[WARNING] Ansible is in a world writable directory

Bug #1807703 reported by Sorin Sbarnea on 2018-12-10
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
High
Sorin Sbarnea

Bug Description

Among our build logs there are lots of messages like below:

[WARNING] Ansible is in a world writable directory (/home/zuul/src/git.openstack.org/openstack/tripleo-quickstart), ignoring it as an ansible.cfg source.
2018-12-10 11:58:22.137763 | primary |

This kind of message sould not be treated just as a warning because it has serious implications because Ansible will skip loading the ansible.cfg for this reason, meaning that our code will not use it, allowing introduction of invalid changes to the file.

This error by itself undelines a likely bad configuration for default CI user permission which allow other users to edit files created by the zuul user, something that should never be true.

It may be possible that someone added a 777 to the folder by mistake but I suspect this may be at user level.

Does zuul have an incorrect umask?

https://logs.rdoproject.org/02/623202/4/openstack-check/tripleo-ci-centos-7-ovb-3ctlr_1comp-featureset053/4ce25ea/job-output.txt.gz#_2018-12-10_11_58_19_996877

https://review.rdoproject.org/app/kibana#/discover?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-7d,mode:quick,to:now))&_a=(columns:!(_source),index:'logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'message:%22Ansible%20is%20in%20a%20world%20writable%20directory%22')),sort:!('@timestamp',desc))

http://logstash.openstack.org/#dashboard/file/logstash.json?query=message%3A%5C%22%5BWARNING%5D%20Ansible%20is%20in%20a%20world%20writable%20directory%5C%22

Note: rdoproject kibana reports errors related to zuul user but openstack logstash reports ones related to stack user which makes me believe this errors are caused by two similar bugs, one caused by *rdo* zuul config and another one related to undercloud stack user umask. Unrelated but with similar outcomes, ansible.cfg not being loaded.

Sorin Sbarnea (ssbarnea) on 2018-12-10
description: updated
Sorin Sbarnea (ssbarnea) wrote :

I found one of the sources: https://github.com/openstack-infra/zuul-jobs/blob/master/roles/fetch-zuul-cloner/tasks/main.yaml#L24

Also affects the rdo fork of zuul cloner which has the same code.

Changed in tripleo:
assignee: nobody → Sorin Sbarnea (ssbarnea)
importance: Undecided → Medium
Sorin Sbarnea (ssbarnea) wrote :

It seems that this become a blocker for https://bugs.launchpad.net/tripleo/+bug/1807703 because it prevents implementation of a workaround which requires adding a new value to ansible.cfg.

Due to this I will raise its priority.

Changed in tripleo:
status: New → Triaged
importance: Medium → High
wes hayutin (weshayutin) on 2018-12-19
Changed in tripleo:
milestone: none → stein-2
Changed in tripleo:
milestone: stein-2 → stein-3
Sorin Sbarnea (ssbarnea) on 2019-02-07
Changed in tripleo:
status: Triaged → Fix Released
Sorin Sbarnea (ssbarnea) on 2019-04-17
Changed in tripleo:
status: Fix Released → Triaged
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers