
podman_unshare become module does not work (asks for sudo password, or Operation not permitted) #545

Closed
nodiscc opened this issue Feb 2, 2023 · 11 comments
Labels
needs_info More information about case is required

Comments

@nodiscc

nodiscc commented Feb 2, 2023

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Steps to reproduce the issue:

  1. Install podman on a fresh Debian 11 host
  2. Install the latest ansible release on the controller
  3. Install the containers.podman collection ansible-galaxy collection install containers.podman
  4. Create a simple playbook with the following tasks:
- containers.podman.podman_volume:
    state: present
    name: "{{ item }}"
  with_items:
    - shaarli-data
    - shaarli-cache
  tags: podman-shaarli

- name: set permissions/ownership on podman volumes
  become: yes
  become_method: containers.podman.podman_unshare
  ansible.builtin.file:
    state: directory
    owner: 100
    group: 101
    path: "{{ item }}"
  with_items:
   - ~/.local/share/containers/storage/volumes/shaarli-cache
   - ~/.local/share/containers/storage/volumes/shaarli-data
  tags: podman-shaarli
  5. Run the playbook: $ ansible-playbook playbook.yml --tags=podman-shaarli

Describe the results you received:

PLAY [podman1.xinit.se] ******************************************************

TASK [podman : containers.podman.podman_volume] ***********************************************************
ok: [podman1.xinit.se] => (item=shaarli-data)
ok: [podman1.xinit.se] => (item=shaarli-cache)

TASK [podman : set permissions/ownership on podman volumes] ******************************************************
failed: [podman1.xinit.se] (item=~/.local/share/containers/storage/volumes/shaarli-cache) => {
    "ansible_loop_var": "item",
    "changed": false,
    "item": "~/.local/share/containers/storage/volumes/shaarli-cache",
    "rc": 1
}

MSG:

MODULE FAILURE
See stdout/stderr for the exact error


MODULE_STDERR:

sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required

failed: [podman1.xinit.se] (item=~/.local/share/containers/storage/volumes/shaarli-data) => {
    "ansible_loop_var": "item",
    "changed": false,
    "item": "~/.local/share/containers/storage/volumes/shaarli-data",
    "rc": 1
}

MSG:

MODULE FAILURE
See stdout/stderr for the exact error


MODULE_STDERR:

sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required

	to retry, use: --limit @/home/live/GIT/ansible-playbook-infra.git/playbook.retry

PLAY RECAP ******************************
podman1.xinit.se           : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

Thinking that was caused by become: yes assuming become_user: root as the default, I tried setting become_user: "{{ ansible_user }}" in the task that uses become_method: containers.podman.podman_unshare. Different error:

PLAY [podman1.xinit.se] **********************************

TASK [podman : containers.podman.podman_volume] ************************************************
ok: [podman1.xinit.se] => (item=shaarli-data)
ok: [podman1.xinit.se] => (item=shaarli-cache)

TASK [podman : set permissions/ownership on podman volumes] *********************************************************
failed: [podman1.xinit.se] (item=~/.local/share/containers/storage/volumes/shaarli-cache) => {
    "ansible_loop_var": "item",
    "changed": false,
    "gid": 1000,
    "group": "deploy",
    "item": "~/.local/share/containers/storage/volumes/shaarli-cache",
    "mode": "0755",
    "owner": "deploy",
    "path": "/home/deploy/.local/share/containers/storage/volumes/shaarli-cache",
    "size": 4096,
    "state": "directory",
    "uid": 1000
}

MSG:

chown failed: [Errno 1] Operation not permitted: b'/home/deploy/.local/share/containers/storage/volumes/shaarli-cache'
failed: [podman1.xinit.se] (item=~/.local/share/containers/storage/volumes/shaarli-data) => {
    "ansible_loop_var": "item",
    "changed": false,
    "gid": 1000,
    "group": "deploy",
    "item": "~/.local/share/containers/storage/volumes/shaarli-data",
    "mode": "0755",
    "owner": "deploy",
    "path": "/home/deploy/.local/share/containers/storage/volumes/shaarli-data",
    "size": 4096,
    "state": "directory",
    "uid": 1000
}

MSG:

chown failed: [Errno 1] Operation not permitted: b'/home/deploy/.local/share/containers/storage/volumes/shaarli-data'
	to retry, use: --limit @/home/live/GIT/ansible-playbook-infra.git/playbook.retry

PLAY RECAP ***************************************
podman1.xinit.se           : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

Describe the results you expected:

become_method: containers.podman.podman_unshare should work as documented in the examples at https://docs.ansible.com/ansible/latest/collections/containers/podman/podman_volume_module.html:

  • It should not require setting become_user manually/assume that become_user: root
  • More importantly it does not seem to work at all (Operation not permitted) even with become_user set to the ansible unprivileged user.

Additional information you deem important (e.g. issue happens only occasionally):

Running podman unshare manually works, pointing to a problem specifically with the become module:

deploy@podman1:~$ ls -ld .local/share/containers/storage/volumes/shaarli-{cache,data}
drwxr-xr-x 2 deploy deploy 4096 Feb  2 10:28 .local/share/containers/storage/volumes/shaarli-cache
drwxr-xr-x 2 deploy deploy 4096 Feb  2 10:28 .local/share/containers/storage/volumes/shaarli-data
deploy@podman1:~$ podman unshare chown 100:101 -R .local/share/containers/storage/volumes/shaarli-{cache,data}
deploy@podman1:~$ ls -ld .local/share/containers/storage/volumes/shaarli-{cache,data}
drwxr-xr-x 2 100099 100100 4096 Feb  2 10:28 .local/share/containers/storage/volumes/shaarli-cache
drwxr-xr-x 2 100099 100100 4096 Feb  2 10:28 .local/share/containers/storage/volumes/shaarli-data

Version of the containers.podman collection:

$ ansible-galaxy collection list | grep containers.podman
containers.podman 1.10.1 

Output of ansible --version:

ansible [core 2.13.4]
  config file = /home/live/GIT/ansible-playbook-infra.git/ansible.cfg
  configured module search path = ['/home/live/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/live/.venv/lib/python3.9/site-packages/ansible
  ansible collection location = /home/live/GIT/ansible-playbook-infra.git
  executable location = /home/live/.venv/bin/ansible
  python version = 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110]
  jinja version = 3.1.2
  libyaml = True

Output of podman version:

deploy@podman1:~$ podman --version
podman version 3.0.1

Output of podman info --debug:

deploy@podman1:~$ podman info --debug
host:
  arch: amd64
  buildahVersion: 1.19.6
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: 'conmon: /usr/bin/conmon'
    path: /usr/bin/conmon
    version: 'conmon version 2.0.25, commit: unknown'
  cpus: 2
  distribution:
    distribution: debian
    version: "11"
  eventLogger: journald
  hostname: podman1.xinit.se
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.10.0-20-amd64
  linkmode: dynamic
  memFree: 131350528
  memTotal: 1023782912
  ociRuntime:
    name: crun
    package: 'crun: /usr/bin/crun'
    path: /usr/bin/crun
    version: |-
      crun version 0.17
      commit: 0e9229ae34caaebcb86f1fde18de3acaf18c6d9a
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    selinuxEnabled: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: 'slirp4netns: /usr/bin/slirp4netns'
    version: |-
      slirp4netns version 1.0.1
      commit: 6a7b16babc95b6a3056b33fb45b74a6f62262dd4
      libslirp: 4.4.0
  swapFree: 1023131648
  swapTotal: 1023406080
  uptime: 56m 17.1s
registries: {}
store:
  configFile: /home/deploy/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: vfs
  graphOptions: {}
  graphRoot: /home/deploy/.local/share/containers/storage
  graphStatus: {}
  imageStore:
    number: 1
  runRoot: /run/user/1000/containers
  volumePath: /home/deploy/.local/share/containers/storage/volumes
version:
  APIVersion: 3.0.0
  Built: 0
  BuiltTime: Thu Jan  1 01:00:00 1970
  GitCommit: ""
  GoVersion: go1.15.15
  OsArch: linux/amd64
  Version: 3.0.1

Package info (e.g. output of rpm -q podman or apt list podman):

deploy@podman1:~$ apt list podman
Listing... Done
podman/stable,now 3.0.1+dfsg1-3+deb11u1 amd64 [installed]

Playbook you run with ansible (e.g. content of playbook.yaml):

# playbook.yml
- hosts: podman1.xinit.se
  roles:
    - podman

# roles/podman/tasks/main.yml
- name: include podman configuration tasks
  import_tasks: podman.yml # podman installation tasks, not relevant
  become: yes
  tags: podman

- name: include shaarli configuration tasks (podman)
  import_tasks: podman-shaarli.yml
  tags: podman-shaarli

# roles/podman/tasks/podman-shaarli.yml
# see tasks in issue description

Command line and output of ansible run with high verbosity

$ ansible-playbook playbook.yml -vvv --tags=podman-shaarli --limit=podman1.xinit.se
ansible-playbook [core 2.13.4]
  config file = /home/live/GIT/ansible-playbook-infra.git/ansible.cfg
  configured module search path = ['/home/live/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/live/.venv/lib/python3.9/site-packages/ansible
  ansible collection location = /home/live/GIT/ansible-playbook-infra.git
  executable location = /home/live/.venv/bin/ansible-playbook
  python version = 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110]
  jinja version = 3.1.2
  libyaml = True
Using /home/live/GIT/ansible-playbook-infra.git/ansible.cfg as config file
host_list declined parsing /home/live/GIT/ansible-playbook-infra.git/inventory.yml as it did not pass its verify_file() method
script declined parsing /home/live/GIT/ansible-playbook-infra.git/inventory.yml as it did not pass its verify_file() method
Parsed /home/live/GIT/ansible-playbook-infra.git/inventory.yml inventory source with yaml plugin
statically imported: /home/live/GIT/ansible-playbook-infra.git/roles/podman/tasks/podman.yml
statically imported: /home/live/GIT/ansible-playbook-infra.git/roles/podman/tasks/podman-shaarli.yml
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.

PLAYBOOK: playbook.yml *********************************************************
23 plays in playbook.yml

PLAY [podman1.xinit.se] ********************************************************
META: ran handlers

TASK [podman : containers.podman.podman_volume] ********************************
task path: /home/live/GIT/ansible-playbook-infra.git/roles/podman/tasks/podman-shaarli.yml:1
Using module file /home/live/GIT/ansible-playbook-infra.git/ansible_collections/containers/podman/plugins/modules/podman_volume.py
Pipelining is enabled.
<podman1.xinit.se> ESTABLISH SSH CONNECTION FOR USER: deploy
<podman1.xinit.se> SSH: EXEC ssh -o ControlMaster=auto -o ControlPersist=3600s -o PreferredAuthentications=publickey -o 'IdentityFile="/home/live/.ssh/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="deploy"' -o ConnectTimeout=10 -o 'ControlPath="/home/live/.ansible/cp/89d9f44442"' podman1.xinit.se '/bin/sh -c '"'"'/usr/bin/python3 && sleep 0'"'"''
<podman1.xinit.se> (0, b'\n{"changed": false, "actions": [], "volume": {"Name": "shaarli-data", "Driver": "local", "Mountpoint": "/home/deploy/.local/share/containers/storage/volumes/shaarli-data/_data", "CreatedAt": "2023-02-02T10:14:54.584361207+01:00", "Labels": {}, "Scope": "local", "Options": {}}, "podman_actions": [], "stdout": "", "stderr": "", "invocation": {"module_args": {"state": "present", "name": "shaarli-data", "recreate": false, "executable": "podman", "debug": false, "label": null, "driver": null, "options": null}}}\n', b'')
ok: [podman1.xinit.se] => (item=shaarli-data) => {
    "actions": [],
    "ansible_loop_var": "item",
    "changed": false,
    "invocation": {
        "module_args": {
            "debug": false,
            "driver": null,
            "executable": "podman",
            "label": null,
            "name": "shaarli-data",
            "options": null,
            "recreate": false,
            "state": "present"
        }
    },
    "item": "shaarli-data",
    "podman_actions": [],
    "volume": {
        "CreatedAt": "2023-02-02T10:14:54.584361207+01:00",
        "Driver": "local",
        "Labels": {},
        "Mountpoint": "/home/deploy/.local/share/containers/storage/volumes/shaarli-data/_data",
        "Name": "shaarli-data",
        "Options": {},
        "Scope": "local"
    }
}
Using module file /home/live/GIT/ansible-playbook-infra.git/ansible_collections/containers/podman/plugins/modules/podman_volume.py
Pipelining is enabled.
<podman1.xinit.se> ESTABLISH SSH CONNECTION FOR USER: deploy
<podman1.xinit.se> SSH: EXEC ssh -o ControlMaster=auto -o ControlPersist=3600s -o PreferredAuthentications=publickey -o 'IdentityFile="/home/live/.ssh/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="deploy"' -o ConnectTimeout=10 -o 'ControlPath="/home/live/.ansible/cp/89d9f44442"' podman1.xinit.se '/bin/sh -c '"'"'/usr/bin/python3 && sleep 0'"'"''
<podman1.xinit.se> (0, b'\n{"changed": false, "actions": [], "volume": {"Name": "shaarli-cache", "Driver": "local", "Mountpoint": "/home/deploy/.local/share/containers/storage/volumes/shaarli-cache/_data", "CreatedAt": "2023-02-02T10:14:55.186748415+01:00", "Labels": {}, "Scope": "local", "Options": {}}, "podman_actions": [], "stdout": "", "stderr": "", "invocation": {"module_args": {"state": "present", "name": "shaarli-cache", "recreate": false, "executable": "podman", "debug": false, "label": null, "driver": null, "options": null}}}\n', b'')
ok: [podman1.xinit.se] => (item=shaarli-cache) => {
    "actions": [],
    "ansible_loop_var": "item",
    "changed": false,
    "invocation": {
        "module_args": {
            "debug": false,
            "driver": null,
            "executable": "podman",
            "label": null,
            "name": "shaarli-cache",
            "options": null,
            "recreate": false,
            "state": "present"
        }
    },
    "item": "shaarli-cache",
    "podman_actions": [],
    "volume": {
        "CreatedAt": "2023-02-02T10:14:55.186748415+01:00",
        "Driver": "local",
        "Labels": {},
        "Mountpoint": "/home/deploy/.local/share/containers/storage/volumes/shaarli-cache/_data",
        "Name": "shaarli-cache",
        "Options": {},
        "Scope": "local"
    }
}

TASK [podman : set permissions/ownership on podman volumes] ********************
task path: /home/live/GIT/ansible-playbook-infra.git/roles/podman/tasks/podman-shaarli.yml:8
Using module file /home/live/.venv/lib/python3.9/site-packages/ansible/modules/file.py
Pipelining is enabled.
<podman1.xinit.se> ESTABLISH SSH CONNECTION FOR USER: deploy
<podman1.xinit.se> SSH: EXEC ssh -o ControlMaster=auto -o ControlPersist=3600s -o PreferredAuthentications=publickey -o 'IdentityFile="/home/live/.ssh/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="deploy"' -o ConnectTimeout=10 -o 'ControlPath="/home/live/.ansible/cp/89d9f44442"' podman1.xinit.se '/bin/sh -c '"'"'/usr/bin/python3 && sleep 0'"'"''
<podman1.xinit.se> (1, b'\n{"path": "/home/deploy/.local/share/containers/storage/volumes/shaarli-cache", "failed": true, "msg": "chown failed: [Errno 1] Operation not permitted: b\'/home/deploy/.local/share/containers/storage/volumes/shaarli-cache\'", "exception": "  File \\"/tmp/user/1000/ansible_ansible.builtin.file_payload_2za_6uqp/ansible_ansible.builtin.file_payload.zip/ansible/module_utils/basic.py\\", line 833, in set_owner_if_different\\n    os.lchown(b_path, uid, -1)\\n", "uid": 100099, "gid": 100100, "owner": "100099", "group": "100100", "mode": "0755", "state": "directory", "size": 4096, "invocation": {"module_args": {"state": "directory", "owner": "100", "group": "101", "path": "/home/deploy/.local/share/containers/storage/volumes/shaarli-cache", "recurse": false, "force": false, "follow": true, "modification_time_format": "%Y%m%d%H%M.%S", "access_time_format": "%Y%m%d%H%M.%S", "unsafe_writes": false, "_original_basename": null, "_diff_peek": null, "src": null, "modification_time": null, "access_time": null, "mode": null, "seuser": null, "serole": null, "selevel": null, "setype": null, "attributes": null}}}\n', b'')
<podman1.xinit.se> Failed to connect to the host via ssh: 
The full traceback is:
  File "/tmp/user/1000/ansible_ansible.builtin.file_payload_2za_6uqp/ansible_ansible.builtin.file_payload.zip/ansible/module_utils/basic.py", line 833, in set_owner_if_different
    os.lchown(b_path, uid, -1)
failed: [podman1.xinit.se] (item=~/.local/share/containers/storage/volumes/shaarli-cache) => {
    "ansible_loop_var": "item",
    "changed": false,
    "gid": 100100,
    "group": "100100",
    "invocation": {
        "module_args": {
            "_diff_peek": null,
            "_original_basename": null,
            "access_time": null,
            "access_time_format": "%Y%m%d%H%M.%S",
            "attributes": null,
            "follow": true,
            "force": false,
            "group": "101",
            "mode": null,
            "modification_time": null,
            "modification_time_format": "%Y%m%d%H%M.%S",
            "owner": "100",
            "path": "/home/deploy/.local/share/containers/storage/volumes/shaarli-cache",
            "recurse": false,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "src": null,
            "state": "directory",
            "unsafe_writes": false
        }
    },
    "item": "~/.local/share/containers/storage/volumes/shaarli-cache",
    "mode": "0755",
    "owner": "100099",
    "path": "/home/deploy/.local/share/containers/storage/volumes/shaarli-cache",
    "size": 4096,
    "state": "directory",
    "uid": 100099
}

MSG:

chown failed: [Errno 1] Operation not permitted: b'/home/deploy/.local/share/containers/storage/volumes/shaarli-cache'
Using module file /home/live/.venv/lib/python3.9/site-packages/ansible/modules/file.py
Pipelining is enabled.
<podman1.xinit.se> ESTABLISH SSH CONNECTION FOR USER: deploy
<podman1.xinit.se> SSH: EXEC ssh -o ControlMaster=auto -o ControlPersist=3600s -o PreferredAuthentications=publickey -o 'IdentityFile="/home/live/.ssh/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="deploy"' -o ConnectTimeout=10 -o 'ControlPath="/home/live/.ansible/cp/89d9f44442"' podman1.xinit.se '/bin/sh -c '"'"'/usr/bin/python3 && sleep 0'"'"''
<podman1.xinit.se> (1, b'\n{"path": "/home/deploy/.local/share/containers/storage/volumes/shaarli-data", "failed": true, "msg": "chown failed: [Errno 1] Operation not permitted: b\'/home/deploy/.local/share/containers/storage/volumes/shaarli-data\'", "exception": "  File \\"/tmp/user/1000/ansible_ansible.builtin.file_payload_5wvc3rve/ansible_ansible.builtin.file_payload.zip/ansible/module_utils/basic.py\\", line 833, in set_owner_if_different\\n    os.lchown(b_path, uid, -1)\\n", "uid": 100099, "gid": 100100, "owner": "100099", "group": "100100", "mode": "0755", "state": "directory", "size": 4096, "invocation": {"module_args": {"state": "directory", "owner": "100", "group": "101", "path": "/home/deploy/.local/share/containers/storage/volumes/shaarli-data", "recurse": false, "force": false, "follow": true, "modification_time_format": "%Y%m%d%H%M.%S", "access_time_format": "%Y%m%d%H%M.%S", "unsafe_writes": false, "_original_basename": null, "_diff_peek": null, "src": null, "modification_time": null, "access_time": null, "mode": null, "seuser": null, "serole": null, "selevel": null, "setype": null, "attributes": null}}}\n', b'')
<podman1.xinit.se> Failed to connect to the host via ssh: 
The full traceback is:
  File "/tmp/user/1000/ansible_ansible.builtin.file_payload_5wvc3rve/ansible_ansible.builtin.file_payload.zip/ansible/module_utils/basic.py", line 833, in set_owner_if_different
    os.lchown(b_path, uid, -1)
failed: [podman1.xinit.se] (item=~/.local/share/containers/storage/volumes/shaarli-data) => {
    "ansible_loop_var": "item",
    "changed": false,
    "gid": 100100,
    "group": "100100",
    "invocation": {
        "module_args": {
            "_diff_peek": null,
            "_original_basename": null,
            "access_time": null,
            "access_time_format": "%Y%m%d%H%M.%S",
            "attributes": null,
            "follow": true,
            "force": false,
            "group": "101",
            "mode": null,
            "modification_time": null,
            "modification_time_format": "%Y%m%d%H%M.%S",
            "owner": "100",
            "path": "/home/deploy/.local/share/containers/storage/volumes/shaarli-data",
            "recurse": false,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "src": null,
            "state": "directory",
            "unsafe_writes": false
        }
    },
    "item": "~/.local/share/containers/storage/volumes/shaarli-data",
    "mode": "0755",
    "owner": "100099",
    "path": "/home/deploy/.local/share/containers/storage/volumes/shaarli-data",
    "size": 4096,
    "state": "directory",
    "uid": 100099
}

MSG:

chown failed: [Errno 1] Operation not permitted: b'/home/deploy/.local/share/containers/storage/volumes/shaarli-data'
	to retry, use: --limit @/home/live/GIT/ansible-playbook-infra.git/playbook.retry

PLAY RECAP *********************************************************************
podman1.xinit.se           : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

Additional environment details (AWS, VirtualBox, physical, etc.):

  • Controller and host running Debian 11
  • Controller on physical machine/desktop
  • Host running in KVM VM (libvirt)
  • ansible installed in virtualenv via pip3
  • trying to test/implement this procedure through ansible
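The uid/gid numbers in the failures above follow directly from the idMappings in the podman info output: inside the rootless user namespace uid 0 is host uid 1000, and uids 1..65536 are host uids 100000..165535, so the manual `podman unshare chown 100:101` leaves the directories owned by 100099:100100 on the host. The following is an added illustration, not code from the containers.podman collection, from Ansible or from the issue author. It reimplements that mapping in Python with the uidmap/gidmap copied from the issue, and models the two outcomes seen here under the assumption (suggested by the SSH command lines, which show no podman unshare wrapper) that the file module ran as the plain host user: from outside the namespace the module sees owner 100099, wants 100, and an unprivileged lchown fails with EPERM; inside `podman unshare` the same directory already appears as uid 100, so there is nothing to change.

```python
"""Rootless podman user-namespace ID mapping, as reported by `podman info`.

UIDMAP/GIDMAP are copied from the `podman info --debug` idMappings in the
issue. Everything else is an added illustration (not containers.podman or
Ansible code) of what chown does on either side of the namespace boundary.
"""
from typing import List, Optional, Tuple

# Each entry: (container_id, host_id, size), as in `podman info` idMappings.
IdMap = List[Tuple[int, int, int]]

UIDMAP: IdMap = [(0, 1000, 1), (1, 100000, 65536)]
GIDMAP: IdMap = [(0, 1000, 1), (1, 100000, 65536)]


def to_host(idmap: IdMap, container_id: int) -> Optional[int]:
    """Translate an ID as seen inside the user namespace to the ID that
    lands on disk. Returns None when the ID is not mapped at all."""
    for c_start, h_start, size in idmap:
        if c_start <= container_id < c_start + size:
            return h_start + (container_id - c_start)
    return None


def to_container(idmap: IdMap, host_id: int) -> Optional[int]:
    """Inverse: which ID does `podman unshare` show for a host-side ID?"""
    for c_start, h_start, size in idmap:
        if h_start <= host_id < h_start + size:
            return c_start + (host_id - h_start)
    return None


def chown_outcome(current_host_uid: int, wanted_uid: int,
                  inside_unshare: bool, idmap: IdMap = UIDMAP) -> str:
    """Predict what `chown wanted_uid path` does for an unprivileged user.

    Outside the namespace the caller is a plain uid with no CAP_CHOWN, so any
    actual owner change fails with EPERM; the only success is 'nothing to do'.
    Inside `podman unshare` the caller is uid 0 of the namespace and may chown
    to any uid that is mapped; chown(2) rejects unmapped uids with EINVAL.
    """
    if inside_unshare:
        target_host = to_host(idmap, wanted_uid)
        if target_host is None:
            return "EINVAL: uid not mapped into the user namespace"
        if target_host == current_host_uid:
            return "ok (unchanged)"
        return "ok"
    # Outside: the file module compares raw host uids, then calls os.lchown.
    if current_host_uid == wanted_uid:
        return "ok (unchanged)"
    return "EPERM: Operation not permitted"


if __name__ == "__main__":
    # Reproduce the numbers from the issue: chown 100:101 under unshare ...
    print("unshare chown 100:101 -> host", to_host(UIDMAP, 100), to_host(GIDMAP, 101))
    # ... and the file module's view of the same directory afterwards.
    print("host 100099 seen from inside namespace as uid", to_container(UIDMAP, 100099))
    print("file module outside namespace, owner=100:", chown_outcome(100099, 100, False))
    print("same task inside podman unshare:        ", chown_outcome(100099, 100, True))
```

Reading the failure output with this in mind: a task reporting "uid": 100099 alongside "owner": "100" in module_args is the signature of the chown being attempted from the host side of the mapping.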
@sshnaidm
Member

sshnaidm commented Feb 2, 2023

@grzs would you like to take a look?
@nodiscc please use the latest code from the repo, it was a fix recently in #529

@grzs
Contributor

grzs commented Feb 2, 2023

@grzs would you like to take a look? @nodiscc please use the latest code from the repo, it was a fix recently in #529

Yes, I'll check it out tomorrow.

@sshnaidm
Member

@nodiscc did you try the latest code from master?

@sshnaidm sshnaidm added the needs_info More information about case is required label Feb 11, 2023
@nodiscc
Author

nodiscc commented Mar 1, 2023

@nodiscc did you try the latest code from master?

Sorry, I did not have the time to do so yet. I will try to check with the latest code from master in the coming weeks.

@nodiscc
Author

nodiscc commented Apr 13, 2023

I can still reproduce this after installing the collection from git master (I think I followed the correct installation procedure, please correct me if not):

$ cat requirements.yml
collections:
  - ...
  - name: containers.podman
    source: git+https://github.com/containers/ansible-podman-collections
    type: git
    version: master
$ cat roles/shaarli-podman/tasks/shaarli-podman.yml
- containers.podman.podman_volume:
    state: present
    name: "{{ item }}"
  with_items:
    - shaarli-data
    - shaarli-cache

- name: set permissions/ownership on podman volumes
  become: yes
  become_method: containers.podman.podman_unshare
  become_user: "{{ ansible_user }}"
  ansible.builtin.file:
    state: directory
    owner: 100
    group: 101
    path: "{{ item }}"
  with_items:
   - ~/.local/share/containers/storage/volumes/shaarli-cache
   - ~/.local/share/containers/storage/volumes/shaarli-data
$ ansible-galaxy collection install --force -r requirements.yml
...
Installing 'containers.podman:1.10.1' to '/home/live/GIT/ansible-playbook-infra.git/ansible_collections/containers/podman'
Skipping '/home/live/.ansible/tmp/ansible-local-61852glbjwz4/tmp0g9knzl5/ansible-podman-collectionselasoavn/ci' for collection build
Skipping '/home/live/.ansible/tmp/ansible-local-61852glbjwz4/tmp0g9knzl5/ansible-podman-collectionselasoavn/contrib' for collection build
Skipping '/home/live/.ansible/tmp/ansible-local-61852glbjwz4/tmp0g9knzl5/ansible-podman-collectionselasoavn/galaxy.yml' for collection build
Skipping '/home/live/.ansible/tmp/ansible-local-61852glbjwz4/tmp0g9knzl5/ansible-podman-collectionselasoavn/.gitignore' for collection build
Skipping '/home/live/.ansible/tmp/ansible-local-61852glbjwz4/tmp0g9knzl5/ansible-podman-collectionselasoavn/.github' for collection build
Skipping '/home/live/.ansible/tmp/ansible-local-61852glbjwz4/tmp0g9knzl5/ansible-podman-collectionselasoavn/galaxy.yml.in' for collection build
Skipping '/home/live/.ansible/tmp/ansible-local-61852glbjwz4/tmp0g9knzl5/ansible-podman-collectionselasoavn/.git' for collection build
Created collection for containers.podman:1.10.1 at /home/live/GIT/ansible-playbook-infra.git/ansible_collections/containers/podman
containers.podman:1.10.1 was installed successfully

$ ansible-galaxy collection list | grep containers.podman
Found installed collection containers.podman:1.10.1 at '/home/live/GIT/ansible-playbook-infra.git/.venv/lib/python3.9/site-packages/ansible_collections/containers/podman'
containers.podman             1.10.1 
Found installed collection containers.podman:1.10.1 at '/home/live/GIT/ansible-playbook-infra.git/ansible_collections/containers/podman'
containers.podman 1.10.1 

$ ansible-playbook playbook.yml --tags=podman-shaarli
...
TASK [shaarli-podman : set permissions/ownership on podman volumes] ************************************************************************************************************************************************************************************************************
task path: /home/live/GIT/ansible-playbook-infra.git/roles/shaarli-podman/tasks/shaarli-podman.yml:8
Using module file /home/live/playbooks/default/.venv/lib/python3.9/site-packages/ansible/modules/file.py
Pipelining is enabled.
<podman1.xinit.se> ESTABLISH SSH CONNECTION FOR USER: deploy
<podman1.xinit.se> SSH: EXEC ssh -o ControlMaster=auto -o ControlPersist=3600s -o PreferredAuthentications=publickey -o 'IdentityFile="/home/live/.ssh/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="deploy"' -o ConnectTimeout=10 -o 'ControlPath="/home/live/.ansible/cp/89d9f44442"' podman1.xinit.se '/bin/sh -c '"'"'/usr/bin/python3 && sleep 0'"'"''
<podman1.xinit.se> (1, b'\n{"path": "/home/deploy/.local/share/containers/storage/volumes/shaarli-cache", "failed": true, "msg": "chown failed: [Errno 1] Operation not permitted: b\'/home/deploy/.local/share/containers/storage/volumes/shaarli-cache\'", "exception": "  File \\"/tmp/user/1000/ansible_ansible.builtin.file_payload_m1guu5if/ansible_ansible.builtin.file_payload.zip/ansible/module_utils/basic.py\\", line 833, in set_owner_if_different\\n    os.lchown(b_path, uid, -1)\\n", "uid": 100099, "gid": 100100, "owner": "100099", "group": "100100", "mode": "0755", "state": "directory", "size": 4096, "invocation": {"module_args": {"state": "directory", "owner": "100", "group": "101", "path": "/home/deploy/.local/share/containers/storage/volumes/shaarli-cache", "recurse": false, "force": false, "follow": true, "modification_time_format": "%Y%m%d%H%M.%S", "access_time_format": "%Y%m%d%H%M.%S", "unsafe_writes": false, "_original_basename": null, "_diff_peek": null, "src": null, "modification_time": null, "access_time": null, "mode": null, "seuser": null, "serole": null, "selevel": null, "setype": null, "attributes": null}}}\n', b'')
<podman1.xinit.se> Failed to connect to the host via ssh: 
The full traceback is:
  File "/tmp/user/1000/ansible_ansible.builtin.file_payload_m1guu5if/ansible_ansible.builtin.file_payload.zip/ansible/module_utils/basic.py", line 833, in set_owner_if_different
    os.lchown(b_path, uid, -1)
failed: [podman1.xinit.se] (item=~/.local/share/containers/storage/volumes/shaarli-cache) => {
    "ansible_loop_var": "item",
    "changed": false,
    "gid": 100100,
    "group": "100100",
    "invocation": {
        "module_args": {
            "_diff_peek": null,
            "_original_basename": null,
            "access_time": null,
            "access_time_format": "%Y%m%d%H%M.%S",
            "attributes": null,
            "follow": true,
            "force": false,
            "group": "101",
            "mode": null,
            "modification_time": null,
            "modification_time_format": "%Y%m%d%H%M.%S",
            "owner": "100",
            "path": "/home/deploy/.local/share/containers/storage/volumes/shaarli-cache",
            "recurse": false,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "src": null,
            "state": "directory",
            "unsafe_writes": false
        }
    },
    "item": "~/.local/share/containers/storage/volumes/shaarli-cache",
    "mode": "0755",
    "owner": "100099",
    "path": "/home/deploy/.local/share/containers/storage/volumes/shaarli-cache",
    "size": 4096,
    "state": "directory",
    "uid": 100099
}

MSG:

chown failed: [Errno 1] Operation not permitted: b'/home/deploy/.local/share/containers/storage/volumes/shaarli-cache'
Using module file /home/live/playbooks/default/.venv/lib/python3.9/site-packages/ansible/modules/file.py
Pipelining is enabled.
<podman1.xinit.se> ESTABLISH SSH CONNECTION FOR USER: deploy
<podman1.xinit.se> SSH: EXEC ssh -o ControlMaster=auto -o ControlPersist=3600s -o PreferredAuthentications=publickey -o 'IdentityFile="/home/live/.ssh/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="deploy"' -o ConnectTimeout=10 -o 'ControlPath="/home/live/.ansible/cp/89d9f44442"' podman1.xinit.se '/bin/sh -c '"'"'/usr/bin/python3 && sleep 0'"'"''
<podman1.xinit.se> (1, b'\n{"path": "/home/deploy/.local/share/containers/storage/volumes/shaarli-data", "failed": true, "msg": "chown failed: [Errno 1] Operation not permitted: b\'/home/deploy/.local/share/containers/storage/volumes/shaarli-data\'", "exception": "  File \\"/tmp/user/1000/ansible_ansible.builtin.file_payload_w6ukbigg/ansible_ansible.builtin.file_payload.zip/ansible/module_utils/basic.py\\", line 833, in set_owner_if_different\\n    os.lchown(b_path, uid, -1)\\n", "uid": 100099, "gid": 100100, "owner": "100099", "group": "100100", "mode": "0755", "state": "directory", "size": 4096, "invocation": {"module_args": {"state": "directory", "owner": "100", "group": "101", "path": "/home/deploy/.local/share/containers/storage/volumes/shaarli-data", "recurse": false, "force": false, "follow": true, "modification_time_format": "%Y%m%d%H%M.%S", "access_time_format": "%Y%m%d%H%M.%S", "unsafe_writes": false, "_original_basename": null, "_diff_peek": null, "src": null, "modification_time": null, "access_time": null, "mode": null, "seuser": null, "serole": null, "selevel": null, "setype": null, "attributes": null}}}\n', b'')
<podman1.xinit.se> Failed to connect to the host via ssh: 
The full traceback is:
  File "/tmp/user/1000/ansible_ansible.builtin.file_payload_w6ukbigg/ansible_ansible.builtin.file_payload.zip/ansible/module_utils/basic.py", line 833, in set_owner_if_different
    os.lchown(b_path, uid, -1)
failed: [podman1.xinit.se] (item=~/.local/share/containers/storage/volumes/shaarli-data) => {
    "ansible_loop_var": "item",
    "changed": false,
    "gid": 100100,
    "group": "100100",
    "invocation": {
        "module_args": {
            "_diff_peek": null,
            "_original_basename": null,
            "access_time": null,
            "access_time_format": "%Y%m%d%H%M.%S",
            "attributes": null,
            "follow": true,
            "force": false,
            "group": "101",
            "mode": null,
            "modification_time": null,
            "modification_time_format": "%Y%m%d%H%M.%S",
            "owner": "100",
            "path": "/home/deploy/.local/share/containers/storage/volumes/shaarli-data",
            "recurse": false,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "src": null,
            "state": "directory",
            "unsafe_writes": false
        }
    },
    "item": "~/.local/share/containers/storage/volumes/shaarli-data",
    "mode": "0755",
    "owner": "100099",
    "path": "/home/deploy/.local/share/containers/storage/volumes/shaarli-data",
    "size": 4096,
    "state": "directory",
    "uid": 100099
}

MSG:

chown failed: [Errno 1] Operation not permitted: b'/home/deploy/.local/share/containers/storage/volumes/shaarli-data'
	to retry, use: --limit @/home/live/GIT/ansible-playbook-infra.git/playbook.retry

Can you also reproduce it with the example tasks I provided?

@grzs
Contributor

grzs commented Apr 14, 2023

I am trying to understand what's going on; in the output I can't see podman unshare being used.

@nodiscc
Author

nodiscc commented Apr 14, 2023

in the output I can't see podman unshare used

Me neither. Is it supposed to show something specific in the output? (Do you have an example of a working task that uses podman unshare?) The task is definitely called as documented in https://docs.ansible.com/ansible/latest/collections/containers/podman/podman_unshare_become.html :

- name: set permissions/ownership on podman volumes
  become: yes
  become_method: containers.podman.podman_unshare
...

@grzs
Contributor

grzs commented Apr 14, 2023

@nodiscc Until I dive deeper, I'll paste my output of the 'file' module I ran just now with this become plugin. You can see where the become plugin stepped in, on the line before the phrase "Escalation succeeded":

TASK [chown a file with unshare] ***********************************************************************************************************************************************
task path: /Users/grzs/devel/ansible/podman_test.yml:23
<10.0.0.1> ESTABLISH SSH CONNECTION FOR USER: grzs
<10.0.0.1> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="grzs"' -o ConnectTimeout=10 -o ControlPath=/Users/grzs/.ansible/cp/c2b9da0aa6 10.0.0.1 '/bin/sh -c '"'"'echo ~grzs && sleep 0'"'"''
<10.0.0.1> (0, b'/home/grzs\n', b'')
<10.0.0.1> ESTABLISH SSH CONNECTION FOR USER: grzs
<10.0.0.1> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="grzs"' -o ConnectTimeout=10 -o ControlPath=/Users/grzs/.ansible/cp/c2b9da0aa6 10.0.0.1 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /home/grzs/.ansible/tmp `"&& mkdir "` echo /home/grzs/.ansible/tmp/ansible-tmp-1681494313.218902-85805-118512800497671 `" && echo ansible-tmp-1681494313.218902-85805-118512800497671="` echo /home/grzs/.ansible/tmp/ansible-tmp-1681494313.218902-85805-118512800497671 `" ) && sleep 0'"'"''
<10.0.0.1> (0, b'ansible-tmp-1681494313.218902-85805-118512800497671=/home/grzs/.ansible/tmp/ansible-tmp-1681494313.218902-85805-118512800497671\n', b'')
Using module file /Users/grzs/devel/ansible/venv38/lib/python3.8/site-packages/ansible/modules/file.py
<10.0.0.1> PUT /Users/grzs/.ansible/tmp/ansible-local-857768ois_j8_/tmpmdeywtb6 TO /home/grzs/.ansible/tmp/ansible-tmp-1681494313.218902-85805-118512800497671/AnsiballZ_file.py
<10.0.0.1> SSH: EXEC sftp -b - -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="grzs"' -o ConnectTimeout=10 -o ControlPath=/Users/grzs/.ansible/cp/c2b9da0aa6 '[10.0.0.1]'
<10.0.0.1> (0, b'sftp> put /Users/grzs/.ansible/tmp/ansible-local-857768ois_j8_/tmpmdeywtb6 /home/grzs/.ansible/tmp/ansible-tmp-1681494313.218902-85805-118512800497671/AnsiballZ_file.py\n', b'')
<10.0.0.1> ESTABLISH SSH CONNECTION FOR USER: grzs
<10.0.0.1> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="grzs"' -o ConnectTimeout=10 -o ControlPath=/Users/grzs/.ansible/cp/c2b9da0aa6 10.0.0.1 '/bin/sh -c '"'"'chmod u+x /home/grzs/.ansible/tmp/ansible-tmp-1681494313.218902-85805-118512800497671/ /home/grzs/.ansible/tmp/ansible-tmp-1681494313.218902-85805-118512800497671/AnsiballZ_file.py && sleep 0'"'"''
<10.0.0.1> (0, b'', b'')
<10.0.0.1> ESTABLISH SSH CONNECTION FOR USER: grzs
<10.0.0.1> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="grzs"' -o ConnectTimeout=10 -o ControlPath=/Users/grzs/.ansible/cp/c2b9da0aa6 -tt 10.0.0.1 '/bin/sh -c '"'"'podman unshare /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-wedeaptfqofwyawajvaqoatgjufilvtg ; /usr/bin/python3 /home/grzs/.ansible/tmp/ansible-tmp-1681494313.218902-85805-118512800497671/AnsiballZ_file.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
Escalation succeeded
<10.0.0.1> (0, b'\r\n{"path": "/home/grzs/test/foo", "changed": true, "diff": {"before": {"path": "/home/grzs/test/foo", "owner": 0, "group": 0}, "after": {"path": "/home/grzs/test/foo", "owner": 1000, "group": 1000}}, "uid": 1000, "gid": 1000, "owner": "grzs", "group": "grzs", "mode": "0664", "state": "file", "size": 0, "invocation": {"module_args": {"state": "file", "path": "/home/grzs/test/foo", "owner": "1000", "group": "1000", "recurse": false, "force": false, "follow": true, "modification_time_format": "%Y%m%d%H%M.%S", "access_time_format": "%Y%m%d%H%M.%S", "unsafe_writes": false, "_original_basename": null, "_diff_peek": null, "src": null, "modification_time": null, "access_time": null, "mode": null, "seuser": null, "serole": null, "selevel": null, "setype": null, "attributes": null}}}\r\n', b'Shared connection to 10.0.0.1 closed.\r\n')
<10.0.0.1> ESTABLISH SSH CONNECTION FOR USER: grzs
<10.0.0.1> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="grzs"' -o ConnectTimeout=10 -o ControlPath=/Users/grzs/.ansible/cp/c2b9da0aa6 10.0.0.1 '/bin/sh -c '"'"'rm -f -r /home/grzs/.ansible/tmp/ansible-tmp-1681494313.218902-85805-118512800497671/ > /dev/null 2>&1 && sleep 0'"'"''
<10.0.0.1> (0, b'', b'')
changed: [test_host] => {
    "changed": true,
    "diff": {
        "after": {
            "group": 1000,
            "owner": 1000,
            "path": "/home/grzs/test/foo"
        },
        "before": {
            "group": 0,
            "owner": 0,
            "path": "/home/grzs/test/foo"
        }
    },
    "gid": 1000,
    "group": "grzs",
    "invocation": {
        "module_args": {
            "_diff_peek": null,
            "_original_basename": null,
            "access_time": null,
            "access_time_format": "%Y%m%d%H%M.%S",
            "attributes": null,
            "follow": true,
            "force": false,
            "group": "1000",
            "mode": null,
            "modification_time": null,
            "modification_time_format": "%Y%m%d%H%M.%S",
            "owner": "1000",
            "path": "/home/grzs/test/foo",
            "recurse": false,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "src": null,
            "state": "file",
            "unsafe_writes": false
        }
    },
    "mode": "0664",
    "owner": "grzs",
    "path": "/home/grzs/test/foo",
    "size": 0,
    "state": "file",
    "uid": 1000
}

@grzs
Contributor

grzs commented Apr 14, 2023

... and the corresponding task:

  - name: chown a file with unshare
    become_method: containers.podman.podman_unshare
    become: yes
    ansible.builtin.file:
      state: file
      path: "{{ test_dir }}/foo"
      owner: 1000
      group: 1000

@grzs
Contributor

grzs commented Apr 14, 2023

The problem can be that ansible_user is root. Podman unshare can't be run by root. #529 #530

@nodiscc
Author

nodiscc commented Sep 28, 2023

This was caused by become_user: "{{ ansible_user }}". With this task definition (with the become_user directive removed) I no longer get the error:

- name: set permissions/ownership on podman volumes
  become: yes
  become_method: containers.podman.podman_unshare
  ansible.builtin.file:
    state: directory
    owner: 100
    group: 101
    path: "{{ item }}"
  with_items:
   - ~/.local/share/containers/storage/volumes/shaarli-cache
   - ~/.local/share/containers/storage/volumes/shaarli-data

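The failing run earlier in the thread calls os.lchown() as the plain deploy user, while grzs's working run is wrapped in `podman unshare`. The following added example (not code from this thread or from the containers.podman collection) models why that matters: it maps the task's owner 100 / group 101 to the host ids 100099 / 100100 visible in the failing output. It assumes a constructed /etc/subuid and /etc/subgid entry `deploy:100000:65536` and that deploy's own host uid/gid are 1000.

```python
# Added example (not from the issue thread or the containers.podman collection):
# reproduce how podman's rootless user namespace maps ids the way uid_map does.
# On a real host, read /etc/subuid or run `podman unshare cat /proc/self/uid_map`.

# Constructed sample lines in /etc/subuid and /etc/subgid format (user:start:count).
SUBUID_SAMPLE = "deploy:100000:65536\n"
SUBGID_SAMPLE = "deploy:100000:65536\n"
DEPLOY_UID = 1000  # assumed host uid/gid of the unprivileged ansible user
DEPLOY_GID = 1000


def parse_subid(text, user):
    """Return the (start, count) subordinate ranges listed for `user`."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges


def to_host_id(ns_id, user_id, ranges):
    """Map an id inside the rootless namespace to the host id.

    Id 0 in the namespace is the user itself; ids 1.. are taken in order from
    the subordinate ranges, which is how podman builds /proc/self/uid_map.
    Returns None if the id is not mapped at all.
    """
    if ns_id == 0:
        return user_id
    offset = ns_id - 1
    for start, count in ranges:
        if offset < count:
            return start + offset
        offset -= count
    return None


def host_owner(owner, group, user="deploy"):
    """Host (uid, gid) that `chown owner:group` inside `podman unshare` produces."""
    uid = to_host_id(owner, DEPLOY_UID, parse_subid(SUBUID_SAMPLE, user))
    gid = to_host_id(group, DEPLOY_GID, parse_subid(SUBGID_SAMPLE, user))
    return uid, gid


def chown_outcome(owner, inside_unshare):
    """Simplified model of os.lchown(path, owner) for the task's owner.

    Outside the namespace the plain user lacks CAP_CHOWN, so changing the
    owner fails with EPERM (the "Operation not permitted" in the issue).
    Inside `podman unshare` it has CAP_CHOWN there, but only mapped ids are
    valid: an unmapped id fails with EINVAL.
    """
    if not inside_unshare:
        return "EPERM"
    mapped = to_host_id(owner, DEPLOY_UID, parse_subid(SUBUID_SAMPLE, "deploy"))
    return "ok" if mapped is not None else "EINVAL"
```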
@nodiscc nodiscc closed this as completed Sep 28, 2023