debops / ansible-owncloud

Install and manage ownCloud instance
GNU General Public License v3.0

run_occ: Failed to set permissions when becoming an unprivileged user #77

Open jbicha opened 7 years ago

jbicha commented 7 years ago

Controller is running ansible .deb built from today's 2.2-stable branch (pre-2.2.1). Host is Ubuntu 16.10. (I had to set owncloud__distribution_version: '16.04' since the repo doesn't support 16.10 yet.)

TASK [debops.owncloud : Run given occ commands] ********************************
fatal: [server.example.com]: FAILED! => {"failed": true, "msg": "Failed to set permissions
on the temporary files Ansible needs to create when becoming an unprivileged user
(rc: 1, err: chown: changing ownership of '/tmp/ansible-tmp-1484374434.41-197434920671735/':
Operation not permitted\nchown: changing ownership of
'/tmp/ansible-tmp-1484374434.41-197434920671735 command.py': Operation not
permitted\n). For information on working around this, see
https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user"}

I tried to work around this by commenting out the become_user line. But then I got this:

fatal: [server.example.com]: FAILED! => {"failed": true, "msg": "the field 'args' has an invalid value ([u'role::owncloud:occ_config', u'role::owncloud:config', u'role::owncloud', u'role::owncloud:config', u'role::owncloud', u'role::owncloud:config', u'role::owncloud']), and could not be converted to an dict. Error was: No JSON object could be decoded\n\nThe error appears to have been in '/home/jeremy/.local/share/debops/debops-playbooks/roles/debops.owncloud/tasks/run_occ.yml': line 59, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: Convert occ output into Ansible data structure\n ^ here\n"}

ypid commented 7 years ago

Have not tested with Ubuntu > 14.04. Also, I think when you are using Ubuntu as a server, you would want to go with the LTS versions?

But it looks like an Ansible issue to me. Can you try with other releases like 2.1.x for example?

drybjed commented 7 years ago

This is due to Ansible trying to securely change the user context without compromising security - i.e. create files, then change their ownership, then run them. It's usually done with ACLs these days, unless your filesystem does not have them enabled (see the documentation for more details).

I'm assuming that you are doing this in an LXD container and it restricts ACL support in the filesystem, evident by "Operation not permitted". You could check if you can allow ACLs in a given container for this to work.
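
To see which hand-off step is actually failing, outside of a playbook run, here is an added diagnostic script. It is not part of debops.owncloud or of Ansible; it replays the sequence Ansible uses for its temporary files when become_user is an unprivileged account (an ACL granting only the become user r-x, then chown as the fallback) and reports the outcome of each. It assumes POSIX sh with coreutils on the target, and a target account named in BECOME_USER (www-data is only a placeholder here; use the account the role becomes; a non-existent account reads as "refused").

```shell
# Added diagnostic (not debops.owncloud or Ansible code): replay the
# permission hand-off Ansible performs on its temporary files when
# become_user is an unprivileged account, so the failing step is visible
# outside a playbook.  Assumptions: POSIX sh plus coreutils, and a target
# account in BECOME_USER (www-data is a placeholder, not a project value).

BECOME_USER="${BECOME_USER:-www-data}"

# Preferred route: an ACL giving only the become user r-x on the dir and
# the module file.  Fails on a filesystem without ACL support, or in a
# container that refuses the call ("Operation not permitted").
probe_acl() {
    setfacl -m "u:${BECOME_USER}:r-x" "$1" "$1/command.py" 2>/dev/null
}

# Fallback route: chown to the become user.  Needs root, and inside a
# container also needs the kernel to allow chown to that UID.
probe_chown() {
    chown "$BECOME_USER" "$1" "$1/command.py" 2>/dev/null
}

# Create a throwaway dir shaped like ansible-tmp-*, run both probes, clean
# up, and print two lines: acl=ok|missing|refused and chown=ok|refused.
probe_become_handoff() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/ansible-tmp-probe.XXXXXX") || return 1
    : > "$dir/command.py"
    chmod u+x "$dir"          # Ansible also makes the dir traversable first

    if ! command -v setfacl >/dev/null 2>&1; then
        acl=missing           # acl package not installed on the target
    elif probe_acl "$dir"; then
        acl=ok
    else
        acl=refused
    fi

    if probe_chown "$dir"; then chown=ok; else chown=refused; fi

    rm -rf "$dir"
    printf 'acl=%s\nchown=%s\n' "$acl" "$chown"
}

probe_become_handoff
```

Run it inside the container as the same account Ansible connects with (`BECOME_USER=www-data sh probe.sh`). `acl=missing` means the `acl` package is absent; `acl=refused` with `setfacl` present points at the filesystem or the container configuration, which is the case drybjed describes above.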

jbicha commented 7 years ago

@ypid I have the same issue with 2.1.1. But if y'all are going to suggest 2.1.1, you should revert the PHP commit that doesn't work with 2.1.1!

@drybjed Thanks. Yeah, it works when I run it on a VPS. I guess lxd is causing me some problems; maybe I'll need to learn vagrant then. I tried adding this to .debops.cfg but it didn't help

[ansible defaults]
;allow_world_readable_tmpfiles = True

ypid commented 7 years ago

@drybjed I thought we would maintain compatibility with Ansible 2.1.x for a while. I did not update to https://github.com/debops/ansible-php/commit/cafda8dab yet and I see that it would break compatibility. I like Ansible 2.1.x so far :wink:

@drybjed Right on with the permission issues. Interesting.

drybjed commented 7 years ago

@ypid Yeah, we should probably revert the check change for the time being.

@jbicha Did you write that option in the .debops.cfg file commented out? Remove the ; and check if this option shows up in the generated ansible.cfg configuration file.
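
As an added example (not DebOps code), the following script shows why the `;` silently disabled the option and gives a small checker for INI-style files such as `.debops.cfg` and the generated `ansible.cfg`. It assumes the INI dialect Python's configparser accepts, where lines starting with `;` or `#` are comments and `[section]` headers scope the keys; the two config files it writes are constructed for the demonstration. One caveat worth keeping in mind before enabling it: Ansible's own documentation lists `allow_world_readable_tmpfiles` as the least secure of the workarounds, because the copied module files, arguments included, become readable by every local user, so fixing ACL support as suggested above is the better fix where it is possible.

```shell
# Added example (not DebOps code): the ';' in .debops.cfg turns the line
# into a comment, so debops never emits the option into ansible.cfg.
# Assumes the INI dialect of Python's configparser (';' and '#' comments,
# '[section]' headers).  Both config files below are constructed samples.

# ini_get FILE SECTION KEY: print the value; exit 1 if the key is absent
# or only present on a commented-out line.
ini_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*[;#]/ { next }                      # comment line: ignored
        /^[ \t]*\[/ {                               # section header
            sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); next
        }
        sec == want_sec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            if (key == want_key) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val; found = 1; exit
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed .debops.cfg as in the failed attempt: the option is commented.
write_cfg_commented() {
    cat > "$1" <<'EOF'
[ansible defaults]
;allow_world_readable_tmpfiles = True
EOF
}

# The same file with the ';' removed, which is what enables the option.
write_cfg_active() {
    cat > "$1" <<'EOF'
[ansible defaults]
allow_world_readable_tmpfiles = True
EOF
}

# option_state FILE: "active (VALUE)" or "inactive" for the option in question.
option_state() {
    if val=$(ini_get "$1" "ansible defaults" allow_world_readable_tmpfiles); then
        echo "active ($val)"
    else
        echo "inactive"
    fi
}

demo() {
    tmp=$(mktemp -d) || return 1
    write_cfg_commented "$tmp/commented.cfg"
    write_cfg_active "$tmp/active.cfg"
    option_state "$tmp/commented.cfg"   # inactive
    option_state "$tmp/active.cfg"      # active (True)
    rm -rf "$tmp"
}

demo
```

The same `ini_get` works on the generated `ansible.cfg`, where the key lives under `[defaults]` rather than `[ansible defaults]`: `ini_get ansible.cfg defaults allow_world_readable_tmpfiles` printing `True` is the confirmation drybjed asks for above.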

jbicha commented 7 years ago

lol, oh that's what the semicolon is for!

ypid commented 7 years ago

@jbicha Does it work for you now?

jbicha commented 7 years ago

@ypid Probably, I haven't run debops recently.