community.general.machinectl become – Systemd’s machinectl privilege escalation

Note

This become plugin is part of the community.general collection (version 10.1.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general.

To use it in a playbook, specify: community.general.machinectl.

Synopsis

  • This become plugins allows your remote/login user to execute commands as another user via the machinectl utility.

Parameters

Parameter

Comments

become_exe

string

Machinectl executable.

Default: "machinectl"

Configuration:

  • INI entries:

    [privilege_escalation]
    become_exe = machinectl
    
    [machinectl_become_plugin]
    executable = machinectl
    
  • Environment variable: ANSIBLE_BECOME_EXE

  • Environment variable: ANSIBLE_MACHINECTL_EXE

  • Variable: ansible_become_exe

  • Variable: ansible_machinectl_exe

become_flags

string

Options to pass to machinectl.

Default: ""

Configuration:

  • INI entries:

    [privilege_escalation]
    become_flags = ""
    
    [machinectl_become_plugin]
    flags = ""
    
  • Environment variable: ANSIBLE_BECOME_FLAGS

  • Environment variable: ANSIBLE_MACHINECTL_FLAGS

  • Variable: ansible_become_flags

  • Variable: ansible_machinectl_flags

become_pass

string

Password for machinectl.

Configuration:

  • INI entry:

    [machinectl_become_plugin]
    password = VALUE
    
  • Environment variable: ANSIBLE_BECOME_PASS

  • Environment variable: ANSIBLE_MACHINECTL_PASS

  • Variable: ansible_become_password

  • Variable: ansible_become_pass

  • Variable: ansible_machinectl_pass

become_user

string

User you ‘become’ to execute the task.

Default: ""

Configuration:

  • INI entries:

    [privilege_escalation]
    become_user = ""
    
    [machinectl_become_plugin]
    user = ""
    
  • Environment variable: ANSIBLE_BECOME_USER

  • Environment variable: ANSIBLE_MACHINECTL_USER

  • Variable: ansible_become_user

  • Variable: ansible_machinectl_user

Notes

Note

  • When not using this plugin with user root, it only works correctly with a polkit rule which will alter the behaviour of machinectl. This rule must alter the prompt behaviour to ask directly for the user credentials, if the user is allowed to perform the action (take a look at the examples section). If such a rule is not present the plugin only work if it is used in context with the root user, because then no further prompt will be shown by machinectl.

Examples

# A polkit rule needed to use the module with a non-root user.
# See the Notes section for details.
/etc/polkit-1/rules.d/60-machinectl-fast-user-auth.rules: |
  polkit.addRule(function(action, subject) {
    if(action.id == "org.freedesktop.machine1.host-shell" &&
      subject.isInGroup("wheel")) {
        return polkit.Result.AUTH_SELF_KEEP;
    }
  });

Authors

  • Ansible Core Team

Hint

Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.