Set shell when using su for become

Since the host-provisioner connects to the target machine as root, it
only uses "become" to drop privileges.  Unprivileged users often have a
non-login shell set (e.g. `/bin/false` or `/sbin/nologin`), which
prevents `su` from working, as it uses the target user's shell by
default.  Fortunately, we can override the shell with the `-s` argument,
which we can tell Ansible to add via the `ansible_become_flags`
variable.
master
Dustin 2025-07-09 08:49:54 -05:00
parent 926b679865
commit 91c23894a2
1 changed files with 9 additions and 1 deletions


@ -63,7 +63,15 @@ def amqp_connect() -> pika.BlockingConnection:
def apply_playbook(*args: str) -> None: def apply_playbook(*args: str) -> None:
cmd = ['ansible-playbook', '-u', 'root', '-e', 'ansible_become_method=su'] cmd = [
'ansible-playbook',
'-u',
'root',
'-e',
'ansible_become_method=su',
'-e',
"ansible_become_flags='-s /bin/sh'",
]
cmd += args cmd += args
log.debug('Running command: %s', cmd) log.debug('Running command: %s', cmd)
subprocess.run(cmd, check=True, stdin=subprocess.DEVNULL) subprocess.run(cmd, check=True, stdin=subprocess.DEVNULL)
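
Review bot: The new `"ansible_become_flags='-s /bin/sh'"` entry in `cmd` has no comment explaining why the shell is overridden, so the reasoning lives only in the commit message. Add a one-line comment above it noting that unprivileged accounts with `/bin/false` or `/sbin/nologin` as their shell make `su` fail without `-s`. Two further points on the same entry: it is passed with `-e`, and extra vars take precedence over inventory and play variables, so a host or play that sets its own `ansible_become_flags` will be silently overridden for every playbook run through `apply_playbook`. If that is intended, say so in the comment; otherwise set the flag in group vars instead. Also, the inner single quotes are interpreted by Ansible's key=value parser rather than a shell, since `subprocess.run` receives a list. Passing the extra var as JSON, `'{"ansible_become_flags": "-s /bin/sh"}'`, would remove any doubt about how the embedded space is handled.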