Ansible 2.1.0 using become/become_user fails to set permissions on temp file

I have ansible 2.1.0 on my server, where I do deployment via vagrant, and also on my PC. The role "deploy" has:

- name: upload code
  become: true
  become_user: www-data
  # repo host and name are elided in the original; HOST and **** are placeholders
  git: repo=git@HOST:****.git
       dest=/var/www/main
       key_file=/var/www/.ssh/id_rsa
       accept_hostkey=true
       update=yes
       force=yes
  register: fresh_code
  notify: restart php-fpm
  tags: fresh_code

In this case with ansible 2.1.0 I get an error:

fatal: [default]: FAILED! => {"failed": true, "msg": "Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user. For information on working around this, see https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user"}

With ansible 2.0.1.0, which I use on my PC, everything is normal: folder /var/www/ has a folder main with owner and group www-data.

If I use only become_user: www-data, and if I use become_method: sudo with become_user: www-data, I get the same error.

What do I need to do to resolve this?

DeamonMV asked Apr 15 '16 12:04


2 Answers

On debian/ubuntu you can resolve this by first installing the acl package on the remote host, like with this ansible task:

- name: install setfacl support
  become: yes
  apt: pkg=acl

Same thing with redhat/centos -- install the acl package on the remote host:

- name: install setfacl support
  become: yes
  yum: name=acl

Justin Ludwig answered Oct 20 '22 15:10
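Putting the two install tasks and the original become_user task together into one playbook, as an added example (this is not code from either answer or from the Ansible project); it selects the package module from `ansible_os_family`, and the repository URL and the php-fpm service name are assumed placeholders:

```yaml
# Added example playbook: make sure setfacl exists on the managed host before
# any task that becomes the unprivileged www-data user. With the acl package
# present, Ansible 2.1 shares its temporary module file with www-data through a
# filesystem ACL instead of failing (or, pre-2.1, making the file world-readable).
- hosts: all
  tasks:
    - name: install setfacl support (Debian/Ubuntu)
      become: yes
      apt:
        name: acl
        state: present
      when: ansible_os_family == "Debian"

    - name: install setfacl support (RedHat/CentOS)
      become: yes
      yum:
        name: acl
        state: present
      when: ansible_os_family == "RedHat"

    - name: upload code as www-data
      become: yes
      become_user: www-data
      git:
        repo: "git@HOST:****.git"        # placeholder: the question elides the real repository
        dest: /var/www/main
        key_file: /var/www/.ssh/id_rsa
        accept_hostkey: yes
        update: yes
        force: yes
      register: fresh_code
      notify: restart php-fpm
      tags: fresh_code

  handlers:
    - name: restart php-fpm
      become: yes
      service:
        name: php-fpm   # assumption: the unit is named differently on some distributions (e.g. php5-fpm)
        state: restarted
```

The acl tasks run as root (`become: yes` without `become_user`), so they do not themselves hit the temp-file problem; only the third task switches to an unprivileged account. The remote temp directory (by default under the connecting user's home) must also be on a filesystem mounted with ACL support, otherwise `setfacl` is present but fails and Ansible falls back to the same error.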


The problem is that www-data cannot access the files created by the default non-root ansible user you use to connect to the machine. Also, the error message clearly points to ansible's documentation, which describes what options you have to fix this issue when upgrading from ansible 2.0 or below.

They suggest three ways to properly fix the issue:

  • Use pipelining. When pipelining is enabled, Ansible doesn’t save the module to a temporary file on the client. Instead it pipes the module to the remote python interpreter’s stdin. Pipelining does not work for non-python modules.
  • Install filesystem acl support on the managed host. If the temporary directory on the remote host is mounted with filesystem acls enabled and the setfacl tool is in the remote PATH then Ansible will use filesystem acls to share the module file with the second unprivileged user instead of having to make the file readable by everyone.
  • Don’t perform an action on the remote machine by becoming an unprivileged user. Temporary files are protected by UNIX file permissions when you become root or do not use become. In Ansible 2.1 and above, UNIX file permissions are also secure if you make the connection to the managed machine as root and then use become to an unprivileged account.

Or if you cannot do any of these fixes, then you can force ansible to run in a bit more insecure way (which seemed to be the default in ansible 2 and below), which should also fix your problem, but would not fix the underlying security risk:

If you can’t make any of the changes above to resolve the problem and you decide that the machine you’re running on is secure enough for the modules you want to run there to be world readable you can turn on allow_world_readable_tmpfiles in the ansible.cfg file. Setting allow_world_readable_tmpfiles will change this from an error into a warning and allow the task to run as it did prior to 2.1.

SztupY answered Oct 20 '22 14:10
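An ansible.cfg that applies the first option from the list above (pipelining) and keeps the insecure fallback from the last paragraph visible but disabled, as an added example that is not part of the answer or of the Ansible documentation; the section and option names are the real ones from Ansible 2.1, the comments are mine:

```ini
# Added example ansible.cfg: prefer pipelining over world-readable temp files.

[defaults]
# Leave this unset. Setting it to True turns the 2.1 "Failed to set permissions"
# error back into a warning and restores the pre-2.1 behaviour: the module file is
# made readable by everyone while it sits in the remote temp directory, so any
# local user on the managed host can read it (and the arguments embedded in it).
#allow_world_readable_tmpfiles = True

[ssh_connection]
# Stream the module to the remote python interpreter's stdin over the existing
# SSH session instead of writing it to a temporary file that www-data would then
# have to read. Only python modules are pipelined; the git module used in the
# question is one.
pipelining = True
```

Pipelining needs `requiretty` to be absent from the remote sudoers for the connecting user, which some RHEL/CentOS releases set by default; with it present, sudo refuses the non-interactive session and the task fails in a different way. Installing the acl package is the fix that works regardless of sudoers configuration, so the two can be combined: pipelining where it applies, ACLs as the fallback.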