doas in Ansible
I’m moving from sudo to doas in pretty much all my installations. The reason is that doas is simpler to configure and manage, and I trust the OpenBSD team with regard to producing clean and functional pieces of code.
But how to automate tasks through doas instead of the well established sudo?
Well, Ansible allows the definition of an ansible_become_method variable, which can be specified to instruct ansible on how to gain privileges when executing a task. Here I present a few available options to use doas.
become-method on the command line
One way to quickly test your playbook and your configuration for using doas is to run the playbook with a different command line option:
% ansible-playbook -l ghostbusters --become-method=doas FreeBSD.yml
In the above, I’m running the FreeBSD.yml playbook against the ghostbusters group of hosts, and I’m specifying the become-method option so as to use doas.
Another option, from the command line, is to override the internal variable
ansible_become_method, such as:
% ansible-playbook -l venkman FreeBSD.yml --extra-vars "ansible_become_method=doas"
ansible_become_method in the playbook
A simple but, in my opinion, not very scalable approach is to specify the variable ansible_become_method in the playbook. The variable can be specified on a single task basis, or as a general variable, so for example in your playbook you can place it into the vars section:
- hosts: freebsd
  vars:
    ansible_become_method: doas
  ...
This means you no longer have to specify any particular flag on the command line.
ansible_become_method on a per-host basis
A more beautiful approach, in my opinion, is to specify ansible_become_method on a per-host basis. In my inventory file hosts, I have something like:
[freebsd]
miguel ingress_ipv4=192.168.222.123
venkman ingress_ipv4=192.168.222.13 ansible_become_method=doas
So my group freebsd has two hosts, where only venkman uses doas as a privilege escalation method.
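With per-host settings it becomes easy to lose track of which machine escalates through which tool. The following is an added example, not code from the original post: a small audit of an INI inventory that reports the effective ansible_become_method per host. The hosts spengler and stantz and the [ghostbusters:vars] section are constructed for illustration, and the parser is simplified (it ignores :children sections and host ranges).

```python
import shlex

DEFAULT_METHOD = "sudo"  # Ansible's default become method when nothing is set

# Constructed inventory: the post's [freebsd] group plus hypothetical entries.
SAMPLE = """\
[freebsd]
miguel ingress_ipv4=192.168.222.123
venkman ingress_ipv4=192.168.222.13 ansible_become_method=doas

[ghostbusters]
venkman
spengler
stantz ansible_become_method=sudo

[ghostbusters:vars]
ansible_become_method=doas
"""

def parse_kv(tokens):
    """Turn ['a=b', 'c=d'] into {'a': 'b', 'c': 'd'}, skipping bare words."""
    pairs = (t.split("=", 1) for t in tokens if "=" in t)
    return {k.strip(): v.strip() for k, v in pairs}

def become_methods(text, default=DEFAULT_METHOD):
    """Return {host: effective become method}; host vars beat group vars."""
    host_vars, group_vars, members = {}, {}, {}
    section, kind = "ungrouped", "hosts"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, _, suffix = line[1:-1].partition(":")
            kind = suffix or "hosts"
        elif kind == "vars":
            group_vars.setdefault(section, {}).update(parse_kv([line]))
        elif kind == "hosts":
            host, *rest = shlex.split(line)
            members.setdefault(section, []).append(host)
            host_vars.setdefault(host, {}).update(parse_kv(rest))
    result = {}
    for group, hosts in members.items():
        for host in hosts:
            method = (host_vars[host].get("ansible_become_method")
                      or group_vars.get(group, {}).get("ansible_become_method"))
            result[host] = method or result.get(host, default)
    return result
```

Values passed with --extra-vars on the command line override whatever this reports, since extra vars take precedence over inventory variables.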