user vs sudo vs sudo_user in ansible playbooks

Michael · Nov 24, 2013 · Viewed 63k times

I have read the Ansible documentation but I am still a bit confused about the three following parameters in ansible playbooks: user, sudo, sudo_user.

I have tried the following playbooks with different combinations of the parameters:

  1. user:deploy => Works

  2. user:deploy and sudo: True => Hangs on the git task

  3. user:deploy, sudo: True and sudo_user: deploy => Works

What does sudo_user actually do? When and why should I use each of these combinations?

- hosts: all
  user: deploy
  sudo: True
  sudo_user: deploy

  tasks:
      - name: Ensure code directory
        file: dest=/home/deploy/code state=directory

      - name: Deploy app
        git: [email protected]:YAmikep/djangotutorial.git dest=/home/deploy/code

Thanks

Answer

leucos · Nov 24, 2013
  • user is the user you're ssh'ing as. With your config, you're ssh'ing as deploy.

  • sudo_user is the user you're sudo'ing on the host when sudo: yes is set.

So I think in your case neither sudo nor sudo_user is necessary if you can ssh as deploy.

However, if you ssh as root, you need to set sudo_user: deploy and sudo: yes.

If you ask for 'sudo' but don't specify any user, Ansible will use the default set in your ~/.ansible.cfg (sudo_user), and will default to root.

Note that user is deprecated (because it's confusing). You should use remote_user instead.

EDIT: Case #2 probably hangs because of ssh confirmation issues: you probably have the bitbucket.org host key in ~deploy/.ssh/known_hosts but NOT in ~root/.ssh/known_hosts.

UPDATE: As of Ansible 2.x, use become and become_user instead of the deprecated sudo and sudo_user. Example usage:

- hosts: all
  user: deploy
  become: true
  become_user: deploy

  tasks:
      - name: Ensure code directory
        file: dest=/home/deploy/code state=directory

      - name: Deploy app
        git: [email protected]:YAmikep/djangotutorial.git dest=/home/deploy/cod
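
The same deployment in current syntax, as an added example that is not part of the original answer: log in as an unprivileged remote_user, escalate per task rather than per play, and pin the Git server's host key for the account that actually runs git, so the clone fails cleanly instead of waiting on a host-key prompt. The admin login, the variable names, the repository URL and the host key value are assumptions or placeholders; it also assumes deploy already has ~/.ssh and an SSH key authorized for the repository.

```yaml
# Added example; users, variables and key material below are assumptions.
- hosts: all
  remote_user: admin          # hypothetical SSH login that has sudo rights
  become: false               # no escalation unless a task asks for it

  vars:
    app_user: deploy
    app_dir: /home/deploy/code
    git_host: bitbucket.org
    # Placeholder: the server's published host key line, verified out of band.
    git_host_key: "bitbucket.org ssh-ed25519 REPLACE_WITH_VERIFIED_KEY"
    # Placeholder: SSH URL of the repository to deploy.
    app_repo: "REPLACE_WITH_REPO_SSH_URL"

  tasks:
    - name: Ensure code directory exists and belongs to the application user
      ansible.builtin.file:
        path: "{{ app_dir }}"
        state: directory
        owner: "{{ app_user }}"
        group: "{{ app_user }}"
        mode: "0750"
      become: true             # become_user defaults to root

    - name: Pin the Git server host key for the user that will run git
      ansible.builtin.known_hosts:
        path: "/home/{{ app_user }}/.ssh/known_hosts"
        name: "{{ git_host }}"
        key: "{{ git_host_key }}"
        state: present
      become: true
      become_user: "{{ app_user }}"

    - name: Deploy app as the application user, not root
      ansible.builtin.git:
        repo: "{{ app_repo }}"
        dest: "{{ app_dir }}"
        accept_hostkey: false  # fail on an unknown key instead of trusting it
      become: true
      become_user: "{{ app_user }}"
```

When both the login user and become_user are unprivileged, Ansible needs POSIX ACL support or pipelining on the target to hand its temporary module files to the second user.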