Friday, 5 December 2025

Ansible - 9. become: yes example

 An Ansible playbook to run sudo yum install httpd using a non-root user (like oracle) and privilege escalation (become: yes) would look like this:

[oracle@oel01db playbooks]$ cat install_httpd.yml
---
- name: Install HTTPD using the 'oracle' user with sudo
  hosts: db_servers         # Replace with the name of your host group or host
  remote_user: oracle       # The user Ansible logs in as
  become: yes               # Activates privilege escalation (like 'sudo')
  become_method: sudo       # (Optional but recommended for clarity) Explicitly sets the privilege escalation method to sudo
  become_user: root         # (Optional but recommended for clarity) Specifies the user to become (default is root)
  gather_facts: no

  tasks:
    - name: Ensure httpd is installed
      ansible.builtin.yum:
        name: httpd
        state: present
[oracle@oel01db playbooks]$

You do not strictly need to explicitly mention remote_user: oracle in your playbook or inventory if your SSH client configuration (~/.ssh/config or /etc/ssh/ssh_config) is correctly set up on the Ansible control node to use oracle for those specific target hosts.

However, explicitly setting it is generally considered a best practice for a more robust and clear playbook.

My inventory looks like this:

[oracle@oel01db inventory]$ cat hosts
[db_servers]
192.168.0.156
[oracle@oel01db inventory]$

Ideally the oracle user should be configured for passwordless sudo (NOPASSWD) on the remote machine for Ansible to work smoothly in an automated or non-interactive environment.

While it is technically possible to run Ansible with a password, passwordless sudo is the standard and recommended practice for automation.

Let's verify that:

[oracle@oel02db ~]$ sudo yum list httpd

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for oracle:
oracle is not in the sudoers file.  This incident will be reported.
[oracle@oel02db ~]$

So it's not configured; let's configure it.

I added the following line to /etc/sudoers:

[root@oel02db ~]# cat /etc/sudoers | grep -i oracle
oracle ALL=(ALL) NOPASSWD: ALL
[root@oel02db ~]#

Please note: passwordless sudo is not recommended in production for a regular user like oracle; it is recommended to configure a dedicated automation user and grant passwordless sudo to that user.
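As an added audit check (not part of the post), here is a small Python script that parses sudoers user-spec lines and flags NOPASSWD grants to interactive accounts or with an unrestricted ALL command list; the sample fragment and the dedicated automation account `ansible_svc` are constructed for this example.

```python
import re

# Constructed sudoers fragment: the entry from the post ('oracle ... NOPASSWD: ALL')
# next to a tighter entry for a hypothetical dedicated automation account
# ('ansible_svc'), which is an assumption, not an account the post creates.
SAMPLE_SUDOERS = """\
Defaults    env_reset
root        ALL=(ALL)       ALL
oracle ALL=(ALL) NOPASSWD: ALL
ansible_svc ALL=(root) NOPASSWD: /usr/bin/yum install httpd, /usr/bin/yum list httpd  # automation
%wheel      ALL=(ALL)       ALL
"""

# user  hosts = (runas) TAG: cmd1, cmd2 ...  (simplified; aliases and '!' are not handled)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return a list of rule dicts for the user-spec lines in a sudoers text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue                                # aliases, includes, etc. are skipped
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        rules.append({"user": m.group("user"), "hosts": m.group("hosts"),
                      "runas": m.group("runas") or "root", "tags": tags, "cmds": cmds})
    return rules


def audit(rules, automation_users):
    """Flag NOPASSWD grants to interactive accounts and unrestricted command lists."""
    findings = []
    for r in rules:
        if "NOPASSWD" not in r["tags"]:
            continue
        if r["user"] not in automation_users:
            findings.append(f"{r['user']}: NOPASSWD granted to a non-automation account")
        if "ALL" in r["cmds"]:
            findings.append(f"{r['user']}: NOPASSWD with an unrestricted command list (ALL)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_sudoers(SAMPLE_SUDOERS), {"ansible_svc"}):
        print(finding)
```

Run it against the real file with `sudo cat /etc/sudoers` piped in, or read /etc/sudoers.d/* the same way; the oracle line from this post produces two findings.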

[root@oel02db ~]# su - oracle
Last login: Fri Dec  5 12:01:24 IST 2025 on pts/0
[oracle@oel02db ~]$
[oracle@oel02db ~]$ sudo yum list httpd
Loaded plugins: langpacks, ulninfo
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
Available Packages
httpd.x86_64                                              2.4.6-99.0.5.el7_9.1                                              ol7_latest
[oracle@oel02db ~]$ rpm -qa |grep -i httpd
[oracle@oel02db ~]$

Install httpd using Ansible. First a syntax check, then the actual run:

[oracle@oel01db playbooks]$ ansible-playbook  -i ../inventory/hosts install_httpd.yml --syntax-check

playbook: install_httpd.yml
[oracle@oel01db playbooks]$


[oracle@oel01db ansible-project]$ ansible-playbook -i ./inventory/hosts ./playbooks/install_httpd.yml

PLAY [Install HTTPD using the 'oracle' user with sudo] ************************************************************************************************************************************

TASK [Ensure httpd is installed] **********************************************************************************************************************************************************
changed: [192.168.0.156]

PLAY RECAP ********************************************************************************************************************************************************************************
192.168.0.156              : ok=1    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

[oracle@oel01db ansible-project]$

[root@oel02db ~]# rpm -qa |grep -i httpd
httpd-tools-2.4.6-99.0.5.el7_9.1.x86_64
[root@oel02db ~]#

If you re-run the playbook, Ansible reports ok with no changes, because the package is already present:

[oracle@oel01db ansible-project]$ ansible-playbook -i ./inventory/hosts ./playbooks/install_httpd.yml

PLAY [Install HTTPD using the 'oracle' user with sudo] ************************************************************************************************************************************

TASK [Ensure httpd is installed] **********************************************************************************************************************************************************
ok: [192.168.0.156]

PLAY RECAP ********************************************************************************************************************************************************************************
192.168.0.156              : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

[oracle@oel01db ansible-project]$
