mitogen-hq / mitogen

Distributed self-replicating programs in Python
https://mitogen.networkgenomics.com/
BSD 3-Clause "New" or "Revised" License

os.chdir fails if the sudo/become user lacks adequate permissions to chdir prior to task #636

Open msaladna opened 5 years ago

msaladna commented 5 years ago

```
fatal: [localhost]: FAILED! => {
    "msg": "Unexpected failure during module execution.",
    "stdout": ""
}
```

* **If reporting any kind of problem with Ansible, please include the Ansible
  version along with output of "ansible-config dump --only-changed".**

```
ansible-config dump --only-changed
DEFAULT_STRATEGY(/usr/local/apnscp/resources/playbooks/ansible.cfg) = mitogen_linear
DEFAULT_STRATEGY_PLUGIN_PATH(/usr/local/apnscp/resources/playbooks/ansible.cfg) = [u'/usr/lib/python2.7/site-packages/ansible_mitogen/plugins/strategy']
```


**Sample play to reproduce the behavior:**
```yaml
---
- hosts: localhost
  gather_facts: no
  tasks:
    - name: Become bug
      become_user: postgres
      become: True
      postgresql_user: name=testuser password=abc db=template1 encrypted=yes
      register: user_changed
```

Verification of the permissions:

```
sudo -u postgres ls -la /usr/local/apnscp/resources/playbooks/
ls: cannot access /usr/local/apnscp/resources/playbooks/: Permission denied
```

Then if we change permissions to allow access by user "postgres":

```
chmod 711 /usr/local/apnscp/
sudo -u postgres ls -la /usr/local/apnscp/resources/playbooks/
# ls succeeds
```

Likewise the play completes as expected:

```json
changed: [localhost] => {
    "changed": true,
    "invocation": {
        "module_args": {
            "ca_cert": null,
            "conn_limit": null,
            "db": "template1",
            "encrypted": true,
            "expires": null,
            "fail_on_user": true,
            "login_host": "",
            "login_password": "",
            "login_unix_socket": "",
            "login_user": "postgres",
            "name": "testuser",
            "no_password_changes": false,
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "port": 5432,
            "priv": null,
            "role_attr_flags": "",
            "session_role": null,
            "ssl_mode": "prefer",
            "state": "present",
            "user": "testuser"
        }
    },
    "queries": [
        "CREATE USER \"testuser\" WITH ENCRYPTED PASSWORD %(password)s "
    ],
    "user": "testuser"
}
```
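The failure above is a plain directory-search check: `chdir()` succeeds only if every directory on the path carries the execute (search) bit for the become user, which is why `chmod 711` on `/usr/local/apnscp/` is enough and no read bit is needed. The following is an added example, not code from this issue or from mitogen, that models that check so you can predict before a play runs whether `become_user` will be able to enter the controller's working directory, and shows a fallback when it cannot. The `apnscp/resources/playbooks` layout is rebuilt under a temp dir, the non-owner uid is made up for the demonstration, and `safe_chdir` is a hypothetical helper rather than mitogen's own API; uid 0 is treated as bypassing the check (CAP_DAC_READ_SEARCH).

```python
"""Model the directory-search check behind mitogen issue #636 (added example)."""
import os
import shutil
import stat
import tempfile


def component_search_allowed(mode, st_uid, st_gid, uid, gids):
    """Can a process running as (uid, gids) search one directory with the
    given stat mode/owner/group? Mirrors the owner/group/other x-bit rule;
    uid 0 is assumed to bypass DAC checks (CAP_DAC_READ_SEARCH)."""
    if uid == 0:
        return True
    if st_uid == uid:
        return bool(mode & stat.S_IXUSR)
    if st_gid in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def path_traversable_by(path, uid, gids=(), start=os.sep):
    """Walk every prefix of `path` from `start` downward, the way the kernel
    does on chdir, and return (True, None) or (False, first_blocking_prefix).
    `start` defaults to "/"; pass a closer ancestor if its parents are known
    to be reachable (the example below does this to ignore the temp dir)."""
    path = os.path.abspath(path)
    start = os.path.abspath(start)
    if not (path == start or path.startswith(start.rstrip(os.sep) + os.sep)):
        raise ValueError("start must be a prefix of path")
    prefixes = [start]
    cur = start
    rel = os.path.relpath(path, start)
    if rel != os.curdir:
        for part in rel.split(os.sep):
            cur = os.path.join(cur, part)
            prefixes.append(cur)
    for prefix in prefixes:
        st = os.stat(prefix)
        if not stat.S_ISDIR(st.st_mode):
            return False, prefix  # chdir would fail with ENOTDIR
        if not component_search_allowed(st.st_mode, st.st_uid, st.st_gid, uid, gids):
            return False, prefix  # chdir would fail with EACCES
    return True, None


def safe_chdir(target, fallback="/"):
    """Hypothetical helper: chdir(target), and if that raises (EACCES, ENOENT,
    ENOTDIR, ...) enter `fallback` instead. Returns the directory entered."""
    try:
        os.chdir(target)
        return target
    except OSError:
        os.chdir(fallback)
        return fallback


def demo():
    """Rebuild the issue's layout under a temp dir (constructed data) and check
    it for a made-up non-owner uid before and after the `chmod 711` fix."""
    base = tempfile.mkdtemp()
    top = os.path.join(base, "apnscp")
    resources = os.path.join(top, "resources")
    playbooks = os.path.join(resources, "playbooks")
    try:
        os.makedirs(playbooks)
        for d in (resources, playbooks):
            os.chmod(d, 0o755)             # leaf perms are not the problem
        os.chmod(top, 0o700)               # the state that breaks the play
        other_uid = os.getuid() + 1        # any uid that does not own the tree
        before = path_traversable_by(playbooks, other_uid, start=top)
        os.chmod(top, 0o711)               # the fix from the issue
        after = path_traversable_by(playbooks, other_uid, start=top)
        here = os.getcwd()                 # exercise the fallback on a bad target
        entered = safe_chdir(os.path.join(top, "missing"), fallback=here)
        os.chdir(here)
        return {"top": top, "before": before, "after": after,
                "fallback_used": entered == here}
    finally:
        os.chmod(top, 0o755)               # rmtree needs rwx on the parent
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Run it as the controller user; `before` names `.../apnscp` as the first prefix the become user cannot search, and `after` reports the path as traversable once that directory is `711`. To check a real play's cwd, call `path_traversable_by(os.getcwd(), uid, gids)` with the become user's ids from `pwd.getpwnam` and `os.getgrouplist`.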
zswanson commented 5 years ago

Seeing this same issue using ansible 2.8 and mitogen 0.2.8; in our case though we're running ansible/mitogen during an AWS user-data script, so it runs as root. The file task fails when we used become_user to switch to a local service account. In our case we can work around it since the become_user wasn't a necessary step for the execution, so we just removed it.

@dw this is actually becoming a pretty major error, it impacts multiple tasks in our playbooks, and we cannot roll back to 0.2.7 because it isn't compatible with ansible 2.8

Looks to be related to the fix from #591

rrauenza commented 2 years ago

I think I've just hit this as well ... is there a workaround?

My use case is this.. and I think I found a workaround for me:

```yaml
- name: do something
  become_user: "{{ lookup('env', 'USER') }}"  # https://github.com/mitogen-hq/mitogen/issues/636
  become: true
  command:
    chdir: /tmp
    cmd: my_command
  delegate_to: 127.0.0.1  # Run this locally (where you issued ansible from)
```

This runs local to where I issued the ansible command per delegate_to, so I just become the user who issues the ansible command as a workaround.