2018-12-10 14:23:23 |
Sorin Sbarnea |
description |
Among our build logs there are lots of messages like below:
[WARNING] Ansible is in a world writable directory (/home/zuul/src/git.openstack.org/openstack/tripleo-quickstart), ignoring it as an ansible.cfg source.
2018-12-10 11:58:22.137763 | primary |
This kind of message sould not be treated just as a warning because it has serious implications because Ansible will skip loading the ansible.cfg for this reason, meaning that our code will not use it, allowing introduction of invalid changes to the file.
This error by itself undelines a likely bad configuration for default CI user permission which allow other users to edit files created by the zuul user, something that should never be true.
It may be possible that someone added a 777 to the folder by mistake but I suspect this may be at user level.
Does zuul have an incorrect umask?
https://logs.rdoproject.org/02/623202/4/openstack-check/tripleo-ci-centos-7-ovb-3ctlr_1comp-featureset053/4ce25ea/job-output.txt.gz#_2018-12-10_11_58_19_996877
http://logstash.openstack.org/#dashboard/file/logstash.json?query=message%3A%5C%22%5BWARNING%5D%20Ansible%20is%20in%20a%20world%20writable%20directory%5C%22 |
Among our build logs there are lots of messages like below:
[WARNING] Ansible is in a world writable directory (/home/zuul/src/git.openstack.org/openstack/tripleo-quickstart), ignoring it as an ansible.cfg source.
2018-12-10 11:58:22.137763 | primary |
This kind of message sould not be treated just as a warning because it has serious implications because Ansible will skip loading the ansible.cfg for this reason, meaning that our code will not use it, allowing introduction of invalid changes to the file.
This error by itself undelines a likely bad configuration for default CI user permission which allow other users to edit files created by the zuul user, something that should never be true.
It may be possible that someone added a 777 to the folder by mistake but I suspect this may be at user level.
Does zuul have an incorrect umask?
https://logs.rdoproject.org/02/623202/4/openstack-check/tripleo-ci-centos-7-ovb-3ctlr_1comp-featureset053/4ce25ea/job-output.txt.gz#_2018-12-10_11_58_19_996877
https://review.rdoproject.org/app/kibana#/discover?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-7d,mode:quick,to:now))&_a=(columns:!(_source),index:'logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'message:%22Ansible%20is%20in%20a%20world%20writable%20directory%22')),sort:!('@timestamp',desc))
http://logstash.openstack.org/#dashboard/file/logstash.json?query=message%3A%5C%22%5BWARNING%5D%20Ansible%20is%20in%20a%20world%20writable%20directory%5C%22
Note: rdoproject kibana reports errors related to zuul user but openstack logstash reports ones related to stack user which makes me believe this errors are caused by two similar bugs, one caused by *rdo* zuul config and another one related to undercloud stack user umask. Unrelated but with similar outcomes, ansible.cfg not being loaded. |
|