Understanding Sudo Password Configuration in Ansible
In the previous step, we created a basic playbook that used sudo privileges without requiring a password. However, in many real-world scenarios, you will need to provide a sudo password to execute privileged commands. Let's explore how to handle sudo passwords in Ansible.
How Ansible Handles Sudo Passwords
When Ansible needs to run a command with elevated privileges on a remote system, it uses the become functionality. By default, Ansible uses the sudo command for privilege escalation (become_method: sudo), but you can configure it to use other methods such as su, pbrun, or pfexec.
If the login user on the managed host needs a password to run sudo, Ansible has to supply that password every time it escalates. There are several ways to provide it:
- Command-line prompt: -K or --ask-become-pass
- Variable: ansible_become_password, set with -e, in the inventory, or in host_vars/group_vars
- Password file: --become-password-file (ansible-core 2.10 and later), a file readable only by you, which keeps the password off the command line
- Configuration file: ansible.cfg can set become defaults such as become_ask_pass = True in the [privilege_escalation] section, but it does not store the password itself
- Ansible Vault: encrypts the variables file that holds ansible_become_password, so the password is never stored in clear text
Creating a Test User with Sudo Password Requirement
To demonstrate how to handle sudo passwords, let's create a test user that requires a password for sudo operations:
sudo adduser ansible_test
When prompted, enter the password ansible123 and complete the user creation process.
Next, let's give this user sudo privileges but require a password:
echo "ansible_test ALL=(ALL) ALL" | sudo tee /etc/sudoers.d/ansible_test
This rule allows the ansible_test user to run any command as any user through sudo, and because it carries no NOPASSWD tag, sudo will ask for the user's own password each time (cached for timestamp_timeout minutes, 15 by default). Be careful with anything you write under /etc/sudoers.d: the file must be owned by root with mode 0440, and a syntax error in any fragment breaks sudo for every user on the host, so check the file with visudo's check mode before you rely on it.
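The safer way to do the step above is to write the fragment to a temporary file, validate it, and only then move it into place with the right mode. The script below is an added example, not part of the original lab; it assumes a POSIX shell, uses visudo -cf when visudo is installed and a simple shape check otherwise, and the --apply mode (which runs adduser and needs root) is an assumed convention of this script.

```shell
#!/bin/sh
# Added example, not part of the original lab: build, validate and install an
# /etc/sudoers.d fragment for a user who must type a password for sudo.
# Assumptions: POSIX sh; visudo may be absent, in which case a shape check
# stands in for its syntax check.

# The rule for USER. Without a NOPASSWD tag, sudo asks for the user's own
# password (cached for timestamp_timeout minutes, 15 by default).
sudoers_line() {
    printf '%s ALL=(ALL) ALL\n' "$1"
}

# Fallback check when visudo is unavailable: exactly one line of the form
# "user ALL=(ALL) ALL" or "user ALL=(ALL) NOPASSWD: ALL".
sudoers_shape_ok() {
    [ "$(wc -l < "$1")" -eq 1 ] &&
        grep -Eq '^[A-Za-z_][A-Za-z0-9_.-]* ALL=\(ALL(:ALL)?\) (NOPASSWD: )?ALL$' "$1"
}

# Validate FRAGMENT with visudo's check mode (visudo -cf) when present,
# otherwise with the shape check. Returns 0 when the fragment is safe.
sudoers_validate() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1" >/dev/null 2>&1
    else
        sudoers_shape_ok "$1"
    fi
}

# Install the rule for USER into DIR (normally /etc/sudoers.d) with mode
# 0440. The fragment is written to a temporary dot-file first (sudo ignores
# sudoers.d entries containing a dot) and validated, so a broken rule never
# becomes active. VALIDATOR defaults to sudoers_validate; pass
# sudoers_shape_ok to skip visudo, e.g. when testing as a non-root user.
install_sudoers_fragment() {
    user=$1; dir=$2; validator=${3:-sudoers_validate}
    tmp=$(mktemp "$dir/.$user.XXXXXX") || return 1
    sudoers_line "$user" > "$tmp"
    if ! "$validator" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 0440 "$tmp" && mv "$tmp" "$dir/$user"
}

# Lab setup, run as root: sh sudoers_fragment.sh --apply
if [ "${1:-}" = "--apply" ]; then
    adduser ansible_test                      # prompts for the password (ansible123)
    install_sudoers_fragment ansible_test /etc/sudoers.d || exit 1
    sudo -l -U ansible_test                   # list what the user may now run
fi
```

Running the functions against a scratch directory as an unprivileged user is enough to confirm the fragment's content and mode before you touch the real /etc/sudoers.d.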
Creating a Playbook with Sudo Password Handling
Now, let's create a playbook that demonstrates how to handle sudo passwords. Create a new file named sudo_password_playbook.yml in the WebIDE:
---
- name: Playbook with sudo password handling
  hosts: localhost
  become: true
  # The become password is supplied at run time (-K, ansible_become_password, or a password file)
  tasks:
    - name: Get current user
      command: whoami
      register: current_user
      become: false # This task doesn't need sudo, so it reports the login user
    - name: Print current user
      debug:
        msg: "Current user is {{ current_user.stdout }}"
      become: false # This task doesn't need sudo
    - name: Run a command with sudo
      command: apt update # inherits become: true from the play, so it runs as root
      register: sudo_output
    - name: Print sudo command result
      debug:
        msg: "Command ran with sudo: {{ sudo_output.rc == 0 }}"
Save this file as ~/project/ansible-sudo-lab/sudo_password_playbook.yml
When you want to run a playbook as a user that requires a sudo password, you can use the -K (or --ask-become-pass) option to prompt for the password:
ansible-playbook -i inventory sudo_password_playbook.yml -K
Note that -K always prompts, because ansible-playbook asks for the BECOME password before it contacts any host; it does not check whether sudo actually needs one. Since we're running as the labex user, which has password-less sudo, you can press Enter at the prompt and the play still succeeds. On a host where password-less sudo is not configured, the value you type is what sudo receives, and a wrong password fails the first privileged task with an incorrect-password error.
To simulate this scenario with our test user, you can run the following command (although it won't fully work in this lab environment due to missing SSH setup):
ansible-playbook -i inventory sudo_password_playbook.yml -u ansible_test -K
The -u option only changes the SSH login user; with a local connection the play still runs as the user who launched ansible-playbook, and over SSH it needs key or password access for ansible_test. When prompted for the BECOME password, you would enter ansible123.
Specifying the Sudo Password in an Ansible Variable
Instead of entering the password interactively, you can set ansible_become_password as an extra variable when running the playbook:
ansible-playbook -i inventory sudo_password_playbook.yml -e "ansible_become_password=ansible123"
This approach works for unattended runs where interactive input is not possible, but the password then appears in your shell history, in the process list (where any local user can read it with ps), and in any CI log that echoes the command. In a production environment, keep it out of the command line: put it in a file that only you can read and pass --become-password-file (ansible-core 2.10 and later), or store ansible_become_password in a variables file encrypted with Ansible Vault.
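To make the difference concrete, here is an added example (not part of the original lab) that builds the invocation both ways and checks the password file's mode before use. It assumes ansible-core 2.10 or later for --become-password-file; the file name .become_pass and the --run flag are conventions of this script, not of Ansible.

```shell
#!/bin/sh
# Added example, not part of the original lab: pass the become password
# without putting it on the command line. Assumes ansible-core 2.10 or later
# for --become-password-file; the file name .become_pass is an arbitrary choice.

# Create FILE holding PASSWORD, readable only by its owner. umask is set in a
# subshell before the file is created, so there is no window in which the
# file is group- or world-readable.
write_become_password_file() {   # FILE PASSWORD
    ( umask 077 && printf '%s\n' "$2" > "$1" )
}

# 0 only when FILE is a regular file with mode exactly 0600.
secret_file_mode_ok() {
    [ -f "$1" ] && [ -n "$(find "$1" -perm 0600)" ]
}

# Safe invocation: argv carries the path, never the password, so nothing
# secret lands in shell history, in the process list that every local user
# can read with ps, or in a CI log that echoes the command.
become_cmd() {   # PLAYBOOK PASSWORD_FILE
    printf 'ansible-playbook -i inventory %s --become-password-file %s\n' "$1" "$2"
}

# The form from the text, for contrast: the password is part of argv.
insecure_cmd() {   # PLAYBOOK PASSWORD
    printf 'ansible-playbook -i inventory %s -e ansible_become_password=%s\n' "$1" "$2"
}

# Run the lab playbook this way: sh become_pass.sh --run
# The Vault alternative keeps the secret encrypted at rest instead:
#   ansible-vault create group_vars/all/vault.yml   # add: ansible_become_password: ansible123
#   ansible-playbook -i inventory sudo_password_playbook.yml --ask-vault-pass
if [ "${1:-}" = "--run" ]; then
    write_become_password_file .become_pass ansible123
    secret_file_mode_ok .become_pass || exit 1
    sh -c "$(become_cmd sudo_password_playbook.yml .become_pass)"
    rm -f .become_pass                        # do not leave the secret behind
fi
```

If the password file has to persist (for a scheduled job, say), keep it outside the project directory so it cannot be committed by accident, and treat its mode as part of the job's preflight checks, as secret_file_mode_ok does here.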