathering Facts] **********************************************************************************
ok: [203.0.113.10]

TASK [Create root file] *********************************************************************************
changed: [203.0.113.10]

TASK [Create user file] *********************************************************************************
changed: [203.0.113.10]

PLAY RECAP **********************************************************************************************
203.0.113.10 : ok=3 changed=2 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

When the playbook has finished running, you can log in to the remote node to verify that two new files were created in /tmp, each with different ownership information.

ssh [email protected]
ls -la /tmp/my_file*

Output
-rw-r--r-- 1 root  root 0 Apr 14 13:19 /tmp/my_file_root
-rw-r--r-- 1 sammy sudo 0 Apr 14 12:07 /tmp/my_file_sammy
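
The per-task form of become mentioned earlier, as an added example that is not part of the original guide: only the task that needs root escalates, and the final assert task checks which account each command actually ran as. The task names and registered variable names (plain_id, root_id) are made up for this illustration.

```yaml
---
# Added example, not from the original guide: escalate per task instead of per play.
- hosts: all
  become: no                       # play default: tasks run as the connecting user
  tasks:
    - name: Update apt cache       # needs root, so only this task escalates
      become: yes                  # become_user defaults to root
      apt:
        update_cache: yes

    - name: Report the account used without become
      command: id -un
      register: plain_id           # illustrative variable name
      changed_when: false          # read-only check, never report "changed"

    - name: Report the account used with become
      become: yes
      command: id -un
      register: root_id            # illustrative variable name
      changed_when: false

    - name: Fail the play if privileges are not scoped as intended
      assert:
        that:
          - plain_id.stdout == ansible_env.USER   # connecting user, e.g. sammy
          - root_id.stdout == 'root'
```

Run it the same way as the playbooks above, with -u sammy -K, since the two escalated tasks still need the sudo password.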

For more information on privilege escalation in Ansible, refer to the official documentation.