Permission denied while copy with sudo (Related to issue 2837)

[Vincent Hardion]

Hi everybody,

Another newbie in Ansible ...  

And I have a problem of permission with the copy task...

Problem when I launch the playbook :

 ansible-playbook -k -K -i dev all.yml -vvv

...

 failed: [acomputer.se] => {"failed": true, "item": ""}

 msg: Could not replace file: /home/xxx/.ansible/tmp/ansible-1374162746.23-59345204944449/source to /etc/ntp.conf: [Errno 13] Permission denied: '/home/xxx/.ansible/tmp/ansible-1374162746.23-59345204944449/source'

My configuration is:

 # role/common/tasks/main.yml

 - name: ensure NTP point out to the ntp server

   copy: src=ntp.conf dest=/etc/ntp.conf owner=root group=root mode=0644

 # all.yml

 - hosts: all

   sudo: yes

   roles:

   - common

My investigation shows me some relationship with this issues (https://github.com/ansible/ansible/issues/2837).

In my case the copy task move (instead of copy) the source file to /etc/.ntp... but the source file is read only for root !!!

I could reproduce the problem with this linux command :

sudo mv /home/xxx/.ansible/tmp/ansible-1374162746.23-59345204944449/source /etc/.ntp.conf.bug

mv: cannot remove `/home/xxx/.ansible/tmp/ansible-1374162746.23-59345204944449/source': Permission denied

Of course the mod of the file doesn't allow the write access :

~% ll /home/xxx/.ansible/tmp/ansible-1374162746.23-59345204944449       

total 44

-rw-r--r-- 1 xxx yyy 38960 Jul 18 18:32 copy

-rw-r--r-- 1 xxx yyy  1860 Jul 18 17:52 source

Questions :

1. Is there a possibility to change the mod of the source file somehow ?
2. Is there any reason to move the file instead of always copy it (see the patch https://github.com/bcoca/ansible/commit/bdeb370d7942119944ee4d04e94391fe6ffe2ff3) ? because in any case the tempdir will be deleted (I try to patch with success).
3. for myself : Am I the only one ?

Thank you to have read this long topic.

Best regards,

Vincent

[Michael DeHaan]

Before we dive into questions, as is a good case with all of these kind of reports, please share the version of Ansible you are using.

Sounds like your user might not own ~/.ansible here or something.

Anyway, there's an outstanding patch from Brian to tweak the code to do renames in a few cases that may fix you up here, but I'm curious about what is unique about your system -- not a frequent report I've heard about.

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

--

Michael DeHaan <mic...@ansibleworks.com>
CTO, AnsibleWorks, Inc.
http://www.ansibleworks.com/

[Vincent Hardion]

Thanks for your answer.

Effectively with the version of ansible is better. So I tried first with 1.2 (rpm from epel) but it happens with release1.2.1 and even the development branch.

I'm the owner of ~/.ansible. But now you talk about "unique" maybe one thing: the home directory is nfs mount. So when I launch ansible from computer A to computer B, ansible use the same "drive" space.

This pull request can be more explicit : https://github.com/ansible/ansible/pull/3587.

Best regards,

Vincent

[Brian Coca]

Is NFS mounted with root squash?

Brian Coca

[Vincent Hardion]

I'm not enough expert to say yes or no immediately.

Just let me google how to check that.

BTW Is there a way to change the temp dir? 

On Fri, Jul 19, 2013 at 1:59 PM, Brian Coca <bria...@gmail.com> wrote:

Is NFS mounted with root squash?

Brian Coca

--
You received this message because you are subscribed to a topic in the Google Groups "Ansible Project" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ansible-project/yCN_yXa_GkM/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ansible-proje...@googlegroups.com.

[Brian Coca]

run mount and it should show the options with which nfs was set up, it is probably the cause of this issue as root generally can do anything on a local box and should (selinux baring) never get a permission denied error.

yes, changing the temp dir will solve this case, there is a env var and an ansible.cfg setting.

On Fri, Jul 19, 2013 at 11:05 AM, Vincent Hardion <vincent...@gmail.com> wrote:

not enough expert to say yes or no immediately.

