Run single command as root?

strarsis · May 10, 2018, 8:33pm

A custom command during deploy should be run as root (only this one command!).
become: yes alone doesn’t work as ansible tries to sudo as the deploying web user.

Adding remote_user: "{{ admin_user }}"to the command is
still insufficient because ansible doesn’t know the sudo password.

I had to add the ansible_become_pass with admin password to inventory to make the it finally work.
The admin password is already set in ansible vault though and ideally it should just work out of the box like the separate server playbook for provisioning does with become: true becoming root from admin user.

strarsis · May 11, 2018, 2:36pm

Any ideas? Why can become: true commands run in server playbook but fail in deploy playbook? Is the remote user forced by the deploy script?

knowler · May 11, 2018, 3:03pm

(I’m going to attempt an answer anyone can feel free to correct me. I’m still learning this stuff.)

I think you’ve answered yourself in your the original post:

admin is the user for provisioning and web is the user for deploys. Each user has sufficient privileges for the tasks they need to accomplish. This is good practice as you wouldn’t want your deploy to be capable of screwing up your server configuration. You should feel confident that deploying (or rolling back a deploy) is a safe action.

From what I can tell, the web user does have sudo access to services:

github.com

roots/trellis/blob/master/roles/users/tasks/main.yml#L42-L50


      
              label: "{{ item.name }}"
          
          - name: Add web user sudoers items for services
            template:
              src: sudoers.d.j2
              dest: "/etc/sudoers.d/{{ web_user }}-services"
              mode: '0440'
              owner: root
              group: root

This makes sense because php-fpm is reloaded near the end of the deploy:

https://github.com/roots/trellis/blob/master/roles/deploy/hooks/finalize-after.yml#L36-L39

So I guess in your case, you should either:

Assess whether this is a task for provisioning instead of deployment.
In the users role, grant web user the limited but sufficient privileges to accomplish the task.

I don’t know how to guide you on that second one, but — unless someone smarter swoops in to give a smart answer — I know from experience that you can learn a lot from just reading through the Ansible roles Trellis has going. That’s where I would start.

fullyint · May 11, 2018, 4:01pm

I agree with everything @knowler said, also the part about

you can learn a lot from just reading through the Ansible roles Trellis has going

For example, how Trellis loads the sudo password:

github.com

roots/trellis/blob/b556ccdb2b3183eba4a9530b206a402422deeca3/roles/connection/tasks/main.yml#L77-L81


      
          - name: Load become password
            set_fact:
              ansible_become_pass: "{% raw %}{% for user in vault_users | default([]) if user.name == ansible_user %}{{ user.password | default('') }}{% endfor %}{% endraw %}"
            when: ansible_user != 'root' and not cli_ask_become_pass | default(false) and ansible_become_pass is not defined
            no_log: true

Here are some example tasks you could insert in deploy.yml

    - set_fact:
        ansible_become_pass: "{% raw %}{{ (vault_users | selectattr('name', 'equalto', admin_user) | first).password }}{% endraw %}"
      no_log: true

    - command: whoami
      register: whodis
      remote_user: "{{ admin_user }}"
      become: yes

    - debug:
        msg: user is {{ whodis.stdout }}

Output:

user is root

Or, don’t bother with the task automatically loading sudo password, but just invoke ansible-playbook with --ask-become-pass option (or -K for short).

strarsis · May 11, 2018, 4:31pm

Thanks!
I add the mount and umount commands as allowable sudo commands for user web. This seems to be the least intrusive way.