tripleo_create_admin creates a user with wrong permissions in the $HOME dir

Bug #1917856 reported by Francesco Pantano
Affects: tripleo
Status: In Progress
Importance: High
Assigned to: Francesco Pantano

Bug Description

When the standalone job is run, during the ceph provisioning the playbook [1] is run with the purpose of creating the ceph-admin user, used later in the process by cephadm.
However, during the execution of [2], the resulting user has wrong permissions in the generated $HOME dir.

As per my tests on the useradd module, using the TripleO provided inventory I find the following:

"""
- hosts: overcloud
  become: true
  tasks:
    - name: create user
      user:
        name: test

[root@standalone ~]# ls -ldZ /home/*
drwx------. 2 qemu qemu unconfined_u:object_r:user_home_dir_t:s0 62 Mar 3 10:44 /home/qemu
drwx------. 2 1001 1002 unconfined_u:object_r:user_home_dir_t:s0 62 Mar 3 13:16 /home/test
[root@standalone ~]# getent group | grep test
test:x:1003:
[root@standalone ~]# getent passwd | grep test
test:x:1002:1003::/home/test:/bin/bash
[root@standalone ~]#
"""

But ... running the same playbook with hosts: localhost OR hosts: overcloud, the home directory is created w/o issues.

"""

- hosts: overcloud
  become: true
  tasks:
    - name: create user
      user:
        name: test1

[root@standalone ~]# ls -ldZ /home/*
drwx------. 2 qemu qemu unconfined_u:object_r:user_home_dir_t:s0 62 Mar 3 10:44 /home/qemu
drwx------. 2 1001 1002 unconfined_u:object_r:user_home_dir_t:s0 62 Mar 3 13:16 /home/test
drwx------. 2 test1 test1 unconfined_u:object_r:user_home_dir_t:s0 62 Mar 3 13:18 /home/test1
"""

There are no other places in the code where permissions are changed/modified, so it's safe to have a task that makes sure the HOME dir is created with the right permissions and the user can use it.

[1] https://github.com/openstack/tripleo-ansible/blob/master/tripleo_ansible/playbooks/cli-enable-ssh-admin.yaml

[2] https://github.com/openstack/tripleo-ansible/blob/master/tripleo_ansible/roles/tripleo_create_admin/tasks/create_user.yml#L18
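A post-provisioning check for the symptom reported above, where /home/test is owned by 1001:1002 while the account itself is 1002:1003. This is an added example, not part of the original report or of tripleo-ansible; the function names and the test1/nohome sample values are assumptions made for illustration.

```python
"""Flag accounts whose home directory is not owned by the account's own UID/GID."""
import os
from types import SimpleNamespace


def parse_passwd(lines):
    """Yield (name, uid, gid, home) from passwd(5)-format lines."""
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) == 7 and fields[2].isdigit() and fields[3].isdigit():
            yield fields[0], int(fields[2]), int(fields[3]), fields[5]


def audit_homes(passwd_lines, stat_fn=os.stat, prefix="/home/"):
    """Return (user, home, problem) tuples for home directories under `prefix`."""
    findings = []
    for name, uid, gid, home in parse_passwd(passwd_lines):
        if not home.startswith(prefix):
            continue  # accounts with homes elsewhere (/root, /var/lib/...) are out of scope
        try:
            st = stat_fn(home)
        except FileNotFoundError:
            findings.append((name, home, "home directory missing"))
            continue
        if (st.st_uid, st.st_gid) != (uid, gid):
            findings.append((name, home,
                             f"owned by {st.st_uid}:{st.st_gid}, expected {uid}:{gid}"))
    return findings


# The "test" values are the ones shown in the report; the "test1" IDs and the
# "nohome" account are constructed for illustration.
SAMPLE_PASSWD = [
    "test:x:1002:1003::/home/test:/bin/bash",
    "test1:x:1003:1004::/home/test1:/bin/bash",
    "nohome:x:1004:1005::/home/nohome:/bin/bash",
    "root:x:0:0:root:/root:/bin/bash",
]
SAMPLE_OWNERS = {"/home/test": (1001, 1002), "/home/test1": (1003, 1004)}


def sample_stat(path):
    """Stand-in for os.stat() backed by SAMPLE_OWNERS, so the demo runs offline."""
    if path not in SAMPLE_OWNERS:
        raise FileNotFoundError(path)
    uid, gid = SAMPLE_OWNERS[path]
    return SimpleNamespace(st_uid=uid, st_gid=gid)


if __name__ == "__main__":
    for user, home, problem in audit_homes(SAMPLE_PASSWD, sample_stat):
        print(f"{user}: {home}: {problem}")
```

On a live host, passing the lines of /etc/passwd and leaving `stat_fn` at its default audits the real directories.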

Changed in tripleo:
assignee: nobody → Francesco Pantano (fmount)
John Fulton (jfulton-org) wrote :
Changed in tripleo:
status: New → In Progress
importance: Undecided → High
milestone: none → wallaby-3
Alex Schultz (alex-schultz) wrote :

Sounds like an ansible bug specifically around the local connection vs doing stuff via ssh

John Fulton (jfulton-org) wrote :

I think the root cause of this bug is the same as this one, so I marked it as a duplicate.

 https://bugs.launchpad.net/tripleo/+bug/1918188

Even with the following fixing patch, which has now merged, we still hit similar issues from the same root cause.

 https://review.opendev.org/c/openstack/tripleo-ansible/+/778624

I think the following will resolve it though even after 778624 is reverted.

 https://review.opendev.org/c/openstack/tripleo-ansible/+/779358

I propose we revert 778624 and see if it works in CI after 779358 merges and if so, merge the revert.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-ansible 3.1.0

This issue was fixed in the openstack/tripleo-ansible 3.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-ansible (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/846530
