Reputation: 547
I am using ansible to replace the ssh keys for a user on multiple RHEL6 & RHEL7 servers. The task I am running is:
```yaml
- name: private key
  copy:
    src: /Users/me/Documents/keys/id_rsa
    dest: ~/.ssh/
    owner: unpriv
    group: unpriv
    mode: 0600
    backup: yes
```
Two of the hosts that I'm trying to update are giving the following error:
```
fatal: [host1]: FAILED! => {"failed": true, "msg": "Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user (rc: 1, err: chown: changing ownership of `/tmp/ansible-tmp-19/': Operation not permitted\nchown: changing ownership of `/tmp/ansible-tmp-19/stat.py': Operation not permitted\n). For information on working around this, see https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user"}
```
The thing is that these two that are getting the errors are clones of some that are updating just fine. I've compared the sudoers and sshd settings, as well as permissions and mount options on the /tmp directory. They are all the same between the problem hosts and the working ones. Any ideas on what I could check next?
I am running ansible 2.3.1.0 on Mac OS Sierra, if that helps.
Update:
@techraf
I have no idea why this worked on all hosts except for two. Here is the original playbook:
```yaml
- name: ssh_keys
  hosts: my_hosts
  remote_user: my_user
  tasks:
    - include: ./roles/common/tasks/keys.yml
      become: yes
      become_method: sudo
```
and the original keys.yml:
```yaml
- name: public key
  copy:
    src: /Users/me/Documents/keys/id_rsab
    dest: ~/.ssh/
    owner: unpriv
    group: unpriv
    mode: 060
    backup: yes
```
I changed the playbook to:
```yaml
- name: ssh_keys
  hosts: my_hosts
  remote_user: my_user
  tasks:
    - include: ./roles/common/tasks/keys.yml
      become: yes
      become_method: sudo
      become_user: root
```
And keys.yml to:
```yaml
- name: public key
  copy:
    src: /Users/me/Documents/keys/id_rsab
    dest: /home/unpriv/.ssh/
    owner: unpriv
    group: unpriv
    mode: 0600
    backup: yes
```
And it worked across all hosts.
Upvotes: 34
Views: 54370
Reputation: 991
Try installing ACL on the remote host, then execute the Ansible script:
```sh
sudo apt-get install acl
```
As explained in the docs:
when both the connection user and the become_user are unprivileged, the module file is written as the user that Ansible connects as (the remote_user), but the file needs to be readable by the user Ansible is set to become. On POSIX systems, Ansible solves this problem in the following way:
First, if setfacl is installed and available in the remote PATH, and the temporary directory on the remote host is mounted with POSIX.1e filesystem ACL support, Ansible will use POSIX ACLs to share the module file with the second unprivileged user.
Next, if POSIX ACLs are not available or setfacl could not be run, Ansible will attempt to change ownership of the module file using chown for systems which support doing so as an unprivileged user.
Upvotes: 99
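To compare the two failing clones against a working host, the first link of that chain (setfacl present, and the temp filesystem accepting ACL entries) can be probed directly on each host before the play runs. The script below is an added example, not code from the answer above or from Ansible itself; it assumes the directory you pass is the one Ansible uses for its remote temp files (the question's error names `/tmp`), and the mounts table it reads is `/proc/mounts` unless you pass another file.

```shell
#!/bin/sh
# Added example (not from the answer or from Ansible). Two probes that
# mirror what Ansible needs for its ACL-based "become to an unprivileged
# user" strategy. Assumption: DIR is the remote temp directory Ansible
# writes module files into (the question's error shows /tmp).

# acl_probe DIR: print one token describing whether Ansible's setfacl-based
# strategy can work in DIR.
#   setfacl-missing  setfacl is not in PATH (install the acl package)
#   dir-unwritable   DIR does not exist or the current user cannot create files there
#   acl-unsupported  setfacl is present but the filesystem rejects ACL entries
#   acl-ok           an ACL entry was written and removed successfully
acl_probe() {
    dir="${1:-/tmp}"
    if ! command -v setfacl >/dev/null 2>&1; then
        printf '%s\n' setfacl-missing
        return 0
    fi
    probe=$(mktemp "$dir/acl-probe.XXXXXX" 2>/dev/null) || {
        printf '%s\n' dir-unwritable
        return 0
    }
    # Granting our own uid rx is harmless but forces a real ACL write,
    # which is the same operation Ansible performs for the become_user.
    if setfacl -m "u:$(id -u):rx" "$probe" 2>/dev/null; then
        result=acl-ok
    else
        result=acl-unsupported
    fi
    rm -f "$probe"
    printf '%s\n' "$result"
}

# mount_opts_for DIR [MOUNTS]: print the mount options of the filesystem
# that holds DIR, by longest-prefix match against a /proc/mounts-style
# table (default /proc/mounts; on equal length the later line wins, since
# later mounts shadow earlier ones). A "noacl" here explains an
# acl-unsupported result from acl_probe.
mount_opts_for() {
    dir="$1"
    mounts="${2:-/proc/mounts}"
    awk -v dir="$dir" '
        {
            mp = $2
            if (dir == mp || mp == "/" || index(dir, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }' "$mounts"
}

# Usage on a host: acl_probe /tmp; mount_opts_for /tmp
```

On RHEL the package is installed with `yum install acl` (the `apt-get` line above is for Debian-based hosts). If `acl_probe` reports `acl-unsupported` and `mount_opts_for` shows `noacl`, the mount options differ from the working hosts despite looking the same at a glance. Only when neither fix is possible do the fallbacks apply: become root as in the question's update, or `allow_world_readable_tmpfiles`, which makes the module file and the arguments embedded in it readable by every local user while the task runs.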
Reputation: 69
I'm using ad-hoc commands, and when I ran into this problem, adding `-b --become-user ANSIBLE_USER` to my command fixed it.
Example:
```sh
ansible all -m file -a "path=/etc/s.text state=touch" -b --become-user ansadmin
```
Of course, before this, I had given sudo access to the user.
If you give sudo access to your user, you can write it like this:
```sh
ansible all -m file -a "path=/var/s.text state=touch" -b --become-user root
```
Upvotes: 0
Reputation: 350
While installing the acl module works, there is an alternative.
Add the line below to the defaults section of your ansible.cfg:
```ini
allow_world_readable_tmpfiles = True
```
Or better, just add it to the task that needs it with:
```yaml
vars:
  allow_world_readable_tmpfiles: true
```
A similar question with more details is Becoming non root user in ansible fails
Upvotes: 6
Reputation: 26885
You could try something like this:
```yaml
- name: private key
  become: true
  become_user: root
  copy:
    src: /Users/me/Documents/keys/id_rsa
    dest: ~/.ssh/
    owner: unpriv
    group: unpriv
    mode: 0600
    backup: yes
```
Notice the:
```yaml
become: true
become_user: root
```
Check the "become" docs for more info.
Upvotes: 10