As a common security habit, I learned that you shouldn't allow root login through ssh on machines open to the world. The way to go is to ssh to your server with a user account, then use sudo. Also, Ubuntu disables ssh-ing as the root account by default.
When I'm configuring a server manually I usually execute `sudo -i` to have a persistent root shell, so that I don't have to type `sudo` in front of every command.
Now I'm not completely sure what the best way is to do this with Ansible. In Ansible's inventory files, you can specify the user to use for ssh-ing with the `ansible_ssh_user` variable. In Ansible playbooks and tasks you have these options:
- `remote_user` - The user to ssh to the machine with for the specific playbook/task
- `sudo` - If `yes`, runs the commands in the playbook/task with sudo
- `sudo_user` - Sudo to a different user and then execute the commands in the playbook/task
So I specified the user I use for ssh-ing with `ansible_ssh_user`, and then I have a couple of tasks that need root privileges.
I have two options to do this, but I don't really like either of them:
1. I could use `sudo: yes` for every single task that needs root privileges. I don't really like this way because I will have to use this for almost every task.
2. I could put `sudo: yes` in the playbook that includes the roles/tasks. I doubt whether this is the correct way, because like this all roles/tasks would have to assume that they always have root privileges. Also, if we did it like this, why can't I then just set this as an option in the Ansible config, so that all my playbooks (and their roles/tasks) will always use sudo?
So I wonder, what is the correct way to do this?
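The two placements described in the question, written out side by side as an added example (this is not code from the question and not an answer to it; the inventory group, host name, account name `deploy`, the `postgres` user and the `nginx` package are all assumed). The keywords are the ones the question uses; note that in later Ansible releases `sudo`/`sudo_user` were replaced by `become`/`become_user`, and `ansible_ssh_user` by `ansible_user`.

```yaml
# Inventory (INI format, kept as a comment here so the file stays valid YAML).
# ssh in as an unprivileged account; root login over ssh stays disabled.
# Assumed values:
#   [web]
#   web1.example.com ansible_ssh_user=deploy
---
# Option 2 from the question: `sudo: yes` on the play. Every task in the play,
# including every task of every role it includes, runs through sudo as root,
# so the roles can assume root but also always get it whether needed or not.
- hosts: web
  sudo: yes
  tasks:
    - name: install nginx (needs root)
      apt: name=nginx state=present

    - name: a read-only check that would also have worked without root
      command: id

# Option 1 from the question: no play-level sudo. The play runs as the ssh
# user (`deploy`) and privileges are raised only on the tasks that need them.
- hosts: web
  tasks:
    - name: install nginx (needs root)
      apt: name=nginx state=present
      sudo: yes

    # `sudo_user` switches to a different account than root via sudo; the
    # `postgres` account and path are assumed for illustration.
    - name: create a directory owned by the postgres service account
      file: path=/var/lib/postgresql/backups state=directory mode=0700
      sudo: yes
      sudo_user: postgres

    - name: a read-only check, runs as the plain ssh user
      command: id
```

Running the second play with `ansible-playbook -v` and looking at the `id` output makes the difference visible: the same `command: id` task reports `uid=0(root)` under the first play and the unprivileged `deploy` account under the second.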