From 91c23894a22e37d8a8492d41ad37356aff1a30a4 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Wed, 9 Jul 2025 08:49:54 -0500
Subject: [PATCH] Set shell when using su for become

Since the host-provisioner connects to the target machine as root, it only uses "become" to drop privileges. Unprivileged users often have a non-login shell set (e.g. `/bin/false` or `/sbin/nologin`), which prevents `su` from working, as it uses the target user's shell by default. Fortunately, we can override the shell with the `-s` argument, which we can tell Ansible to add via the `ansible_become_flags` variable.
---
 host_provisioner.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/host_provisioner.py b/host_provisioner.py
index 43a7765..ec096ca 100644
--- a/host_provisioner.py
+++ b/host_provisioner.py
@@ -63,7 +63,15 @@ def amqp_connect() -> pika.BlockingConnection:
 def apply_playbook(*args: str) -> None:
- cmd = ['ansible-playbook', '-u', 'root', '-e', 'ansible_become_method=su']
+ cmd = [
+ 'ansible-playbook',
+ '-u',
+ 'root',
+ '-e',
+ 'ansible_become_method=su',
+ '-e',
+ "ansible_become_flags='-s /bin/sh'",
+ ]
 cmd += args
 log.debug('Running command: %s', cmd)
 subprocess.run(cmd, check=True, stdin=subprocess.DEVNULL)
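Review bot: The new `ansible_become_flags` entry in `apply_playbook` has no comment explaining why the shell is forced or why the value is nested-quoted, and the reason currently lives only in the commit message. A comment above the two `-e` pairs would help, for example `# connect as root, then su to service users whose shell may be nologin; the inner quotes keep '-s /bin/sh' a single key=value token`. Because extra vars take precedence over inventory and play settings, the override applies to every become in every playbook, including accounts whose non-login shell was set deliberately, and that scope is worth stating in the function's docstring. `cmd += args` follows the list, so a later `-e` in `args` would presumably replace these values; where `args` originates is not visible in this hunk.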