Cannot use git module with custom `key_file` or `ssh_opts` as non-root user on system with noexec `/tmp` #30064
Comments
ansibot
Sep 12, 2017
Contributor
From @carljm on 2015-08-13T18:41:10Z
For anyone running across this before it's fixed, the workaround I'm using is to write a ~/.ssh/config for the user in question with the line IdentityFile {{ myproject_home }}/deploy_key in it, and then remove key_file from the git module opts.
In terms of the desired fix, I'm not sure there is any location Ansible can strictly guarantee is writable and executable when sudoing to an arbitrary user. A third fallback option which would likely work in most cases is the user's homedir, as long as it's cleaned up afterwards. Ultimately it may be useful just to have tmp_dir be a config option to the git module, so it's possible to make it work even in very unusual cases.
ansibot added the affects_1.9 label Sep 12, 2017
ansibot
Sep 12, 2017
Contributor
From @carljm on 2015-08-13T18:41:10Z
Turns out Python's tempfile.mkstemp() respects the TMPDIR environment variable, so simply setting TMPDIR is also an option here. As far as I'm concerned that's adequate; maybe a documentation note about this would be a sufficient fix?
ansibot
Sep 12, 2017
Contributor
From @scottjs on 2015-08-13T18:41:10Z
Hi. I'm running Ansible 2.1.1.0 and also having this problem but I'm not sure how to fix it! Any ideas?
ansibot
Sep 12, 2017
Contributor
From @davidpanofsky on 2015-08-13T18:41:10Z
We were able to work around this by setting the TEMP environment variable to a directory which can be written to by the user. You may also need to add TEMP to your sudo env_keep list.
ansibot
Sep 12, 2017
Contributor
From @isaacfife on 2015-08-13T18:41:10Z
I just ran into this problem with version 2.1.2.0 and was successfully able to use @carljm's workaround with IdentityFile in the ssh config.
ansibot
Sep 12, 2017
Contributor
From @briceburg on 2015-08-13T18:41:10Z
FWIW, we're using the TMPDIR workaround as follows:
# remote-deployment
###################
- name: git checkout
  environment:
    TMPDIR: "{{ BLUEACORN_DIR }}/tmp"
  git:
    repo: "{{ REPO_REMOTE }}"
    version: "{{ REPO_REF }}"
    key_file: "{{ BLUEACORN_DIR }}/keys/github-deploy.key"
  ...
ansibot referenced this issue Sep 12, 2017: Cannot use git module with custom `key_file` or `ssh_opts` as non-root user on system with noexec `/tmp` #1912 (Closed)
ansibot added the bug_report, needs_info, needs_template and support:core labels Sep 12, 2017
ansibot added the module label and removed the needs_info and needs_template labels Sep 13, 2017
bcoca referenced this issue Sep 28, 2017: normalize temp dir/file usage (remote_tmp, etc) #31022 (Open)
idgdmg
Sep 30, 2017
This issue STILL exists on Ansible 2.1 AND Ansible 2.50!!
=====
How to reproduce:
- Step 1: verify that the host "dev-web-sf-98" has /tmp mounted as "noexec"
[root@dev-web-sf-98 /]# umount /tmp
[root@dev-web-sf-98 /]# mount /tmp
[root@dev-web-sf-98 /]# mount -l | grep '/tmp'
/dev/mapper/cl-tmp on /tmp type xfs (rw,nosuid,nodev,noexec,relatime,seclabel,attr2,inode64,noquota)
- Step 2: run the playbook with the "-vvv" flag
TASK [narfweb7 : Update the Apache NG from GIt bitbucket] **********************************************************************************************************************
task path: /home/ansible/roles/narfweb7/tasks/main.yml:33
Using module file /usr/lib/python2.7/site-packages/ansible/modules/source_control/git.py
<dev-web-sf-98.idgesg.net> ESTABLISH SSH CONNECTION FOR USER: ansible
<dev-web-sf-98.idgesg.net> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 -o ControlPath=/home/ansible/.ansible/cp/7e3e9fc98d dev-web-sf-98.idgesg.net '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''
<dev-web-sf-98.idgesg.net> (0, '/home/ansible\n', '')
<dev-web-sf-98.idgesg.net> ESTABLISH SSH CONNECTION FOR USER: ansible
<dev-web-sf-98.idgesg.net> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 -o ControlPath=/home/ansible/.ansible/cp/7e3e9fc98d dev-web-sf-98.idgesg.net '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /home/ansible/ansible-tmp-1506632167.8-135732001963201 `" && echo ansible-tmp-1506632167.8-135732001963201="` echo /home/ansible/ansible-tmp-1506632167.8-135732001963201 `" ) && sleep 0'"'"''
<dev-web-sf-98.idgesg.net> (0, 'ansible-tmp-1506632167.8-135732001963201=/home/ansible/ansible-tmp-1506632167.8-135732001963201\n', '')
<dev-web-sf-98.idgesg.net> PUT /var/tmp/tmpieGK9F TO /home/ansible/ansible-tmp-1506632167.8-135732001963201/git.py
<dev-web-sf-98.idgesg.net> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 -o ControlPath=/home/ansible/.ansible/cp/7e3e9fc98d '[dev-web-sf-98.idgesg.net]'
<dev-web-sf-98.idgesg.net> (0, 'sftp> put /var/tmp/tmpieGK9F /home/ansible/ansible-tmp-1506632167.8-135732001963201/git.py\n', '')
<dev-web-sf-98.idgesg.net> ESTABLISH SSH CONNECTION FOR USER: ansible
<dev-web-sf-98.idgesg.net> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 -o ControlPath=/home/ansible/.ansible/cp/7e3e9fc98d dev-web-sf-98.idgesg.net '/bin/sh -c '"'"'chmod u+x /home/ansible/ansible-tmp-1506632167.8-135732001963201/ /home/ansible/ansible-tmp-1506632167.8-135732001963201/git.py && sleep 0'"'"''
<dev-web-sf-98.idgesg.net> (0, '', '')
<dev-web-sf-98.idgesg.net> ESTABLISH SSH CONNECTION FOR USER: ansible
<dev-web-sf-98.idgesg.net> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 -o ControlPath=/home/ansible/.ansible/cp/7e3e9fc98d -tt dev-web-sf-98.idgesg.net '/bin/sh -c '"'"'sudo -H -S -n -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-xkrgzxxvlriwyvhnayerqrokswyjknwp; TMP=/weblogs/tmp TMPDIR=/weblogs/tmp TEMP=/weblogs/tmp /usr/bin/python /home/ansible/ansible-tmp-1506632167.8-135732001963201/git.py; rm -rf "/home/ansible/ansible-tmp-1506632167.8-135732001963201/" > /dev/null 2>&1'"'"'"'"'"'"'"'"' && sleep 0'"'"''
<dev-web-sf-98.idgesg.net> (0, '\r\n{"msg": "Failed to download remote objects and refs: fatal: cannot exec \'/tmp/tmp46URlH\': Permission denied\\nfatal: unable to fork\\n", "failed": true, "cmd": ["/usr/bin/git", "fetch", "origin"], "invocation": {"module_args": {"executable": null, "refspec": null, "force": true, "track_submodules": false, "reference": null, "dest": "/home/ansible/apachengconfigs", "verify_commit": false, "clone": true, "umask": null, "update": true, "accept_hostkey": true, "ssh_opts": null, "repo": "git@bitbucket.org:ansiblefastly/apachengconfigs.git", "depth": null, "version": "v24", "bare": false, "remote": "origin", "key_file": "/home/ansible/.ssh/id_rsa_bitbucket", "archive": null, "recursive": true}}}\r\n', 'Shared connection to dev-web-sf-98.idgesg.net closed.\r\n')
fatal: [dev-web-sf-98.idgesg.net]: FAILED! => {
    "changed": false,
    "cmd": [
        "/usr/bin/git",
        "fetch",
        "origin"
    ],
    "failed": true,
    "invocation": {
        "module_args": {
            "accept_hostkey": true,
            "archive": null,
            "bare": false,
            "clone": true,
            "depth": null,
            "dest": "/home/ansible/apachengconfigs",
            "executable": null,
            "force": true,
            "key_file": "/home/ansible/.ssh/id_rsa_bitbucket",
            "recursive": true,
            "reference": null,
            "refspec": null,
            "remote": "origin",
            "repo": "git@bitbucket.org:ansiblefastly/apachengconfigs.git",
            "ssh_opts": null,
            "track_submodules": false,
            "umask": null,
            "update": true,
            "verify_commit": false,
            "version": "v24"
        }
    },
    "msg": "Failed to download remote objects and refs: fatal: cannot exec '/tmp/tmp46URlH': Permission denied\nfatal: unable to fork\n"
}
to retry, use: --limit @/home/ansible/projects/development/web_dev/web_dev.retry
PLAY RECAP *********************************************************************************************************************************************************************
dev-web-sf-98.idgesg.net : ok=4 changed=0 unreachable=0 failed=1
- Step 3: As you can see, it CLEARLY wants to execute things off the /tmp partition!! Since the operating system does not allow that (noexec), it fails right away.
Here is the "magic" line 33 that I submitted earlier:
- name: Update the Apache NG from GIt bitbucket
  environment:
    TMPDIR: "/weblogs/tmp"
    TMP: "/weblogs/tmp"
    TEMP: "/weblogs/tmp"
  git:
    repo: "{{ apache_repo }}"
    dest: "{{ apache_narf_config }}"
    force: yes
    version: v24
    accept_hostkey: yes
    key_file: "/home/ansible/.ssh/id_rsa_bitbucket"
  tags:
    - setupwebconfigs
ansible deleted a comment from ansibot Oct 4, 2017
andreaso
Dec 17, 2017
Contributor
As of Ansible 2.4 the Git module always uses a generated wrapper script to run the git binary. Hence the noexec issue is no longer limited to when key_file or ssh_opts are set.
That the wrapper script is now always being used is a side effect of the way I implemented #26072.
ansibot added the bug label and removed the bug_report label Mar 1, 2018
added a commit to kentr/ansible-role-wordpress that referenced this issue May 31, 2018
sykosoft
Aug 24, 2018
I just experienced this today, and the comment above noting that it is no longer limited to just the key_file and ssh_opts arguments is true. I'm running Ansible 2.6 (updated from 2.4 to see if this was fixed). As noexec is becoming dramatically more common, this would be great to have fixed. As servers lacking git (for similar reasons as noexec, compliance) are also becoming more common, this should also be tested to work with local delegation.
ansibot commented Sep 12, 2017 (edited by ansibotdev)
ISSUE TYPE
bug report
COMPONENT NAME
git module
ANSIBLE VERSION
1.9.2
$ ansible --version
ansible 1.9.2
  configured module search path = None
CONFIGURATION
$ cat ansible.cfg
[defaults]
roles_path=roles/
OS / ENVIRONMENT
CentOS 6.5.
SUMMARY
When using key_file or ssh_opts with the git module, it writes an ssh wrapper script to a temporary location and then git executes it. This temporary script is written to the module dir, if accessible to the current user, or otherwise to the default system temp dir.
When sudoing to a non-root, non-ansible user, the module dir generally isn't accessible, so it falls back to the system temp dir.
But on a system with a noexec-mounted /tmp dir, this fails with "cannot exec: permission denied", as originally reported in #6567. This is the same basic scenario as #7375, but the fix there failed to account for the noexec-tmp possibility.
STEPS TO REPRODUCE
On a target system with a noexec-mounted /tmp, run a task such as this:
EXPECTED RESULTS
Repo should be successfully cloned, as the given sudo_user, using the given key_file.
ACTUAL RESULTS
Copied from original issue: ansible/ansible-modules-core#1912
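The summary above and carljm's comments describe the mechanism behind the failure: the ssh wrapper is written to the module dir or, failing that, to the system temp dir (which Python's tempfile resolves from TMPDIR, then TEMP, then TMP), and git cannot exec it from a noexec /tmp. As an added example, not Ansible's own code, the helper below checks each candidate directory against /proc/mounts before an executable is written there and walks the same fallback order, ending with the home directory carljm suggested; SAMPLE_MOUNTS is constructed, with its /tmp line taken from the mount output in the report.

```python
import os

# Variables tempfile.gettempdir() consults, in order, before the system dirs.
TEMP_ENV_VARS = ("TMPDIR", "TEMP", "TMP")
SYSTEM_FALLBACKS = ("/tmp", "/var/tmp", "/usr/tmp")

# Constructed /proc/mounts content: the /tmp line mirrors the `mount -l`
# output in the report above (nosuid,nodev,noexec); the others are made up.
SAMPLE_MOUNTS = """\
/dev/mapper/cl-root / xfs rw,relatime,seclabel,attr2,inode64,noquota 0 0
/dev/mapper/cl-tmp /tmp xfs rw,nosuid,nodev,noexec,relatime,seclabel,attr2,inode64,noquota 0 0
/dev/mapper/cl-home /home xfs rw,relatime,seclabel,attr2,inode64,noquota 0 0
tmpfs /weblogs/tmp tmpfs rw,nosuid,nodev,relatime 0 0
"""

def parse_mounts(text):
    """Map mount point -> set of options from /proc/mounts-style text."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            # /proc/mounts encodes spaces in paths as the octal escape \040
            mounts[fields[1].replace("\\040", " ")] = set(fields[3].split(","))
    return mounts

def mount_point_for(path, mounts):
    """Longest mount point that contains the (normalised) path."""
    path = os.path.normpath(path)
    best = "/"
    for mp in mounts:
        if (path == mp or path.startswith(mp.rstrip("/") + "/")) and len(mp) > len(best):
            best = mp
    return best

def is_noexec(path, mounts):
    """True if the filesystem holding `path` was mounted with noexec."""
    return "noexec" in mounts.get(mount_point_for(path, mounts), set())

def choose_exec_tmpdir(env, mounts_text=None):
    """First candidate dir not on a noexec mount (tempfile's lookup order, then
    $HOME as suggested in the thread), or None; reads /proc/mounts if no text given."""
    mounts = parse_mounts(mounts_text if mounts_text is not None else open("/proc/mounts").read())
    candidates = [env[v] for v in TEMP_ENV_VARS if env.get(v)]
    candidates.extend(SYSTEM_FALLBACKS)
    if env.get("HOME"):
        candidates.append(env["HOME"])
    for directory in candidates:
        if not is_noexec(directory, mounts):
            return directory
    return None
```

Running `choose_exec_tmpdir(dict(os.environ))` on a host reproduces the decision the module would have to make before writing its wrapper; a None result means every candidate, including $HOME, is on a noexec filesystem.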