run_occ: Failed to set permissions when becoming an unprivileged user #77

Open
jbicha opened this issue Jan 14, 2017 · 8 comments

Contributor

jbicha commented Jan 14, 2017

Controller is running ansible .deb built from today's 2.2-stable branch (pre-2.2.1)
Host is Ubuntu 16.10. (I had to set owncloud__distribution_version: '16.04' since the repo doesn't support 16.10 yet.)

TASK [debops.owncloud : Run given occ commands] ********************************
fatal: [server.example.com]: FAILED! => {"failed": true, "msg": "Failed to set permissions
on the temporary files Ansible needs to create when becoming an unprivileged user
(rc: 1, err: chown: changing ownership of '/tmp/ansible-tmp-1484374434.41-197434920671735/':
Operation not permitted\nchown: changing ownership of
'/tmp/ansible-tmp-1484374434.41-197434920671735 command.py': Operation not
permitted\n). For information on working around this, see
https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user"}

I tried to work around this by commenting out the become_user line. But then I got this:

fatal: [server.example.com]: FAILED! => {"failed": true, "msg": "the field 'args' has an invalid value ([u'role::owncloud:occ_config', u'role::owncloud:config', u'role::owncloud', u'role::owncloud:config', u'role::owncloud', u'role::owncloud:config', u'role::owncloud']), and could not be converted to an dict. Error was: No JSON object could be decoded\n\nThe error appears to have been in '/home/jeremy/.local/share/debops/debops-playbooks/roles/debops.owncloud/tasks/run_occ.yml': line 59, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Convert occ output into Ansible data structure\n ^ here\n"}

Member

ypid commented Jan 14, 2017

Have not tested with Ubuntu > 14.04. Also, I think when you are using Ubuntu as server, you would want to go with the LTS versions?

But it looks like an Ansible issue to me. Can you try with other releases like 2.1.x for example?

Member

drybjed commented Jan 17, 2017

This is due to Ansible trying to securely change the user context without compromising the security - i.e. create files, then change their ownership, then run them. It's usually done with ACLs these days, unless your filesystem does not have them enabled (see the documentation for more details).

I'm assuming that you are doing this in an LXD container and it restricts ACL support in the filesystem, evident by "Operation not permitted". You could check if you can allow ACLs in a given container for this to work.

Contributor Author

jbicha commented Jan 18, 2017

@ypid I have the same issue with 2.1.1. But if y'all are going to suggest 2.1.1, you should revert the PHP commit that doesn't work with 2.1.1!

@drybjed Thanks. Yeah, it works when I run it on a VPS. I guess lxd is causing me some problems; maybe I'll need to learn vagrant then. I tried adding this to .debops.cfg but it didn't help

[ansible defaults]
;allow_world_readable_tmpfiles = True

Member

ypid commented Jan 18, 2017

@drybjed I thought we would maintain compatibility with Ansible 2.1.x for a while. I did not update to debops/ansible-php@cafda8dab yet and I see that it would break compatibility. I like Ansible 2.1.x so far 😉

@drybjed Right on with the permission issues. Interesting.

Member

drybjed commented Jan 18, 2017

@ypid Yeah, we should probably revert the check change for the time being.

@jbicha Did you write that option in the .debops.cfg file commented out? Remove the ; and check if this option shows up in the generated ansible.cfg configuration file.
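Added example, not code from DebOps or from anyone in this thread: a check over the INI text posted above, assuming the file follows Python's standard `configparser` rules, where a leading `;` marks a comment. It reports options that are commented out and therefore inert, and flags `allow_world_readable_tmpfiles` once it is really enabled, because that setting leaves Ansible's temporary module files readable by every local user on the host. The `audit` function, the `RISKY` set and both sample strings are constructed for illustration.

```python
import configparser
import re

# Constructed samples: the two lines as posted in the thread, and the same
# option with the leading ';' removed.
AS_POSTED = "[ansible defaults]\n;allow_world_readable_tmpfiles = True\n"
UNCOMMENTED = "[ansible defaults]\nallow_world_readable_tmpfiles = True\n"

# Options that trade confidentiality for convenience (hypothetical watch list).
RISKY = {"allow_world_readable_tmpfiles"}
SECTION_HEADER = re.compile(r"^\s*\[(.+?)\]\s*$")
COMMENTED_OPTION = re.compile(r"^\s*[;#]\s*([A-Za-z_][\w.]*)\s*[=:]")


def audit(text, section="ansible defaults"):
    """Return (active, commented_out, warnings) for one INI section."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    active = dict(parser[section]) if parser.has_section(section) else {}

    # Second pass over the raw lines: the parser silently drops comment
    # lines, so options hidden behind ';' or '#' must be found by hand.
    commented, current = [], None
    for line in text.splitlines():
        header = SECTION_HEADER.match(line)
        if header:
            current = header.group(1)
            continue
        hit = COMMENTED_OPTION.match(line)
        if hit and current == section and hit.group(1).lower() not in active:
            commented.append(hit.group(1).lower())

    warnings = [f"{name}: commented out, has no effect" for name in commented]
    for name in sorted(active.keys() & RISKY):
        if parser.getboolean(section, name):
            warnings.append(f"{name}: enabled, temp files become world-readable")
    return active, commented, warnings


if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("uncommented", UNCOMMENTED)):
        print(label, audit(text))
```
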

Contributor Author

jbicha commented Jan 18, 2017

lol, oh that's what the semicolon is for!

Member

ypid commented Mar 2, 2017

@jbicha Does it work for you now?

Contributor Author

jbicha commented Mar 2, 2017

@ypid Probably, I haven't run debops recently.
