cloudalchemy / ansible-coredns

Ansible provisioning of CoreDNS
MIT License
29 stars 19 forks

Downloading the CoreDNS binary from GitHub requires root permission on Ansible Control host #37

Open phandox opened 4 years ago

phandox commented 4 years ago

What happened? When coredns_binary_local_dir is not specified, the binary is downloaded to the machine from which Ansible is running, requiring root permission there (even when become: false is set in the block).

Did you expect to see something different? I would expect that when coredns_binary_local_dir is not specified, the binary is downloaded on the target machine and installed there.

How to reproduce it (as minimally and precisely as possible):

  1. Do not specify coredns_binary_local_dir in any vars file
  2. Run the playbook with a minimal config under a non-root user of the target machine (with passwordless sudo enabled):
    - hosts: all
      roles:
        - role: cloudalchemy.coredns

Environment

Target machine: CentOS 7
Ansible control machine: Fedora 31

TASK [cloudalchemy.coredns : Naive assertion of proper DNS port number] **********************************
task path: /home/luknagy/.ansible/roles/cloudalchemy.coredns/tasks/preflight.yml:2
ok: [homenas] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [cloudalchemy.coredns : Assert usage of systemd as an init system] **********************************
task path: /home/luknagy/.ansible/roles/cloudalchemy.coredns/tasks/preflight.yml:7
ok: [homenas] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [cloudalchemy.coredns : Check if source Corefile is set] ********************************************
task path: /home/luknagy/.ansible/roles/cloudalchemy.coredns/tasks/preflight.yml:12
ok: [homenas] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [cloudalchemy.coredns : Get checksum for amd64 architecture] ****************************************
task path: /home/luknagy/.ansible/roles/cloudalchemy.coredns/tasks/preflight.yml:17
ok: [homenas] => {"ansible_facts": {"coredns_checksum": "ca229f972e5fbb65964998ad7aed78a677884874a023caee1c6551d0ee8e0c1b"}, "changed": false}

TASK [cloudalchemy.coredns : Create the coredns group] ***************************************************
task path: /home/luknagy/.ansible/roles/cloudalchemy.coredns/tasks/install.yml:2
ok: [homenas] => {"changed": false, "gid": 993, "name": "coredns", "state": "present", "system": true}

TASK [cloudalchemy.coredns : Create the coredns user] ****************************************************
task path: /home/luknagy/.ansible/roles/cloudalchemy.coredns/tasks/install.yml:8
ok: [homenas] => {"append": true, "changed": false, "comment": "", "group": 100, "groups": "coredns", "home": "/", "move_home": false, "name": "coredns", "shell": "/usr/sbin/nologin", "state": "present", "uid": 997}

TASK [cloudalchemy.coredns : create coredns configuration directories] ***********************************
task path: /home/luknagy/.ansible/roles/cloudalchemy.coredns/tasks/install.yml:18
ok: [homenas] => (item=/etc/coredns) => {"ansible_loop_var": "item", "changed": false, "gid": 0, "group": "root", "item": "/etc/coredns", "mode": "0755", "owner": "root", "path": "/etc/coredns", "secontext": "unconfined_u:object_r:etc_t:s0", "size": 4096, "state": "directory", "uid": 0}
ok: [homenas] => (item=/etc/coredns/zones) => {"ansible_loop_var": "item", "changed": false, "gid": 0, "group": "root", "item": "/etc/coredns/zones", "mode": "0755", "owner": "root", "path": "/etc/coredns/zones", "secontext": "unconfined_u:object_r:etc_t:s0", "size": 4096, "state": "directory", "uid": 0}

TASK [cloudalchemy.coredns : Download coredns binary to local folder] ************************************
task path: /home/luknagy/.ansible/roles/cloudalchemy.coredns/tasks/install.yml:30
FAILED - RETRYING: Download coredns binary to local folder (5 retries left).
FAILED - RETRYING: Download coredns binary to local folder (4 retries left).
FAILED - RETRYING: Download coredns binary to local folder (3 retries left).
FAILED - RETRYING: Download coredns binary to local folder (2 retries left).
FAILED - RETRYING: Download coredns binary to local folder (1 retries left).
fatal: [homenas -> localhost]: FAILED! => {"attempts": 5, "changed": false, "module_stderr": "sudo: a password is required\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

PLAY RECAP ***********************************************************************************************
homenas                    : ok=37   changed=3    unreachable=0    failed=1    skipped=15   rescued=0    ignored=0   

Anything else we need to know?:

Is this behaviour intentional? I don't see a reason why the binary should be downloaded on the control machine when I didn't specify to use a version downloaded on the control machine. It makes more sense to let everything happen on the remote node (I don't want to provide the root password to my machine). It seems like become: false is not respected in the block: https://github.com/cloudalchemy/ansible-coredns/blob/39c5a514e2d0ce005d7aff625f90fdbd4d726a6c/tasks/install.yml#L29-L61
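As an added example (not the role's own tasks, and not code from the issue), this is the task shape that gives the behaviour the reporter expects: when coredns_binary_local_dir is unset, fetch the archive on the target host itself, pinning the SHA-256 that the preflight task already collected into coredns_checksum; when it is set, fetch it on the control host with become: false in effect on the delegated task so no sudo is attempted there. coredns_version is an assumed variable; the URL layout follows CoreDNS's GitHub release naming.

```yaml
# Added example, not the role's tasks. Assumed variable: coredns_version.
# coredns_binary_local_dir and coredns_checksum are the names used in the issue.
- name: Download coredns archive on the target host (no local dir given)
  ansible.builtin.get_url:
    url: "https://github.com/coredns/coredns/releases/download/v{{ coredns_version }}/coredns_{{ coredns_version }}_linux_amd64.tgz"
    dest: "/tmp/coredns_{{ coredns_version }}_linux_amd64.tgz"
    # Pin the digest: a swapped or tampered release fails here instead of
    # being unpacked and installed.
    checksum: "sha256:{{ coredns_checksum }}"
    mode: "0644"
  when: coredns_binary_local_dir is not defined
  register: coredns_download
  until: coredns_download is succeeded
  retries: 5
  delay: 2

- name: Download coredns archive on the control host (local dir given)
  ansible.builtin.get_url:
    url: "https://github.com/coredns/coredns/releases/download/v{{ coredns_version }}/coredns_{{ coredns_version }}_linux_amd64.tgz"
    dest: "{{ coredns_binary_local_dir }}/coredns_{{ coredns_version }}_linux_amd64.tgz"
    checksum: "sha256:{{ coredns_checksum }}"
    mode: "0644"
  when: coredns_binary_local_dir is defined
  delegate_to: localhost
  run_once: true
  # become: false must be in effect for this delegated task; if a play-level
  # become: true reaches it, Ansible runs sudo on the control host, which is
  # the "sudo: a password is required" failure in the log above.
  become: false
```

Whichever branch runs, the checksum is verified before anything is extracted or copied into place, and only the target-host branch ever needs privilege escalation.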

danielo515 commented 4 years ago

I'm having the exact same problem. In my case, I don't even have an ssh daemon running locally, so the download task should also run with the flag connection: local. Did you find a solution that does not involve forking this repo?

phandox commented 4 years ago

No, I haven't; in the end I didn't use this role. It seems to me that forking and fixing it yourself would be the only option for you, as it looks like the issues reported here are no longer being solved.

danielo515 commented 4 years ago

Ok, in my case what I did was to download the binary myself and put it in a local directory. Not pretty, but at least I don't have to do YAML gymnastics to avoid a problem that should not exist.