Most of these tasks require root privileges, since they install software and change system settings. Since I find Ansible to be rather verbose, I try to avoid repeating privilege escalation via the become [5] module for every task and instead declare the entire playbook to run as root.
Occasionally a playbook needs to wait for a VM to reboot before it can carry on. There are plenty of examples [6] of how to do that, but surprisingly they fail at a crucial point when the playbook runs as root: the local_action fails, claiming that it couldn't provide a password for sudo. There is a bug report [7] with some controversy about whether that is valid behaviour; at the time of this writing a solution hasn't made it into the Ansible 2.0.2.0 package, which is the official release in the Ubuntu 14.04 repositories.
Somewhat surprisingly, it is possible to de-escalate global sudo privileges which were obtained with become by specifying sudo: no at the task level. Ansible will warn about the deprecation of sudo, but hey, it works 🙂
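    # ...
    # play level: every task is escalated to root
    become: yes
    become_user: root
    become_method: sudo
    # ...
    # task level: runs on the control machine, so opt out of the play-wide escalation
    - name: waiting for VM to come back online
      sudo: no
      local_action:
        module: wait_for host={{ ansible_host }} port=22 delay=2 state=started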
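The same pattern as a complete playbook, added here as an example and not taken from the original post: the play escalates to root, while the one task that runs on the control machine opts out of escalation, so it needs no local sudo password. It assumes that task-level become: no overrides the play-level setting the same way sudo: no does in the snippet above; the host group name vms, the reboot command and the timeout value are hypothetical.

```yaml
---
# Assumed inventory group "vms"; replace with your own.
- hosts: vms
  # Play level: every remote task runs as root.
  become: yes
  become_user: root
  become_method: sudo

  tasks:
    - name: reboot the VM
      # Fire and forget, so the dropped SSH connection does not fail the task.
      shell: sleep 2 && shutdown -r now "Ansible reboot"
      async: 1
      poll: 0
      ignore_errors: true

    - name: waiting for VM to come back online
      # Task level: this runs on the control machine and only opens a TCP
      # connection, so it needs no root there. become: no is the
      # non-deprecated spelling of sudo: no (assumed equivalent here).
      become: no
      local_action:
        module: wait_for
        host: "{{ ansible_host }}"
        port: 22
        delay: 2
        timeout: 300
        state: started

    - name: confirm the VM answers as root again
      # Back on the remote host with the play-level escalation in effect.
      command: id -u
      register: uid_check
      changed_when: false
      failed_when: uid_check.stdout != "0"
```

The last task makes the scope of the opt-out visible: only the local wait runs unprivileged, and remote tasks after it are still escalated.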
References
[1] Ansible
https://www.ansible.com/
[2] Ubuntu 14.04 on the Lenovo Thinkpad E540
https://blog.georgovassilis.com/2015/02/23/ubuntu-14-04-on-the-lenovo-thinkpad-e540/
[3] Ubuntu 12.04 LTS on the HP ProBook 4720s
https://blog.georgovassilis.com/2012/04/29/ubuntu-12-04-lts-on-the-hp-probook-4720s/
[4] Ubuntu 12.04 (64bit) on the Asus N56VB
https://blog.georgovassilis.com/2014/01/25/ubuntu-12-04-64bit-on-the-asus-n56vb/
[5] Become (privilege escalation)
http://docs.ansible.com/ansible/become.html
[6] Reboot a server and wait for it to come back
https://support.ansible.com/hc/en-us/articles/201958037-Reboot-a-server-and-wait-for-it-to-come-back
[7] “delegated for” host sudo setting is being used instead of delegated_to host’s settings #10906
https://github.com/ansible/ansible/issues/10906