-
Notifications
You must be signed in to change notification settings - Fork 74
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ansible promised not to change things, but this seems like a big one: file permissions like 666 become 600, in new Ansible 2.10.0 (and in Ansible 2.9.12 too?) #2481
Comments
Got an error message handy, above & beyond the warning?
That's an old version of Ansible not recommended — not sure if that matters! But FYI IIAB's install instructions (https://github.com/iiab/iiab/wiki/IIAB-Installation#install-the-software) ask for /opt/iiab/iiab/scripts/ansible to install Ansible 2.9.12 — or if that's not possible, use Ansible 2.9.6 packaged by apt for Ubuntu 20.04. More context if you know? While IIAB does't fully support Ubuntu 18.04 anymore...is this a wider issue...affecting more than just Ubuntu 18.04? |
my min on ub20.04.1 vm ran to completion. |
@jvonau: I spoke with @georgejhunt and this problem appears to be exclusive to Ubuntu 18.04 (it's repeatable on George's 18.04 VM's) and he clarified that these are running Ansible 2.9.x not 2.7.17 I believe George is installing IIAB by running Any idea why file permissions might be getting screwed up on 18.04? |
This seems related:
https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.10.html#change-to-default-file-permissions
I conclude from the following that we have no choice but to modify our
playbook:
To address CVE-2020-1736, the default permissions for certain files created
by Ansible using atomic_move() were changed from 0o666 to 0o600. The
default permissions value was only used for the temporary file before it
was moved into its place or newly created files. If the file existed when
the new temporary file was moved into place, Ansible would use the
permissions of the existing file. If there was no existing file, Ansible
would retain the default file permissions, combined with the system umask,
of the temporary file.
…On Wed, Aug 12, 2020 at 10:15 AM A Holt ***@***.***> wrote:
@jvonau <https://github.com/jvonau>: I spoke with @georgejhunt
<https://github.com/georgejhunt> and this problem appears to be exclusive
to Ubuntu 18.04 (it's repeatable on George's 18.04 VM's) and he clarified
that it's running Ansible 2.9.x not 2.7.17
George is installing IIAB by running curl d.iiab.io/install.txt | bash as
root.
Any idea why file permissions might be getting screwed up on 18.04?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#2481 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAOTQHAO54Z664YWTUVEY5TSALEZXANCNFSM4P3JYE7Q>
.
|
But then we have the data point that U20.04 does not fail this way.
U20.04 ansible --version:
root@box:/opt/iiab/iiab# ansible --version
ansible 2.9.6
config file = /opt/iiab/iiab/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules',
'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3/dist-packages/ansible
executable location = /usr/bin/ansible
python version = 3.8.2 (default, Jul 16 2020, 14:00:26) [GCC 9.3.0]
root@box:/opt/iiab/iiab#
But on U18.04:
root@box:~# ansible --version
ansible 2.9.9
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/root/.ansible/plugins/modules',
u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/dist-packages/ansible
executable location = /usr/bin/ansible
python version = 2.7.17 (default, Apr 15 2020, 17:20:14) [GCC 7.5.0]
root@box:~#
Maybe we just need to pin ansible at 2.9.6 until the dust settles. Or could
we entice U18 to run ansible under python3? Adam was mentioning the python3
issue which I did not understand.
…On Wed, Aug 12, 2020 at 5:44 PM George Hunt ***@***.***> wrote:
This seems related:
https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.10.html#change-to-default-file-permissions
I conclude from the following that we have no choice but to modify our
playbook:
To address CVE-2020-1736, the default permissions for certain files
created by Ansible using atomic_move() were changed from 0o666 to 0o600.
The default permissions value was only used for the temporary file before
it was moved into its place or newly created files. If the file existed
when the new temporary file was moved into place, Ansible would use the
permissions of the existing file. If there was no existing file, Ansible
would retain the default file permissions, combined with the system umask,
of the temporary file.
On Wed, Aug 12, 2020 at 10:15 AM A Holt ***@***.***> wrote:
> @jvonau <https://github.com/jvonau>: I spoke with @georgejhunt
> <https://github.com/georgejhunt> and this problem appears to be
> exclusive to Ubuntu 18.04 (it's repeatable on George's 18.04 VM's) and he
> clarified that it's running Ansible 2.9.x not 2.7.17
>
> George is installing IIAB by running curl d.iiab.io/install.txt | bash
> as root.
>
> Any idea why file permissions might be getting screwed up on 18.04?
>
> —
> You are receiving this because you were mentioned.
> Reply to this email directly, view it on GitHub
> <#2481 (comment)>, or
> unsubscribe
> <https://github.com/notifications/unsubscribe-auth/AAOTQHAO54Z664YWTUVEY5TSALEZXANCNFSM4P3JYE7Q>
> .
>
|
Many Thanks @georgejhunt for digging into this and the progress you've made above, if indeed Ansible is changing permissions going forward? (Even if IIAB no longer supports Ubuntu 18.04 since almost 4 months ago, according to https://github.com/iiab/iiab/wiki/IIAB-Platforms -- I still believe this is important to understand!) |
The background upstream issue suggests that the 'default mode change to 0600' is only used when the mode is NOT declared in the stanza with the latest version 2.9.12. Thought that the use of mode was a given when creating files/directories with ansible but I see with 4b1b278 this is no longer the norm. Good news is the change is reverted but needs to be released. |
@jvonau do you happen to know if this ticket's problem is likely to occur with current IIAB installs (http://d.iiab.io) using the brand new Ansible 2.10 ? |
Think you better re-confirm which variant of ansible you want installed, using the apt method in scripts/ansible one would be on the 2.9.X track, with 2.9.12 being the latest, as the apt package name changed between 2.9.X (from ansible) and 2.10.Y (to ansible-base and using python3). 2.10.Y doesn't enter the picture unless one asks to install ansible-base from the beginning. |
Does anybody know how to install "ansible-base | 2.10.0-1ppa~bionic | Ansible, Inc. (2020-08-13)" as listed at https://launchpad.net/~ansible/+archive/ubuntu/ansible ? e.g. what |
I'd try |
No luck so far, on Ubuntu Server 20.04.1 here:
|
You need to add the PPA to use the ansible apt repo. Think the easiest would be to edit scripts/ansible, at Line 67 change "focal" to "XXX" and at Line 94 change "ansible" to "ansible-base", save and run the script. |
This is a bare machine without any IIAB so far, where I'd already run the following:
Which resulted in:
It then failed as follows:
Any ideas to get around this? |
edit /etc/apt/sources.list.d/ansible-ubuntu-ansible-focal.list and change all 'focal' to be 'bionic', then Reason being I don't see a deb with 'focal' in the name at https://launchpad.net/~ansible/+archive/ubuntu/ansible |
That worked...allowing
|
The 2 edits in scripts/ansible mentioned above would of saved you the grief of editing ansible-ubuntu-ansible-focal.list as we create our own iiab-ansible.list file that contains 'bionic'. |
Indeed. This smells like a bug in Ansible 2.10.0's (lack of full) support for Ubuntu 20.04 (Focal Fossa) — given the instructions near the top of https://launchpad.net/~ansible/+archive/ubuntu/ansible say to do:
|
When attempting
|
I would suspect that the 'ini_file' module might of been renamed or is not part of ansible-base and may be part of 'collections' now. |
Unfortunate that https://docs.ansible.com/ansible/latest/modules/ini_file_module.html doesn't mention anything (yet!) When I searched for
Running
Rinse & repeat, searching for each missing module at https://galaxy.ansible.com ? Indeed, running the following seems to solve the above error:
|
After that I suspect it might fail because the underlying debs are not installed, use the list from L94 of scripts/ansible to correct. |
@georgejhunt
Is this related to Ansible's new permissions problem? (Or should we warn IIAB implementers/operators in the text of the above task description if this is the new normal?) So they know (roughly!) how long they might need to wait before giving up here: https://github.com/iiab/iiab/blob/master/roles/osm-vector-maps/tasks/install.yml#L184-L186 |
I ran I don't know of any missing underlying debs (but shout if some such others need to be installed?) |
Then you should not have other issues, apt wise anyway. Should cover what we needed before 2.10, postgre might need the 'collections' treatment and other might crop up. |
Great! Let's do a BIG-sized install later to confirm. @georgejhunt this current MEDIUM-sized install is still stuck (must have hung?) at |
Just move the big vars file into place and run ./iiab-configure, should run the installs for the newly changed *_install flags without having to start from scratch. |
CORRECTION: this step completed 38 minutes later, much more than tripling the total install time — when all other This seems very wrong ?? Certainly it makes for a very unfriendly install experience at the moment :/ |
Underway: |
@jvonau the BIG-sized install failed on 10.8.0.46 here:
Is this possibly a Kolibri 0.14.1 bug, that might go away tomorrow/Friday when Kolibri 0.14.3 is packaged up as a deb file for download from https://learningequality.org/download/ ? |
no clue. |
FYI changing the .deb from Kolibri 0.14.1 (https://learningequality.org/r/kolibri-deb-latest) to 0.14.3 (https://github.com/learningequality/kolibri/releases/download/v0.14.3/kolibri_0.14.3-0ubuntu1_all.deb) leads to the same failure:
...which would seem likely caused by Ansible's 666-to-600 file permissions changes?
|
Yes, that would be the 600 issue, no mode in the stanza used in the role. |
FYI the BIG-sized IIAB install completed on Ansible 2.10.0 (using Conclusions:
|
2.9.12 is hooped in the same way, so until there is a new release consider all new installs broken. Unless U-20 is used with the stock release of ansible 2.9.6. |
One could audit all the uses of copy, template, file, etc and ensure there is a mode declared as @georgejhunt suggests above. |
Presumably installs of IIAB onto Ubuntu 20.04 still work, as this uses Ansible 2.9.6
We could also:
|
After |
On 10.8.0.46 (where I ran
Example 1:
Example 2:
Example 3...contains 839 directories...so this output shows only those up to depth 3:
|
scripts/ansible: temp workaround (revert to Ansible 2.9.6) mitigating #2481
As Ansible 2.9.13 is tested to install BIG-sized IIAB, unlike 2.9.12 & 2.10.0 which suffer from the iiab#2481 permissions issue.
This is confirmed solved by Ansible 2.9.13 as implemented by PR #2501 — and the imminent Ansible 2.10.1+ as explained here: https://docs.ansible.com/ansible/devel/porting_guides/porting_guide_2.10.html#modules |
On ubuntu 18.04 VM, IIAB does not function because of the following sprinkled through the log:
[WARNING]: File '/tmp/heart-beat.txt' created with default permissions '600'. The previous default
was '666'. Specify 'mode' to avoid this warning.
All of the server tree is unreadable by www-data because permissions are set to 0600 (owner root). I have not found a config setting which reverts the new behavior.
I did not encounter this yesterday testing on a rpi4. umask is 0022, which should yield a 0766 default.
Ansible --version is 2.7.17 July 20, 2020
Ansible's promise for "copy" module:
This module is flagged as stableinterface which means that the maintainers for this module guarantee that no backward incompatible interface changes will be made.
Maybe I'm missing something
The text was updated successfully, but these errors were encountered: