ansible-middleware / amq

A collection to manage AMQ brokers
Apache License 2.0

AMQ-program directory is owned by root. #13

Closed RobertFloor closed 2 years ago

RobertFloor commented 2 years ago
SUMMARY

The default installation makes root the owner of the folder /opt/amq/amq-broker and its subfolder. I believe the amq-broker user should be the owner of this directory. The ownership by root creates a problem when running the task that masks the passwords (actual command: /opt/amq/amq-broker/bin/artemis mask -- amq-broker).

ISSUE TYPE
ANSIBLE VERSION
❯ ansible --version
ansible [core 2.13.3]
  config file = None
  configured module search path = ['/Users/robertfloor/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/Cellar/ansible/6.3.0/libexec/lib/python3.10/site-packages/ansible
  ansible collection location = /Users/robertfloor/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.10.6 (main, Aug 11 2022, 13:49:25) [Clang 13.1.6 (clang-1316.0.21.2.5)]
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
# /Users/robertfloor/.ansible/collections/ansible_collections
Collection                                Version
----------------------------------------- -------
ansible.posix                             1.4.0
community.general                         3.1.0
geerlingguy.mac                           1.1.2
haAMQ.ansibleCollection                   1.0.0
middleware_automation.redhat_csp_download 1.2.2
amq/playbooks main !1 ?1 ❯
STEPS TO REPRODUCE

Run the playbook as specified in the readme: ansible-playbook -i hosts_vagrant.yml activemq.yml -v

It fails on this task:

---
- name: Set masked user password
  block:
    - name: Get masked password for user
      ansible.builtin.command: "{{ amq_broker.instance_home }}/bin/artemis mask -- '{{ item.password }}'"
      register: mask_pwd
      changed_when: False
      #no_log: True
    - name: Add masked password to users list
      ansible.builtin.set_fact:
        amq_broker_masked_users: "{{ amq_broker_masked_users | default([]) + [ { 'user': item.user, 'password': mask_pwd.stdout | replace('result: ',''), 'role': item.role } ] }}"
      #no_log: True
      when: item.password is defined and item.password | length > 0
EXPECTED RESULTS
ACTUAL RESULTS

< TASK [amq_broker : Get masked password for user] >

    \   ^__^
     \  (oo)\_______
        (__)\       )\/\
            ||----w |
            ||     ||
fatal: [192.168.2.212]: FAILED! => {"changed": false, "cmd": "/opt/amq/amq-broker/bin/artemis mask -- amq-broker", "msg": "[Errno 13] Permission denied: b'/opt/amq/amq-broker/bin/artemis'", "rc": 13, "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}
fatal: [192.168.2.211]: FAILED! => {"changed": false, "cmd": "/opt/amq/amq-broker/bin/artemis mask -- amq-broker", "msg": "[Errno 13] Permission denied: b'/opt/amq/amq-broker/bin/artemis'", "rc": 13, "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}

I believe it is caused by the ownership of the amq-broker directory by root.

[root@amq1 amq-broker]# ll
total 0
drwxr-xr-x. 2 root       root        44 Aug 25 08:15 bin
drwxr-x---. 3 amq-broker amq-broker  20 Aug 25 08:15 data
drwxr-xr-x. 2 root       root       226 Aug 25 08:15 etc
drwxr-xr-x. 2 root       root         6 Aug 25 08:15 lib
drwxr-xr-x. 2 root       root         6 Aug 25 08:15 log
drwxr-xr-x. 2 root       root         6 Aug 25 08:15 tmp
[root@amq1 amq-broker]# pwd
/opt/amq/amq-broker

guidograzioli commented 2 years ago

note to self: check become https://github.com/ansible-middleware/amq/blame/0e30d7f970fa49b46e92716bc57b978cc175c7d4/roles/amq_broker/tasks/systemd.yml#L51

RobertFloor commented 2 years ago

Hi, thanks for the fixes. I was trying the latest version in main. I ran the playbook again and it went a little bit further. However, it failed at another task (I removed the no_log settings for this task):

< TASK [amq_broker : Configure users] >
 -------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

fatal: [192.168.2.211]: FAILED! => {"msg": "Failed to get information on remote file (/opt/amq/amq-broker/etc/artemis-users.properties): Permission denied"}
fatal: [192.168.2.212]: FAILED! => {"msg": "Failed to get information on remote file (/opt/amq/amq-broker/etc/artemis-users.properties): Permission denied"}

These are the permissions for the etc folder:

[root@amq1 etc]# ll
total 44
-rw-r--r--. 1 amq-broker amq-broker   966 Sep  2 07:38 artemis-roles.properties
-rw-r--r--. 1 amq-broker amq-broker  1166 Sep  2 07:38 artemis-users.properties
-rw-r--r--. 1 amq-broker amq-broker  3101 Sep  2 07:38 artemis.profile
-rw-r--r--. 1 amq-broker amq-broker  1521 Sep  2 07:38 bootstrap.xml
-rw-r--r--. 1 amq-broker amq-broker 12150 Sep  2 07:38 broker.xml
-rw-r--r--. 1 amq-broker amq-broker  1316 Sep  2 07:38 jolokia-access.xml
-rw-r--r--. 1 amq-broker amq-broker  3259 Sep  2 07:38 logging.properties
-rw-r--r--. 1 amq-broker amq-broker  1086 Sep  2 07:38 login.config
-rw-r--r--. 1 amq-broker amq-broker  2364 Sep  2 07:38 management.xml

I am running Ansible with the default user for Ansible. I don't know if this is meant to be?
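
Added example, not part of the issue thread or the collection's code: a stat-style "Permission denied" on a file whose own mode is 0644 usually comes from a directory on the path that lacks the search (x) bit for the calling user, so this sketch walks a path component by component and reports the first one whose mode bits deny a given uid. The function names, the constructed tree and its modes are assumptions; ACLs, SELinux and root's override are not modelled, and it should be run by an account that can stat every component.

```python
import os
import stat
import tempfile

def class_bits(st, uid, gids):
    """rwx triplet (0-7) that applies to uid/gids: owner, else group, else other."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def first_denied(base, relpath, uid, gids, want="r"):
    """Return (path, reason) for the first component under base that denies a
    non-root uid, or None. base itself is assumed reachable."""
    need = {"r": 4, "w": 2, "x": 1}[want]
    parts = [p for p in relpath.split("/") if p]
    current = base
    for i, part in enumerate(parts):
        current = os.path.join(current, part)
        st = os.stat(current)
        bits = class_bits(st, uid, gids)
        if i < len(parts) - 1:
            # Every directory on the way needs the search (x) bit.
            if not stat.S_ISDIR(st.st_mode):
                return (current, "not a directory")
            if not bits & 1:
                return (current, "no search (x) permission on directory")
        elif not bits & need:
            return (current, f"no {want} permission")
    return None

def demo():
    """Constructed tree (modes are assumptions, not taken from the issue)."""
    base = tempfile.mkdtemp()
    home = os.path.join(base, "amq-broker")
    etc = os.path.join(home, "etc")
    os.makedirs(etc)
    users = os.path.join(etc, "artemis-users.properties")
    open(users, "w").close()
    os.chmod(users, 0o644)
    os.chmod(etc, 0o755)
    os.chmod(home, 0o750)
    st = os.stat(home)
    # Hypothetical unrelated account: not the owner, not in the owning group.
    other_uid, other_gids = st.st_uid + 1, {st.st_gid + 1}
    rel = "amq-broker/etc/artemis-users.properties"
    return (first_denied(base, rel, st.st_uid, {st.st_gid}),
            first_denied(base, rel, other_uid, other_gids), base)
```

On a real host, call `first_denied("/", "opt/amq/amq-broker/etc/artemis-users.properties", uid, gids)` with the uid and group ids of the account Ansible connects as.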