tripleo

Deployment Failed With Permission Denied when /tmp is mounted with noexec flag

Bug #1897430 reported by Zhu Shengli on 2020-09-27

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Triaged	High	Unassigned	tripleo xena-3

Bug Description

Description
===========
Deployment failed with permission denied error during executing TASK [tripleo-keystone-resources : Create admin and service projects].

```
[Errno 13] Permission denied: '/tmp/ansible-tripleo-admin/ansible-tmp-1600869521.9836748-14081-71570802572665/AnsiballZ_os_project.py'
```

Actually exec permission bit of the python script mentioned in the error message is well configured, but the `/tmp` is mounted with `noexec` flag on my Undercloud because of security requirement, so it's not executable.

```
$ mount | grep /tmp
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime,seclabel)
```

Steps to reproduce
==================

1. mount /tmp with `noexec` flag
2. openstack deploy.

Expected result
===============
Deployed successfully.

Actual result
=============
Failed.

Environment
===========
OSP16

Logs & Configs
==============

```
2020-09-23 21:58:41,709 p=303 u=mistral | TASK [tripleo-keystone-resources : Create admin and service projects] **********
2020-09-23 21:58:41,710 p=303 u=mistral | Wednesday 23 September 2020 21:58:41 +0800 (0:00:02.169) 1:05:18.181 ***
2020-09-23 21:58:41,849 p=303 u=mistral | included: /usr/share/ansible/roles/tripleo-keystone-resources/tasks/projects.yml for undercloud
2020-09-23 21:58:41,930 p=303 u=mistral | TASK [tripleo-keystone-resources : Async creation of Keystone project] *********
2020-09-23 21:58:41,931 p=303 u=mistral | Wednesday 23 September 2020 21:58:41 +0800 (0:00:00.220) 1:05:18.402 ***
2020-09-23 21:58:42,925 p=303 u=mistral | changed: [undercloud] => (item=admin) => {"ansible_job_id": "764312968366.957080", "ansible_loop_var": "tripleo_keystone_resources_project", "changed": true, "finished": 0, "results_file": "/root/.ansible_async/764312968366.957080", "started": 1, "tripleo_keystone_resources_project": "admin"}
2020-09-23 21:58:43,640 p=303 u=mistral | changed: [undercloud] => (item=service) => {"ansible_job_id": "400271196630.957308", "ansible_loop_var": "tripleo_keystone_resources_project", "changed": true, "finished": 0, "results_file": "/root/.ansible_async/400271196630.957308", "started": 1, "tripleo_keystone_resources_project": "service"}
2020-09-23 21:58:43,734 p=303 u=mistral | TASK [tripleo-keystone-resources : Check Keystone project status] **************
2020-09-23 21:58:43,734 p=303 u=mistral | Wednesday 23 September 2020 21:58:43 +0800 (0:00:01.803) 1:05:20.206 ***
2020-09-23 21:58:44,158 p=303 u=mistral | failed: [undercloud] (item={'started': 1, 'finished': 0, 'ansible_job_id': '764312968366.957080', 'results_file': '/root/.ansible_async/764312968366.957080', 'changed': True, 'failed': False, 'tripleo_keystone_resources_project': 'admin', 'ansible_loop_var': 'tripleo_keystone_resources_project'}) => {"ansible_job_id": "764312968366.957080", "ansible_loop_var": "tripleo_keystone_resources_project_async_result_item", "attempts": 1, "changed": false, "cmd": "/tmp/ansible-tripleo-admin/ansible-tmp-1600869521.9836748-14081-71570802572665/AnsiballZ_os_project.py", "finished": 1, "msg": "[Errno 13] Permission denied: '/tmp/ansible-tripleo-admin/ansible-tmp-1600869521.9836748-14081-71570802572665/AnsiballZ_os_project.py'", "outdata": "", "stderr": "", "stderr_lines": [], "tripleo_keystone_resources_project_async_result_item": {"ansible_job_id": "764312968366.957080", "ansible_loop_var": "tripleo_keystone_resources_project", "changed": true, "failed": false, "finished": 0, "results_file": "/root/.ansible_async/764312968366.957080", "started": 1, "tripleo_keystone_resources_project": "admin"}}
2020-09-23 21:58:44,413 p=303 u=mistral | failed: [undercloud] (item={'started': 1, 'finished': 0, 'ansible_job_id': '400271196630.957308', 'results_file': '/root/.ansible_async/400271196630.957308', 'changed': True, 'failed': False, 'tripleo_keystone_resources_project': 'service', 'ansible_loop_var': 'tripleo_keystone_resources_project'}) => {"ansible_job_id": "400271196630.957308", "ansible_loop_var": "tripleo_keystone_resources_project_async_result_item", "attempts": 1, "changed": false, "cmd": "/tmp/ansible-tripleo-admin/ansible-tmp-1600869522.929629-14081-134095923524494/AnsiballZ_os_project.py", "finished": 1, "msg": "[Errno 13] Permission denied: '/tmp/ansible-tripleo-admin/ansible-tmp-1600869522.929629-14081-134095923524494/AnsiballZ_os_project.py'", "outdata": "", "stderr": "", "stderr_lines": [], "tripleo_keystone_resources_project_async_result_item": {"ansible_job_id": "400271196630.957308", "ansible_loop_var": "tripleo_keystone_resources_project", "changed": true, "failed": false, "finished": 0, "results_file": "/root/.ansible_async/400271196630.957308", "started": 1, "tripleo_keystone_resources_project": "service"}}
```

See original description

Tags:

Zhu Shengli (akarei) on 2020-09-27

summary:	- Ansible Task Permission Denied when /tmp is mounted with noexec flag + Ansible Task Failed With Permission Denied when /tmp is mounted with + noexec flag
tags:	added: tripleo
tags:	added: tripleo-common
summary:	- Ansible Task Failed With Permission Denied when /tmp is mounted with + Deployment Failed With Permission Denied when /tmp is mounted with noexec flag
description:	updated

Revision history for this message

Zhu Shengli (akarei) wrote on 2020-09-27:

I found that the `ansible_remote_tmp` is set as `/tmp/ansible-${USER}` for fixing an issue.

https://review.opendev.org/#/c/577544

As far as I know the variable(in the `inventory.yaml`) takes the highest precedence for ansible configuration, so I guess there is no way I can override it? Is that possible to make `ansible_remote_tmp` configurable or add a condition for covering the `noexec` corner case?

Alex Schultz (alex-schultz) on 2020-09-28

Changed in tripleo:
status:	New → Triaged
importance:	Undecided → High
milestone:	none → victoria-rc1

Marios Andreou (marios-b) on 2020-11-03

Changed in tripleo:
milestone:	victoria-rc1 → wallaby-1

Marios Andreou (marios-b) on 2020-12-08

Changed in tripleo:
milestone:	wallaby-1 → wallaby-2

Marios Andreou (marios-b) on 2021-01-29

Changed in tripleo:
milestone:	wallaby-2 → wallaby-3

Marios Andreou (marios-b) on 2021-03-17

Changed in tripleo:
milestone:	wallaby-3 → wallaby-rc1

Marios Andreou (marios-b) on 2021-05-06

Changed in tripleo:
milestone:	wallaby-rc1 → xena-1

Marios Andreou (marios-b) on 2021-06-22

Changed in tripleo:
milestone:	xena-1 → xena-2

Marios Andreou (marios-b) on 2021-07-21

Changed in tripleo:
milestone:	xena-2 → xena-3

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.