ansistrano / deploy

Ansible role to deploy scripting applications like PHP, Python, Ruby, etc. in a capistrano style
https://ansistrano.com
MIT License

deploy fail on "Ensure GIT deployment key is up to date (local key file)" #357

Closed grosmanal closed 2 years ago

grosmanal commented 4 years ago

Hello, deployment with ansistrano failed on the step: Ensure GIT deployment key is up to date (local key file). Here is the error log with maximum Ansible verbosity:

The full traceback is:
Traceback (most recent call last):
  File "/tmp/ansible_copy_payload_jFYFtt/ansible_copy_payload.zip/ansible/module_utils/basic.py", line 2575, in atomic_move
    shutil.move(b_src, b_tmp_dest_name)
  File "/usr/lib/python2.7/shutil.py", line 325, in move
    copy2(src, real_dst)
  File "/usr/lib/python2.7/shutil.py", line 153, in copy2
    copyfile(src, dst)
  File "/usr/lib/python2.7/shutil.py", line 96, in copyfile
    with open(src, 'rb') as fsrc:
IOError: [Errno 13] Permission non accordée: '/home/localadmin/.ansible/tmp/ansible-tmp-1596613784.4476206-4719340430651/source'

fatal: [webservice.algam.net]: FAILED! => {
    "changed": false,
    "checksum": "35ef419775acc53f8c32cdeaa5315ab07f7f65bb",
    "diff": [],
    "invocation": {
        "module_args": {
            "_original_basename": "svc_gitlab_id_rsa",
            "attributes": null,
            "backup": false,
            "checksum": "35ef419775acc53f8c32cdeaa5315ab07f7f65bb",
            "content": null,
            "delimiter": null,
            "dest": "/opt/webserviceBUG/git_identity_key",
            "directory_mode": null,
            "follow": false,
            "force": true,
            "group": null,
            "local_follow": null,
            "mode": 256,
            "owner": null,
            "regexp": null,
            "remote_src": null,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "src": "/home/localadmin/.ansible/tmp/ansible-tmp-1596613784.4476206-4719340430651/source",
            "unsafe_writes": null,
            "validate": null
        }
    },
    "msg": "Failed to replace file: /home/localadmin/.ansible/tmp/ansible-tmp-1596613784.4476206-4719340430651/source to /opt/webserviceBUG/git_identity_key: [Errno 13] Permission non accordée: '/home/localadmin/.ansible/tmp/ansible-tmp-1596613784.4476206-4719340430651/source'"
}

After some research, I found the issue is caused by the presence of partitions on the target deployment host. Ansistrano overwrites the git_identity_key file each time the deploy script is launched. According to this, the permission of this file has to be 400 (nobody can read it). In the case of a single-partition filesystem, moving the file from the temporary Ansible directory to the «ansistrano deploy to» directory does not require Python to read the file; it only changes the «filesystem table of contents» (I suppose). This works fine.

But in the case of a multi-partition filesystem, more specifically if the home of the remote user used by Ansible (localadmin for me) is on a different partition from the deployment directory (the ansistrano_deploy_to value, /opt/webserviceBUG in the previous log), Python needs to read the file to copy its content to the other filesystem before removing the file. Because of the lack of read permission, Python fails to open the file in the Ansible temporary directory.

As a workaround, I found that deleting git_identity_key in the ansible_deploy_to directory before trying to overwrite it doesn't trigger this issue (and I don't understand why).

ricardclau commented 3 years ago

Not sure what to do here, as this seems to be a problem related to the way Ansible works plus your setup.

dkmatt0 commented 2 years ago

Hello,

To fix that, I added a before-setup task:

- name: Fix bug with git ssh key
  file:
    path: "{{ ansistrano_deploy_to }}/git_identity_key"
    # give the owner read permission back on the existing key so Ansible can replace it
    mode: u+r
  # the key does not exist on the first deploy, so ignore the failure there
  ignore_errors: true
  no_log: true

But I think there is a problem with the role.

smichelet commented 2 years ago

I encounter the issue too. Indeed, it seems this issue happens when the key on the destination path is on a different partition than the home directory of the user used by Ansible. In this case and as it was said in the first post, Ansible needs the read permissions on the destination file. Also, this issue shouldn't occur if we use the root user because this user can read all files even if there is no read permissions.

The issue doesn't happen anymore when I use the fix suggested in the previous message of this thread. Also, if I remove the shred task (ANSISTRANO | GIT | Shred GIT deployment key), the issue doesn't happen anymore either.

Before the shred task, the key file on the destination path has the 400 permissions, and after the shred task the permissions are set to 200. Then the issue occurs because the read permissions are missing.

Could we get rid of the shred task, or add a variable to activate it or not?
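
The mechanism described in the first post and in the comment above can be reproduced without Ansible. The following Python script is an added example, not code from the ansistrano project or from anyone in this thread. It mirrors the two steps of Ansible's `atomic_move` (the function in `module_utils/basic.py` named in the traceback) that matter here: when the destination already exists, the staged source file is first given the destination's mode, and then it is moved into place, either by a rename on the same filesystem or by a copy-and-unlink fallback across filesystems. All paths, file contents and the helper names (`try_replace`, `atomic_move_like`) are constructed for the demo; the `same_filesystem` flag forces one path or the other instead of relying on a real second partition.

```python
"""Constructed reproduction of the cross-filesystem key replacement failure."""
import errno
import os
import shutil
import stat
import tempfile


def _stage(workdir, existing_dest_mode):
    """Constructed layout: a staged key in an 'ansible tmp' directory and an
    existing destination key whose mode is what a previous deploy left behind
    (0o400 normally, 0o200 after the shred task)."""
    tmp_dir = os.path.join(workdir, "ansible-tmp")
    deploy_dir = os.path.join(workdir, "deploy_to")
    os.makedirs(tmp_dir)
    os.makedirs(deploy_dir)
    src = os.path.join(tmp_dir, "source")
    dest = os.path.join(deploy_dir, "git_identity_key")
    with open(src, "w") as fh:
        fh.write("-----CONSTRUCTED DUMMY KEY, NOT A REAL SECRET-----\n")
    with open(dest, "w") as fh:
        fh.write("old key\n")
    os.chmod(dest, existing_dest_mode)
    return src, dest


def atomic_move_like(src, dest, same_filesystem):
    """Mirror the relevant steps of Ansible's atomic_move: an existing
    destination's mode is copied onto the staged source, then the source is
    moved into place. A rename only rewrites directory entries, so it works
    even when the file is unreadable; the cross-filesystem fallback has to
    open and read the source, which is where the EACCES in the log comes from."""
    if os.path.exists(dest):
        os.chmod(src, stat.S_IMODE(os.stat(dest).st_mode))
    tmp_dest = dest + ".tmp"
    if same_filesystem:
        os.rename(src, tmp_dest)
    else:
        shutil.copy2(src, tmp_dest)  # open(src, 'rb') fails on a 0o200 file
        os.unlink(src)
    os.rename(tmp_dest, dest)


def try_replace(existing_dest_mode, same_filesystem,
                restore_read=False, delete_dest_first=False):
    """Run one scenario in a throwaway directory.
    Returns "ok" or the errno name of the failure (e.g. "EACCES").
    restore_read    -> the chmod u+r workaround from this thread
    delete_dest_first -> the delete-before-overwrite workaround from the first post
    """
    with tempfile.TemporaryDirectory() as workdir:
        src, dest = _stage(workdir, existing_dest_mode)
        if restore_read:
            os.chmod(dest, existing_dest_mode | stat.S_IRUSR)
        if delete_dest_first:
            os.unlink(dest)  # no existing mode to inherit, so src stays readable
        try:
            atomic_move_like(src, dest, same_filesystem)
        except OSError as exc:
            return errno.errorcode.get(exc.errno, str(exc))
        return "ok"


def running_as_root():
    """root bypasses file read permission checks, so the failure cannot be
    reproduced under it (the point made in the comment above)."""
    geteuid = getattr(os, "geteuid", None)
    return geteuid is not None and geteuid() == 0


if __name__ == "__main__":
    scenarios = [
        ("0400 key, same filesystem", 0o400, True, {}),
        ("0400 key, cross filesystem", 0o400, False, {}),
        ("0200 (shredded) key, same filesystem", 0o200, True, {}),
        ("0200 (shredded) key, cross filesystem", 0o200, False, {}),
        ("0200 key, cross fs, chmod u+r first", 0o200, False, {"restore_read": True}),
        ("0200 key, cross fs, delete dest first", 0o200, False, {"delete_dest_first": True}),
    ]
    for label, mode, same_fs, extra in scenarios:
        print(f"{label:45s} -> {try_replace(mode, same_fs, **extra)}")
```

Run as a non-root user, only the "0200 key, cross filesystem" row reports EACCES; the same-filesystem rename succeeds on the unreadable file, and both workarounds from this thread succeed because the staged source never inherits a mode without the owner read bit. This also answers the first post's question about why deleting the key first helps: with no existing destination there is no mode to inherit.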

ricardclau commented 2 years ago

We certainly can add a boolean to make the shred task optional for cases like yours, if it causes a problem in your particular setups. If you can, please submit a PR with a boolean that defaults to keeping the shred step, and I will merge it straight away.

Also, if you can refer to this issue in the README.md when documenting the new variable, that will be helpful for other users.

smichelet commented 2 years ago

Hello.

As you suggested, I've submitted a pull request (with your recommendations) to fix this issue and give the ability not to execute the shred command.

dkmatt0 commented 2 years ago

Hello @ricardclau, please can you create a new tag with this commit, if possible? Thank you!! :)

ricardclau commented 2 years ago

Sorry, real life came in after merging. 3.11.0 is being baked at the moment; please allow some minutes for Travis to finish and post to Ansible Galaxy. Thanks for your contribution!

smichelet commented 2 years ago

The tag has been created. Thank you. This issue can be closed now.

smichelet commented 2 years ago

Sorry to reopen the case, but it seems the tag still doesn't appear on Ansible Galaxy. Is there an issue with the CI?

smichelet commented 2 years ago

New issue opened for the missing tag on Ansible Galaxy: https://github.com/ansistrano/deploy/issues/382