I have an ansible 2.1.0 on my server, where I do deployment via vagrant and on PC too. The role "deploy" have :
- name: upload code
become: true
become_user: www-data
git: [email protected]:****.git
dest=/var/www/main
key_file=/var/www/.ssh/id_rsa
accept_hostkey=true
update=yes
force=yes
register: fresh_code
notify: restart php-fpm
tags: fresh_code
In this case with ansible 2.1.0 I get an error:
fatal: [default]: FAILED! => {"failed": true, "msg": "Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user. For information on working around this, see https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user"}
It it ansible 2.0.1.0 which I use on my PC, is all normally - folder /var/www/ have folder main with owner and group www-data
If I use only became_user: www-data and if I use become_method: sudo with became_user: www-data - i got same error
What need to do to resolve this?
On debian/ubuntu you can resolve this by first installing the acl
package on the remote host, like with this ansible task:
- name: install setfacl support
become: yes
apt: pkg=acl
Same thing with redhat/centos -- install the acl
package on the remote host:
- name: install setfacl support
become: yes
yum: name=acl
The problem is that www-data
cannot access the same files your default non-root ansible user created you use to connect to the machine. Also the error message clearly points to ansible's documentation which describes what options you have to fix this issue when upgrading from ansible 2.0 or below.
They suggest three ways to properly fix the issue:
- Use pipelining. When pipelining is enabled, Ansible doesn’t save the module to a temporary file on the client. Instead it pipes the module to the remote python interpreter’s stdin. Pipelining does not work for non-python modules.
- Install filesystem acl support on the managed host. If the temporary directory on the remote host is mounted with filesystem acls enabled and the setfacl tool is in the remote PATH then Ansible will use filesystem acls to share the module file with the second unprivileged instead of having to make the file readable by everyone.
- Don’t perform an action on the remote machine by becoming an unprivileged user. Temporary files are protected by UNIX file permissions when you become root or do not use become. In Ansible 2.1 and above, UNIX file permissions are also secure if you make the connection to the managed machine as root and then use become to an unprivileged account.
Or if you cannot do any of these fixes, then you can force ansible to run in a bit more insecure way (which seemed to be the default in ansible 2 and below), which should also fix your problem, but would not fix the underlying security risk:
If you can’t make any of the changes above to resolve the problem and you decide that the machine you’re running on is secure enough for the modules you want to run there to be world readable you can turn on
allow_world_readable_tmpfiles
in theansible.cfg
file. Settingallow_world_readable_tmpfiles
will change this from an error into a warning and allow the task to run as it did prior to 2.1.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With