Saturday, 29 November 2025

Ansible - 3. How become=true works

When Ansible encounters become: true (or become: yes) in a play or a task, it uses a privilege escalation method on the remote host after it has established the initial connection.

1. Initial Connection

Ansible first connects to the remote host using the user defined in your inventory (e.g., ansible_user=ubuntu) via SSH.

2. Privilege Escalation (Becoming Root)

Once connected, Ansible executes the tasks using a privilege escalation tool. The default and most common tool is sudo.

  • Instead of running a task directly as the login user:

    # Command executed by Ansible on the remote machine
    # as the 'ubuntu' user
    apt-get install apache2

    (This will fail because ubuntu doesn't have permissions to install packages)

  • Ansible uses the sudo method to execute the command as root:

    # Command executed by Ansible on the remote machine
    # via the 'ubuntu' user, but run as root
    sudo apt-get install apache2


3. Requirements on the Remote Machine

To use become: true effectively with the default sudo method, the following must be true on your remote machine:

  1. The user Ansible logs in as (e.g., ubuntu) must be present on the remote host.

  2. The user must have sudo privileges. This is usually configured by adding the user to the sudo group or setting up a rule in the /etc/sudoers file.

  3. The user must be able to execute sudo commands without being prompted for a password (a non-interactive session). This is configured via a line in the /etc/sudoers file like:

    username ALL=(ALL) NOPASSWD: ALL
    
If you set become: true (or become: yes), you do not need to explicitly set the variable ansible_become_method: sudo because sudo is the default privilege escalation method used by Ansible.

So Ansible's default behavior when become: true is set is:

  1. Elevate privileges? --> Yes (become: true).

  2. How to elevate? --> Use sudo (The default method).

  3. Become which user? --> Become root (The default user).

⚙️ Alternative Privilege Methods

While sudo is the default, Ansible supports other methods which you can configure using the ansible_become_method variable:

| Method | Variable | Purpose |
|---|---|---|
| sudo (Default) | ansible_become_method: sudo | Uses sudo to switch user. Most common method. |
| su | ansible_become_method: su | Uses su to switch user. Requires the root password. |
| pbrun | ansible_become_method: pbrun | Uses PowerBroker for elevation. |

Ansible provides several variables related to privilege escalation:

| Variable | Default Value | Purpose |
|---|---|---|
| become | false | Enables privilege escalation. (true, yes, 1) |
| become_method | sudo | Specifies how to elevate privileges (sudo, su, pbrun, etc.) |
| become_user | root | Specifies which user to become after elevation. (e.g., set to apache or postgres to run tasks as a service user instead of root) |

Default values Ansible uses (very important)

When you write only this:

become: yes

Ansible automatically chooses:

| Setting | Default Value | Meaning |
|---|---|---|
| become_method | sudo | Ansible will use sudo to elevate |
| become_user | root | The task runs as root |
| become_flags | (no extra flags) | Normal sudo behaviour |
| become_exe | sudo | It runs /usr/bin/sudo |

So your task effectively becomes this:

sudo -u root <your command>

For example, if you have oracle ALL=(ALL) NOPASSWD: ALL in your /etc/sudoers file, the command sudo -u root yum install httpd is functionally the same as simply running sudo yum install httpd for the oracle user.
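
The NOPASSWD: ALL rules shown above (for username and for oracle) give the login account passwordless root for every command, so it helps to know which accounts on a host hold such a grant. The following Python script is an added example, not code from the original post or from Ansible; the sample sudoers text and the function names are constructed, and it assumes simple user specifications (it does not follow include directives, expand aliases, or track a Runas list that changes between commands).

```python
import re

# Constructed sample sudoers text (not from a real host).
SAMPLE_SUDOERS = """\
# managed by configuration management
Defaults env_reset
ubuntu ALL=(ALL) NOPASSWD: ALL
%sudo ALL=(ALL:ALL) ALL
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart httpd, \\
    /usr/bin/systemctl reload httpd
oracle ALL=(ALL) NOPASSWD:ALL
backup ALL=(postgres) NOPASSWD: ALL
"""

RULE = re.compile(r"^(?P<who>\S+)\s+[^=]+=\s*(?P<rest>.+)$")

def logical_lines(text):
    """Join backslash continuations; drop comments and blank lines."""
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def passwordless_all(text):
    """Return (who, runas) for each rule granting NOPASSWD on ALL commands."""
    findings = []
    for line in logical_lines(text):
        if line.startswith("Defaults") or re.match(r"\w+_Alias\b", line):
            continue
        m = RULE.match(line)
        if not m:
            continue
        runas, rest = "root", m["rest"]      # sudo's runas default is root
        r = re.match(r"\(([^)]*)\)\s*(.*)", rest)
        if r:
            runas, rest = r[1].split(":")[0].strip() or "root", r[2]
        nopasswd = False
        for cmd in (c.strip() for c in rest.split(",")):
            # Tags such as NOPASSWD: stay in effect for the commands after them.
            while (t := re.match(r"([A-Z_]+):\s*(.*)", cmd)):
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(t[1], nopasswd)
                cmd = t[2]
            if nopasswd and cmd == "ALL":
                findings.append((m["who"], runas))
    return findings

if __name__ == "__main__":
    for who, runas in passwordless_all(SAMPLE_SUDOERS):
        print(f"{who}: passwordless sudo for ALL commands as {runas}")
```

The deploy rule in the sample is not reported because it lists specific commands, which is the narrower shape to aim for when the playbooks only need a few privileged operations.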
