Failed to set permissions on temp files with pipelining

[zakabluk]

Hi! I have same problem as in #31125

ISSUE TYPE

• Bug Report

COMPONENT NAME

ssh

ANSIBLE VERSION

ansible 2.4.2.0

ansible 2.4.2.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/usr/lib/python2.7/site-packages/epam_ansible']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Aug  4 2017, 00:39:18) [GCC 4.8.5 20150623 (Red Hat 4.8.5-16)]

CONFIGURATION

OS / ENVIRONMENT

all servers: CentOS Linux release 7.4.1708 @(Core)

SUMMARY

Failed to set permissions on the temporary files Ansible ...

STEPS TO REPRODUCE

Basically: default ansible configuration, test without pipelining=True.

EXPECTED RESULTS

playbook will successful.

ACTUAL RESULTS

When I run playbook without option pipelining=True, I have error

fatal: [10.6.220.125]: FAILED! => {"msg": "Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user (rc: 1, err: chown: changing ownership of ‘/tmp/ansible-tmp-1516305715.98-191373091817149/’: Operation not permit ted\nchown: changing ownership of ‘/tmp/ansible-tmp-1516305715.98-191373091817149/command.py’: Operation not permitted\n}). For info rmation on working around this, see https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user"}

[ansibot]

Files identified in the description:
None

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

click here for bot help

[ansibot]

Files identified in the description:

• lib/ansible/plugins/connection/ssh.py

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

click here for bot help

[abadger]

This is not at all the same problem as #31125 as that one is about pipelining not turning on and this one is about needing a temporary file when running with pipelining enabled.

Could you show me the playbook that you are executing and the output of running ansible-playbook with -vvvv?

[zakabluk]

Hi! Thank you for your answer. No problems. In attach(in your email box) my playbook with roles. This`s print from a /tmp/ directory. [user@epam.com@ecsc00a012d4 tmp]$ ll total 44 drwx------ 2 user users 4096 Jan 23 13:09 ansible-tmp-1516427474.23-114974269333006 drwx------ 2 user users 4096 Jan 23 13:31 ansible-tmp-1516428948.76-248002887908691 -rw------- 1 1878637674 1878600513 2959 Jan 22 14:26 krb5cc_1878637674_pKTbgc p.s. pipelining=True deleted from ansible.cfg.

[abadger]

@zakabluk Looking through the log that you sent me, you're ssh'ing as an unprivileged user and becoming a different unprivileged user. You have pipelining=False and you're getting an error that we're unable to set the permissions on the temporary files. Looking through results.txt I see that your host doesn't have posix acls enabled (From the error, I believe that the setfacl command is present but the filesystem is probably not mounted with acls enabled). Your host also doesn't support chown from an unprivileged user (this is somewhat expected.. It's only supported by older Unices. No version of Linux supports it, for instance) Re-reading your initial post, I think you're also saying that if you turn piplining on, then the error goes away.

Per https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user this is more or less expected. We fail in this case to force you to change a setting to either make Ansible be able to operate in a more secure fashion (piplining=True) or so that you are explicitly taking responsibility for enabling the insecure behaviour (allow_world_readable_tmpfiles=True). You could also enable POSIX acls on your remote host as a third workaround.

[zakabluk]

Tnx, You helped me very mach!