Jack L.

Reputation: 1335

How can I ensure correct permissions when using Ansible to deploy an application

I am having a really hard time understanding how to approach privilege escalation when deploying a Python application using Ansible.

In my current setup:

No matter what I do via Ansible, it ends up being done either via John or via root (with become: true).

I would like to:

  1. install system packages like python3, pip or supervisord
  2. set up a separate system user
  3. download the code using the git repository
  4. create a virtualenv
  5. install requirements in the virtualenv
  6. set up supervisord

The list above is really easy when I do it manually - I log into the VM, I use sudo su - to become superuser to handle points 1-2, then su new-system-user, complete points 3-5 etc.

Some of the tasks are also really easy to do in Ansible when using become: true or using my SSH user, however I get many permission issues when using the newly created system user, and become_user: "{{ system_user }}" in tasks 3-5 seems not to work as intended.

I would like to ask you - what is the optimal way to tackle this issue? My only workaround is to do everything in the context of my SSH user, and then copy&chown to the new system-user, but this seems like a hack, and I'm pretty sure I'm missing something when it comes to the correct privilege escalation.

Upvotes: 0

Views: 760

Answers (1)

U880D

Reputation: 12018

Even if I can't answer

What is the optimal way to tackle this issue?

fully, steps 1-3 and 6 might be possible in a way like

---
- hosts: pyapp
  # Play-level escalation: every task below runs as root via sudo.
  # Files that must belong to the service account get explicit owner/group.
  become: true

  tasks:

  - name: Make sure packages are installed
    yum:
      name: supervisor
      state: latest

  # Fixed gid so the group is identical across hosts
  - name: Create group in local system
    group:
      name: pyapp
      gid: '1234'

  # Dedicated, non-interactive service account (no login shell)
  - name: Configure local account in system
    user:
      name: "pyapp"
      system: yes
      createhome: yes
      uid: '1234'
      group: '1234'
      shell: /sbin/nologin
      comment: "My Python App"
      state: present

  # Fetched on the remote host as root, but ownership is handed to pyapp here,
  # so no separate chown step is needed
  - name: Download and unpack
    unarchive:
      src: "https://{{ DOWNLOAD_URL }}/myPythonApp.tar.gz"
      dest: "/home/pyapp/"
      remote_src: yes
      owner: "pyapp"
      group: "pyapp"

  # Log directory owned by the service user so supervisord can write there as pyapp
  - name: Make sure log directory exists
    file:
      path: "/var/log/pyapp"
      state: directory
      owner: 'pyapp'
      group: 'pyapp'

  # Program definition stays root-owned under /etc
  - name: Make sure supervisord config file is provided
    copy:
      src: "pyapp.ini"
      dest: "/etc/supervisord.d/pyapp.ini"

  - name: Make sure service becomes started and enabled
    systemd:
      name: supervisord
      state: started
      enabled: true
      daemon_reload: true

  - name: Make sure application is in started state
    supervisorctl:
      name: pyapp
      state: started
with a Configuration File (pyapp.ini) like

[program:pyapp]
directory=/home/pyapp
command=/usr/bin/python /home/pyapp/myPythonApp.py
user=pyapp
process_name=%(program_name)s
autorestart=true
stderr_logfile=/var/log/pyapp/stderr.log
stdout_logfile=/var/log/pyapp/stdout.log

leaving the other values at their defaults.

I am using such an approach and it just works. Step 3, the download, should also be possible by using the git module.

Module Documentation in order of occurrence

Further Readings

You may then have a look into Manages Python library dependencies and the Examples, as well as Installing a Distribution Package and Running Supervisor.

Upvotes: 1
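The answer covers steps 1-3 and 6 as root. The following playbook is an added example, not code from the question or the answer, for the remaining steps 3-5 (clone, virtualenv, pip install) executed as the unprivileged service account via become_user. It assumes the pyapp user and group from the answer's playbook already exist, that git and python3 are installed on the target, and it uses a placeholder REPO_URL. The most frequent reason become_user fails for a non-root account is that Ansible has to pass its module file from the connection user to the become user through a remote temp directory; enabling SSH pipelining (ansible_pipelining here, or pipelining = True under [ssh_connection] in ansible.cfg) sends the module over stdin instead, which avoids both the permission error and the world-readable temp-file workaround.

```yaml
---
# Added example (not the poster's or answerer's code): steps 3-5 run as the
# unprivileged service account "pyapp" created earlier, so the files are owned
# by pyapp from the start and no copy & chown step is needed.
# Assumptions: pyapp user/group exist, git and python3 are installed,
# REPO_URL is a placeholder variable supplied by the caller.
- hosts: pyapp
  vars:
    system_user: pyapp
    app_dir: /home/pyapp/app
    venv_dir: /home/pyapp/venv
    # Same effect as "pipelining = True" in the [ssh_connection] section of
    # ansible.cfg. With pipelining the module is streamed over stdin, so Ansible
    # does not need setfacl or a world-readable temp file to hand the module from
    # the SSH user to the become user. Requires "requiretty" to be disabled in sudoers.
    ansible_pipelining: true

  tasks:
    # Step 3: sudo to root, then drop to pyapp for the clone itself.
    # Pin "version" to a tag or commit hash in production rather than a branch.
    - name: Clone application code as the service user
      ansible.builtin.git:
        repo: "https://{{ REPO_URL }}/myPythonApp.git"   # placeholder URL
        dest: "{{ app_dir }}"
        version: main
      become: true
      become_user: "{{ system_user }}"

    # Steps 4-5: the pip module creates the virtualenv if it is missing and then
    # installs the requirements into it, all as pyapp.
    - name: Create virtualenv and install requirements as the service user
      ansible.builtin.pip:
        requirements: "{{ app_dir }}/requirements.txt"
        virtualenv: "{{ venv_dir }}"
        virtualenv_command: python3 -m venv
      become: true
      become_user: "{{ system_user }}"

    # Check: anything under the home directory not owned by pyapp means some
    # task ran in the wrong privilege context. Runs as root so it can read everything.
    - name: Verify nothing under the home directory is owned by another user
      ansible.builtin.command: find /home/pyapp -not -user {{ system_user }}
      register: foreign_files
      changed_when: false
      failed_when: foreign_files.stdout_lines | length > 0
      become: true
```

Run this after the answer's playbook (or append the tasks to it with the per-task become_user shown). Keeping become: true at the task level together with become_user makes the intent explicit: escalate to root through sudo, then drop to the service account, rather than running the clone or pip install as root and repairing ownership afterwards.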
