ProfessorManhattan / ansible-deno

Installs Deno (an alternative to Node.js that supports TypeScript and is built with security in mind) on nearly any platform
https://megabyte.space

msg: Failed to change ownership of the temporary files Ansible (via chmod nor setfacl) needs to create … #1

Open ELLIOTTCABLE opened 1 year ago

ELLIOTTCABLE commented 1 year ago

❔ What are you experiencing an issue with?

Latest Release

❔ Version

v2.3.0

🐞 Description

Attempting to run the professormanhattan.deno role, without arguments or other roles, resulted in this error-message:

fatal: [angelica.my.domain]: FAILED! => 
  msg: |-
    Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user (rc: 1, err: chmod: invalid mode: ‘A+user:{{ ansible_user if ansible_os_family == 'Windows' else omit }}:rx:allow’
    Try 'chmod --help' for more information.
    }). For information on working around this, see https://docs.ansible.com/ansible-core/2.14/user_guide/become.html#risks-of-becoming-an-unprivileged-user

… reading some docs, and doing some Googling, I tried the following:

  1. turning on root-login, and switching my inventory to instruct the playbook to run as root — the error changed to this, but still occurs:

    TASK [professormanhattan.deno : Ensure custom facts directory exists] ***********************************************************************
    fatal: [angelica.my.domain]: FAILED! => 
      msg: Failed to change ownership of the temporary files Ansible (via chmod nor setfacl) needs to create despite connecting as a privileged user. Unprivileged become user would be unable to read the file.
  2. Adding the aisbergg.acl to ensure setfacl exists (now it does), but still the same error;

  3. Configuring ansible to use a different remote_tmp = /tmp/.ansible/tmp directory, still the same error.

⏺️ Steps To Reproduce

# playbook.yaml
- name: All hosts idk
  hosts: all
  roles:
     - aisbergg.acl
     - professormanhattan.deno
$ ansible-playbook -vvv -i hosts.yaml playbook.yaml

📒 Relevant Log Output

Full log: https://gist.github.com/ELLIOTTCABLE/7552cae76038df5c4dd7be675e567e08

TASK [professormanhattan.deno : Ensure custom facts directory exists] ***********************************************************************
task path: /Users/me/.ansible/roles/professormanhattan.deno/tasks/install-Linux.yml:2
<angelica.my.domain> ESTABLISH SSH CONNECTION FOR USER: root
<angelica.my.domain> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o 'ControlPath="/Users/me/.ansible/cp/ff06be8640"' angelica.my.domain '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /var/tmp `"&& mkdir "` echo /var/tmp/ansible-tmp-1682189697.719-66762-41816168064046 `" && echo ansible-tmp-1682189697.719-66762-41816168064046="` echo /var/tmp/ansible-tmp-1682189697.719-66762-41816168064046 `" ) && sleep 0'"'"''
<angelica.my.domain> (0, b'ansible-tmp-1682189697.719-66762-41816168064046=/var/tmp/ansible-tmp-1682189697.719-66762-41816168064046\n', b'')
Using module file /Users/me/.local/share/rtx/installs/python/3.11.3/lib/python3.11/site-packages/ansible/modules/file.py
<angelica.my.domain> PUT /Users/me/.ansible/tmp/ansible-local-66646jp_5ws3t/tmpmy41hutq TO /var/tmp/ansible-tmp-1682189697.719-66762-41816168064046/AnsiballZ_file.py
<angelica.my.domain> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o 'ControlPath="/Users/me/.ansible/cp/ff06be8640"' '[angelica.my.domain]'
<angelica.my.domain> (0, b'sftp> put /Users/me/.ansible/tmp/ansible-local-66646jp_5ws3t/tmpmy41hutq /var/tmp/ansible-tmp-1682189697.719-66762-41816168064046/AnsiballZ_file.py\n', b'')
<angelica.my.domain> ESTABLISH SSH CONNECTION FOR USER: root
<angelica.my.domain> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o 'ControlPath="/Users/me/.ansible/cp/ff06be8640"' angelica.my.domain '/bin/sh -c '"'"'setfacl -m '"'"'"'"'"'"'"'"'u:{{ ansible_user if ansible_os_family == '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'Windows'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' else omit }}:r-x'"'"'"'"'"'"'"'"' /var/tmp/ansible-tmp-1682189697.719-66762-41816168064046/ /var/tmp/ansible-tmp-1682189697.719-66762-41816168064046/AnsiballZ_file.py && sleep 0'"'"''
<angelica.my.domain> (2, b'', b'setfacl: Option -m: Invalid argument near character 3\n')
<angelica.my.domain> Failed to connect to the host via ssh: setfacl: Option -m: Invalid argument near character 3
<angelica.my.domain> ESTABLISH SSH CONNECTION FOR USER: root
<angelica.my.domain> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o 'ControlPath="/Users/me/.ansible/cp/ff06be8640"' angelica.my.domain '/bin/sh -c '"'"'chmod u+x /var/tmp/ansible-tmp-1682189697.719-66762-41816168064046/ /var/tmp/ansible-tmp-1682189697.719-66762-41816168064046/AnsiballZ_file.py && sleep 0'"'"''
<angelica.my.domain> (0, b'', b'')
<angelica.my.domain> ESTABLISH SSH CONNECTION FOR USER: root
<angelica.my.domain> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o 'ControlPath="/Users/me/.ansible/cp/ff06be8640"' angelica.my.domain '/bin/sh -c '"'"'chown '"'"'"'"'"'"'"'"'{{ ansible_user if ansible_os_family == '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'Windows'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' else omit }}'"'"'"'"'"'"'"'"' /var/tmp/ansible-tmp-1682189697.719-66762-41816168064046/ /var/tmp/ansible-tmp-1682189697.719-66762-41816168064046/AnsiballZ_file.py && sleep 0'"'"''
<angelica.my.domain> (1, b'', b"chown: invalid user: \xe2\x80\x98{{ ansible_user if ansible_os_family == 'Windows' else omit }}\xe2\x80\x99\n")
<angelica.my.domain> Failed to connect to the host via ssh: chown: invalid user: ‘{{ ansible_user if ansible_os_family == 'Windows' else omit }}’
<angelica.my.domain> ESTABLISH SSH CONNECTION FOR USER: root
<angelica.my.domain> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="root"' -o ConnectTimeout=10 -o 'ControlPath="/Users/me/.ansible/cp/ff06be8640"' angelica.my.domain '/bin/sh -c '"'"'rm -f -r /var/tmp/ansible-tmp-1682189697.719-66762-41816168064046/ > /dev/null 2>&1 && sleep 0'"'"''
<angelica.my.domain> (0, b'', b'')
fatal: [angelica.my.domain]: FAILED! => 
  msg: Failed to change ownership of the temporary files Ansible (via chmod nor setfacl) needs to create despite connecting as a privileged user. Unprivileged become user would be unable to read the file.

PLAY RECAP **********************************************************************************************************************************
angelica.my.domain           : ok=4    changed=0    unreachable=0    failed=1    skipped=10   rescued=0    ignored=0

💡 Possible Solution

No response

ELLIOTTCABLE commented 1 year ago

Huh. Ran into this again, in an unrelated situation, two months later. Same error, basically; again with acl installed:

TASK [professormanhattan.deno : Ensure custom facts directory exists] **********
fatal: [eurydice.somewhere]: FAILED! => 
  msg: |-
    Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user (rc: 1, err: chmod: invalid mode: ‘A+user:{{ ansible_user if ansible_os_family == 'Windows' else omit }}:rx:allow’
    Try 'chmod --help' for more information.
    }). For information on working around this, see https://docs.ansible.com/ansible-core/2.14/user_guide/become.html#risks-of-becoming-an-unprivileged-user

This is confusing, because the README says:

The role handles the become behavior so you can simply add the role to your playbook without having to worry about commands that should not be run as root.

ELLIOTTCABLE commented 1 year ago

Just to call attention to it, it looks like some become_user value somewhere is set incorrectly, such that template substitution isn't functioning:

err: chmod: invalid mode: ‘A+user:{{ ansible_user if ansible_os_family == 'Windows' else omit }}:rx:allow’

ELLIOTTCABLE commented 1 year ago

Also, it tries to pass the same argument to setfacl, hahaha — earlier in the log, with -vvv enabled:

<eurydice.sth> ESTABLISH SSH CONNECTION FOR USER: None
<eurydice.sth> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s \
  -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey \
  -o PasswordAuthentication=no -o ConnectTimeout=10 -o 'ControlPath="/Users/ec/.ansible/cp/861003508c"' eurydice.sth \
  '/bin/sh -c \
  '"'"'setfacl -m '"'"'"'"'"'"'"'"'u:{{ ansible_user if ansible_os_family == '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'Windows'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"' else omit }}:r-x'"'"'"'"'"'"'"'"' /var/tmp/ansible-tmp-1688151355.624567-7202-71179258779996/ /var/tmp/ansible-tmp-1688151355.624567-7202-71179258779996/AnsiballZ_file.py && sleep 0'"'"''
<eurydice.sth> (2, b'', b'setfacl: Option -m: Invalid argument near character 3\n')
<eurydice.sth> Failed to connect to the host via ssh: setfacl: Option -m: Invalid argument near character 3
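The two comments above point at the same symptom: the `become_user` expression reaches the remote host as a literal Jinja string and is handed unrendered to `setfacl` and `chown`. The following is an added example, not code from this role or from any commenter: a small Python checker that scans Ansible `-vvv` output for privilege-related commands (`setfacl`, `chown`, `chmod`) still carrying an unrendered `{{ ... }}` expression, pairs each with the return code of the command, and lists which variables the expression referenced. The log lines it runs on are constructed here, shortened from the ones quoted in this issue; the function names and the exact line layout are assumptions.

```python
import re

# Constructed sample, shortened from the -vvv lines quoted in this issue.
SAMPLE_LOG = r"""
<angelica.my.domain> SSH: EXEC ssh -C angelica.my.domain '/bin/sh -c '"'"'setfacl -m '"'"'u:{{ ansible_user if ansible_os_family == 'Windows' else omit }}:r-x'"'"' /var/tmp/ansible-tmp-1/ /var/tmp/ansible-tmp-1/AnsiballZ_file.py && sleep 0'"'"''
<angelica.my.domain> (2, b'', b'setfacl: Option -m: Invalid argument near character 3\n')
<angelica.my.domain> SSH: EXEC ssh -C angelica.my.domain '/bin/sh -c '"'"'chmod u+x /var/tmp/ansible-tmp-1/ && sleep 0'"'"''
<angelica.my.domain> (0, b'', b'')
<angelica.my.domain> SSH: EXEC ssh -C angelica.my.domain '/bin/sh -c '"'"'chown '"'"'{{ ansible_user if ansible_os_family == 'Windows' else omit }}'"'"' /var/tmp/ansible-tmp-1/AnsiballZ_file.py && sleep 0'"'"''
<angelica.my.domain> (1, b'', b"chown: invalid user: \xe2\x80\x98{{ ansible_user if ansible_os_family == 'Windows' else omit }}\xe2\x80\x99\n")
"""

# An unrendered Jinja expression that survived into a shell command.
JINJA = re.compile(r"\{\{.*?\}\}")
# Commands Ansible uses to hand its temp files to the become user.
PRIV_CMD = re.compile(r"\b(setfacl|chown|chmod)\b")
# Layout of -vvv "SSH: EXEC" lines and of the "(rc, stdout, stderr)" result lines (assumed shape).
EXEC_LINE = re.compile(r"^<(?P<host>[^>]+)> SSH: EXEC (?P<cmd>.*)$")
RESULT_LINE = re.compile(r"^<(?P<host>[^>]+)> \((?P<rc>\d+), ")

# Jinja keywords that are not variable names.
JINJA_KEYWORDS = {"if", "else", "omit", "and", "or", "not", "in", "is", "true", "false", "none"}


def find_unrendered_become(log_text):
    """Return one finding per privilege command that still contains a {{ ... }} expression.

    Each finding records the host, the tool (setfacl/chown/chmod), the literal
    template text that reached the shell, and the return code of that command
    taken from the result line that follows it.
    """
    findings = []
    pending = None
    for line in log_text.splitlines():
        m = EXEC_LINE.match(line)
        if m:
            cmd = m.group("cmd")
            tool = PRIV_CMD.search(cmd)
            tpl = JINJA.search(cmd)
            if tool and tpl:
                pending = {
                    "host": m.group("host"),
                    "tool": tool.group(1),
                    "template": tpl.group(0),
                    "rc": None,
                }
                findings.append(pending)
            else:
                pending = None  # a clean command; its result line is not of interest
            continue
        r = RESULT_LINE.match(line)
        if r and pending is not None and r.group("host") == pending["host"]:
            pending["rc"] = int(r.group("rc"))
            pending = None
    return findings


def template_variables(template):
    """List the variable names referenced by an unrendered {{ ... }} expression.

    String literals are dropped first so that 'Windows' is not mistaken for a
    variable; Jinja keywords are filtered out; order of first appearance is kept.
    """
    body = template.strip("{} ")
    body = re.sub(r"'[^']*'|\"[^\"]*\"", "", body)
    names = []
    for ident in re.findall(r"[A-Za-z_]\w*", body):
        if ident.lower() not in JINJA_KEYWORDS and ident not in names:
            names.append(ident)
    return names


if __name__ == "__main__":
    for f in find_unrendered_become(SAMPLE_LOG):
        print(f"{f['host']}: {f['tool']} got unrendered {f['template']!r} "
              f"(rc={f['rc']}); variables: {template_variables(f['template'])}")
```

Run against a real `ansible-playbook -vvv` capture, the checker separates this failure mode (an identity string that was never templated) from a genuine permissions problem: a finding with a non-zero `rc` and a `{{ ... }}` template means the role's `become_user` value, not the host's ACL support, is what needs fixing, and the variable list shows which facts the expression expected to have available.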
alexbmw00 commented 3 weeks ago

Hi Guys,

Solution applied in 'execution-environment.yml'

Since it is Windows access, the user is Administrator or another Windows account (which does not exist in the EE container), causing a problem with the artifacts' tmp file.

If you activate debugging level 5 (winrm), you will notice a setfacl message passing the Administrator user; as it is localhost (delegate_to: localhost), this user does not exist in podman.

Append to the file execution-environment.yml:

additional_build_steps:
  prepend: |
    RUN useradd -r my_windows_another_user_name
    RUN useradd -r Administrator
  append: