Does Ansible have to run as root? sudo and --become-user

I have just started looking into Ansible and have built a server on Centos 7. I generally don’t run anything as root so I created an ansible account and group and chown -R ansible:ansible /etc/ansible.

I assumed that this would be OK, but as I start experimenting with commands, it does not seem to use sudo the way I had expected.

As expected this fails because the ansible user does not have access to read /etc/shadow.

-sh-4.2$ ansible localhost -a '/bin/cat /etc/shadow'
localhost | FAILED | rc=1 >>
/bin/cat: /etc/shadow: Permission denied

When I try -b and --become-user root, I get this.

-sh-4.2$ ansible localhost -a '/bin/cat /etc/shadow' -b --become-user root
localhost | FAILED | rc=0 >>
MODULE FAILURE

/var/log/secure shows the following.
Sep 13 11:39:43 ansible sudo: servacct_ansible : TTY=pts/3 ; PWD=/home/servacct_ansible ; USER=root ; COMMAND=/bin/sh -c echo BECOME-SUCCESS-jjadcdyvpoluzchkhvkophnzqvhoxrcz; LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 /usr/bin/python /home/servacct_ansible/.ansible/tmp/ansible-tmp-1473784783.91-193737108086693/command; rm -rf "/home/servacct_ansible/.ansible/tmp/ansible-tmp-1473784783.91-193737108086693/" > /dev/null 2>&

Am I using --become-user incorrectly?

Using --become-user only sets the user; it does not force using become. You need --become to do that.

This is because you can also set privilege escalation in the inventory, and this lets you mix/match settings.

I thought the -b and --become do the same thing.

If I run this command as root, it works. If I run it as a non-root user, I get the MODULE FAILURE error.

ansible localhost -a '/bin/cat /etc/shadow' --become --become-user root

I found the problem by using the -m service instead of -a. The root user does not have permission to read the ansible tmp files because the home directory is an nfs mount. I’ll move the ansible user out of the NFS directory and that should fix things.

-sh-4.2$ ansible localhost -m service -a "name=rsyslog state=restarted" --become --become-user root
localhost | FAILED! => {
    "changed": false,
    "failed": true,
    "module_stderr": "",
    "module_stdout": "/usr/bin/python: can't open file '/home/servacct_ansible/.ansible/tmp/ansible-tmp-1473791346.09-103884258170467/service': [Errno 13] Permission denied\r\n",
    "msg": "MODULE FAILURE",
    "parsed": false
}
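The two fixes the thread arrives at (turn escalation on with --become rather than --become-user alone, and keep Ansible's temporary module files off an NFS home where root_squash stops root from reading them) can both be made persistent in configuration instead of being typed on every command line. The following ansible.cfg and inventory fragment is an added example for this thread, not code posted by any participant or shipped by the Ansible project; the hostnames, the inventory path and the exact remote_tmp location are assumptions for illustration.

```ini
# --- ansible.cfg (added example; paths and hosts are assumptions) ---
[defaults]
inventory = ./inventory
# Default is ~/.ansible/tmp. When the login user's home is an NFS mount with
# root_squash, root cannot read the module file the ansible user staged there
# (the "[Errno 13] Permission denied" seen above). Stage it on local disk
# instead; ${USER} is expanded by the remote shell before escalation, so the
# directory belongs to the login user, not to root.
remote_tmp = /tmp/.ansible-${USER}/tmp

[privilege_escalation]
# Equivalent to passing -b/--become on every run. --become-user on its own
# only chooses the target account; it does not switch escalation on.
become = True
become_method = sudo
become_user = root
# Set this to True (or pass -K/--ask-become-pass) when the ansible account
# does not have a NOPASSWD entry in sudoers.
become_ask_pass = False

# --- inventory (added example; hostnames are assumptions) ---
[controllers]
localhost ansible_connection=local

[webservers]
web01.example.com
web02.example.com

# Per-group settings override ansible.cfg, which is the mix/match the
# developer's answer refers to. Here escalation is switched on for the group
# and the target user is pinned, regardless of what the command line passes.
[webservers:vars]
ansible_become=true
ansible_become_method=sudo
ansible_become_user=root
```

With this in place the earlier commands reduce to `ansible localhost -a '/bin/cat /etc/shadow'` (escalation comes from the config). If you keep the service account's sudoers entry password-protected rather than NOPASSWD, set become_ask_pass = True or pass -K, which is the current name for the --ask-sudo-pass flag used later in the thread. Check that remote_tmp is created 0700 by the login user on the target: that is what keeps other local users from reading staged module arguments while they sit on disk.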

> I have just started looking into Ansible and have built a server on Centos
> 7. I generally don't run anything as root so I created an ansible account
> and group and chown -R ansible:ansible /etc/ansible.
>
> I assumed that this would be OK, but as I start experimenting with
> commands, it does not seem to use sudo the way I had expected.

It's perfectly OK to create a user; Ansible works great with sudo.

> As expected this fails because the ansible user does not have access to
> read /etc/shadow.
>
> -sh-4.2$ ansible localhost -a '/bin/cat /etc/shadow'
> localhost | FAILED | rc=1 >>
> /bin/cat: /etc/shadow: Permission denied
>
> When I try -b and --become-user root, I get this.
> -sh-4.2$ ansible localhost -a '/bin/cat /etc/shadow' -b --become-user root
> localhost | FAILED | rc=0 >>
> MODULE FAILURE
>
> [snip]
>
> Am I using --become-user incorrectly?

I would not say so. What you are missing is the sudo password.

The become user is root by default, so you do not need to specify that.
And you are using -b for become.
But you must provide the sudo password if you don't have NOPASSWD in sudoers.

So this should work for you:
ansible localhost -a 'cat /etc/shadow' -b --ask-sudo-pass