I’m working on a playbook where I need to remount /home to remove the noexec option, then preform a task, then remount /home adding noexec back, on RHEL 8.8. However, when I use the state: remounted the host system does not appear to have noexec removed. Here is my tasks:
- name: Get /home mount options
ansible.builtin.set_fact:
home_mount_options: "{{ ansible_facts.mounts | selectattr('mount', '==', '/home') | map(attribute='options') | first }}"
tags: remount
- name: Remove 'noexec' mount option
ansible.builtin.set_fact:
modified_home_mount_options: "{{ home_mount_options | regex_replace('(?:^|,)noexec(?:,|$)', ',') | regex_replace('(?:^,)|(?:,$)', '') }}"
tags: remount
- name: Remount /home filesystem to remove noexec
become: true
ansible.posix.mount:
path: "/home"
src: "{{ ansible_facts.mounts | selectattr('mount', '==', '/home') | map(attribute='device') }}"
opts: "{{ modified_home_mount_options }}"
state: remounted
register: home_remount
when: "'noexec' in home_mount_options"
tags: remount
- name: debug | remove after issue is resolved
debug:
msg: "{{ home_remount }}"
tags: remount
Then I see the following output:
PLAY [remount] **************************************************************************************************************************************************************************************************************************
TASK [Gathering Facts] ******************************************************************************************************************************************************************************************************************
ok: [lnx-dpl-dev-01.acuity.com]
TASK [updates : Get /home mount options] ************************************************************************************************************************************************************************************************
ok: [lnx-dpl-dev-01.acuity.com]
TASK [updates : Remove 'noexec' mount option] *******************************************************************************************************************************************************************************************
ok: [lnx-dpl-dev-01.acuity.com]
TASK [updates : Remount /home filesystem to remove noexec] ******************************************************************************************************************************************************************************
changed: [lnx-dpl-dev-01.acuity.com]
TASK [updates : debug] ******************************************************************************************************************************************************************************************************************
ok: [lnx-dpl-dev-01.acuity.com] => {
"msg": {
"backup_file": "",
"boot": "yes",
"changed": true,
"dump": "0",
"failed": false,
"fstab": "/etc/fstab",
"name": "/home",
"opts": "rw,seclabel,nosuid,nodev,relatime",
"passno": "0",
"src": "['/dev/mapper/system_vg-homelv']"
}
}
TASK [updates : Pause to review above statements] ***************************************************************************************************************************************************************************************
Pausing for 180 seconds
(ctrl+C then 'C' = continue early, ctrl+C then 'A' = abort)
Press 'C' to continue the play or 'A' to abort
ok: [lnx-dpl-dev-01.acuity.com]
PLAY RECAP ******************************************************************************************************************************************************************************************************************************
lnx-dpl-dev-01.acuity.com : ok=6 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
I can see in the debug output the the task did change the mount option. However, I’m still seeing noexec is applied on the host system
/dev/mapper/system_vg-homelv on /home type ext4 (rw,nosuid,nodev,noexec,relatime,seclabel)
I’m unable to run a script from my home directory, as I receive a “permission denied” error, as expected when noexec is present on the mount.
The fstab is not updated, as per the mount documentation it shouldn’t be, which is what I would like since this is just a temporary operation.
Then am I reading the documentation incorrectly, is the remounted state not doing something like mount -o remount,exec /home? I know I can change the state to mounted, then I need to supply the fstype, while that’s not a big deal, but if I don’t need to I would prefer not to. Any help would be great.