[BUG] Cannot fetch "gossip encryption key"

Question

[BUG] Cannot fetch "gossip encryption key"

HanXHX opened this issue a year ago · comments

Hi,

I tried your role with my vagrant setup but it crashes (single node).

$ ansible --version
ansible [core 2.14.2]
  config file = None
  configured module search path = ['/home/triplestack/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.10/dist-packages/ansible
  ansible collection location = /home/triplestack/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.10.6 (main, Mar 10 2023, 10:55:28) [GCC 11.3.0] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True

vars:

consul_iface: eth1
consul_node_role: server
consul_bootstrap_expect: true
consul_group_name: 'consul'

Raw output:

TASK [consul : Create temporary file to receive gossip encryption key] *********
task path: /home/triplestack/.ansible/roles/consul/tasks/nix.yml:134
changed: [consul1] => {"changed": true, "gid": 0, "group": "root", "mode": "0600", "owner": "root", "path": "/tmp/ansible.eca0g20e", "size": 0, "state": "file", "uid": 0}

TASK [consul : Generate gossip encryption key] *********************************
task path: /home/triplestack/.ansible/roles/consul/tasks/nix.yml:139
changed: [consul1] => {"changed": true, "cmd": "PATH=/usr/local/bin:$PATH consul keygen > /tmp/ansible.eca0g20e", "delta": "0:00:00.020346", "end": "2023-05-19 08:07:09.055333", "msg": "", "rc": 0, "start": "2023-05-19 08:07:09.034987", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}

TASK [consul : Fetch key locally to share with other nodes] ********************
task path: /home/triplestack/.ansible/roles/consul/tasks/nix.yml:143
fatal: [consul1]: FAILED! => {"changed": false, "msg": "file is not readable: /tmp/ansible.eca0g20e"}

TASK [consul : Clean up temporary file] ****************************************
task path: /home/triplestack/.ansible/roles/consul/tasks/nix.yml:151
--- before
+++ after
@@ -1,4 +1,4 @@
 {
     "path": "/tmp/ansible.eca0g20e",
-    "state": "file"
+    "state": "absent"
 }

changed: [consul1] => {"changed": true, "path": "/tmp/ansible.eca0g20e", "state": "absent"}

I think this due to settings who can fail togethers:

Log as standard user + become with sudo
tempfile module is used as root and is not read accessible. But Ansible doc says "In case you need to make them world-accessible you need to use ansible.builtin.file module." => https://github.com/ansible-community/ansible-consul/blob/27ece2ada238ff7cf9293c229eeed19286190e95/tasks/nix.yml#L135
But fetch module is used with standard user (become = no): https://github.com/ansible-community/ansible-consul/blob/27ece2ada238ff7cf9293c229eeed19286190e95/tasks/nix.yml#L143-L145C17

Cheers,

Emilien

Nik Reiman · Answer 1 · Fri May 19 2023 23:23:51 GMT+0800 (China Standard Time)

Good point. Sorry, I hadn't noticed this since in my projects I am not including this role with become: true. See #555.