Action modules fail when running with local connection + become #675

Open
mnaser opened this issue Jan 26, 2024 · 4 comments
Labels
verified The issue is reproduced

Comments

@mnaser
Contributor

mnaser commented Jan 26, 2024

SUMMARY

When using the Kubernetes modules with connection_type set to local, and become set to true, the modules fail if the kubeconfig path is not accessible by the user running Ansible.

For example, I set kubeconfig to /etc/kubernetes/admin.conf, my task has become set to true and I am running the playbook as the user ubuntu.

It will try to read /etc/kubernetes/admin.conf and fail.

<instance> ESTABLISH LOCAL CONNECTION FOR USER: ubuntu
<instance> EXEC /bin/sh -c 'echo ~ubuntu && sleep 0'
<instance> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/ubuntu/.ansible/tmp `"&& mkdir "` echo /home/ubuntu/.ansible/tmp/ansible-tmp-1706304878.054976-76269-160918441885252 `" && echo ansible-tmp-1706304878.054976-76269-160918441885252="` echo /home/ubuntu/.ansible/tmp/ansible-tmp-1706304878.054976-76269-160918441885252 `" ) && sleep 0'
<instance> EXEC /bin/sh -c 'rm -f -r /home/ubuntu/.ansible/tmp/ansible-tmp-1706304878.054976-76269-160918441885252/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
Traceback (most recent call last):
  File "/home/ubuntu/.cache/pypoetry/virtualenvs/atmosphere-NEvTTHEY-py3.10/lib/python3.10/site-packages/ansible/parsing/dataloader.py", line 377, in get_real_file
    with open(to_bytes(real_path), 'rb') as f:
PermissionError: [Errno 13] Permission denied: b'/etc/kubernetes/admin.conf'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/ubuntu/.ansible/collections/ansible_collections/kubernetes/core/plugins/action/k8s_cluster_info.py", line 352, in run
    self.get_kubeconfig(kubeconfig, remote_transport, new_module_args)
  File "/home/ubuntu/.ansible/collections/ansible_collections/kubernetes/core/plugins/action/k8s_cluster_info.py", line 320, in get_kubeconfig
    configs.append(self._loader.get_real_file(config, decrypt=True))
  File "/home/ubuntu/.cache/pypoetry/virtualenvs/atmosphere-NEvTTHEY-py3.10/lib/python3.10/site-packages/ansible/parsing/dataloader.py", line 397, in get_real_file
    raise AnsibleParserError("an error occurred while trying to read the file '%s': %s" % (to_native(real_path), to_native(e)), orig_exc=e)
ansible.errors.AnsibleParserError: an error occurred while trying to read the file '/etc/kubernetes/admin.conf': [Errno 13] Permission denied: b'/etc/kubernetes/admin.conf'. [Errno 13] Permission denied: b'/etc/kubernetes/admin.conf'
fatal: [instance]: FAILED! => {
    "changed": false,
    "msg": "an error occurred while trying to read the file '/etc/kubernetes/admin.conf': [Errno 13] Permission denied: b'/etc/kubernetes/admin.conf'. [Errno 13] Permission denied: b'/etc/kubernetes/admin.conf'"
}
ISSUE TYPE
  • Bug Report
COMPONENT NAME

kubernetes.core.k8s_cluster_info

ANSIBLE VERSION
ansible [core 2.14.2]
  config file = None
  configured module search path = ['/home/ubuntu/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/ubuntu/.cache/pypoetry/virtualenvs/atmosphere-NEvTTHEY-py3.10/lib/python3.10/site-packages/ansible
  ansible collection location = /home/ubuntu/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/ubuntu/.cache/pypoetry/virtualenvs/atmosphere-NEvTTHEY-py3.10/bin/ansible
  python version = 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] (/home/ubuntu/.cache/pypoetry/virtualenvs/atmosphere-NEvTTHEY-py3.10/bin/python)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
# /home/ubuntu/.ansible/collections/ansible_collections
Collection      Version
--------------- -------
kubernetes.core 2.4.0  
CONFIGURATION
CONFIG_FILE() = None
OS / ENVIRONMENT
STEPS TO REPRODUCE
- name: Reproducer
  hosts: localhost
  become: true
  connection: local
  tasks:
    - name: Get cluster information
      kubernetes.core.k8s_cluster_info:
        kubeconfig: /etc/kubernetes/admin.conf
EXPECTED RESULTS

No crash

ACTUAL RESULTS
ansible-playbook [core 2.14.2]
  config file = /home/ubuntu/.cache/molecule/atmosphere/octavia/ansible.cfg
  configured module search path = ['/home/ubuntu/.cache/pypoetry/virtualenvs/atmosphere-NEvTTHEY-py3.10/lib/python3.10/site-packages/molecule/provisioner/ansible/plugins/modules', '/home/ubuntu/.cache/pypoetry/virtualenvs/atmosphere-NEvTTHEY-py3.10/lib/python3.10/site-packages/molecule_plugins/vagrant/modules', '/home/ubuntu/.cache/molecule/atmosphere/octavia/library', '/home/ubuntu/atmosphere/library', '/home/ubuntu/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/ubuntu/.cache/pypoetry/virtualenvs/atmosphere-NEvTTHEY-py3.10/lib/python3.10/site-packages/ansible
  ansible collection location = /home/ubuntu/.cache/molecule/atmosphere/octavia/collections:/home/ubuntu/.ansible/collections:/usr/share/ansible/collections:/etc/ansible/collections
  executable location = /home/ubuntu/.cache/pypoetry/virtualenvs/atmosphere-NEvTTHEY-py3.10/bin/ansible-playbook
  python version = 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] (/home/ubuntu/.cache/pypoetry/virtualenvs/atmosphere-NEvTTHEY-py3.10/bin/python)
  jinja version = 3.1.2
  libyaml = True
Using /home/ubuntu/.cache/molecule/atmosphere/octavia/ansible.cfg as config file
setting up inventory plugins
host_list declined parsing /home/ubuntu/.cache/molecule/atmosphere/octavia/inventory/ansible_inventory.yml as it did not pass its verify_file() method
script declined parsing /home/ubuntu/.cache/molecule/atmosphere/octavia/inventory/ansible_inventory.yml as it did not pass its verify_file() method
Parsed /home/ubuntu/.cache/molecule/atmosphere/octavia/inventory/ansible_inventory.yml inventory source with yaml plugin
Loading collection kubernetes.core from /home/ubuntu/.ansible/collections/ansible_collections/kubernetes/core
Loading callback plugin default of type stdout, v2.0 from /home/ubuntu/.cache/pypoetry/virtualenvs/atmosphere-NEvTTHEY-py3.10/lib/python3.10/site-packages/ansible/plugins/callback/default.py
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.
1 plays in /home/ubuntu/atmosphere/molecule/octavia/converge.yml

PLAYBOOK: converge.yml *********************************************************
Positional arguments: /home/ubuntu/atmosphere/molecule/octavia/converge.yml
verbosity: 4
connection: smart
timeout: 10
become_method: sudo
tags: ('all',)
skip_tags: ('notest', 'molecule-notest')
inventory: ('/home/ubuntu/.cache/molecule/atmosphere/octavia/inventory',)
forks: 50

PLAY [localhost] ***************************************************************

TASK [Gathering Facts] *********************************************************
task path: /home/ubuntu/atmosphere/molecule/octavia/converge.yml:40
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: ubuntu
<127.0.0.1> EXEC /bin/sh -c 'echo ~ubuntu && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/ubuntu/.ansible/tmp `"&& mkdir "` echo /home/ubuntu/.ansible/tmp/ansible-tmp-1706305363.682487-77528-127190288374012 `" && echo ansible-tmp-1706305363.682487-77528-127190288374012="` echo /home/ubuntu/.ansible/tmp/ansible-tmp-1706305363.682487-77528-127190288374012 `" ) && sleep 0'
Using module file /home/ubuntu/.cache/pypoetry/virtualenvs/atmosphere-NEvTTHEY-py3.10/lib/python3.10/site-packages/ansible/modules/setup.py
<127.0.0.1> PUT /home/ubuntu/.ansible/tmp/ansible-local-775232mwgno45/tmpcj_lharc TO /home/ubuntu/.ansible/tmp/ansible-tmp-1706305363.682487-77528-127190288374012/AnsiballZ_setup.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/ubuntu/.ansible/tmp/ansible-tmp-1706305363.682487-77528-127190288374012/ /home/ubuntu/.ansible/tmp/ansible-tmp-1706305363.682487-77528-127190288374012/AnsiballZ_setup.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'sudo -H -S -n  -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-fcqdhosiddhswujuxwxynzlouoluieri ; /home/ubuntu/.cache/pypoetry/virtualenvs/atmosphere-NEvTTHEY-py3.10/bin/python /home/ubuntu/.ansible/tmp/ansible-tmp-1706305363.682487-77528-127190288374012/AnsiballZ_setup.py'"'"' && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /home/ubuntu/.ansible/tmp/ansible-tmp-1706305363.682487-77528-127190288374012/ > /dev/null 2>&1 && sleep 0'
ok: [localhost]

TASK [Get cluster information] *************************************************
task path: /home/ubuntu/atmosphere/molecule/octavia/converge.yml:44
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: ubuntu
<127.0.0.1> EXEC /bin/sh -c 'echo ~ubuntu && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/ubuntu/.ansible/tmp `"&& mkdir "` echo /home/ubuntu/.ansible/tmp/ansible-tmp-1706305364.9378667-77642-32858875030556 `" && echo ansible-tmp-1706305364.9378667-77642-32858875030556="` echo /home/ubuntu/.ansible/tmp/ansible-tmp-1706305364.9378667-77642-32858875030556 `" ) && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /home/ubuntu/.ansible/tmp/ansible-tmp-1706305364.9378667-77642-32858875030556/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
Traceback (most recent call last):
  File "/home/ubuntu/.cache/pypoetry/virtualenvs/atmosphere-NEvTTHEY-py3.10/lib/python3.10/site-packages/ansible/parsing/dataloader.py", line 377, in get_real_file
    with open(to_bytes(real_path), 'rb') as f:
PermissionError: [Errno 13] Permission denied: b'/etc/kubernetes/admin.conf'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/ubuntu/.ansible/collections/ansible_collections/kubernetes/core/plugins/action/k8s_cluster_info.py", line 352, in run
    self.get_kubeconfig(kubeconfig, remote_transport, new_module_args)
  File "/home/ubuntu/.ansible/collections/ansible_collections/kubernetes/core/plugins/action/k8s_cluster_info.py", line 320, in get_kubeconfig
    configs.append(self._loader.get_real_file(config, decrypt=True))
  File "/home/ubuntu/.cache/pypoetry/virtualenvs/atmosphere-NEvTTHEY-py3.10/lib/python3.10/site-packages/ansible/parsing/dataloader.py", line 397, in get_real_file
    raise AnsibleParserError("an error occurred while trying to read the file '%s': %s" % (to_native(real_path), to_native(e)), orig_exc=e)
ansible.errors.AnsibleParserError: an error occurred while trying to read the file '/etc/kubernetes/admin.conf': [Errno 13] Permission denied: b'/etc/kubernetes/admin.conf'. [Errno 13] Permission denied: b'/etc/kubernetes/admin.conf'
fatal: [localhost]: FAILED! => {
    "changed": false,
    "msg": "an error occurred while trying to read the file '/etc/kubernetes/admin.conf': [Errno 13] Permission denied: b'/etc/kubernetes/admin.conf'. [Errno 13] Permission denied: b'/etc/kubernetes/admin.conf'"
}
@abikouo abikouo added the verified The issue is reproduced label Feb 23, 2024
@abikouo
Contributor

abikouo commented Feb 23, 2024

The issue is reproducible; however, I am wondering if this is not intended, because using the ansible.builtin.copy module we run into the same issue

- copy:
     src: /etc/kubernetes/admin.conf
     dest: '{{ dest }}'
  become: true

Here is the output

TASK [copy] **************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"msg": "an error occurred while trying to read the file '/etc/kubernetes/admin.conf': [Errno 13] Permission denied: b'/etc/kubernetes/admin.conf'. [Errno 13] Permission denied: b'/etc/kubernetes/admin.conf'"}

@mnaser
Contributor Author

mnaser commented Apr 2, 2024

It seems like there is a weird overall behaviour with action modules not being executed as root. I feel like maybe this is an Ansible bug?

@OttaviaB
Contributor

OttaviaB commented Apr 3, 2024

Hello,
we are having the same problem: we want to run the module kubernetes.core.k8s_info on localhost using a kubeconfig that is only readable by root (we do not want to run the whole playbook as root though). Setting become: true does not have the desired behaviour (as in this issue's description).

In my opinion, this is not an Ansible bug.

This behaviour is fine with the copy module, since copy works from "local" to "remote" and expects by default the source to be found locally. become directives do not work on "local". You can work around that with copy by doing something like this:

---
- hosts: all
  gather_facts: false
  tasks:
    - name: Copy
      ansible.builtin.copy:
        src: /root/test.txt
        dest: /root/text-copy.txt
        remote_src: true
      become: true
      delegate_to: localhost

Specifically: remote_src: true forces Ansible to take the source from "remote" (which in this case is still localhost due to delegate_to) and apply the become directives.

k8s_info should always look for the kubeconfig on "remote", which is why this behaviour surprises me.

@mnaser
Contributor Author

mnaser commented Apr 12, 2024

I think this is because there is a part of this module that runs as an action module (which runs locally); that part is the one that breaks!
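
A possible way around the controller-side read discussed in this thread, as an added example that is not part of the thread or the collection's own code: read the root-only file with an ordinary module, which does run under become, and pass the parsed content to the Kubernetes module instead of a path. It assumes the installed kubernetes.core collection and Python kubernetes client accept kubeconfig as a dictionary; the variable names admin_conf and cluster_info are hypothetical.

```yaml
# Added example: hypothetical workaround, not taken from the issue thread.
- name: Query the cluster with a root-only kubeconfig
  hosts: localhost
  connection: local
  become: false              # the play itself stays unprivileged
  gather_facts: false
  tasks:
    - name: Read the kubeconfig as root
      # slurp is an ordinary module, so it is executed through sudo
      # (like the setup module in the log above) and can open the file.
      ansible.builtin.slurp:
        src: /etc/kubernetes/admin.conf
      become: true
      register: admin_conf   # hypothetical variable name
      no_log: true           # the content holds cluster-admin credentials

    - name: Get cluster information
      # Assumption: kubeconfig is accepted as a dictionary, so the
      # controller-side action plugin has no file path to open.
      kubernetes.core.k8s_cluster_info:
        kubeconfig: "{{ admin_conf.content | b64decode | from_yaml }}"
      register: cluster_info # hypothetical variable name
      no_log: true           # module arguments would otherwise be logged
```

The file on disk stays readable by root only, but the credentials pass through the unprivileged Ansible process for the duration of the run, which is why both tasks set no_log.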
