directory resource fails for mountpoints inside read-only file systems #11641

Open
chuhn opened this issue May 28, 2021 · 2 comments
chuhn commented May 28, 2021

The directory resource is unable to manage writable mountpoints inside a read-only file system.
Apparently the logic assumes that the parent directory has to be writable, which is not the case here.

Software Version

chef 13.8.7-4 on Debian Buster (but logic in lib/chef/provider/directory.rb is unchanged in the current version)

Replication Case

λ › mkdir /tmp/ro
λ › mount -t tmpfs tmpfs /tmp/ro
λ › mkdir /tmp/ro/rw
λ › mount -o remount,ro /tmp/ro
λ › LANG=C touch /tmp/ro/test
touch: cannot touch '/tmp/ro/test': Read-only file system
λ › mount -t tmpfs tmpfs /tmp/ro/rw
λ › touch /tmp/ro/rw/test
λ ›

directory '/tmp/ro/rw' do
  user 'test'
  group 'test'
  mode 0o0750
end

will fail

Stacktrace

Chef::Exceptions::InsufficientPermissions: directory[/tmp/ro/rw] (cookbook line 42) had an error: Chef::Exceptions::InsufficientPermissions: Cannot create directory[/tmp/ro/rw] at /tmp/ro/rw due to insufficient permissions
/usr/lib/ruby/vendor_ruby/chef/mixin/why_run.rb:240:in `run'
/usr/lib/ruby/vendor_ruby/chef/mixin/why_run.rb:321:in `block in run'
/usr/lib/ruby/vendor_ruby/chef/mixin/why_run.rb:320:in `each'
/usr/lib/ruby/vendor_ruby/chef/mixin/why_run.rb:320:in `run'
/usr/lib/ruby/vendor_ruby/chef/provider.rb:181:in `process_resource_requirements'
/usr/lib/ruby/vendor_ruby/chef/provider.rb:159:in `run_action'
/usr/lib/ruby/vendor_ruby/chef/resource.rb:591:in `run_action'
/usr/lib/ruby/vendor_ruby/chef/runner.rb:70:in `run_action'
/usr/lib/ruby/vendor_ruby/chef/runner.rb:98:in `block (2 levels) in converge'
/usr/lib/ruby/vendor_ruby/chef/runner.rb:98:in `each'
/usr/lib/ruby/vendor_ruby/chef/runner.rb:98:in `block in converge'
/usr/lib/ruby/vendor_ruby/chef/resource_collection/resource_list.rb:94:in `block in execute_each_resource'
[…]

Possible Solution

Test if the given directory exists and is writable. Only test the writability of the parent directory if the directory to be managed does not exist and actually has to be created.

Best

Christopher

@ashwin-msys
Contributor

Hi..

With all my understanding I checked all these scenarios where I was able to reproduce the issue.

Here are the following scenarios. (Screenshots attached below.)

Case 1:

  • When the parent directory exists.
    • If the parent directory exists and is writable as well, then we won't face any issue. Everything will look good. Please refer to the screenshot below.
  • Screenshot:
    Screenshot from 2021-07-12 15-49-54

Case 2:

  • When the parent directory exists but has only "read only" permission.
    • In this case we will be facing an insufficient permission issue, which is correct.
  • Screenshot:
    Screenshot from 2021-07-12 16-26-48

Case 3:

  • When the parent directory doesn't exist.
    • In this case we are also seeing the insufficient permission issue, but I guess we should see a different error message like - "Parent Directory does not exists"
    • I have made these changes accordingly. Please refer to the screenshot.
  • Screenshots:
    Screenshot from 2021-07-12 15-46-27

PS: Earlier, if the directory did not exist, we were also seeing the insufficient permissions error. But I have added one extra condition to show the parent directory does not exist error.

@chuhn
Author

chuhn commented Jul 13, 2021

I'm not sure you are getting my point here:

Case 2 is also triggered when the directory to be managed already exists and is writeable itself.
The permissions of the parent directory are completely irrelevant in that case – and should not make the resource fail.
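
The check order from the "Possible Solution" section and the follow-up comment above, as an added Ruby example (not Chef's provider code and not part of the original thread). `StubFS`, `parent_only_precheck`, `proposed_precheck` and the result symbols are hypothetical names, and the stub file system is constructed to mirror the /tmp/ro replication case.

```ruby
# Added example, not Chef's provider code. All names are hypothetical.

# Minimal stand-in for the File calls used below, so the read-only parent
# from the replication case can be modelled without mounting anything.
# `dirs` maps an existing directory path to whether it is writable.
StubFS = Struct.new(:dirs) do
  def directory?(path)
    dirs.key?(path)
  end

  def writable?(path)
    dirs.fetch(path, false)
  end

  def dirname(path)
    ::File.dirname(path)
  end
end

# Constructed sample: /tmp/ro is read-only, /tmp/ro/rw is a writable mount.
SAMPLE_FS = StubFS.new({ "/tmp" => true, "/tmp/ro" => false, "/tmp/ro/rw" => true })

# Behaviour described in the report: the parent must always be writable.
def parent_only_precheck(path, fs: ::File)
  parent = fs.dirname(path)
  return :parent_missing unless fs.directory?(parent)
  fs.writable?(parent) ? :ok : :parent_not_writable
end

# Proposed order: look at the target first, fall back to the parent only
# when the target is absent and would have to be created.
def proposed_precheck(path, fs: ::File)
  if fs.directory?(path)
    # Assumption: an existing but unwritable target is reported separately.
    return fs.writable?(path) ? :ok : :target_not_writable
  end
  parent_only_precheck(path, fs: fs)
end

if $PROGRAM_NAME == __FILE__
  ["/tmp/ro/rw", "/tmp/ro/new", "/tmp/ro/missing/child"].each do |path|
    puts format("%-22s parent-only=%-20s proposed=%s", path,
                parent_only_precheck(path, fs: SAMPLE_FS), proposed_precheck(path, fs: SAMPLE_FS))
  end
end
```

Both functions default to `::File`, so they can be pointed at a real path by omitting the `fs:` argument.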
