Permission denied while copy with sudo (Related to issue 2837)

Archives Ansible Project
1

Hi everybody,

Another newbie in Ansible …
And I have a problem of permission with the copy task…

Problem when I launch the playbook :
ansible-playbook -k -K -i dev all.yml -vvv

failed: [acomputer.se] => {“failed”: true, “item”: “”}

msg: Could not replace file: /home/xxx/.ansible/tmp/ansible-1374162746.23-59345204944449/source to /etc/ntp.conf: [Errno 13] Permission denied: ‘/home/xxx/.ansible/tmp/ansible-1374162746.23-59345204944449/source’

My configuration is:

role/common/tasks/main.yml

  • name: ensure NTP point out to the ntp server
    copy: src=ntp.conf dest=/etc/ntp.conf owner=root group=root mode=0644

all.yml

  • hosts: all
    sudo: yes
    roles:
  • common

My investigation shows me some relationship with this issues (https://github.com/ansible/ansible/issues/2837).

In my case the copy task move (instead of copy) the source file to /etc/.ntp… but the source file is read only for root !!!

I could reproduce the problem with this linux command :

sudo mv /home/xxx/.ansible/tmp/ansible-1374162746.23-59345204944449/source /etc/.ntp.conf.bug

mv: cannot remove `/home/xxx/.ansible/tmp/ansible-1374162746.23-59345204944449/source’: Permission denied

Of course the mod of the file doesn’t allow the write access :

~% ll /home/xxx/.ansible/tmp/ansible-1374162746.23-59345204944449
total 44
-rw-r–r-- 1 xxx yyy 38960 Jul 18 18:32 copy
-rw-r–r-- 1 xxx yyy 1860 Jul 18 17:52 source

Questions :

  1. Is there a possibility to change the mod of the source file somehow ?
  2. Is there any reason to move the file instead of always copy it (see the patch https://github.com/bcoca/ansible/commit/bdeb370d7942119944ee4d04e94391fe6ffe2ff3) ? because in any case the tempdir will be deleted (I try to patch with success).
  3. for myself : Am I the only one ?
    Thank you to have read this long topic.

Best regards,
Vincent

2

Before we dive into questions, as is a good case with all of these kind of reports, please share the version of Ansible you are using.

Sounds like your user might not own ~/.ansible here or something.

Anyway, there’s an outstanding patch from Brian to tweak the code to do renames in a few cases that may fix you up here, but I’m curious about what is unique about your system – not a frequent report I’ve heard about.

3

Thanks for your answer.
Effectively with the version of ansible is better. So I tried first with 1.2 (rpm from epel) but it happens with release1.2.1 and even the development branch.

I’m the owner of ~/.ansible. But now you talk about “unique” maybe one thing: the home directory is nfs mount. So when I launch ansible from computer A to computer B, ansible use the same “drive” space.

This pull request can be more explicit : https://github.com/ansible/ansible/pull/3587.

Best regards,
Vincent

4

Is NFS mounted with root squash?

Brian Coca

5

I’m not enough expert to say yes or no immediately.
Just let me google how to check that.

BTW Is there a way to change the temp dir?

6

run mount and it should show the options with which nfs was set up, it is probably the cause of this issue as root generally can do anything on a local box and should (selinux baring) never get a permission denied error.

yes, changing the temp dir will solve this case, there is a env var and an ansible.cfg setting.

7

From the exports table the NFS is exported with root_squash (default behaviour)

8

Well, that explains the failure.

As a workaround defining the ansible tmp dir outside of the NFS mount, which you should do anyways. You really wan’t to keep the ansible tmp files local to the machine, specially if you are doing servers in parallel with the same home mounted.

9

Just for clarification, have you tried the development branch as of about 20 minutes ago?

Some code changes in that regard and want to make sure you’re trying latest before I try to replicate things.

–Michael

10

But yes, Brian is correct. The ansible remote temp path should probably be configured and forced to /tmp in this case.

11

I have just pull the last version but it is the same behaviour.

~/projects/cfg-maxlab-ansible/etc/ansible% ansible-playbook --version
ansible-playbook 1.3 (devel f4b1e426ea) last updated 2013/07/19 18:08:52 (GMT +200)

TASK: [ensure NTP point out to the ntp server] *************************
failed: [computerA.se] => {“failed”: true, “item”: “”}
msg: Could not replace file: /home/xxx/.ansible/tmp/ansible-1374250532.29-44727094344629/source to /etc/ntp.conf: [Errno 13] Permission denied: ‘/home/xxx/.ansible/tmp/ansible-1374250532.29-44727094344629/source’

By changing the temp directory it works.

Thank you Michael and Brian.

Vincent

12

Ok, thanks, good data. I think we can improve the error message quality and also possibly tech the system to retry at the other location.

13

Hi vincent,

mee to facing the same issue…
changing the tmp directory means, what you mean??

you mean to change that in our hosts???

can u explain litttle bit clear…

14

When i am creating directory i am getting permission denied…

ansible version 2.4.3

“msg”: "There was an issue creating /etc/xxxx as requested: [Errno 13] Permission denied: b’/etc/xxxx’

15

There’s a configuration option, remote_tmp. Setting that to a system directory (like /tmp or /var/tmp ) can fix this error.

16

Hello @Toshio ,

Thanks for your response, i tried and i changed in the ansible.cfg file to remote_tmp: /var/tmp and still same error…

Yaml file i am using…
name: using
hosts: all
tasks:

  • name: creates directory
    file:
    path: /etc/xxxx
    state: directory
    owner: root
    group: root
    mode: 0755

Error i am getting…

“msg”: "There was an issue creating /etc/xxxx as requested: [Errno 13] Permission denied: b’/etc/xxxx’

Any help…

thanks

17

Your having a different problem than the person you replied to. Your issue is that you don’t have permission on the directory that you are asking ansible to create (/etc/xxxx ). The original poster was having problems with an internal ansible temporary directory.

For your issue, you need the user you are logging into the remote machine as to have permission to create that directory or you need to use ansible’s become facilities to become a user with sufficient permissions to create the directory.

For instance, on my machines ansible will log into the remote machine as an unprivilrged user and then use sudo with password to become root. Using your playing, I’d invoke ansible with a commandline like this:

ansible-playbook --become --become-user=root -K test.yml