Using "sudo su -" for privilege escalation

Hi there,

I’m trying to patch my hosts from the Katello interface, I don’t install the katello agent on them so I’m trying to use Foreman REX.

I’m not able to run command as root with REX because the way my company elevates privileges is through the “sudo su” command.

Is there a way to customize REX behavior to use “sudo su” ?

It’s working nicely when I use the Katello Ansible Command, because I modified the /etc/foreman-proxy/ansible.cfg to add :

become_method = su
become_exe = “sudo su -”

But sadly patching machines via the interface can only be done with REX and the Job template Katello SSH … , not with Katello Ansible

Is there a way to modify rex to force it to use “sudo su -” ?

Expected outcome:
Working REX

Foreman and Proxy versions:
Foreman 1.24

Foreman and Proxy plugin versions:

Distribution and version:
CentOS Linux release 7.7.1908 (Core)



So apparently I can change from Katello SSH update to Katello Ansible Update, which is nice, by using the “administration => remote_execution_features” and modifying the templates accordingly, sadly the yum update is hanging :confused:

Soooo, Turns out the Katello Ansible Default templates for updating packages have a bug where the template is missing the yes flag for yum.

I filled an issue here :

In the mean time if like me you need it working, the fix is quite simple :
Edit the “Update Package - Katello Ansible Default fix” And go from :

%= render_template(‘Run Command - Ansible Default’, :command => “yum update #{input(‘package’)}”) %>


<%= render_template(‘Run Command - Ansible Default’, :command => “yum update -y #{input(‘package’)}”) %>

Thanks for the analysis, could you please also open a PR against

I’m happy you figured the template assignment, that’s exactly the purpose :slight_smile:

Hi there, sure I’ll do that, on the IRC they told me to also open one here :
So I’ll do both with the same modification

I don’t think these templates live in the community-templates repo yet, however if you see missing -y there too in any of them, it should be fixed there as well. Thanks again for your help!