
msg: Failed to change ownership of the temporary files Ansible (via chmod nor setfacl) needs to create … #1

Open
ELLIOTTCABLE opened this issue Apr 22, 2023 · 4 comments
Labels
question Further information is requested


ELLIOTTCABLE commented Apr 22, 2023

❔ What are you experiencing an issue with?

Latest Release

❔ Version

v2.3.0

🐞 Description

Attempting to run the professormanhattan.deno role, without arguments or other roles, resulted in this error-message:

fatal: [angelica.my.domain]: FAILED! => 
  msg: |-
    Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user (rc: 1, err: chmod: invalid mode: ‘A+user:{{ ansible_user if ansible_os_family == 'Windows' else omit }}:rx:allow’
    Try 'chmod --help' for more information.
    }). For information on working around this, see https://docs.ansible.com/ansible-core/2.14/user_guide/become.html#risks-of-becoming-an-unprivileged-user

… reading some docs, and doing some Googling, I tried the following:

  1. turning on root-login, and switching my inventory to instruct the playbook to run as root — the error changed to this, but still occurs:

    TASK [professormanhattan.deno : Ensure custom facts directory exists] ***********************************************************************
    fatal: [angelica.my.domain]: FAILED! => 
      msg: Failed to change ownership of the temporary files Ansible (via chmod nor setfacl) needs to create despite connecting as a privileged user. Unprivileged become user would be unable to read the file.
    
  2. Adding the aisbergg.acl to ensure setfacl exists (now it does), but still the same error;

  3. Configuring ansible to use a different remote_tmp = /tmp/.ansible/tmp directory, still the same error.

⏺️ Steps To Reproduce

# playbook.yaml
- name: All hosts idk
  hosts: all
  roles:
    - aisbergg.acl
    - professormanhattan.deno

$ ansible-playbook -vvv -i hosts.yaml playbook.yaml

📒 Relevant Log Output

Full log: https://gist.github.com/ELLIOTTCABLE/7552cae76038df5c4dd7be675e567e08

TASK [professormanhattan.deno : Ensure custom facts directory exists] ***********************************************************************
task path: /Users/me/.ansible/roles/professormanhattan.deno/tasks/install-Linux.yml:2
<angelica.my.domain> ESTABLISH SSH CONNECTION FOR USER: root
<angelica.my.domain> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o 'ControlPath="/Users/me/.ansible/cp/ff06be8640"' angelica.my.domain '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /var/tmp `"&& mkdir "` echo /var/tmp/ansible-tmp-1682189697.719-66762-41816168064046 `" && echo ansible-tmp-1682189697.719-66762-41816168064046="` echo /var/tmp/ansible-tmp-1682189697.719-66762-41816168064046 `" ) && sleep 0'"'"''
<angelica.my.domain> (0, b'ansible-tmp-1682189697.719-66762-41816168064046=/var/tmp/ansible-tmp-1682189697.719-66762-41816168064046\n', b'')
Using module file /Users/me/.local/share/rtx/installs/python/3.11.3/lib/python3.11/site-packages/ansible/modules/file.py
<angelica.my.domain> PUT /Users/me/.ansible/tmp/ansible-local-66646jp_5ws3t/tmpmy41hutq TO /var/tmp/ansible-tmp-1682189697.719-66762-41816168064046/AnsiballZ_file.py
<angelica.my.domain> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o 'ControlPath="/Users/me/.ansible/cp/ff06be8640"' '[angelica.my.domain]'
<angelica.my.domain> (0, b'sftp> put /Users/me/.ansible/tmp/ansible-local-66646jp_5ws3t/tmpmy41hutq /var/tmp/ansible-tmp-1682189697.719-66762-41816168064046/AnsiballZ_file.py\n', b'')
<angelica.my.domain> ESTABLISH SSH CONNECTION FOR USER: root
<angelica.my.domain> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o 'ControlPath="/Users/me/.ansible/cp/ff06be8640"' angelica.my.domain '/bin/sh -c '"'"'setfacl -m '"'"'"'"'"'"'"'"'u:{{ ansible_user if ansible_os_family == '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'Windows'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' else omit }}:r-x'"'"'"'"'"'"'"'"' /var/tmp/ansible-tmp-1682189697.719-66762-41816168064046/ /var/tmp/ansible-tmp-1682189697.719-66762-41816168064046/AnsiballZ_file.py && sleep 0'"'"''
<angelica.my.domain> (2, b'', b'setfacl: Option -m: Invalid argument near character 3\n')
<angelica.my.domain> Failed to connect to the host via ssh: setfacl: Option -m: Invalid argument near character 3
<angelica.my.domain> ESTABLISH SSH CONNECTION FOR USER: root
<angelica.my.domain> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o 'ControlPath="/Users/me/.ansible/cp/ff06be8640"' angelica.my.domain '/bin/sh -c '"'"'chmod u+x /var/tmp/ansible-tmp-1682189697.719-66762-41816168064046/ /var/tmp/ansible-tmp-1682189697.719-66762-41816168064046/AnsiballZ_file.py && sleep 0'"'"''
<angelica.my.domain> (0, b'', b'')
<angelica.my.domain> ESTABLISH SSH CONNECTION FOR USER: root
<angelica.my.domain> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o 'ControlPath="/Users/me/.ansible/cp/ff06be8640"' angelica.my.domain '/bin/sh -c '"'"'chown '"'"'"'"'"'"'"'"'{{ ansible_user if ansible_os_family == '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'Windows'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' else omit }}'"'"'"'"'"'"'"'"' /var/tmp/ansible-tmp-1682189697.719-66762-41816168064046/ /var/tmp/ansible-tmp-1682189697.719-66762-41816168064046/AnsiballZ_file.py && sleep 0'"'"''
<angelica.my.domain> (1, b'', b"chown: invalid user: \xe2\x80\x98{{ ansible_user if ansible_os_family == 'Windows' else omit }}\xe2\x80\x99\n")
<angelica.my.domain> Failed to connect to the host via ssh: chown: invalid user: ‘{{ ansible_user if ansible_os_family == 'Windows' else omit }}’
<angelica.my.domain> ESTABLISH SSH CONNECTION FOR USER: root
<angelica.my.domain> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o 'ControlPath="/Users/me/.ansible/cp/ff06be8640"' angelica.my.domain '/bin/sh -c '"'"'rm -f -r /var/tmp/ansible-tmp-1682189697.719-66762-41816168064046/ > /dev/null 2>&1 && sleep 0'"'"''
<angelica.my.domain> (0, b'', b'')
fatal: [angelica.my.domain]: FAILED! => 
  msg: Failed to change ownership of the temporary files Ansible (via chmod nor setfacl) needs to create despite connecting as a privileged user. Unprivileged become user would be unable to read the file.

PLAY RECAP **********************************************************************************************************************************
angelica.my.domain           : ok=4    changed=0    unreachable=0    failed=1    skipped=10   rescued=0    ignored=0

💡 Possible Solution

No response

ELLIOTTCABLE added the question (Further information is requested) label Apr 22, 2023
@ELLIOTTCABLE
Author

Huh. Ran into this again, in an unrelated situation, two months later. Same error, basically; again with acl installed:

TASK [professormanhattan.deno : Ensure custom facts directory exists] **********
fatal: [eurydice.somewhere]: FAILED! => 
  msg: |-
    Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user (rc: 1, err: chmod: invalid mode: ‘A+user:{{ ansible_user if ansible_os_family == 'Windows' else omit }}:rx:allow’
    Try 'chmod --help' for more information.
    }). For information on working around this, see https://docs.ansible.com/ansible-core/2.14/user_guide/become.html#risks-of-becoming-an-unprivileged-user

This is confusing, because the README says:

The role handles the become behavior so you can simply add the role to your playbook without having to worry about commands that should not be run as root.

@ELLIOTTCABLE
Author

Just to call attention to it, it looks like some become_user value somewhere is set incorrectly, such that template substitution isn't functioning:

err: chmod: invalid mode: ‘A+user:{{ ansible_user if ansible_os_family == 'Windows' else omit }}:rx:allow’

@ELLIOTTCABLE
Author

Also, it tries to pass the same argument to setfacl, hahaha — earlier in the log, with -vvv enabled:

<eurydice.sth> ESTABLISH SSH CONNECTION FOR USER: None
<eurydice.sth> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s \
  -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey \
  -o PasswordAuthentication=no -o ConnectTimeout=10 -o 'ControlPath="/Users/ec/.ansible/cp/861003508c"' eurydice.sth \
  '/bin/sh -c \
  '"'"'setfacl -m '"'"'"'"'"'"'"'"'u:{{ ansible_user if ansible_os_family == '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'Windows'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' else omit }}:r-x'"'"'"'"'"'"'"'"' /var/tmp/ansible-tmp-1688151355.624567-7202-71179258779996/ /var/tmp/ansible-tmp-1688151355.624567-7202-71179258779996/AnsiballZ_file.py && sleep 0'"'"''
<eurydice.sth> (2, b'', b'setfacl: Option -m: Invalid argument near character 3\n')
<eurydice.sth> Failed to connect to the host via ssh: setfacl: Option -m: Invalid argument near character 3

ELLIOTTCABLE added a commit to ELLIOTTCABLE/System that referenced this issue Jun 30, 2023
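
The `-vvv` lines quoted in this thread show the literal template reaching `setfacl` and `chown` on the remote host. As an added example (not part of the original issue or of the role's code), this Python script peels the nested shell quoting of each `SSH: EXEC` line and reports any remote argument that still contains Jinja delimiters. The host name `host.example`, the temp path, the helper `ssh_exec_line` and the sample log are constructed for illustration.

```python
import re
import shlex

# Literal template seen in the failing commands quoted in this issue.
TEMPLATE = "{{ ansible_user if ansible_os_family == 'Windows' else omit }}"
JINJA = re.compile(r"\{\{.*?\}\}|\{%.*?%\}")
EXEC = re.compile(r"^<(?P<host>[^>]+)> SSH: EXEC (?P<cmd>ssh .+)$")


def remote_argv(ssh_cmd):
    """Peel both quoting layers: ssh ... host '/bin/sh -c '<script>''."""
    wrapped = shlex.split(ssh_cmd)[-1]        # "/bin/sh -c '<script>'"
    shell = shlex.split(wrapped)              # ["/bin/sh", "-c", "<script>"]
    if len(shell) != 3 or shell[:2] != ["/bin/sh", "-c"]:
        return []
    return shlex.split(shell[2])              # argv as the remote shell saw it


def find_unrendered(log_text):
    """Return (host, program, expression) for each argument still holding Jinja."""
    findings = []
    for line in log_text.splitlines():
        match = EXEC.match(line)
        if not match:
            continue                          # sftp transfers, results, task banners
        try:
            argv = remote_argv(match["cmd"])
        except ValueError:                    # unbalanced quotes in a truncated line
            continue
        for arg in argv[1:]:
            hit = JINJA.search(arg)
            if hit:
                findings.append((match["host"], argv[0], hit.group(0)))
    return findings


def ssh_exec_line(host, script):
    """Constructed log line, quoted the same way as the EXEC lines above."""
    wrapped = shlex.quote("/bin/sh -c " + shlex.quote(script))
    return f"<{host}> SSH: EXEC ssh -C {host} {wrapped}"


# Constructed sample: host.example and the tmp path are placeholders.
TMP = "/var/tmp/ansible-tmp-X/"
SAMPLE = "\n".join([
    ssh_exec_line("host.example", f"setfacl -m {shlex.quote('u:' + TEMPLATE + ':r-x')} {TMP} && sleep 0"),
    "<host.example> (2, b'', b'setfacl: Option -m: Invalid argument near character 3\\n')",
    ssh_exec_line("host.example", f"chmod u+x {TMP} && sleep 0"),
    ssh_exec_line("host.example", f"chown {shlex.quote(TEMPLATE)} {TMP} && sleep 0"),
])

if __name__ == "__main__":
    for host, program, expr in find_unrendered(SAMPLE):
        print(f"{host}: {program} received unrendered template {expr}")
```
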
@alexbmw00

Hi Guys,

Solution applied in 'execution-environment.yml'

Since it is Windows access, the user is Administrator or another Windows account (which does not exist in the EE container), causing a problem in the artifacts' tmp file.

If you activate the debugging level 5 (winrm), you will notice a setfacl message passing the Administrator user; as it is localhost (delegate_to: localhost), this user does not exist in podman.

Append in file: execution-environment.yml

additional_build_steps:
  prepend: |
    RUN useradd -r my_windows_another_user_name
    RUN useradd -r Administrator
  append:
    - RUN id my_windows_another_user_name
    - RUN id Administrator
