copy fails for group ownership


Stein Inge Morisbak

Sep 8, 2014, 7:50:42 AM
to ansible...@googlegroups.com
I am trying to run the following task:

- name: copy httpd.conf to /etc/httpd/conf folder
  copy: src=httpd.conf dest="/etc/httpd/conf"

Ownership on the server is:

drwxrwsr-x 2 root developers  4096 Sep  8 13:33 .
drwxrwsr-x 5 root developers  4096 Sep  4 17:51 ..
-rw-rw-r-- 1 root developers 34744 Apr  3 16:01 httpd.conf

I am a member of the developers group. The directory and file have write permission for the developers group. However, the task fails with this error message:

fatal: [my-box] => failed to parse: {"msg": "Could not replace file: /home/steinim/.ansible/tmp/ansible-tmp-1410176741.01-248154513611723/source to /etc/httpd/conf/httpd.conf: [Errno 1] Operation not permitted: '/etc/httpd/conf/.ansible_tmpZ7a3MQhttpd.conf'", "failed": true}

Am I missing something, or should this work?

Michael DeHaan

Sep 8, 2014, 5:36:02 PM
to ansible...@googlegroups.com
Can you please share the ansible --version as well as the command line invocation you are using and the stanza of your playbook?

Sounds like you are doing something non-sudo most likely, or non root, that doesn't have enough permissions.




Stein Inge Morisbak

Sep 8, 2014, 5:51:12 PM
to ansible...@googlegroups.com
Yup. It is non-sudo and non-root.

$ ansible --version
ansible 1.7.1

stanza:
---
- hosts: myservers
  roles:
    - httpd
  remote_user: "{{ lookup('env','USER') }}"
  gather_facts: False
  sudo: False

$ ansible-playbook -i test myservers.yml
fatal: [my-box] => failed to parse: {"msg": "Could not replace file: /home/steinim/.ansible/tmp/ansible-tmp-1410212872.62-18948176608778/source to /etc/httpd/conf/httpd.conf: [Errno 1] Operation not permitted: '/etc/httpd/conf/.ansible_tmpy33qxVhttpd.conf'", "failed": true}
Exception OSError: (2, 'No such file or directory', '/etc/httpd/conf/.ansible_tmpy33qxVhttpd.conf') in <bound method _TemporaryFileWrapper.__del__ of <closed file '<fdopen>', mode 'w+b' at 0x1e946f0>> ignored

Since I am in the group developers and have write access to the file and directory I would expect that I can overwrite the file.

Michael DeHaan

Sep 9, 2014, 11:45:56 AM
to ansible...@googlegroups.com
Can you show more of the playbook in context?

I'm missing task names and such and wanted to be clear about something.

I may have some other questions after that.



Abubakr-Sadik Nii Nai Davis

Sep 9, 2014, 12:16:36 PM
to ansible...@googlegroups.com
Hello Stein, which distro are you running? I usually run into these permission issues with SELINUX on CentOS.

Stein Inge Morisbak

Sep 9, 2014, 12:22:06 PM
to ansible...@googlegroups.com
I have attached the whole shebang to reproduce it.

Requirements are:
- the same username on the server set up with an authorized key and belonging to a group.
- A file: /etc/httpd/conf/httpd.conf owned by a different user, but writable for the group the first user belongs to.






--
- Stein Inge
reproduced.tgz

Stein Inge Morisbak

Sep 9, 2014, 12:24:07 PM
to ansible-project
$ sestatus
SELinux status:                 disabled

$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.5 (Santiago)

2014-09-09 18:16 GMT+02:00 Abubakr-Sadik Nii Nai Davis <dwa...@gmail.com>:
Hello Stein, which distro are you running? I usually run into these permission issues with SELINUX on CentOS.




--
- Stein Inge

Abubakr-Sadik Nii Nai Davis

Sep 9, 2014, 12:54:15 PM
to ansible...@googlegroups.com
Your attachment does not include the httpd role. Mind sharing it? I have set up what I feel is similar to your playbook and run it successfully.
I think sharing the httpd role may help in reproducing your problem.

Stein Inge Morisbak

Sep 9, 2014, 1:01:49 PM
to ansible-project

Oh. Sorry.

- copy: src=httpd.conf dest="/etc/httpd/conf"

On Sep 9, 2014, 18:54, "Abubakr-Sadik Nii Nai Davis" <dwa...@gmail.com> wrote:
Your attachment does not include the httpd role. Mind sharing it? I have set up what I feel is similar to your playbook and run it successfully.
I think sharing the httpd role may help in reproducing your problem.


Abubakr-Sadik Nii Nai Davis

Sep 9, 2014, 1:21:42 PM
to ansible...@googlegroups.com
Can you please tar up the httpd role as you have it and attach it to a reply? 

Michael DeHaan

Sep 9, 2014, 3:12:53 PM
to ansible...@googlegroups.com
On Tue, Sep 9, 2014 at 12:16 PM, Abubakr-Sadik Nii Nai Davis <dwa...@gmail.com> wrote:
Hello Stein, which distro are you running? I usually run into these permission issues with SELINUX on CentOS.

Shouldn't be related and I want to discourage casting such impressions of SELinux :)

SELinux is pretty darn easy to manage.  Filesystem permissions rarely occur for basic copying, but there are occasions where applications need specific handling if constrained, which can cause frustrations on development

This does not apply to Ansible though, since it's not really serving anything up - so no Ansible specific SELinux config is required in nearly any case.
 


Michael DeHaan

Sep 9, 2014, 3:13:49 PM
to ansible...@googlegroups.com
As a general rule, I don't crack open tarballs attached to the list - and I would request that since there are thousands of users on this list we don't start using it for attachments.

(I'm not sure I can turn it off).

A gist or github repo would be welcome, or even pastebin for smaller things.

In many cases, it can just be shown inline.



Abubakr-Sadik Nii Nai Davis

Sep 10, 2014, 6:26:32 AM
to ansible...@googlegroups.com
Well noted.

Stein Inge Morisbak

Sep 10, 2014, 7:33:01 AM
to ansible...@googlegroups.com
Sorry about the tarball. It won't happen again.

After some further investigation it seems that it might have something to do with SELinux ACL after all. The httpd directory in /etc/httpd/conf has a dot after its access list (drwxr-xr-x.). I don't know if this is the problem yet, but I will do some further investigations. Thanks for mentioning SELinux.

I will keep you posted.





--
- Stein Inge

Michael DeHaan

Sep 10, 2014, 8:35:36 AM
to ansible...@googlegroups.com
Yeah, please let us know.

One point of clarification - I think you may possibly be confusing SELinux and ACLs, which are different things.

ACLs do not come from SELinux, they are managed by setfacl/etc.

(There's also a handy acl module in Ansible!)




Stein Inge Morisbak

Nov 5, 2014, 7:32:06 AM
to ansible...@googlegroups.com
Hi!

It took some time before I could look into this. Anyway, I think it has to do with this issue: https://github.com/ansible/ansible/issues/7372

The template-module always does `chown`, and that will not work when running as a non-root user when the files are owned by root even if the group has write permission.

- Stein Inge
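
The failure mode described in this message, as an added Python sketch (not Ansible's code and not from any poster in this thread): an atomic replace writes a temporary file next to the destination, restores the old owner, then renames. The names `atomic_replace`, `strict` and `deny_chown` are hypothetical, and `deny_chown` is a constructed stand-in for the `EPERM` a non-root user gets when the old owner is root.

```python
import errno
import os
import tempfile


def atomic_replace(src, dest, chown=os.chown, strict=False):
    """Write src's bytes to a temp file beside dest, then rename over dest.

    Hypothetical helper. Returns the ownership steps skipped on EPERM;
    strict=True re-raises instead, which is the failure seen in the thread.
    """
    old = os.stat(dest)
    dest_dir = os.path.dirname(os.path.abspath(dest))
    # Creating the temp file only needs write permission on the directory.
    fd, tmp = tempfile.mkstemp(prefix=".tmp_", dir=dest_dir)
    skipped = []
    try:
        with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
            out.write(inp.read())
        os.chmod(tmp, old.st_mode & 0o7777)  # allowed: we own the temp file
        try:
            # Restoring the previous owner needs privilege when that owner
            # is another user (e.g. root); group write access does not help.
            chown(tmp, old.st_uid, old.st_gid)
        except OSError as exc:
            if strict or exc.errno != errno.EPERM:
                raise
            skipped.append("chown")  # file will be owned by the caller
        os.rename(tmp, dest)  # atomic within one filesystem
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)  # never leave a stray temp file behind
        raise
    return skipped


def deny_chown(path, uid, gid):
    """Constructed stand-in for os.chown as a non-root user hits it."""
    raise OSError(errno.EPERM, "Operation not permitted", path)


if __name__ == "__main__":
    d = tempfile.mkdtemp()
    src, dest = os.path.join(d, "new.conf"), os.path.join(d, "httpd.conf")
    for path, data in ((src, b"new\n"), (dest, b"old\n")):
        with open(path, "wb") as fh:
            fh.write(data)
    print(atomic_replace(src, dest, chown=deny_chown))
```

On the tolerant path the replaced file ends up owned by the user who ran the copy; in a setgid directory such as the `drwxrwsr-x` one in the original post it still inherits the directory's group.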

Michael DeHaan

Nov 5, 2014, 9:31:54 AM
to ansible...@googlegroups.com
Can you please share what version of Ansible you are using?

(ansible --version)

Thanks!



Stein Inge Morisbak

Nov 5, 2014, 11:29:50 AM
to ansible-project ansible

2014-11-05 15:31 GMT+01:00 Michael DeHaan <mic...@ansible.com>:
ansible --version

ansible 1.7.2


--
- Stein Inge

Toshio Kuratomi

Nov 5, 2014, 11:54:30 AM
to ansible...@googlegroups.com

From earlier on the thread 1.7.1

And yes, there have been some fixes to the devel branch related to owner and group since 1.7.1 that might be the cause of this.  In addition to the two you've linked to, Stein, I believe there's a third where specifying the file name rather than the directory as the destination was a workaround.

If you can check out the development branch from git to test, that would confirm whether we've already fixed this for the next version or not.  Some of those fixes may also have been pulled into the 1.7.2 release - the timing is right but I don't recall whether they were added to that release or are waiting on 1.8.

-Toshio

Stein Inge Morisbak

Dec 16, 2014, 8:16:49 AM
to ansible...@googlegroups.com
It works :)

I am using 1.8.1.