Ansible local_action privilege de-escalation or: how to wait for a reboot

I increasingly use Ansible not only for glorious tasks like setting up my various VMs I use for prototyping but also for mundane things like resetting my personal laptop every time I get a new one or break it (dedicated readers of this blog will know me to do that a lot [2],[3],[4]).

Most of these tasks require root privileges since they install software and change system settings and since I find Ansible to be rather verbose, I try to avoid repeating privilege escalation via the become [5] module for every task and declare instead the entire play book to run as root.

Occasionally a play book needs to wait for a VM to reboot before it can carry on. There are plenty of examples [6] around how to do that, but surprisingly they fail at a crucial point when the play book runs with a root user: the local_action will fail claiming that it couldn’t provide a password for sudo. There is a bug report [7] with some controversy around if that is a valid behaviour or not; at the time of this writing a solution hasn’t made it into the Ansible 2.0.2.0 package which is the official release in the Ubuntu 14.04 repositories.

Somewhat surprisingly it is possible to de-escalate global sudo privileges which were obtained with become by specifying sudo: no  at the task level. Ansible will warn about the deprecation of sudo, but hey, it works 🙂

...


  become: yes
  become_user: root
  become_method: sudo



...

    - name: waiting for VM to come back online
      sudo: no
      local_action:
        module: wait_for
          host={{ ansible_host }}
          port=22
          delay=2
          state=started

References

[1] Ansible
https://www.ansible.com/

[2] Ubuntu 14.04 on the Lenovo Thinkpad E540
http://georgovassilis.blogspot.de/2015/02/ubuntu-1404-on-lenovo-thinkpad-e540.html

[3] Ubuntu 12.04 LTS on the HP ProBook 4720s
http://georgovassilis.blogspot.de/2012/04/ubuntu-1204-lts-on-hp-probook-4720s.html

[4] Ubuntu 12.04 (64bit) on the Asus N56VB
http://georgovassilis.blogspot.de/2014/01/ubuntu-1204-64bit-on-asus-n56vb.html

[5] Become (privilege escalation)
http://docs.ansible.com/ansible/become.html

[6] Reboot a server and wait for it to come back
https://support.ansible.com/hc/en-us/articles/201958037-Reboot-a-server-and-wait-for-it-to-come-back

[7]  “delegated for” host sudo setting is being used instead of delegated_to host’s settings #10906
https://github.com/ansible/ansible/issues/10906

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s