New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
become: getcwd: cannot access parent directories: Permission denied #19729
Comments
I think this is a generic problem but I don't think there's a solution in code. If ansible were to switch directories then anything that bases itself off of paths relative to the current working directory wouldn't make sense. |
The traceback indicates the error is on line 10 of the ansiballz module wrapper, which is here: https://github.com/ansible/ansible/blob/devel/lib/ansible/executor/module_common.py#L112 A call to @abadger What's the impact of ignoring that exception? We already handle |
Don't know. As you can see from the comments, it fixed errors of module shadowing on some Linux distributions. But other Linux distros did not have the problem. I can't recall the issue but reading the comment makes me think you could test it by having a module in module_utils that shadowed a python stdlib library that we use or similar. |
Notes from Initial debugging:
Checking now whether this only happens in the AnsiBallZ module wrapper or if it also happens inside of a module. |
Does not affect retrieving the current working directory inside of a module. So it is only at the wrapper level. I think that on other systems, piping a script into python must not set main.file (thus the AttributeError in the exception handler). On osx this seems to be getting set so the script gets to call os.path.abspath() and then fails. Going to try this with world readable tempfiles and no pipelining to confirm whether that's part of the problem. |
Results are that it works with no pipelining but we don't get AttributeError on osx or Linux in this situation. Maybe pipelining isn't setting up permissions on the temporary directories like the non-pipelining case. |
ah. When we're not pipelining, python is passed the full path to the script that it invokes. So in that case, os.path.abspath() does not end up calling getcwd() as main.file already contains an absolute pathname. |
@mattclay I've distilled a test case for testing whether the scriptdir removal from sys.path is necessary on a platform. If I find that OSX does not need that, I'll add OSError as a valid reason to skip scriptdir handling. |
On Ubuntu the scriptdir gets placed into sys.path. This makes some modules (copy) fail because the ansible module gets loaded instead of the stdlib copy module. So we remove scriptdir there. Unfortunately, the scriptdir code uses abspath(). When pipelining, abspath() has to find the cwd. On OSX, finding the cwd when that directory is not executable by the user raises an OSError. Since OSX does not suffer from the scriptdir problem we're able to just skip scriptdir handling if we get that exception. Fixes ansible#19729
On Ubuntu the scriptdir gets placed into sys.path. This makes some modules (copy) fail because the ansible module gets loaded instead of the stdlib copy module. So we remove scriptdir there. Unfortunately, the scriptdir code uses abspath(). When pipelining, abspath() has to find the cwd. On OSX, finding the cwd when that directory is not executable by the user raises an OSError. Since OSX does not suffer from the scriptdir problem we're able to just skip scriptdir handling if we get that exception. Fixes #19729
On Ubuntu the scriptdir gets placed into sys.path. This makes some modules (copy) fail because the ansible module gets loaded instead of the stdlib copy module. So we remove scriptdir there. Unfortunately, the scriptdir code uses abspath(). When pipelining, abspath() has to find the cwd. On OSX, finding the cwd when that directory is not executable by the user raises an OSError. Since OSX does not suffer from the scriptdir problem we're able to just skip scriptdir handling if we get that exception. Fixes #19729 (cherry picked from commit 03510ec)
ISSUE TYPE
COMPONENT NAME
become functionality
ANSIBLE VERSION
CONFIGURATION
OS / ENVIRONMENT
Orchestrator: Macos 10.11, target 10.12
SUMMARY
When using become with non-privileged user, tasks are failing with
apply to single task on or on include: for example osx_defaults
Problem is I think, ansible should chdir to a world-readable directory before 'become' like / or /tmp. else python is trying its own actions later and failed because of permissions.
Note: ansible user is non-root user with sudo capacity. both this user and root user have private home non-readable by other users.
STEPS TO REPRODUCE
EXPECTED RESULTS
task should apply in user context without failure.
ACTUAL RESULTS
The text was updated successfully, but these errors were encountered: