
ansible.builtin.git ignores become_user when executing without an inventory #80233

Open
C0rn3j opened this issue Mar 15, 2023 · 18 comments
Labels
affects_2.14 bug This issue/PR relates to a bug. module This issue/PR relates to a module.

Comments

@C0rn3j
Contributor

C0rn3j commented Mar 15, 2023

Summary

The git submodule launches as root when using a local connection (no inventory defined), ignoring become_user.

This leads to the module failing.

The module runs fine with an inventory when initiating an SSH connection.

Left side of the screenshot is with the supplied inventory through SSH.

Right side is when the inventory is removed and the same playbook is run.

(screenshot omitted: side-by-side output of the two runs)

Issue Type

Bug Report

Component Name

git

Ansible Version

$ ansible --version
ansible [core 2.14.3]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/c0rn3j/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.10/site-packages/ansible
  ansible collection location = /home/c0rn3j/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.10.10 (main, Mar  5 2023, 22:26:53) [GCC 12.2.1 20230201] (/usr/bin/python)
  jinja version = 3.1.2
  libyaml = True

Configuration

# if using a version older than ansible-core 2.12 you should omit the '-t all'
$ ansible-config dump --only-changed -t all
CONFIG_FILE() = /etc/ansible/ansible.cfg

OS / Environment

Arch Linux

Steps to Reproduce

/etc/ansible/hosts

all:
  hosts:
  children:
    lxd:
      hosts:
        localhost:

Problematic task:

- name: Install/update lxd-completion-zsh for {{ username }}
  become: true
  become_user: '{{ username }}'
  ansible.builtin.git:
    repo: https://github.com/endaaman/lxd-completion-zsh
    dest: /home/{{ username }}/.oh-my-zsh/custom/plugins/lxd-completion-zsh

Expected Results

Module launches as user specified in become_user

Actual Results

Module only launches as the specified user when an inventory is defined and an SSH connection is used.

fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed to set a new url https://github.com/endaaman/lxd-completion-zsh for origin:  fatal: detected dubious ownership in repository at '/home/c0rn3j/.oh-my-zsh/custom/plugins/lxd-completion-zsh'\nTo add an exception for this directory, call:\n\n\tgit config --global --add safe.directory /home/c0rn3j/.oh-my-zsh/custom/plugins/lxd-completion-zsh\n"}

@ansibot
Contributor

ansibot commented Mar 15, 2023

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.

@ansibot ansibot added affects_2.14 bug This issue/PR relates to a bug. module This issue/PR relates to a module. needs_triage Needs a first human triage before being processed. labels Mar 15, 2023
@mircsicz

This comment was marked as off-topic.

@bcoca

This comment was marked as off-topic.

@bcoca bcoca closed this as completed Mar 21, 2023
@sivel sivel removed the needs_triage Needs a first human triage before being processed. label Mar 21, 2023
@C0rn3j
Contributor Author

C0rn3j commented Mar 21, 2023

@bcoca the above comment is irrelevant to my issue, please reopen again.

@sivel sivel reopened this Mar 21, 2023
@sivel
Member

sivel commented Mar 21, 2023

@C0rn3j I'm not sure any information you have provided indicates that become is not working. The error you are getting states:

fatal: detected dubious ownership in repository at '/home/c0rn3j/.oh-my-zsh/custom/plugins/lxd-completion-zsh'
To add an exception for this directory, call:

    git config --global --add safe.directory /home/c0rn3j/.oh-my-zsh/custom/plugins/lxd-completion-zsh

To determine if sudo is being used would require you to provide us with logs using -vvv. Please provide text based logs, and not screenshots.

needs_info

@ansibot ansibot added the needs_info This issue requires further information. Please answer any outstanding questions. label Mar 21, 2023
@C0rn3j
Contributor Author

C0rn3j commented Mar 21, 2023

TASK [zsh : Install/update lxd-completion-zsh for c0rn3j] **********************
task path: /root/configs/roles/zsh/tasks/main.yaml:45
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: c0rn3j
<127.0.0.1> EXEC /bin/sh -c 'echo ~c0rn3j && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/c0rn3j/.ansible/tmp `"&& mkdir "` echo /home/c0rn3j/.ansible/tmp/ansible-tmp-1679416229.326483-742251-173087779788020 `" && echo ansible-tmp-1679416229.326483-742251-173087779788020="` echo /home/c0rn3j/.ansible/tmp/ansible-tmp-1679416229.326483-742251-173087779788020 `" ) && sleep 0'
Using module file /usr/lib/python3.10/site-packages/ansible/modules/git.py
<127.0.0.1> PUT /root/.ansible/tmp/ansible-local-741875ilxp_1mp/tmp2_eukzx1 TO /home/c0rn3j/.ansible/tmp/ansible-tmp-1679416229.326483-742251-173087779788020/AnsiballZ_git.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/c0rn3j/.ansible/tmp/ansible-tmp-1679416229.326483-742251-173087779788020/ /home/c0rn3j/.ansible/tmp/ansible-tmp-1679416229.326483-742251-173087779788020/AnsiballZ_git.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/usr/bin/python /home/c0rn3j/.ansible/tmp/ansible-tmp-1679416229.326483-742251-173087779788020/AnsiballZ_git.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /home/c0rn3j/.ansible/tmp/ansible-tmp-1679416229.326483-742251-173087779788020/ > /dev/null 2>&1 && sleep 0'
fatal: [localhost]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "accept_hostkey": false,
            "accept_newhostkey": false,
            "archive": null,
            "archive_prefix": null,
            "bare": false,
            "clone": true,
            "depth": null,
            "dest": "/home/c0rn3j/.oh-my-zsh/custom/plugins/lxd-completion-zsh",
            "executable": null,
            "force": false,
            "gpg_whitelist": [],
            "key_file": null,
            "recursive": true,
            "reference": null,
            "refspec": null,
            "remote": "origin",
            "repo": "https://github.com/endaaman/lxd-completion-zsh",
            "separate_git_dir": null,
            "single_branch": false,
            "ssh_opts": null,
            "track_submodules": false,
            "umask": null,
            "update": true,
            "verify_commit": false,
            "version": "HEAD"
        }
    },
    "msg": "Failed to set a new url https://github.com/endaaman/lxd-completion-zsh for origin:  fatal: detected dubious ownership in repository at '/home/c0rn3j/.oh-my-zsh/custom/plugins/lxd-completion-zsh'\nTo add an exception for this directory, call:\n\n\tgit config --global --add safe.directory /home/c0rn3j/.oh-my-zsh/custom/plugins/lxd-completion-zsh\n"
}

PLAY RECAP *********************************************************************
localhost                  : ok=13   changed=0    unreachable=0    failed=1    skipped=2    rescued=0    ignored=0   
[0] # ls -l /home/c0rn3j/.oh-my-zsh/custom/plugins/ 
drwxr-xr-x c0rn3j c0rn3j 4.0 KB Sun Jun 27 15:29:05 2021  example
drwxr-xr-x c0rn3j c0rn3j 4.0 KB Tue Jan  3 02:05:44 2023  lxd-completion-zsh

Weirdly enough, it seems to depend on how I log into root to execute the playbook.

If I use su from my user, and then execute the playbook with no inventory, I get this fail.

If I use ssh root@localhost from my user, and then execute the playbook with no inventory, it works fine.

@ansibot ansibot removed the needs_info This issue requires further information. Please answer any outstanding questions. label Mar 21, 2023
@sivel
Member

sivel commented Mar 21, 2023

Ok, when using implicit localhost, we will use the local connection plugin. The local connection plugin will run the modules as the user you executed ansible-playbook as, which I assume is c0rn3j from the logs. I will also assume that username as used in become_user: '{{ username }}' is also c0rn3j.

In the above case, become will be ignored, as it's not needed, since you are already the user c0rn3j.

As far as I can see, this is not a bug, but there are some local configurations in your environment causing issues. There isn't enough information for me to go on, but if you are just running su and not su - then that could be a cause, as it's inheriting the non-root users environment, and not simulating a full login.

@C0rn3j
Contributor Author

C0rn3j commented Mar 21, 2023

All of those assumptions are correct.

but if you are just running su and not su - then that could be a cause

I am indeed running just su to trigger this, and it does work with su -.

It seems to be caused by USER and LOGNAME environment variables, unsetting both of those (which were set to my username) makes the local connection work.

I think I understand why you do not believe that it is a bug, but wouldn't it be better if Ansible made a call to check the current user instead of relying on the environment variables?

@sivel
Member

sivel commented Mar 21, 2023

It isn't ansible that is failing at this point, well it is, but the underlying problem is coming from git, and we are just bubbling the error up. git must be using the USER/LOGNAME env vars to determine whether the ownership is "dubious" or not.

@C0rn3j
Contributor Author

C0rn3j commented Mar 21, 2023

git must be using the USER/LOGNAME env vars to determine whether the ownership is "dubious" or not.

Hm, I am not sure if that's the case.

% whoami; USER='root';LOGNAME='root'; git pull
c0rn3j
Already up to date.

# whoami; USER='root';LOGNAME='root'; git pull
root
fatal: detected dubious ownership in repository at '/home/c0rn3j/.oh-my-zsh/custom/plugins/lxd-completion-zsh'

# whoami; USER='c0rn3j';LOGNAME='c0rn3j'; git pull
root
fatal: detected dubious ownership in repository at '/home/c0rn3j/.oh-my-zsh/custom/plugins/lxd-completion-zsh'

@sivel
Member

sivel commented Mar 21, 2023

Ok, some of the information you have provided wasn't straightforward, but I think I see now.

You are using su to become root, and then are running the playbook, expecting it to become the user c0rn3j for the git task, but it's not, and additionally the verbose output is indicating you are already running as the c0rn3j user.

I expect that the problem is that the local connection plugin has made the determination you are running as c0rn3j and not root as a result of the USER/LOGNAME env vars. This is as a result of using python stdlib getpass.getuser() to get the local user, which states:

This function checks the environment variables LOGNAME, USER, LNAME and USERNAME, in order, and returns the value of the first one which is set to a non-empty string

As such, we are not using become, because we've determined that the "remote" user and the become user are the same.

FWIW, we do have a config that would allow this to work as is, but it's possible we may still classify this as a bug, but it will require some discussion with other members of the core team.

That config is described at https://docs.ansible.com/ansible-core/2.14/reference_appendices/config.html#become-allow-same-user
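The two identity checks that disagree in this thread, modelled side by side as an added example. This is not code from Ansible, git or any participant; it follows the explanation above (the local connection plugin takes its "remote" user from getpass.getuser(), which reads LOGNAME, USER, LNAME, USERNAME in that order, and become is skipped when that name equals become_user unless BECOME_ALLOW_SAME_USER is set) and C0rn3j's whoami/USER= experiment (git compares the repository owner's uid with the real effective uid and ignores those variables). The function names, the uids (c0rn3j assumed to be uid 1000) and the environment dictionaries are this example's own assumptions, constructed to mirror the issue: playbook run as root after a plain `su` versus `su -`, become_user c0rn3j, repository directory owned by c0rn3j.

```python
"""Added example, not code from Ansible, git or the issue participants.

Models why `become_user: c0rn3j` is silently dropped after a plain `su`:
Ansible identifies the local user from environment variables, git from the
effective uid.  Names, uids and env dicts below are assumptions.
"""
import os
import pwd
import tempfile
from typing import Mapping, Optional

# Lookup order documented for getpass.getuser().
IDENTITY_VARS = ("LOGNAME", "USER", "LNAME", "USERNAME")

# Constructed scenario (assumed values, chosen to mirror the issue).
BECOME_USER = "c0rn3j"
BECOME_UID = 1000             # assumed uid of c0rn3j
ROOT_UID = 0
REPO_OWNER_UID = BECOME_UID   # ~/.oh-my-zsh/... is owned by c0rn3j (see ls -l)
PLAIN_SU_ENV = {"USER": "c0rn3j", "LOGNAME": "c0rn3j"}  # plain `su` keeps them
LOGIN_SU_ENV = {"USER": "root", "LOGNAME": "root"}      # `su -` resets them


def env_login_name(env: Mapping[str, str]) -> Optional[str]:
    """Environment walk of getpass.getuser(): first non-empty variable wins.

    Returns None when none is set; the real getuser() then falls back to the
    password database for the current uid.
    """
    for var in IDENTITY_VARS:
        value = env.get(var)
        if value:
            return value
    return None


def effective_user_name() -> str:
    """Identity derived from the effective uid, the way git reasons about it."""
    return pwd.getpwuid(os.geteuid()).pw_name


def ansible_sees_user(env: Mapping[str, str], fallback: Optional[str] = None) -> str:
    """Name shown as 'ESTABLISH LOCAL CONNECTION FOR USER: ...'.

    `fallback` stands in for the uid lookup so scenarios do not depend on who
    runs this script.
    """
    return env_login_name(env) or fallback or effective_user_name()


def become_is_skipped(env: Mapping[str, str], become_user: str,
                      allow_same_user: bool = False,
                      fallback: Optional[str] = None) -> bool:
    """True when Ansible drops the become step: remote user == become_user,
    unless BECOME_ALLOW_SAME_USER is enabled."""
    if allow_same_user:
        return False
    return ansible_sees_user(env, fallback) == become_user


def owner_uid(path: str) -> int:
    """Owner of a repository directory, as git reads it from stat(2)."""
    return os.stat(path).st_uid


def git_ownership_is_dubious(repo_owner: int, euid: int) -> bool:
    """Model of git's safe.directory test: owner uid must equal the caller's euid."""
    return repo_owner != euid


def diagnose(env: Mapping[str, str], become_user: str, become_uid: int,
             repo_owner: int, real_euid: int, allow_same_user: bool = False,
             fallback: Optional[str] = None) -> dict:
    """Both checks for one playbook run.  If become is skipped, the module and
    the git it spawns keep the real euid of ansible-playbook; otherwise they
    run as become_uid."""
    skipped = become_is_skipped(env, become_user, allow_same_user, fallback)
    running_uid = real_euid if skipped else become_uid
    return {
        "ansible_user": ansible_sees_user(env, fallback),
        "become_skipped": skipped,
        "git_runs_as_uid": running_uid,
        "git_dubious": git_ownership_is_dubious(repo_owner, running_uid),
    }


def own_directory_is_trusted() -> bool:
    """Sanity check on a real path: a directory we just created is not dubious."""
    with tempfile.TemporaryDirectory() as repo:
        return not git_ownership_is_dubious(owner_uid(repo), os.geteuid())


if __name__ == "__main__":
    for label, env in (("plain su", PLAIN_SU_ENV), ("su -", LOGIN_SU_ENV)):
        print(label, diagnose(env, BECOME_USER, BECOME_UID, REPO_OWNER_UID, ROOT_UID))
    print("plain su + become_allow_same_user",
          diagnose(PLAIN_SU_ENV, BECOME_USER, BECOME_UID, REPO_OWNER_UID,
                   ROOT_UID, allow_same_user=True))
```

The model reproduces the thread: with the plain-`su` environment Ansible reports c0rn3j, skips become, git runs as uid 0 and flags the uid-1000 repository as dubious; with `su -` (or with USER and LOGNAME unset, so the uid lookup returns root) become runs and git is happy. The knobs that follow from it are the ones already named above: start root with a login shell, make USER/LOGNAME agree with the real user, or enable become_allow_same_user in the [privilege_escalation] section of ansible.cfg (environment variable ANSIBLE_BECOME_ALLOW_SAME_USER). A global safe.directory exception is a different kind of fix: it exempts the path from git's ownership check instead of correcting which uid runs git, and when the task is executing as root that exception lands in root's global config.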

@ppar

This comment was marked as off-topic.

@fidalcastro

This comment was marked as off-topic.

@charkins

This comment was marked as off-topic.

@herda05

This comment was marked as off-topic.

@bcoca

This comment was marked as off-topic.

@NChitty

NChitty commented Jan 21, 2024

I ran across the same StackOverflow thread as mentioned here. Based on my search it is the closest thing I could find and I think I am having a similar issue with slightly different messaging. I am running the git module with implicit localhost and get these logs:

TASK [Cloning dotfiles] ********************************************************
task path: /home/nchitty/ansible/tasks/dotfiles.yml:1
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: nchitty
<127.0.0.1> EXEC /bin/sh -c 'echo ~nchitty && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/nchitty/.ansible/tmp `"&& mkdir "` echo /home/nchitty/.ansible/tmp/ansible-tmp-1705808833.4301481-40839-5668593622618 `" && echo ansible-tmp-1705808833.4301481-40839-5668593622618="` echo /home/nchitty/.ansible/tmp/ansible-tmp-1705808833.4301481-40839-5668593622618 `" ) && sleep 0'
Using module file /usr/lib/python3.11/site-packages/ansible/modules/git.py
<127.0.0.1> PUT /home/nchitty/.ansible/tmp/ansible-local-40533tpdxplvf/tmpfqnqlqam TO /home/nchitty/.ansible/tmp/ansible-tmp-1705808833.4301481-40839-5668593622618/AnsiballZ_git.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/nchitty/.ansible/tmp/ansible-tmp-1705808833.4301481-40839-5668593622618/ /home/nchitty/.ansible/tmp/ansible-tmp-1705808833.4301481-40839-5668593622618/AnsiballZ_git.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/usr/bin/python /home/nchitty/.ansible/tmp/ansible-tmp-1705808833.4301481-40839-5668593622618/AnsiballZ_git.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /home/nchitty/.ansible/tmp/ansible-tmp-1705808833.4301481-40839-5668593622618/ > /dev/null 2>&1 && sleep 0'
fatal: [localhost]: FAILED! => {
    "changed": false,
    "cmd": "/usr/bin/git ls-remote git@github.com:NChitty/dotFiles.git -h refs/heads/main",
    "invocation": {
        "module_args": {
            "accept_hostkey": true,
            "accept_newhostkey": false,
            "archive": null,
            "archive_prefix": null,
            "bare": false,
            "clone": true,
            "depth": null,
            "dest": "/home/nchitty/dotFiles",
            "executable": null,
            "force": false,
            "gpg_whitelist": [],
            "key_file": null,
            "recursive": true,
            "reference": null,
            "refspec": null,
            "remote": "origin",
            "repo": "git@github.com:NChitty/dotFiles.git",
            "separate_git_dir": null,
            "single_branch": false,
            "ssh_opts": null,
            "track_submodules": false,
            "umask": null,
            "update": true,
            "verify_commit": false,
            "version": "main"
        }
    },
    "msg": "git@github.com: Permission denied (publickey).\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.",
    "rc": 128,
    "stderr": "git@github.com: Permission denied (publickey).\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n",
    "stderr_lines": [
        "git@github.com: Permission denied (publickey).",
        "fatal: Could not read from remote repository.",
        "",
        "Please make sure you have the correct access rights",
        "and the repository exists."
    ],
    "stdout": "",
    "stdout_lines": []
}

Task

- name: Cloning dotfiles
  become: true
  become_user: "{{ lookup('env', 'USER') }}"
  ansible.builtin.git:
    repo: git@github.com:NChitty/dotFiles.git
    dest: "{{ lookup('env', 'HOME') }}/dotFiles"
    accept_newhostkey: true
    version: main

I've tried various combinations of not including become, including key_file, editing ansible.conf with ssh settings, etc.

EDIT: FWIW, to sanity check this error, I ran locally git ls-remote [...], /usr/bin/git ls-remote [...], sudo git ls-remote [...] and sudo /usr/bin/git ls-remote [...] and get the error for each of the sudoed versions while no errors for the rest.

EDIT 2: Version:

ansible [core 2.16.2]
  config file = None
  configured module search path = ['/home/nchitty/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.11/site-packages/ansible
  ansible collection location = /home/nchitty/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.11.6 (main, Nov 14 2023, 09:36:21) [GCC 13.2.1 20230801] (/usr/bin/python)
  jinja version = 3.1.2
  libyaml = True

@juresaht2

Issue still occurs 1 year later.

Basically the issue occurs when cloning as root, but the target directory is not owned by root.

The workaround is to change directory ownership before cloning, or as the stackoverflow post states:
https://stackoverflow.com/a/72529557/2897386

- name: UPDATE - Safe Directory
  command: git config --global --add safe.directory {{ project_root }}/shared/source
  check_mode: no
