mitogen
os.chdir fails if the sudo/become user lacks adequate permissions to chdir prior to task
- Which version of Ansible are you running? 2.8.2
- Is your version of Ansible patched in any way? No
- Are you running with any custom modules, or module_utils loaded? No
- Have you tried the latest master version from Git? Yes
- Do you have some idea of what the underlying problem may be? os.chdir in runner.py does not check for permissions before attempting chdir. If permissions for the sudo user prohibit access to the cwd, then the task fails.
- Mention your host and target OS and versions CentOS 7.6.1810
- Mention your host and target Python versions CentOS stock, 2.7.5
- If reporting a crash or hang in Ansible...
[task 12337] 13:59:35.925665 D mitogen.parent: starting no-reply function call to u'local.12340.sudo.postgres': mitogen.core.Dispatcher.forget_chain('testing.apisnetworks.com-12337-7f773bdb9740-5907c1a563401')
[mux 12303] 13:59:35.926584 D ansible_mitogen.services: decrementing reference count for Context(4, u'local.12340.sudo.postgres')
[task 12337] 13:59:35.926955 D mitogen: MitogenProtocol(unix_listener.12303): disconnecting
[task 12337] 13:59:35.927252 D mitogen: Waker(fd=11/12): disconnecting
[task 12337] 13:59:35.927629 D mitogen: Router(Broker(7e50)): stats: 0 module requests in 0 ms, 0 sent (0 ms minify time), 0 negative responses. Sent 0.0 kb total, 0.0 kb avg.
[mux 12303] 13:59:35.929497 D mitogen: <Side of unix_client.12337 fd 76>: empty read, disconnecting
[mux 12303] 13:59:35.929760 D mitogen: MitogenProtocol(unix_client.12337): disconnecting
[mux 12303] 13:59:35.930372 D mitogen.[local.12340.sudo.postgres]: Dispatcher: dispatching (None, u'mitogen.core', u'Dispatcher', u'forget_chain', ('testing.apisnetworks.com-12337-7f773bdb9740-5907c1a563401',), Kwargs({}))
[mux 12303] 13:59:35.930643 D mitogen.[local.12340.sudo.postgres]: Dispatcher: Message(4, 1, 0, 101, 0, '\x80\x02(NX\x0c\x00\x00\x00mitogen.coreX\n\x00\x00\x00Dispatcherq\x01X\x0c\x00\x00\x00forget_'..151) -> None
[mux 12303] 13:59:35.933657 D mitogen.service.[local.12340]: Pool(6a10, size=2, th='MainThread'): initialized
The full traceback is:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ansible/executor/task_executor.py", line 144, in run
    res = self._execute()
  File "/usr/lib/python2.7/site-packages/ansible/executor/task_executor.py", line 648, in _execute
    result = self._handler.run(task_vars=variables)
  File "/usr/lib/python2.7/site-packages/ansible_mitogen/mixins.py", line 116, in run
    return super(ActionModuleMixin, self).run(tmp, task_vars)
  File "/usr/lib/python2.7/site-packages/ansible/plugins/action/normal.py", line 46, in run
    result = merge_hash(result, self._execute_module(task_vars=task_vars, wrap_async=wrap_async))
  File "/usr/lib/python2.7/site-packages/ansible_mitogen/mixins.py", line 359, in _execute_module
    timeout_secs=self.get_task_timeout_secs(),
  File "/usr/lib/python2.7/site-packages/ansible_mitogen/planner.py", line 503, in invoke
    kwargs=planner.get_kwargs(),
  File "/usr/lib/python2.7/site-packages/ansible_mitogen/connection.py", line 445, in call
    return self._rethrow(recv)
  File "/usr/lib/python2.7/site-packages/ansible_mitogen/connection.py", line 431, in _rethrow
    return recv.get().unpickle()
  File "/usr/lib/python2.7/site-packages/mitogen/core.py", line 963, in unpickle
    raise obj
CallError: exceptions.OSError: [Errno 13] Permission denied: '/usr/local/apnscp/resources/playbooks'
  File "<stdin>", line 3661, in _dispatch_one
  File "master:/usr/lib/python2.7/site-packages/ansible_mitogen/target.py", line 422, in run_module
    return impl.run()
  File "master:/usr/lib/python2.7/site-packages/ansible_mitogen/runner.py", line 440, in run
    self.setup()
  File "master:/usr/lib/python2.7/site-packages/ansible_mitogen/runner.py", line 850, in setup
    super(NewStyleRunner, self).setup()
  File "master:/usr/lib/python2.7/site-packages/ansible_mitogen/runner.py", line 623, in setup
    super(ProgramRunner, self).setup()
  File "master:/usr/lib/python2.7/site-packages/ansible_mitogen/runner.py", line 374, in setup
    self._setup_cwd()
  File "master:/usr/lib/python2.7/site-packages/ansible_mitogen/runner.py", line 384, in _setup_cwd
    os.chdir(self.cwd)
fatal: [localhost]: FAILED! => {
    "msg": "Unexpected failure during module execution.",
    "stdout": ""
}
- If reporting any kind of problem with Ansible, please include the Ansible version along with output of "ansible-config dump --only-changed".
# ansible-config dump --only-changed
DEFAULT_STRATEGY(/usr/local/apnscp/resources/playbooks/ansible.cfg) = mitogen_linear
DEFAULT_STRATEGY_PLUGIN_PATH(/usr/local/apnscp/resources/playbooks/ansible.cfg) = [u'/usr/lib/python2.7/site-packages/ansible_mitogen/plugins/strategy']
Sample play to reproduce the behavior:
---
- hosts: localhost
  gather_facts: no
  tasks:
    - name: Become bug
      become_user: postgres
      become: True
      postgresql_user: name=testuser password=abc db=template1 encrypted=yes
      register: user_changed
Verification of the permissions:
sudo -u postgres ls -la /usr/local/apnscp/resources/playbooks/
ls: cannot access /usr/local/apnscp/resources/playbooks/: Permission denied
Then if we change permissions to allow access by user "postgres":
chmod 711 /usr/local/apnscp/
sudo -u postgres ls -la /usr/local/apnscp/resources/playbooks/
# ls succeeds
Likewise the play completes as expected:
changed: [localhost] => {
    "changed": true,
    "invocation": {
        "module_args": {
            "ca_cert": null,
            "conn_limit": null,
            "db": "template1",
            "encrypted": true,
            "expires": null,
            "fail_on_user": true,
            "login_host": "",
            "login_password": "",
            "login_unix_socket": "",
            "login_user": "postgres",
            "name": "testuser",
            "no_password_changes": false,
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "port": 5432,
            "priv": null,
            "role_attr_flags": "",
            "session_role": null,
            "ssl_mode": "prefer",
            "state": "present",
            "user": "testuser"
        }
    },
    "queries": [
        "CREATE USER \"testuser\" WITH ENCRYPTED PASSWORD %(password)s "
    ],
    "user": "testuser"
}
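The chmod 711 check in the report works because chdir needs search (x) permission on every ancestor of the target as well as on the target itself. The following is an added example, not part of the original issue and not Mitogen's code: it uses mode bits only to find which directory blocks a given user. `can_search`, `first_blocked_dir` and the `root` parameter are hypothetical names; it assumes Python 3 on a POSIX host and ignores ACLs and capabilities.

```python
import os
import stat


def can_search(st, uid, gids):
    """True if uid/gids get the search (x) bit on a directory's stat result."""
    if uid == 0:
        return True  # root bypasses mode-bit checks
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def first_blocked_dir(cwd, uid, gids, root=os.sep):
    """Return the first directory between root and cwd (inclusive) that the
    user cannot traverse, or None if mode bits would allow chdir(cwd)."""
    root = os.path.realpath(root)
    cwd = os.path.realpath(cwd)
    rel = os.path.relpath(cwd, root)
    if rel.split(os.sep)[0] == os.pardir:
        raise ValueError("cwd is not below root")
    parts = [] if rel == os.curdir else rel.split(os.sep)
    current = root
    if not can_search(os.stat(current), uid, gids):
        return current
    for part in parts:
        current = os.path.join(current, part)
        if not can_search(os.stat(current), uid, gids):
            return current
    return None


if __name__ == "__main__":
    import pwd
    import sys

    # Usage: script.py USER DIRECTORY (run as a user able to stat every component)
    pw = pwd.getpwnam(sys.argv[1])
    groups = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    print(first_blocked_dir(sys.argv[2], pw.pw_uid, groups))
```

Run before a play that uses become_user, this names the single directory whose mode needs attention, so access can be granted there without loosening permissions on the rest of the tree.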
Seeing this same issue using ansible 2.8 and mitogen 0.2.8; in our case though we're running ansible/mitogen during an AWS user-data script, so it runs as root. The file task fails when we used become_user to switch to a local service account. In our case we can work around it since the become_user wasn't a necessary step for the execution, so we just removed it.
@dw this is actually becoming a pretty major error, it impacts multiple tasks in our playbooks, and we cannot roll back to 0.2.7 because it isn't compatible with ansible 2.8
Looks to be related to the fix from #591
I think I've just hit this as well ... is there a workaround?
My use case is this.. and I think I found a workaround for me:
- name: do something
  become_user: "{{ lookup('env', 'USER') }}" # https://github.com/mitogen-hq/mitogen/issues/636
  become: true
  command:
    chdir: /tmp
    cmd: my_command
  delegate_to: 127.0.0.1 # Run this locally (where you issued ansible from)
This runs local to where I issued the ansible command per delegate_to, so I just become the user who issues the ansible command as a workaround.