Mastering Ansible’s “Become” Feature: A Comprehensive Guide
Mastering Privilege Escalation in Ansible: Empowering Secure Automation with the “Become” Feature
Ansible, a cornerstone of modern automation, empowers system administrators with the tools to execute tasks efficiently across distributed environments. One of its notable features is “become,” which facilitates privilege escalation for specific tasks or playbooks. In this article, we’ll explore the various ways to use “become” effectively while adhering to best practices and security considerations.
Understanding Ansible’s “Become”
Privilege escalation allows executing commands or tasks with higher permissions, usually involving switching to a different user, most commonly the superuser (root). Ansible’s “become” feature serves as a pivotal mechanism for handling such elevated operations, enhancing the flexibility and security of automation.
The Best Resources For Ansible
- Udemy: Learn Ansible Automation in 250+examples & practical lessons: Learn Ansible with some real-life examples of how to use the most common modules and Ansible Playbook
- Ansible by Examples: 200+ Automation Examples For Linux and Windows System Administrator and DevOps
- Ansible For Windows By Examples: 50+ Automation Examples For Windows System Administrator And DevOps
- Ansible For Linux by Examples: 100+ Automation Examples For Linux System Administrator and DevOps
- Ansible Linux Filesystem By Examples: 40+ Automation Examples on Linux File and Directory Operation for Modern IT Infrastructure
- Ansible For Containers and Kubernetes By Examples: 20+ Automation Examples To Automate Containers, Kubernetes and OpenShift
- Ansible For Security by Examples: 100+ Automation Examples to Automate Security and Verify Compliance for IT Modern Infrastructure
- Ansible Tips and Tricks: 10+ Ansible Examples to Save Time and Automate More Tasks
- Ansible Linux Users & Groups By Examples: 20+ Automation Examples on Linux Users and Groups Operation for Modern IT Infrastructure
- Ansible For PostgreSQL by Examples: 10+ Examples To Automate Your PostgreSQL database
- Ansible For Amazon Web Services AWS By Examples: 10+ Examples To Automate Your AWS Modern Infrastructure
- Ansible Automation Platform By Example: A step-by-step guide for the most common user scenarios
Using Become Directives
You can control privilege escalation with play or task directives, with connection variables set per host or group in inventory (ansible_become, ansible_become_user, ansible_become_method, ansible_become_password), or with command-line options (--become, --become-user, --become-method, --ask-become-pass). Because several of these can apply to the same host at once, their precedence matters. Ansible’s general rule is that configuration settings are overridden by command-line options, command-line options by play and task keywords, and play and task keywords by variables, so a host variable such as ansible_become_user in inventory takes precedence over a become_user written in the play.
- become: true: Set this at play, block, or task level to turn privilege escalation on for that scope. Every task in the scope runs with escalated privileges unless it sets become: false itself.
- become_user: The user to become for the task. This is the account the task runs as, not the account Ansible logs in with (remote_user or ansible_user). The default is root.
- become_method: Overrides, at play or task level, the default method configured in ansible.cfg (sudo unless changed). Any become plugin can be named here: sudo, su and runas ship with ansible-core, and collections provide others such as doas, pbrun, pfexec and the network enable method.
- become_flags: Extra flags passed to the become method for a task or role. This is useful for adjusting behavior, for example passing -s /bin/sh to su when the target account’s login shell is set to nologin.
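To show how the three levels of directives and the inventory connection variables interact, here is an added example that is not code from the original article. The inventory, host names and the automation, svc_nginx and svc_web accounts are assumptions, as is the sudo rule that lets the automation account become those users.

```yaml
# inventory.yml  (added example; hosts and accounts are assumptions)
all:
  children:
    webservers:
      hosts:
        web1.example.test: {}
        web2.example.test:
          # Variables beat play and task keywords in Ansible's precedence order,
          # so on web2 the become_user set below in the play is replaced by svc_web.
          ansible_become_user: svc_web
      vars:
        ansible_user: automation        # the account Ansible logs in with
        ansible_become_method: sudo     # same as the default, shown for clarity

---
# site.yml  (added example)
- name: Demonstrate become at play, block and task level
  hosts: webservers
  become: true                # play level: every task escalates to root unless it opts out

  tasks:
    - name: Install nginx (runs as root, the default become_user)
      ansible.builtin.package:
        name: nginx
        state: present

    - name: Inspect the connecting user's own authorized_keys, no escalation needed
      ansible.builtin.stat:
        path: ~/.ssh/authorized_keys
      become: false             # task level opt-out overrides the play keyword
      register: keys

    - name: Tasks that should all run as the service account
      become_user: svc_nginx    # block level: applies to every task in the block
      block:
        - name: Write a cache marker owned by the service account
          ansible.builtin.copy:
            content: "warm\n"
            dest: /var/cache/app/warm.flag
            mode: "0640"

        - name: Record which account the block actually ran as
          ansible.builtin.command: id -un
          changed_when: false
          register: whoami

        - name: Prove the precedence rules on each host
          ansible.builtin.assert:
            that:
              # inventory variable wins on web2, the block keyword wins on web1
              - (inventory_hostname == 'web2.example.test' and whoami.stdout == 'svc_web')
                or (inventory_hostname != 'web2.example.test' and whoami.stdout == 'svc_nginx')
```

Running this with --become-user svc_other on the command line would change nothing, because the play and block keywords outrank command-line options, and the host variable on web2 outranks both.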
Putting “Become” into Practice
Let’s explore a few examples of how to use the “become” feature effectively:
- Managing a System Service as a Non-Root User: To manage a system service that requires root privileges while connected as a non-root user, rely on the default value of become_user, which is root:

```yaml
- name: Ensure the httpd service is running
  ansible.builtin.service:
    name: httpd
    state: started
  become: true
```

- Running a Command as a Specific User: To execute a command as a different user, specify that account in become_user:

```yaml
- name: Run a command as the apache user
  ansible.builtin.command: echo "Hello"
  become: true
  become_user: apache
```

- Executing a Command as the “nobody” User: When the target account is “nobody” and its shell is set to nologin, switch to the su method and use become_flags to request a usable shell:

```yaml
- name: Run a command as nobody
  ansible.builtin.command: echo "Hello"
  become: true
  become_method: su
  become_user: nobody
  become_flags: '-s /bin/sh'
```
Securing Privilege Escalation
Security is paramount when using privilege escalation. The sensitive case is becoming an unprivileged user (for example become_user: apache) while the connection user is also unprivileged: Ansible uploads the module code to a temporary directory owned by the connection user, and that file has to be made readable by the become user without exposing it to every other local user. Ansible first tries POSIX ACLs (setfacl, which needs the acl package on most Linux distributions), then chmod +a (macOS ACLs), and then chown when the connection user is root. If none of these work, the task fails rather than silently making the file world-readable. The shell plugin’s world_readable_temp option (allow_world_readable_tmpfiles in older ansible.cfg files) can force the insecure fallback, but while the task runs any local user can then read the module and its arguments, including secrets, so it should stay unset.
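The playbook below is an added example, not code from the article, of the unprivileged-to-unprivileged case described above. It assumes a Debian or RHEL family target, a connection account named automation that can sudo to root and to deploy, and an unprivileged local account deploy that the real work must run as; the host group and paths are also assumptions.

```yaml
# secure_become.yml  (added example; hosts, accounts and paths are assumptions)
- name: Run tasks as an unprivileged user without leaking module code to other users
  hosts: appservers
  become: false                # connect and run as the ordinary automation account

  pre_tasks:
    - name: Ensure setfacl exists so Ansible can grant the become user access to its temp files
      ansible.builtin.package:
        name: acl              # provides setfacl on Debian, Ubuntu, RHEL and Fedora
        state: present
      become: true             # the one place root is needed

  tasks:
    # Connection user (automation) differs from become_user (deploy) and neither is root.
    # Ansible uploads the module to a temp dir owned by automation, then uses setfacl
    # (or chmod +a on macOS) so that only deploy can read it. Without a working ACL
    # tool the task fails instead of making the file world readable.
    - name: Write the application release marker as the deploy user
      ansible.builtin.copy:
        content: "release=2024.06\n"   # constructed content
        dest: /home/deploy/release.txt
        mode: "0640"
      become: true
      become_user: deploy

    - name: Confirm which account owns the file that was written
      ansible.builtin.command: stat -c %U /home/deploy/release.txt
      changed_when: false
      register: owner
      become: true
      become_user: deploy

    - name: Fail loudly if the file is not owned by deploy
      ansible.builtin.assert:
        that: owner.stdout == "deploy"
        fail_msg: "task did not run as deploy; check the sudo rule for automation"

  # Insecure alternative, deliberately NOT set: ansible_shell_allow_world_readable_temp: true
  # (allow_world_readable_tmpfiles in older ansible.cfg). It makes the uploaded module,
  # its arguments and any embedded secrets readable by every local user while it runs.
```

If the pre_task cannot run because the automation account has no route to root at all, install the acl package out of band; the only other way forward is the world-readable fallback, which is exactly what the paragraph warns against.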
Limitations and Considerations
- The connection plugin in use must support privilege escalation; the stock ssh, paramiko and local plugins do.
- Only one become method can be active for a host at a time, and methods cannot be chained. You cannot sudo to one account and then su to another; the connection user must be able to reach become_user directly with the chosen method.
- Privilege escalation permissions must be general. Ansible does not run a fixed command: it copies module code to a temporary file whose name changes on every run and executes that file. A sudoers rule that allow-lists specific commands such as /sbin/service or /bin/chmod will therefore never match, and every become task will be denied.
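Because of the third limitation, the sudo rule granted to the automation account has to be general. The playbook below is an added example, not from the article, that installs such a rule through Ansible and has visudo validate it before it lands. The account name automation and the file name under /etc/sudoers.d are assumptions, and the play itself needs root through some bootstrap credential.

```yaml
# sudoers_for_ansible.yml  (added example; account name and file path are assumptions)
- name: Install a sudoers rule that Ansible's become can actually use
  hosts: all
  become: true               # this play needs root, e.g. via a bootstrap credential

  tasks:
    - name: Drop a general rule for the automation account
      ansible.builtin.copy:
        dest: /etc/sudoers.d/automation
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s   # never install a sudoers file that will not parse
        content: |
          # Command allow-lists like the one below look safe but do not work with
          # Ansible: each module runs from a temp file with a random name, so the
          # command sudo sees is never /sbin/service or /bin/chmod and every
          # become task is denied.
          #   automation ALL=(ALL) NOPASSWD: /sbin/service, /bin/chmod

          # What become needs is a general rule. Prefer one that still asks for a
          # password and supply it with --ask-become-pass or a vaulted
          # ansible_become_password:
          automation ALL=(ALL) ALL

          # Passwordless only where an interactive prompt is impossible
          # (unattended controllers); it turns the automation SSH key into root.
          #   automation ALL=(ALL) NOPASSWD: ALL

    - name: Read back what sudo grants the automation account
      ansible.builtin.command: sudo -l -U automation
      changed_when: false
      register: sudo_list

    - name: Stop if sudo still reports a restricted command list
      ansible.builtin.assert:
        that: "'(ALL) ALL' in sudo_list.stdout"
        fail_msg: "automation does not have a general sudo rule; become will fail"
```

The validate step is the important safety net: a syntax error in a file under /etc/sudoers.d can lock every user out of sudo on that host, and visudo -cf refuses the copy before that happens.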
Network Automation and “Become”
For network automation, Ansible 2.6 and later support privilege escalation into enable mode on network devices through become itself (the enable become method, provided by the ansible.netcommon collection in current releases). This replaces the older authorize and auth_pass options in a module’s provider dictionary. Like any other become method it can be applied to specific tasks, to an entire play, or to all plays through inventory variables.
Passwords for Enable Mode
Entering enable mode usually requires a password. Supply it interactively with the --ask-become-pass command-line option, or set the ansible_become_password connection variable in inventory or the playbook. Never store that password in plain text in a playbook or inventory file; keep it in a variable file encrypted with Ansible Vault and reference it from there.
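As an added example that is not part of the original article, here is an inventory and playbook layout that turns on enable-mode escalation for a group of Cisco IOS devices and keeps the enable password in Ansible Vault. The group and device names, the netops login account and the vault_enable_password variable are assumptions; login credentials (SSH key or a vaulted ansible_password) are supplied separately. The collections used are ansible.netcommon and cisco.ios.

```yaml
# inventory/hosts.yml  (added example; device names are assumptions)
ios:
  hosts:
    edge-rtr-01.example.test: {}
    edge-rtr-02.example.test: {}

---
# inventory/group_vars/ios/vars.yml  (plaintext, safe to commit)
ansible_connection: ansible.netcommon.network_cli
ansible_network_os: cisco.ios.ios
ansible_user: netops
ansible_become: true                              # enter enable mode for every task
ansible_become_method: ansible.netcommon.enable   # the network 'enable' become plugin
ansible_become_password: "{{ vault_enable_password }}"

---
# inventory/group_vars/ios/vault.yml  (encrypt the whole file before committing:
#   ansible-vault encrypt inventory/group_vars/ios/vault.yml
# then run with --ask-vault-pass or --vault-password-file)
vault_enable_password: "CHANGE-ME-BEFORE-ENCRYPTING"   # constructed placeholder value

---
# enable_demo.yml  (added example)
- name: Read the running configuration, which needs privileged EXEC
  hosts: ios
  gather_facts: false
  tasks:
    - name: Show running-config (rejected in user EXEC, so become must be on)
      cisco.ios.ios_command:
        commands:
          - show running-config
      register: running

    - name: A task that only needs user EXEC can opt out of enable mode
      cisco.ios.ios_command:
        commands:
          - show version
      become: false
```

Keeping ansible_become_password as a reference to a vaulted variable, rather than putting the vault block inline, lets the plaintext vars.yml show reviewers every connection setting while the secret itself lives only in the encrypted file.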
The “become” feature significantly enhances automation by letting tasks run with elevated privileges. By understanding how directives, connection variables, and command-line options interact, you can apply privilege escalation effectively and securely. With these insights and best practices, you are equipped to manage tasks that demand higher permissions while maintaining the integrity of your systems and data.
Learn the Ansible automation technology with some real-life examples in my book Ansible By Examples: 200+ Automation Examples For Linux and Windows System Administrator and DevOps.
Want to keep this project going? Please donate