community.general.machinectl become – Systemd’s machinectl privilege escalation

Note

This become plugin is part of the community.general collection (version 11.3.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general.

To use it in a playbook, specify: community.general.machinectl.

Synopsis

  • This become plugin allows your remote/login user to execute commands as another user using the machinectl utility.

Parameters

Parameter

Comments

become_exe

string

machinectl executable.

Default: "machinectl"

Configuration:

  • INI entries:

    [privilege_escalation]
    become_exe = machinectl
    
    [machinectl_become_plugin]
    executable = machinectl
    
  • Environment variable: ANSIBLE_BECOME_EXE

  • Environment variable: ANSIBLE_MACHINECTL_EXE

  • Variable: ansible_become_exe

  • Variable: ansible_machinectl_exe

become_flags

string

Options to pass to machinectl.

Default: ""

Configuration:

  • INI entries:

    [privilege_escalation]
    become_flags = ""
    
    [machinectl_become_plugin]
    flags = ""
    
  • Environment variable: ANSIBLE_BECOME_FLAGS

  • Environment variable: ANSIBLE_MACHINECTL_FLAGS

  • Variable: ansible_become_flags

  • Variable: ansible_machinectl_flags

become_pass

string

Password for machinectl.

Configuration:

  • INI entry:

    [machinectl_become_plugin]
    password = VALUE
    
  • Environment variable: ANSIBLE_BECOME_PASS

  • Environment variable: ANSIBLE_MACHINECTL_PASS

  • Variable: ansible_become_password

  • Variable: ansible_become_pass

  • Variable: ansible_machinectl_pass

become_user

string

User you ‘become’ to execute the task.

Default: ""

Configuration:

  • INI entries:

    [privilege_escalation]
    become_user = ""
    
    [machinectl_become_plugin]
    user = ""
    
  • Environment variable: ANSIBLE_BECOME_USER

  • Environment variable: ANSIBLE_MACHINECTL_USER

  • Variable: ansible_become_user

  • Variable: ansible_machinectl_user

Note

Configuration entries listed above for each entry type (Ansible variable, environment variable, and so on) have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up. The entry types are also ordered by precedence from low to high priority order. For example, an ansible.cfg entry (further up in the list) is overwritten by an Ansible variable (further down in the list).

Notes

Note

  • When not using this plugin with user root, it only works correctly with a polkit rule which alters the behaviour of machinectl. This rule must alter the prompt behaviour to ask directly for the user credentials, if the user is allowed to perform the action (take a look at the examples section). If such a rule is not present the plugin only works if it is used in context with the root user, because then no further prompt is shown by machinectl.

  • This become plugin does not work when connection pipelining is enabled. With ansible-core 2.19+, using it automatically disables pipelining. On ansible-core 2.18 and before, pipelining must explicitly be disabled by the user.

Examples

# A polkit rule needed to use the plugin with a non-root user.
# See the Notes section for details.
/etc/polkit-1/rules.d/60-machinectl-fast-user-auth.rules: |-
  polkit.addRule(function(action, subject) {
    if(action.id == "org.freedesktop.machine1.host-shell" &&
      subject.isInGroup("wheel")) {
        return polkit.Result.AUTH_SELF_KEEP;
    }
  });
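
The following playbook is an added example, not part of the collection's documentation. It shows the plugin selected as the become method, with pipelining turned off as the Notes section requires and a check that the task really ran as the intended account. The host group appservers, the login user deploy (assumed to be in wheel, matching the polkit rule above) and the target user appsvc are hypothetical names.

```yaml
# Added example; appservers, deploy and appsvc are hypothetical names.
# Run with: ansible-playbook site.yml --ask-become-pass
- name: Run a task as another user through machinectl
  hosts: appservers
  remote_user: deploy            # assumed member of "wheel", as in the polkit rule
  become: true
  become_method: community.general.machinectl
  become_user: appsvc
  vars:
    # The plugin does not work with connection pipelining. ansible-core 2.19+
    # disables it automatically; on 2.18 and earlier it must be set explicitly.
    ansible_pipelining: false
  tasks:
    - name: Show which account the task actually ran as
      ansible.builtin.command: id -un
      register: whoami
      changed_when: false

    - name: Fail if escalation did not land on the intended user
      ansible.builtin.assert:
        that:
          - whoami.stdout == "appsvc"
        fail_msg: "Expected appsvc, got {{ whoami.stdout }}"
```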

Authors

  • Ansible Core Team