template module ignoring become_user?
169 views
Skip to first unread message
Stephan Hradek
Sep 11, 2015, 6:14:34 AM9/11/15
to Ansible Project
Hi!
I'm trying to run a playbook locally and also trying to use the template module here.
This is an excerpt from my playbook:
when I run this with -vvv I do not see any reference to the apache user:
while other tasks do show such a reference:
Could it be that template module really ignores become_user?
I'm trying to run a playbook locally and also trying to use the template module here.
This is an excerpt from my playbook:
---
- hosts: localhost
gather_facts: no
become: yes
become_user: apache
vars:
version: 1.2
targetdir: /var/apachecontent
targetname: www
tasks:
- name: Fill Templates
template:
src: "{{ targetdir }}/{{ targetname }}-{{ version }}/{{ item.src }}"
dest: "{{ targetdir }}/{{ targetname }}-{{ version }}/{{ item.dest }}"
with_items:
- { src: 'html/index.j2', dest: 'html/index.html' }
when I run this with -vvv I do not see any reference to the apache user:
PLAY ***************************************************************************
TASK [Fill Templates] **********************************************************
ESTABLISH LOCAL CONNECTION FOR USER: vfuser
localhost EXEC (umask 22 && mkdir -p "/tmp/ansible-tmp-1441966241.67-127263559766056" && echo "/tmp/ansible-tmp-1441966241.67-127263559766056")
failed: [localhost] => (item={u'dest': u'html/index.html', u'src': u'html/index.j2'}) => {"failed": true, "item": {"dest": "html/index.html", "src": "html/index.j2"}, "msg": "IOError: [Errno 13] Permission denied: u'/var/apachecontent/www-1.2/html/index.j2'"}while other tasks do show such a reference:
TASK [Update Content] **********************************************************
ESTABLISH LOCAL CONNECTION FOR USER: vfuser
localhost EXEC (umask 22 && mkdir -p "/tmp/ansible-tmp-1441965977.64-37158568156372" && echo "/tmp/ansible-tmp-1441965977.64-37158568156372")
localhost PUT /tmp/tmpt8oCe5 TO /tmp/ansible-tmp-1441965977.64-37158568156372/subversion
localhost EXEC chmod a+r /tmp/ansible-tmp-1441965977.64-37158568156372/subversion
localhost EXEC /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=tmfyqjupodyewrgbbvwhtkupvfcrshff] password: " -u apache /bin/sh -c '"'"'echo BECOME-SUCCESS-tmfyqjupodyewrgbbvwhtkupvfcrshff; LANG=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /tmp/ansible-tmp-1441965977.64-37158568156372/subversion'"'"''
localhost EXEC rm -rf /tmp/ansible-tmp-1441965977.64-37158568156372/ >/dev/null 2>&1
changed: [localhost] => {"changed": true}
Could it be that template module really ignores become_user?
Brian Coca
Sep 11, 2015, 10:02:17 AM9/11/15
to Ansible Project
Modules don't know anything about become, it gets handled by ansible
itself and not the module. We seem to be missing some output as the
last command makes the temp dirs and then you get the error on
permission denied w/o the command that we attempted to execute.
--
Brian Coca
itself and not the module. We seem to be missing some output as the
last command makes the temp dirs and then you get the error on
permission denied w/o the command that we attempted to execute.
--
Brian Coca
Brian Coca
Sep 11, 2015, 10:02:27 AM9/11/15
to Ansible Project
Stephan Hradek
Sep 14, 2015, 1:48:22 AM9/14/15
to Ansible Project
Thanks for answering, Brian.
No, there is no output missing as I reduced the testcase to the bare minimum.
But I think I know where the problem is. Let me explain:
I'm setting this all up in a cloud-like environment where the user I have to use on the target system is not root, but may sudo to root.
What I wanted to achieve is to update the content of a webserver, by regularly polling a subversion repository.
What happens when the playbook was updated is:
a) User vfuser (my crontab user) is starting ansible-playbook
b) the playbook has a become-user: apache and updates its content using subversion
c) some templates now need to be updated which need be done by user apache, as the working copy belongs to apache -> This fails as ansible tries to do this as vfuser
Of course ansible has to do this as vfuser (the one running ansible) as this would be the only valid user in a push-scenario.
Unfortunately I'm in a pull-scenario and so vfuser does not have permission.
I'm doing it now (overly complicated?) like this:
I'm not sure whether or not I found an "edge-case", but I think it could be beneficial, could the template-fill also be run under "become_user".
No, there is no output missing as I reduced the testcase to the bare minimum.
But I think I know where the problem is. Let me explain:
I'm setting this all up in a cloud-like environment where the user I have to use on the target system is not root, but may sudo to root.
What I wanted to achieve is to update the content of a webserver, by regularly polling a subversion repository.
What happens when the playbook was updated is:
a) User vfuser (my crontab user) is starting ansible-playbook
b) the playbook has a become-user: apache and updates its content using subversion
c) some templates now need to be updated which need be done by user apache, as the working copy belongs to apache -> This fails as ansible tries to do this as vfuser
Of course ansible has to do this as vfuser (the one running ansible) as this would be the only valid user in a push-scenario.
Unfortunately I'm in a pull-scenario and so vfuser does not have permission.
I'm doing it now (overly complicated?) like this:
- Update Content
- This is the svn up. getting the content for apache
- Make Templates Accessible
- Does a chmod 0755 on all the updated directories
- Remove Dummy Dargets
- Removes all the html files, which will get created, just in case they already exist
- Create Dummy Targets
- Now create the empty html files and chown them to vfuser
- Fill Templates
- Fill the templates as vfuser
- Set Permission of Targets
- chown back to apache
- Cleanup Templates
- remove the templates
I'm not sure whether or not I found an "edge-case", but I think it could be beneficial, could the template-fill also be run under "become_user".
Brian Coca
Sep 14, 2015, 11:18:22 AM9/14/15
to Ansible Project
The template get's 'filled' on the master so the remote/become users
do not matter at that point, the filled template gets copied to the
target machine as the remote user, which in the case of sudo to non
root user it will go to a more permissive directory (the case is
already handled).
For some reason your task seems to be skipping that step and then not
running the command to copy into place, which should show with -vvvv
but it is not being shown for whatever reason (probably related to why
you are getting an error).
--
Brian Coca
do not matter at that point, the filled template gets copied to the
target machine as the remote user, which in the case of sudo to non
root user it will go to a more permissive directory (the case is
already handled).
For some reason your task seems to be skipping that step and then not
running the command to copy into place, which should show with -vvvv
but it is not being shown for whatever reason (probably related to why
you are getting an error).
--
Brian Coca
Stephan Hradek
Sep 15, 2015, 1:31:21 AM9/15/15
to Ansible Project
Am Montag, 14. September 2015 17:18:22 UTC+2 schrieb Brian Coca:
The template get's 'filled' on the master so the remote/become users
do not matter at that point,
It could (and here does) matter when you run locally because master and target are the same machine.
For some reason your task seems to be skipping that step and then not
running the command to copy into place,
It skips that step because the filling does not work.
Reply all
Reply to author
Forward
0 new messages