REX ignores become_user in Ansible role

Oleg_Mcnoleg · April 26, 2023, 3:09pm

Problem:

Running Ansible roles via REX ignores become_user

We have roles that run various tasks as non root users.

Our Ansible roles are ran via the “Ansible Roles - Ansible Default” job template. Any task that contains become with become_user are being being ran as root.

We have the below host parameters:

remote_execution_ssh_user = rexuser

We have the below global settings:

SSH User: root
Effective User: root
Effective User Method: sudo

The same roles execute as expected when ran independently of Foreman Job Templates.

Expected outcome:

We expect Foreman to run the tasks using the become and become_user

Foreman and Proxy versions:

3.1.1.3

Foreman and Proxy plugin versions:

tfm-rubygem-smart_proxy_ansible-3.3.1-4

Distribution and version:

Red Hat 7.9

Other relevant data:

This is a test task ran inside an imported role

cat /etc/ansible/roles/testrole/tasks/main.yml

---

- name: Test Role
  command: id
  register: output
  become: true
  become_user: test01

- debug:
    msg: "{{ output.stdout }}"

When executed, the id output shows as the root user, not test01 user:

    ok: [myhost.mydomain] => {
        "msg": "uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
    }

How can we used become_user inside Ansible Roles when ran via Job Templates.

aruzicka · May 5, 2023, 1:52pm

If the connection user and effective user are different, then all the become_user: in playbooks are ignored, but that is ansible’s behavior. It is roughly analogous to running ansible-playbook --user rexuser --become-user root .... If you do this, you should observe the same behaviour. Either you have to let Foreman control the users or you can do it inside the playbooks, but you can’t really have both at the same time.

frostygresh · June 14, 2023, 4:22pm

I have encounter the same issue running a role from within Foreman.

- name: Register with Azure
  command:
    cmd: "./config.sh --unattended --url {{ azure_org_url }} --auth pat --token {{ azure_pat_token }} --pool Chef-Pipeline --acceptTeeEula"
    chdir: "{{ workspace_directory_path }}"
    creates: "{{ workspace_directory_path }}/.agent"
  become: yes
  become_user: "{{ svc_owner_user }}"

In the above task the become user should be dictated by “svc_owner_user” but instead when the role is executed by Ansible via Foreman it is run as root (script has a check that calls out if running as root). If I run the same role via a playbook and ansible-playbook, the role executes as exepected.

---
- hosts: "{{ my_hosts }}"
  roles:
    - chef_az_pipeline_server

I cannot accept the explanation that it is one or the other. The REXUSER should not keep the role’s task from become any user they need as long as the sudo rule allows it.

Oleg_Mcnoleg · June 14, 2023, 7:42pm

Hi,

Try updating your task with the below:

become: yes
ansible_become_user: "{{ svc_owner_user }}"

We have global “effective user” set as root, so ansible_become_user gets set as root by default for whole task when executed by Forman Job templates. Try overriding it with the above.

HTH