Description
Restricted remote mount points, in which the root user is squashed, break with commit b4592b4.
Reproduction
- Machine with NFS-mounted data directories, squashing the root user.
- Role applied.
```
TASK [l3d.gitea : Create config and data directory] *****************************************************************************************************************************************************************
ok: [xgit.REDACTED.com] => (item=/etc/gitea)
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: PermissionError: [Errno 1] Operation not permitted: b'/srv/git/home'
failed: [xgit.REDACTED.com] (item=/srv/git/home) => {
    "ansible_loop_var": "item",
    "changed": false,
    "item": "/srv/git/home",
    "rc": 1
}

MSG:

MODULE FAILURE: No start of json char found
See stdout/stderr for the exact error

MODULE_STDOUT:

Traceback (most recent call last):
  File "/tmp/ansible-tmp-1743694498.2359667-24165-59021978186212/AnsiballZ_file.py", line 107, in <module>
    _ansiballz_main()
  File "/tmp/ansible-tmp-1743694498.2359667-24165-59021978186212/AnsiballZ_file.py", line 99, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/tmp/ansible-tmp-1743694498.2359667-24165-59021978186212/AnsiballZ_file.py", line 47, in invoke_module
    runpy.run_module(mod_name='ansible.modules.file', init_globals=dict(_module_fqn='ansible.modules.file', _modlib_path=modlib_path),
  File "<frozen runpy>", line 226, in run_module
  File "<frozen runpy>", line 98, in _run_module_code
  File "<frozen runpy>", line 88, in _run_code
  File "/tmp/ansible_ansible.builtin.file_payload_sy_a80do/ansible_ansible.builtin.file_payload.zip/ansible/modules/file.py", line 990, in <module>
  File "/tmp/ansible_ansible.builtin.file_payload_sy_a80do/ansible_ansible.builtin.file_payload.zip/ansible/modules/file.py", line 976, in main
  File "/tmp/ansible_ansible.builtin.file_payload_sy_a80do/ansible_ansible.builtin.file_payload.zip/ansible/modules/file.py", line 681, in ensure_directory
  File "/tmp/ansible_ansible.builtin.file_payload_sy_a80do/ansible_ansible.builtin.file_payload.zip/ansible/module_utils/basic.py", line 1100, in set_fs_attributes_if_different
  File "/tmp/ansible_ansible.builtin.file_payload_sy_a80do/ansible_ansible.builtin.file_payload.zip/ansible/module_utils/basic.py", line 860, in set_mode_if_different
PermissionError: [Errno 1] Operation not permitted: b'/srv/git/home'
...
```
Root Cause
Originally, these permissions were applied as relative changes using symbolic permissions (u=, g=, o=...). Octal mode plows over the permissions, resulting in an attempt to explicitly apply them regardless of whether or not they are already correct. Existing locations are not checked for correctness before the task is applied.
As the role uses become, the task runs as the local root user. Because this data location is a remote mount, the root user is mapped to nobody/nogroup, effectively locking the task out of modifying permissions and resulting in the stack dump.
Resolution
Remote mount points require additional nuanced consideration. There are a few suggestions:
1. Use ansible.builtin.stat and check the listed directories for correctness before plowing. This will prevent remote data mount location errors with no other changes to the role.
2. Provide the option to disable forced directory/data creation (effectively allowing the user to disable directory.yml).
My preference is #1. This is the easiest to implement with minimal changes.
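One way to implement both suggestions, as an added example that is not part of the issue or of the l3d.gitea role's own tasks: stat each directory first and only call ansible.builtin.file where the directory is missing or its owner, group or mode actually differs, behind a switch that lets the user skip directory management entirely. The variable names gitea_manage_directories and gitea_dirs, and the stat/file task pairing itself, are assumptions for illustration; the role's real variables may differ.

```yaml
# Added example (not the role's code). Assumes two hypothetical variables:
#   gitea_manage_directories: bool  - set false to skip this file entirely (suggestion 2)
#   gitea_dirs: list of {path, owner, group, mode} with mode as an octal string, e.g. "0750"
- name: Stat Gitea directories before touching them (suggestion 1)
  ansible.builtin.stat:
    path: "{{ item.path }}"
  loop: "{{ gitea_dirs }}"
  loop_control:
    label: "{{ item.path }}"
  register: gitea_dir_stat
  when: gitea_manage_directories | bool

- name: Create or fix directories only where something is actually wrong
  ansible.builtin.file:
    path: "{{ item.item.path }}"
    state: directory
    owner: "{{ item.item.owner }}"
    group: "{{ item.item.group }}"
    mode: "{{ item.item.mode }}"
  loop: "{{ gitea_dir_stat.results | default([]) }}"
  loop_control:
    label: "{{ item.item.path }}"
  # stat returns mode as an octal string ("0750"), pw_name/gr_name as names,
  # so compare like with like. Jinja's "or" short-circuits, so the attribute
  # checks are only evaluated when the path exists.
  when:
    - gitea_manage_directories | bool
    - >-
      not item.stat.exists
      or item.stat.mode != item.item.mode
      or item.stat.pw_name != item.item.owner
      or item.stat.gr_name != item.item.group
```

On a root-squashed NFS export the squashed root user can neither chown nor chmod the mount point, so the directories there have to be provisioned with the correct owner and mode on the storage side; with the check above, a correctly provisioned directory is simply reported ok instead of tripping the PermissionError shown in the traceback, while a genuinely wrong one still fails loudly rather than being silently skipped.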