Cannot use git module with custom `key_file` or `ssh_opts` as non-root user on system with noexec `/tmp` #30064

Open
ansibot opened this Issue Sep 12, 2017 · 10 comments

ansibot commented Sep 12, 2017

ISSUE TYPE

bug report

COMPONENT NAME

git module

ANSIBLE VERSION

1.9.2
$ ansible --version
ansible 1.9.2
configured module search path = None

CONFIGURATION

$ cat ansible.cfg
[defaults]
roles_path=roles/

OS / ENVIRONMENT

CentOS 6.5.

SUMMARY

When using key_file or ssh_opts with the git module, it writes an ssh wrapper script to a temporary location and then git executes it.

This temporary script is written to the module dir, if accessible to the current user, or otherwise to the default system temp dir.

When sudoing to a non-root, non-ansible user, the module dir generally isn't accessible, so it falls back to the system temp dir.

But in a system with a noexec-mounted /tmp dir, this fails with "cannot exec: permission denied", as originally reported in #6567

This is the same basic scenario as #7375, but the fix there failed to account for the noexec-tmp possibility.

STEPS TO REPRODUCE

On a target system with a noexec-mounted /tmp, run a task such as this:

- name: clone MyProject codebase
  sudo_user: "{{ myproject_user }}"
  git: repo={{ myproject_repo_clone_url }}
       version={{ myproject_ref }}
       key_file={{ myproject_home }}/deploy_key
       dest={{ myproject_repo_dir }}

EXPECTED RESULTS

Repo should be successfully cloned, as the given sudo_user, using the given key_file.

ACTUAL RESULTS

TASK: [myrole | clone MyProject codebase] ************************************ 
failed: [server.example.com] => {"cmd": "/usr/bin/git ls-remote 'ssh:********@github.com/myorg/MyProject.git' -h refs/heads/master", "failed": true, "rc": 128}
stderr: fatal: cannot exec '/tmp/tmpyWsoGi': Permission denied
fatal: unable to fork

msg: fatal: cannot exec '/tmp/tmpyWsoGi': Permission denied
fatal: unable to fork

Copied from original issue: ansible/ansible-modules-core#1912

ansibot commented Sep 12, 2017

From @carljm on 2015-08-13T18:41:10Z

For anyone running across this before it's fixed, the workaround I'm using is to write a ~/.ssh/config for the user in question with the line IdentityFile {{ myproject_home }}/deploy_key in it, and then remove key_file from the git module opts.

In terms of the desired fix, I'm not sure there is any location Ansible can strictly guarantee is writable and executable when sudoing to an arbitrary user. A third fallback option which would likely work in most cases is the user's homedir, as long as it's cleaned up afterwards. Ultimately it may be useful just to have tmp_dir be a config option to the git module, so it's possible to make it work even in very unusual cases.

@ansibot ansibot added the affects_1.9 label Sep 12, 2017

ansibot commented Sep 12, 2017

From @carljm on 2015-08-13T18:41:10Z

Turns out Python's tempfile.mkstemp() respects the TMPDIR environment variable, so simply setting TMPDIR is also an option here. As far as I'm concerned that's adequate; maybe a documentation note about this would be a sufficient fix?

ansibot commented Sep 12, 2017

From @scottjs on 2015-08-13T18:41:10Z

Hi. I'm running Ansible 2.1.1.0 and also having this problem but I'm not sure how to fix it! Any ideas?

ansibot commented Sep 12, 2017

From @davidpanofsky on 2015-08-13T18:41:10Z

We were able to work around this by setting the TEMP environment variable to a directory which can be written to by the user. You may also need to add TEMP to your sudo env_keep list.

ansibot commented Sep 12, 2017

From @isaacfife on 2015-08-13T18:41:10Z

I just ran into this problem with version 2.1.2.0 and was successfully able to use @carljm's workaround with IdentityFile in the ssh config.

ansibot commented Sep 12, 2017

From @briceburg on 2015-08-13T18:41:10Z

FWIW, we're using the TMPDIR workaround as follows;

# remote-deployment
###################
- name: git checkout
  environment:
    TMPDIR: "{{ BLUEACORN_DIR }}/tmp"
  git:
    repo: "{{ REPO_REMOTE }}"
    version: "{{ REPO_REF }}"
    key_file: "{{ BLUEACORN_DIR }}/keys/github-deploy.key"
    ...
ansibot commented Sep 13, 2017

idgdmg commented Sep 30, 2017

This issue STILL exists on Ansible 2.1 AND Ansible 2.50!!

=====

How to reproduce:

1. Step 1: verifying that the host "dev-web-sf-98" has /tmp mounted as "noexec"

[root@dev-web-sf-98 /]# umount /tmp
[root@dev-web-sf-98 /]# mount /tmp
[root@dev-web-sf-98 /]# mount -l | grep '/tmp'

/dev/mapper/cl-tmp on /tmp type xfs (rw,nosuid,nodev,noexec,relatime,seclabel,attr2,inode64,noquota)

2. Step 2: Running the playbook with "-vvv" flag

TASK [narfweb7 : Update the Apache NG from GIt bitbucket] **********************************************************************************************************************
task path: /home/ansible/roles/narfweb7/tasks/main.yml:33
Using module file /usr/lib/python2.7/site-packages/ansible/modules/source_control/git.py
<dev-web-sf-98.idgesg.net> ESTABLISH SSH CONNECTION FOR USER: ansible
<dev-web-sf-98.idgesg.net> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 -o ControlPath=/home/ansible/.ansible/cp/7e3e9fc98d dev-web-sf-98.idgesg.net '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''
<dev-web-sf-98.idgesg.net> (0, '/home/ansible\n', '')
<dev-web-sf-98.idgesg.net> ESTABLISH SSH CONNECTION FOR USER: ansible
<dev-web-sf-98.idgesg.net> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 -o ControlPath=/home/ansible/.ansible/cp/7e3e9fc98d dev-web-sf-98.idgesg.net '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /home/ansible/ansible-tmp-1506632167.8-135732001963201 `" && echo ansible-tmp-1506632167.8-135732001963201="` echo /home/ansible/ansible-tmp-1506632167.8-135732001963201 `" ) && sleep 0'"'"''
<dev-web-sf-98.idgesg.net> (0, 'ansible-tmp-1506632167.8-135732001963201=/home/ansible/ansible-tmp-1506632167.8-135732001963201\n', '')
<dev-web-sf-98.idgesg.net> PUT /var/tmp/tmpieGK9F TO /home/ansible/ansible-tmp-1506632167.8-135732001963201/git.py
<dev-web-sf-98.idgesg.net> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 -o ControlPath=/home/ansible/.ansible/cp/7e3e9fc98d '[dev-web-sf-98.idgesg.net]'
<dev-web-sf-98.idgesg.net> (0, 'sftp> put /var/tmp/tmpieGK9F /home/ansible/ansible-tmp-1506632167.8-135732001963201/git.py\n', '')
<dev-web-sf-98.idgesg.net> ESTABLISH SSH CONNECTION FOR USER: ansible
<dev-web-sf-98.idgesg.net> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 -o ControlPath=/home/ansible/.ansible/cp/7e3e9fc98d dev-web-sf-98.idgesg.net '/bin/sh -c '"'"'chmod u+x /home/ansible/ansible-tmp-1506632167.8-135732001963201/ /home/ansible/ansible-tmp-1506632167.8-135732001963201/git.py && sleep 0'"'"''
<dev-web-sf-98.idgesg.net> (0, '', '')
<dev-web-sf-98.idgesg.net> ESTABLISH SSH CONNECTION FOR USER: ansible
<dev-web-sf-98.idgesg.net> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 -o ControlPath=/home/ansible/.ansible/cp/7e3e9fc98d -tt dev-web-sf-98.idgesg.net '/bin/sh -c '"'"'sudo -H -S -n -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-xkrgzxxvlriwyvhnayerqrokswyjknwp; TMP=/weblogs/tmp TMPDIR=/weblogs/tmp TEMP=/weblogs/tmp /usr/bin/python /home/ansible/ansible-tmp-1506632167.8-135732001963201/git.py; rm -rf "/home/ansible/ansible-tmp-1506632167.8-135732001963201/" > /dev/null 2>&1'"'"'"'"'"'"'"'"' && sleep 0'"'"''
<dev-web-sf-98.idgesg.net> (0, '\r\n{"msg": "Failed to download remote objects and refs:  fatal: cannot exec \'/tmp/tmp46URlH\': Permission denied\\nfatal: unable to fork\\n", "failed": true, "cmd": ["/usr/bin/git", "fetch", "origin"], "invocation": {"module_args": {"executable": null, "refspec": null, "force": true, "track_submodules": false, "reference": null, "dest": "/home/ansible/apachengconfigs", "verify_commit": false, "clone": true, "umask": null, "update": true, "accept_hostkey": true, "ssh_opts": null, "repo": "git@bitbucket.org:ansiblefastly/apachengconfigs.git", "depth": null, "version": "v24", "bare": false, "remote": "origin", "key_file": "/home/ansible/.ssh/id_rsa_bitbucket", "archive": null, "recursive": true}}}\r\n', 'Shared connection to dev-web-sf-98.idgesg.net closed.\r\n')
fatal: [dev-web-sf-98.idgesg.net]: FAILED! => {
    "changed": false,
    "cmd": [
        "/usr/bin/git",
        "fetch",
        "origin"
    ],
    "failed": true,
    "invocation": {
        "module_args": {
            "accept_hostkey": true,
            "archive": null,
            "bare": false,
            "clone": true,
            "depth": null,
            "dest": "/home/ansible/apachengconfigs",
            "executable": null,
            "force": true,
            "key_file": "/home/ansible/.ssh/id_rsa_bitbucket",
            "recursive": true,
            "reference": null,
            "refspec": null,
            "remote": "origin",
            "repo": "git@bitbucket.org:ansiblefastly/apachengconfigs.git",
            "ssh_opts": null,
            "track_submodules": false,
            "umask": null,
            "update": true,
            "verify_commit": false,
            "version": "v24"
        }
    },
    "msg": "Failed to download remote objects and refs:  fatal: cannot exec '/tmp/tmp46URlH': Permission denied\nfatal: unable to fork\n"
}
        to retry, use: --limit @/home/ansible/projects/development/web_dev/web_dev.retry

PLAY RECAP *********************************************************************************************************************************************************************
dev-web-sf-98.idgesg.net   : ok=4    changed=0    unreachable=0    failed=1

3. Step 3: As you see, it CLEARLY wants to execute things off the /tmp partition!! Since the operating system does not allow that (noexec), it fails right away.

Here is the "magic" line 33 that I have submitted earlier:

- name: Update the Apache NG from GIt bitbucket
  environment:
    TMPDIR: "/weblogs/tmp"
    TMP: "/weblogs/tmp"
    TEMP: "/weblogs/tmp"
  git:
    repo: "{{ apache_repo }}"
    dest: "{{ apache_narf_config }}"
    force: yes
    version: v24
    accept_hostkey: yes
    key_file: "/home/ansible/.ssh/id_rsa_bitbucket"

  tags:
     - setupwebconfigs
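
A preflight check for the failure discussed in this thread, added here as an example and not taken from the Ansible code base: it parses `mount` output like the line quoted above, models the directory order Python's `tempfile` uses (which silently skips a `TMPDIR` that is missing or not writable), and picks the first directory that is not on a noexec mount. The function names, the sample mount table and the sets of existing directories are constructed for illustration; the home-directory fallback is the one proposed earlier in the thread.

```python
# Added example; not Ansible's code. Names and sample data are assumptions.
import os
import re

# Constructed sample in `mount -l` format; the /tmp line matches the one quoted
# in the thread, the other two lines are made up for the example.
SAMPLE_MOUNTS = """\
/dev/mapper/cl-root on / type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/cl-tmp on /tmp type xfs (rw,nosuid,nodev,noexec,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/cl-home on /home type xfs (rw,nosuid,nodev,relatime,seclabel,attr2,inode64,noquota)
"""

MOUNT_LINE = re.compile(r"^\S+ on (\S+) type \S+ \(([^)]*)\)")


def parse_mounts(text):
    """Map each mount point to its set of mount options."""
    mounts = {}
    for line in text.splitlines():
        m = MOUNT_LINE.match(line)
        if m:
            mounts[m.group(1)] = set(m.group(2).split(","))
    return mounts


def governing_mount(path, mounts):
    """Return the longest mount point that contains `path`, or None."""
    path = os.path.normpath(path)
    hits = [m for m in mounts
            if path == m or (path + "/").startswith(m.rstrip("/") + "/")]
    return max(hits, key=len) if hits else None


def is_noexec(path, mounts):
    mnt = governing_mount(path, mounts)
    return mnt is not None and "noexec" in mounts[mnt]


def python_candidates(env):
    """Order in which Python's tempfile looks for a directory on POSIX
    (its final current-directory fallback is left out here)."""
    from_env = [env[k] for k in ("TMPDIR", "TEMP", "TMP") if env.get(k)]
    return from_env + ["/tmp", "/var/tmp", "/usr/tmp"]


def default_usable(d):
    return os.path.isdir(d) and os.access(d, os.W_OK | os.X_OK)


def tempfile_choice(env, usable=default_usable):
    """First usable candidate: where a default mkstemp() call would land."""
    return next((d for d in python_candidates(env) if usable(d)), None)


def wrapper_dir(env, home, mounts, usable=default_usable):
    """First usable candidate, with the user's home directory as a last
    resort, that is not on a noexec mount."""
    return next((d for d in python_candidates(env) + [home]
                 if usable(d) and not is_noexec(d, mounts)), None)


if __name__ == "__main__":
    mounts = parse_mounts(SAMPLE_MOUNTS)
    env = {"TMPDIR": "/weblogs/tmp"}                  # value used in the thread
    present = {"/tmp", "/var/tmp", "/home/ansible"}   # constructed: /weblogs/tmp absent
    print("tempfile would use:", tempfile_choice(env, present.__contains__))
    print("exec-safe choice:  ", wrapper_dir(env, "/home/ansible", mounts,
                                             present.__contains__))
```

On a live Linux host, `os.statvfs(path).f_flag & os.ST_NOEXEC` answers the same question without parsing `mount` output.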

@ansible ansible deleted a comment from ansibot Oct 4, 2017

andreaso commented Dec 17, 2017

As of Ansible 2.4 the Git module always uses a generated wrapper script to run the git binary. Hence the noexec issue is no longer limited to when key_file or ssh_opts are set.

That the wrapper script is now always being used is a side effect of the way I implemented #26072.

@ansibot ansibot added bug and removed bug_report labels Mar 1, 2018

kentr added a commit to kentr/ansible-role-wordpress that referenced this issue May 31, 2018

sykosoft commented Aug 24, 2018

I just experienced this today, and the comment above about this no longer being limited to just the key_file and ssh_opts arguments is true. I'm running Ansible 2.6 (updated from 2.4 to see if this was fixed). As noexec is becoming dramatically more common, this would be great to have fixed. As servers lacking git (for similar reasons as noexec, compliance) are also becoming more common, this should also be tested to work with local delegation.
