74

Recently I started digging into Ansible and writing my own playbooks. However, I have trouble understanding the difference between become and become_user. As I understand it become_user is something similar to su <username>, and become means something like sudo su or "perform all commands as a sudo user". But sometimes these two directives are mixed.

Could you explain the correct meaning of them?

Timur Shtatland
Andrii Rusanov

4 Answers

146

become_user defines the user which is being used for privilege escalation.

become simply is a flag to either activate or deactivate the same.

Here are three examples which should make it clear:

  1. This task will be executed as root, because root is the default user for privilege escalation:

     - do: something
       become: true
    
  2. This task will be executed as user someone, because the user is explicitly set:

     - do: something
       become: true
       become_user: someone
    
  3. This task will not do anything with become_user, because become is not set and defaults to false/no:

     - do: something
       become_user: someone
    

...unless become was set to true on a higher level, e.g. a block, the playbook, group or host-vars etc.

Here is an example with a block:

    - become: true
      block:
        - do: something
          become_user: someone
        - do: something

The 1st is run as user someone, the 2nd as root.

> As I understand it become_user is something similar to su <username>, and become means something like sudo su or "perform all commands as a sudo user".

The default become_method is sudo, so sudo do something or sudo -u <become_user> do something

Fineprint: Of course "do: something" is pseudocode. Put your actual Ansible module there.

udondan
  • So if I want to enable privilege escalation for tasks in playbook I can set become: True once before I define tasks, and afterwards just use become_user whenever I want, right? – Andrii Rusanov Jul 10 '16 at 10:21
  • 4
    That depends on what you mean with "once before". If you set `become` on a single task, it only is active for that single task. If you want to set `become` for multiple tasks you need to set it on a higher level. You could use [blocks](http://docs.ansible.com/ansible/playbooks_blocks.html) or [includes](http://docs.ansible.com/ansible/playbooks_roles.html#task-include-files-and-encouraging-reuse) for this or set it on your role. – udondan Jul 10 '16 at 10:40
  • @udondan I am getting the error while using your point no 2. Can you please help me? – Tech Learner Jun 30 '18 at 16:49
13
  1. become: yes = sudo
    become_user: user_name = sudo -u user_name
  2. become: yes
    become_user: root is equivalent to become: yes

This link explains the difference clearly.

AATHITH RAJENDRAN
0

If I need to run a batch of tasks with sudo, I often use an include_tasks statement. It also helps a lot to keep a large playbook split up in parts. For example:

    - name: prepare task x
      include_tasks: x-preparation.yml
      when: condition is true
      args:
        apply:
          become: yes

This is also a handy approach when using tags:

    - name: execute tasks x
      include_tasks: x-execution.yml
      args:
        apply:
          tags: exec
      tags:
        - exec

It is important that you put a tag on the include_tasks statement as well. Hope this is helpful for anyone.

oneindelijk
0

become: yes will make the code block run as the root user by default. If you add become_user: "user1" along with become: yes, then the current code block will run as user1.
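
The inheritance rules described in the answers above can be checked on a host by recording the account each task actually runs as. This playbook is an added example, not part of any answer on this page; the account `nobody` used as `app_user`, a default Ansible configuration (sudo as become_method, root as the default become_user) and a non-root login with sudo rights are assumptions.

```yaml
# Constructed check playbook; app_user is an assumed unprivileged account.
- name: Show which account each task runs as
  hosts: localhost
  connection: local
  gather_facts: false
  become: true                  # play level: escalate, default target is root
  vars:
    app_user: nobody            # assumption: this account exists on the host
  tasks:
    - name: Inherits play-level become (no become_user anywhere)
      ansible.builtin.command: id -un
      register: as_default
      changed_when: false

    - name: Task-level become_user changes only the target account
      ansible.builtin.command: id -un
      become_user: "{{ app_user }}"
      register: as_app
      changed_when: false

    - name: Block-level become_user is inherited by the tasks inside
      become_user: "{{ app_user }}"
      block:
        - name: No become_user of its own, uses the block's
          ansible.builtin.command: id -un
          register: in_block
          changed_when: false

        - name: Its own become_user wins over the block's
          ansible.builtin.command: id -un
          become_user: root
          register: in_block_root
          changed_when: false

    - name: become false on the task switches escalation off
      ansible.builtin.command: id -un
      become: false
      become_user: "{{ app_user }}"   # has no effect while become is false
      register: as_login
      changed_when: false

    - name: Fail if any task ran as an unexpected account
      ansible.builtin.assert:
        that:
          - as_default.stdout == 'root'
          - as_app.stdout == app_user
          - in_block.stdout == app_user
          - in_block_root.stdout == 'root'
          - as_login.stdout not in ['root', app_user]
```

Run it with `ansible-playbook --ask-become-pass` on a file of your choosing. If the tasks that become `app_user` fail with a temporary-file permission error, that is Ansible's documented behaviour when becoming an unprivileged user from a non-root login, and installing the `acl` package or enabling pipelining resolves it.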