Just let me google how to check that.

BTW Is there a way to change the temp dir? 

--
Brian Coca
Stultorum infinitus est numerus
0110000101110010011001010110111000100111011101000010000001111001011011110111010100100000011100110110110101100001011100100111010000100001

Pedo mellon a minno

[Vincent Hardion]

From the exports table the NFS is exported with root_squash (default behaviour)

[Brian Coca]

Well, that explains the failure. 

As a workaround defining the ansible tmp dir outside of the NFS mount, which you should do anyways. You really wan't to keep the ansible tmp files local to the machine, specially if you are doing servers in parallel with the same home mounted.

You received this message because you are subscribed to the Google Groups "Ansible Project" group.

To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.

For more options, visit https://groups.google.com/groups/opt_out.
 
 

[Michael DeHaan]

Just for clarification, have you tried the development branch as of about 20 minutes ago?

Some code changes in that regard and want to make sure you're trying latest before I try to replicate things.

--Michael

Best regards,

Vincent

--

You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

--

[Michael DeHaan]

But yes, Brian is correct.   The ansible remote temp path should probably be configured and forced to /tmp in this case.

[Vincent Hardion]

I have just pull the last version but it is the same behaviour.

~/projects/cfg-maxlab-ansible/etc/ansible% ansible-playbook --version

ansible-playbook 1.3 (devel f4b1e426ea) last updated 2013/07/19 18:08:52 (GMT +200)

TASK: [ensure NTP point out to the ntp server] ************************* 

failed: [computerA.se] => {"failed": true, "item": ""}

msg: Could not replace file: /home/xxx/.ansible/tmp/ansible-1374250532.29-44727094344629/source to /etc/ntp.conf: [Errno 13] Permission denied: '/home/xxx/.ansible/tmp/ansible-1374250532.29-44727094344629/source'

By changing the temp directory it works.

Thank you Michael and Brian.

Vincent

You received this message because you are subscribed to a topic in the Google Groups "Ansible Project" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ansible-project/yCN_yXa_GkM/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ansible-proje...@googlegroups.com.

[Michael DeHaan]

Ok, thanks, good data.  I think we can improve the error message quality and also *possibly* tech the system to retry at the other location.

[Vamsi krishna]

Hi vincent,

mee to facing the same issue...

changing the tmp directory means, what you mean??

you mean to change that in our hosts???? 

can u explain litttle bit clear...

[Vamsi krishna]

When i am creating directory i am getting permission denied...

ansible version 2.4.3

"msg": "There was an issue creating /etc/xxxx as requested: [Errno 13] Permission denied: b'/etc/xxxx'

[Toshio Kuratomi]

There's a configuration option, remote_tmp.  Setting that to a system directory (like /tmp or /var/tmp ) can fix this error.

To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscribe@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/4bae621f-b1d9-4ed7-87db-3dc76678b30f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Vamsi krishna]

Hello @Toshio ,

Thanks for your response, i tried and i changed in the ansible.cfg file to remote_tmp: /var/tmp and still same error....

Yaml file i am using.... 

 name: using

 hosts: all

 tasks:

   - name: creates directory

     file:

       path: /etc/xxxx

       state: directory

       owner: root

       group: root

       mode: 0755

Error i am getting.... 

"msg": "There was an issue creating /etc/xxxx as requested: [Errno 13] Permission denied: b'/etc/xxxx'  

Any help.....

thanks 

[Toshio Kuratomi]

Your having a different problem than the person you replied to.  Your issue is that you don't have permission on the directory that you are asking ansible to create (/etc/xxxx ).  The original poster was having problems with an internal ansible temporary directory.

For your issue, you need the user you are logging into the remote machine as to have permission to create that directory *or* you need to use ansible's become facilities to become a user with sufficient permissions to create the directory.

For instance, on my machines ansible will log into the remote machine as an unprivilrged user and then use sudo with password to become root.  Using your playing, I'd invoke ansible with a commandline like this:

ansible-playbook --become --become-user=root -K test.yml

--

You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscribe@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/c0a24201-6403-4207-836b-2b10d7ff558b%40googlegroups.com.