Ansible User module system parameter creates home directory
The Ansible user module has a parameter named system for creating a system user. Its description says:
When creating an account state=present, setting this to yes makes the user a system account. This setting cannot be changed on existing users.
The code for this parameter is:
if self.system: cmd.append('-r')
The Ansible user module uses the useradd command under the hood. The man page of useradd for the -r option says:
-r, --system
Create a system account. System users will be created with no aging information in /etc/shadow, and their numeric identifiers are chosen in the SYS_UID_MIN-SYS_UID_MAX range, defined in /etc/login.defs, instead of UID_MIN-UID_MAX (and their GID counterparts for the creation of groups).
Note that useradd will not create a home directory for such a user, regardless of the default setting in /etc/login.defs (CREATE_HOME). You have to specify the -m options if you want a home directory for a system account to be created.
It clearly says that by default no home directory will be created for a system user. But if you create a user with the following task:
- name: create system user
  user:
    name: systemuser
    state: present
    system: true
A home directory will be created for systemuser in /home/systemuser. This is due to the create_home option, which defaults to true in the user module. The system parameter has no effect on the create_home option. So the command Ansible runs internally becomes:
useradd -r -m systemuser
An issue was created years ago to change this behavior, but it was turned down because it would break existing playbooks, which is pretty dumb in my opinion. In the meantime, if you want to create a system user with this module without creating a home directory, you should explicitly set the create_home parameter to false:
- name: create system user
  user:
    name: systemuser
    state: present
    system: true
    create_home: false
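For hosts where playbooks already ran with the default create_home, the following added example (not part of the original post or of Ansible) lists accounts in the SYS_UID_MIN-SYS_UID_MAX range that still ended up with an existing home under /home. The function names, the fallback range and the sample data are assumptions made for the illustration.

```python
import os
import re

# Constructed sample data, not taken from a real host.
SAMPLE_LOGIN_DEFS = """\
UID_MIN      1000
SYS_UID_MIN   201
SYS_UID_MAX   999
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
systemuser:x:998:998::/home/systemuser:/bin/sh
svc-metrics:x:997:997::/var/lib/metrics:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

def sys_uid_range(login_defs_text, fallback=(101, 999)):
    """Read SYS_UID_MIN/SYS_UID_MAX from login.defs text.
    The fallback range is an assumption used when a key is absent."""
    found = dict(re.findall(r"^\s*(SYS_UID_MIN|SYS_UID_MAX)\s+(\d+)",
                            login_defs_text, re.M))
    return (int(found.get("SYS_UID_MIN", fallback[0])),
            int(found.get("SYS_UID_MAX", fallback[1])))

def system_accounts_with_home(passwd_text, uid_range,
                              home_exists=os.path.isdir, home_root="/home"):
    """Return (name, uid, home) for system-range accounts whose home
    directory sits under home_root and actually exists."""
    lo, hi = uid_range
    prefix = home_root.rstrip("/") + "/"
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip malformed or comment lines
        name, uid, home = fields[0], int(fields[2]), fields[5]
        if lo <= uid <= hi and home.startswith(prefix) and home_exists(home):
            hits.append((name, uid, home))
    return hits

if __name__ == "__main__":
    # Demo on the constructed sample; pass the contents of /etc/login.defs and
    # /etc/passwd (and drop the home_exists stub) to audit a real host.
    rng = sys_uid_range(SAMPLE_LOGIN_DEFS)
    for name, uid, home in system_accounts_with_home(
            SAMPLE_PASSWD, rng, home_exists=lambda p: True):
        print(f"{name} (uid {uid}) has a home directory at {home}")
```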
I’ve created an Ansible role which you can use to manage users for your system. It uses the system parameter but behaves as you’d expect and does not create a home directory.