tripleo

permission error when linking tripleo-inventory in config-download ceph-ansible subdirecotry

Bug #1912103 reported by John Fulton
16
This bug affects 2 people
Affects Status Importance Assigned to Milestone
tripleo
Fix Committed
High
John Fulton
tripleo wallaby-2

Bug Description

During a non-standalone deployment using tripleo's current main branch of an undercloud built 1/17/21 the deployment failed shortly after:

"Use --start-at-task 'External deployment step 1' to resume from this task"

with the following error:

2021-01-17 16:13:59.276148 | 2442017e-2e6f-7fad-6035-000000005952 | FATAL | symbolic link to tripleo inventory from ceph-ansible work directory | undercloud | error={"changed": false, "msg": "Error while
 linking: [Errno 13] Permission denied: b'/home/stack/config-download/oc0/tripleo-ansible-inventory.yaml' -> b'/home/stack/config-download/oc0/ceph-ansible/inventory.yml'", "path": "/home/stack/config-downloa
d/oc0/ceph-ansible/inventory.yml"}

inspection of config-download's permissions for stack oc0 show:

ls -lhtr /home/stack/config-download/oc0
...
-rwxr-x---. 1 stack stack 6.6K Jan 17 16:01 ansible-playbook-command.sh
drwx------. 2 stack stack 80 Jan 17 16:02 group_vars
drwxr-xr-x. 5 tripleo-admin root 79 Jan 17 16:23 ceph-ansible
...

Revision history for this message
John Fulton (jfulton-org) wrote :

The way config-download is being run these days results in /home/stack/config-download/<STACK> being owned by stack:stack. The following task in tripleo_ansible/roles/tripleo_ceph_work_dir/tasks/prepare.yml creates /home/stack/config-download/<STACK>/ceph-ansible

  become: true
  file:
    path: "{{ item }}"
    state: directory
    owner: "{{ ansible_user }}"

The become results in this directory belonging to the group root and it would belong to the user root unless the ansible_user variable wasn't set. By simply removing the become and redeploying the directory has the preferred permission of stack:stack so the become is not necessary and introduces this bug.

Note that the tripleo_ceph_work_dir role is executed when the following part of deploy_steps_playbook.yaml runs:

  tasks:
    - name: External deployment step 1
      delegate_to: localhost
      run_once: true
      debug:
        msg: Use --start-at-task 'External deployment step 1' to resume from this task
    - include_tasks: "external_deploy_steps_tasks_step1.yaml"
      when:
        - "'external_deploy_steps_tasks_step1.yaml' is exists"

where external_deploy_steps_tasks_step1.yaml does:

include_role: tripleo_ceph_work_dir
tasks_from: prepare.yml

So when it's run it has delegate_to: localhost.

Revision history for this message
John Fulton (jfulton-org) wrote :

In progress https://review.opendev.org/c/openstack/tripleo-ansible/+/771150

Changed in tripleo:
status: Triaged → In Progress
Revision history for this message
John Fulton (jfulton-org) wrote :

I believe CI didn't discover this issue becuase it runs using the standalone as root. We have seen this sort of thing before:

 https://github.com/openstack/tripleo-ansible/commit/67c4a4f58e9b8af07c277b1f6c20fa7af116eaf7

Revision history for this message
John Fulton (jfulton-org) wrote :

https://review.opendev.org/c/openstack/tripleo-ansible/+/771150 merged

Changed in tripleo:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-ansible 3.0.0

This issue was fixed in the openstack/tripleo-ansible 3.0.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.