Group permissions not being added to user after VM reload during provisioning

pre...@theinstitutes.org

Dec 3, 2018, 2:01:32 PM12/3/18
to Vagrant
Hello,

I've been working on creating a VM that runs docker for Windows users that need to use VirtualBox for other projects. Debian 9 has been selected as a base, and ansible_local is being used for provisioning. Docker installs fine, but when I go to stand up some containers via Lando, there is a permission denied error with docker:

Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.39/info: dial unix /var/run/docker.sock: connect: permission denied

This seems to be caused by the fact that during the provision, the `vagrant` user is not added to the `docker` group. After the provision fails, though, using `vagrant ssh` the `docker` group is listed in the vagrant user's groups, and the same command that failed during provisioning above works fine. I have added a plugin (vagrant-reload) to restart the server between the install of Docker and the use of Lando in an attempt to refresh the `vagrant` user's permissions, but still, there is no `docker` in the list of the vagrant user's groups. Why is the user permission not being updated on a reload, but is when manually SSHing into the VM with `vagrant ssh`?

Below are specific files:

Vagrantfile
Vagrant.require_version ">= 2.0.0"

hostname = "ti-api-testing.test"

Vagrant.configure("2") do |config|
  # Set the name of VM
  config.vm.define "ti-api-testing"

  # Networking
  config.vm.hostname = hostname
  config.vm.network :private_network,
    ip: "192.168.115.191"

  # SSH
  config.ssh.forward_agent = true

  # Vagrant Box
  config.vm.box = "geerlingguy/debian9"

  # VM Settings
  config.vm.provider :virtualbox do |v|
    v.linked_clone = true
    v.name = hostname
    v.memory = 2048
    v.cpus = 1
    v.customize ['modifyvm', :id, '--natdnshostresolver1', 'on']
    v.customize ['modifyvm', :id, '--ioapic', 'on']
    v.gui = false
  end

  # Synced folders
  options = {
    type: 'nfs',
    create: true
  }
  config.vm.synced_folder '../', '/code', options

  # Provision
  config.vm.provision "ansible_local" do |ansible|
    ansible.compatibility_mode = '2.0'
    ansible.playbook = "playbook.yml"
    ansible.verbose = false
    ansible.tags = "docker"
  end

  # Reload to allow user permissions to update
  config.vm.provision :reload

  config.vm.provision "ansible_local" do |ansible|
    ansible.compatibility_mode = '2.0'
    ansible.playbook = "playbook.yml"
    ansible.verbose = false
    ansible.tags = "lando"
  end
end

playbook.yml
---
- hosts: all
  become: yes
  tags:
    - docker

  vars_files:
    - config.yml

  tasks:
    - import_tasks: tasks/docker.yml

- hosts: all
  become: yes
  tags:
    - lando

  vars_files:
    - config.yml

  tasks:
    - import_tasks: tasks/lando.yml

docker.yml
---
- name: Enable HTTPS for apt
  apt:
    name: "{{ packages }}"
  vars:
    packages:
      - apt-transport-https
      - ca-certificates
      - gnupg2
      - software-properties-common

- name: Attach Docker GPG key to apt
  apt_key:
    id: 0EBFCD88
    file: /vagrant/files/docker.gpg
    state: present

- name: Get distribution info
  shell: lsb_release -cs
  register: release

- name: Add docker repository to apt
  apt_repository:
    repo: "deb [arch=amd64] https://download.docker.com/linux/debian {{ release.stdout }} stable"

- name: Install Docker
  apt:
    name: docker-ce
    update_cache: yes

lando.yml
---
- name: Install Lando
  apt:
    deb: /vagrant/files/lando-v3.0.0-rc.1.deb

- name: get the username running the deploy
  become: false
  local_action: command whoami
  register: username_on_the_host

- debug: var=username_on_the_host

- name: get the groups running the deploy
  become: false
  local_action: command groups
  register: groups_on_the_host

- debug: var=groups_on_the_host

- name: Start Lando
  become: false
  command: lando start
  args:
    chdir: /code

STDOUT
$ vagrant up
Bringing machine 'ti-api-testing' up with 'virtualbox' provider...
==> ti-api-testing: Cloning VM...
==> ti-api-testing: Matching MAC address for NAT networking...
==> ti-api-testing: Checking if box 'geerlingguy/debian9' is up to date...
==> ti-api-testing: Setting the name of the VM: ti.test
==> ti-api-testing: Clearing any previously set network interfaces...
==> ti-api-testing: Preparing network interfaces based on configuration...
    ti-api-testing: Adapter 1: nat
    ti-api-testing: Adapter 2: hostonly
==> ti-api-testing: Forwarding ports...
    ti-api-testing: 22 (guest) => 2222 (host) (adapter 1)
==> ti-api-testing: Running 'pre-boot' VM customizations...
==> ti-api-testing: Booting VM...
==> ti-api-testing: Waiting for machine to boot. This may take a few minutes...
    ti-api-testing: SSH address: 127.0.0.1:2222
    ti-api-testing: SSH username: vagrant
    ti-api-testing: SSH auth method: private key
==> ti-api-testing: Machine booted and ready!
[ti-api-testing] GuestAdditions 5.2.22 running --- OK.
==> ti-api-testing: Checking for guest additions in VM...
==> ti-api-testing: Setting hostname...
==> ti-api-testing: Configuring and enabling network interfaces...
==> ti-api-testing: Mounting shared folders...
    ti-api-testing: /code => E:/code/ti-api-testing
    ti-api-testing: /vagrant => E:/code/ti-api-testing/localDev
==> ti-api-testing: Running provisioner: ansible_local...
    ti-api-testing: Running ansible-playbook...
 [WARNING] Ansible is being run in a world writable directory (/vagrant), ignoring it as an ansible.cfg source. For more information see https://docs.ansible.com/ansible/devel/reference_appendices/config.html#cfg-in-world-writable-dir

PLAY [all] *********************************************************************

TASK [Gathering Facts] *********************************************************
ok: [ti-api-testing]

TASK [Enable HTTPS for apt] ****************************************************
changed: [ti-api-testing]

TASK [Attach Docker GPG key to apt] ********************************************
changed: [ti-api-testing]

TASK [Get distribution info] ***************************************************
changed: [ti-api-testing]

TASK [Add docker repository to apt] ********************************************
changed: [ti-api-testing]

TASK [Install Docker] **********************************************************
changed: [ti-api-testing]

PLAY [all] *********************************************************************

TASK [Gathering Facts] *********************************************************
ok: [ti-api-testing]

PLAY RECAP *********************************************************************
ti-api-testing             : ok=7    changed=5    unreachable=0    failed=0

==> ti-api-testing: Running provisioner: reload...
==> ti-api-testing: Attempting graceful shutdown of VM...
==> ti-api-testing: Checking if box 'geerlingguy/debian9' is up to date...
==> ti-api-testing: Clearing any previously set forwarded ports...
==> ti-api-testing: Clearing any previously set network interfaces...
==> ti-api-testing: Preparing network interfaces based on configuration...
    ti-api-testing: Adapter 1: nat
    ti-api-testing: Adapter 2: hostonly
==> ti-api-testing: Forwarding ports...
    ti-api-testing: 22 (guest) => 2222 (host) (adapter 1)
==> ti-api-testing: Running 'pre-boot' VM customizations...
==> ti-api-testing: Booting VM...
==> ti-api-testing: Waiting for machine to boot. This may take a few minutes...
    ti-api-testing: SSH address: 127.0.0.1:2222
    ti-api-testing: SSH username: vagrant
    ti-api-testing: SSH auth method: private key
==> ti-api-testing: Machine booted and ready!
[ti-api-testing] GuestAdditions 5.2.22 running --- OK.
==> ti-api-testing: Checking for guest additions in VM...
==> ti-api-testing: Setting hostname...
==> ti-api-testing: Configuring and enabling network interfaces...
==> ti-api-testing: Mounting shared folders...
    ti-api-testing: /code => E:/code/ti-api-testing
    ti-api-testing: /vagrant => E:/code/ti-api-testing/localDev
==> ti-api-testing: Machine already provisioned. Run `vagrant provision` or use the `--provision`
==> ti-api-testing: flag to force provisioning. Provisioners marked to run always will still run.
==> ti-api-testing: Running provisioner: ansible_local...
    ti-api-testing: Running ansible-playbook...
 [WARNING] Ansible is being run in a world writable directory (/vagrant), ignoring it as an ansible.cfg source. For more information see https://docs.ansible.com/ansible/devel/reference_appendices/config.html#cfg-in-world-writable-dir

PLAY [all] *********************************************************************

TASK [Gathering Facts] *********************************************************
ok: [ti-api-testing]

PLAY [all] *********************************************************************

TASK [Gathering Facts] *********************************************************
ok: [ti-api-testing]

TASK [Install Lando] ***********************************************************
changed: [ti-api-testing]

TASK [get the username running the deploy] *************************************
changed: [ti-api-testing -> localhost]

TASK [debug] *******************************************************************
ok: [ti-api-testing] => {
    "username_on_the_host": {
        "changed": true,
        "cmd": [
            "whoami"
        ],
        "delta": "0:00:00.002716",
        "end": "2018-12-03 18:45:21.817641",
        "failed": false,
        "rc": 0,
        "start": "2018-12-03 18:45:21.814925",
        "stderr": "",
        "stderr_lines": [],
        "stdout": "vagrant",
        "stdout_lines": [
            "vagrant"
        ]
    }
}

TASK [get the groups running the deploy] ***************************************
changed: [ti-api-testing -> localhost]

TASK [debug] *******************************************************************
ok: [ti-api-testing] => {
    "groups_on_the_host": {
        "changed": true,
        "cmd": [
            "groups"
        ],
        "delta": "0:00:00.002078",
        "end": "2018-12-03 18:45:21.972648",
        "failed": false,
        "rc": 0,
        "start": "2018-12-03 18:45:21.970570",
        "stderr": "",
        "stderr_lines": [],
        "stdout": "vagrant cdrom floppy sudo audio dip video plugdev netdev bluetooth",
        "stdout_lines": [
            "vagrant cdrom floppy sudo audio dip video plugdev netdev bluetooth"
        ]
    }
}

TASK [Start Lando] *************************************************************
fatal: [ti-api-testing]: FAILED! => {"changed": true, "cmd": ["lando", "start"], "delta": "0:05:27.664205", "end": "2018-12-03 18:50:49.785852", "msg": "non-zero return code", "rc": 1, "start": "2018-12-03 18:45:22.121647", "stderr": "Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.39/info: dial unix /var/run/docker.sock: connect: permission denied\nGot per[...]
        to retry, use: --limit @/vagrant/playbook.retry

PLAY RECAP *********************************************************************
ti-api-testing             : ok=7    changed=3    unreachable=0    failed=1

Ansible failed to complete successfully. Any error output should be
visible above. Please fix these errors and try again.

As some more context, I have tried:
  • Creating a `docker` group and adding a new user and tried a `become_user` setting in ansible, but that has an error starting `Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user (rc: 1, err: chown: changing ownership of '/var/tmp/ansible-tmp-1543849956.6-23086055711483/': Operation not permitted`
  • Using a shell provisioner to run the lando command, but again, still no `docker` group for the `vagrant` user
  • Using 1 or 2 ansible_local provision directives to see if the SSH would reset
  • Trying the ansible restart option, but that won't work with ansible_local
  • Installing ansible on my Windows host (not supported by ansible) to try to switch to `ansible` instead of `ansible_local`
  • Trying a different OS (CentOS), but had an issue with installing docker (docker yum repo resulted in 404)

Thank you for any help you can offer,

Phil Preston
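Added example, not from the original post: the posted docker.yml contains no task that puts the `vagrant` user into the `docker` group, so these are tasks of the kind that would follow "Install Docker" in docker.yml, plus a pre-flight check that fails within seconds instead of after the five-minute `lando start` timeout seen in the log. The task names and the `vagrant_groups` register variable are my own choices.

```yaml
# Added example (not from the original post). Append these to docker.yml
# after the "Install Docker" task; that play already runs with become: yes.

- name: Ensure the docker group exists (the docker-ce package normally creates it)
  group:
    name: docker
    state: present

# Membership of the docker group grants control of the daemon, which is
# root-equivalent on the VM, so only the single vagrant account gets it.
- name: Add the vagrant user to the docker group
  user:
    name: vagrant
    groups: docker
    append: yes        # without append, "groups:" REPLACES sudo, plugdev, ...

# `groups` (as run in lando.yml) prints the credentials of the current session,
# which were fixed when the SSH session logged in. `id -nG <user>` reads the
# user database instead, so it reflects the change immediately.
- name: Verify the membership is recorded in the user database
  command: id -nG vagrant
  register: vagrant_groups
  changed_when: false
  failed_when: "'docker' not in vagrant_groups.stdout.split()"

# sg runs a command with docker as its group, taken from the database rather
# than the session, so the socket can be checked before a fresh login exists.
- name: Verify the Docker socket is reachable with docker group credentials
  become: false
  command: sg docker -c "docker info"
  changed_when: false
```

The `sg`-based check shows whether the permission problem is the missing membership itself or only the stale session credentials, which is the distinction the reload provisioner is meant to address.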
