2
votes

I'm trying to provision a local kubernetes cluster using Vagrant (v2.1.2) and VirtualBox (v5.2.20).

My Vagrantfile uses the ansible_local provisioner to run some ansible playbooks to provision a K8s cluster using kubeadm.

This was all working perfectly a few months back when I ran this, but it's not working anymore. Not sure why it stopped working, but the ansible playbook for the master node fails when I try to copy the kube config to the vagrant user's home dir.

The ansible task that fails is as follows:

- name: Copy kubeconfig for vagrant user
  copy:
     src: /etc/kubernetes/admin.conf
     dest: /home/vagrant/.kube/
     owner: vagrant
     group: vagrant

This is causing the following error: fatal: [master1]: FAILED! => {"msg": "an error occurred while trying to read the file '/etc/kubernetes/admin.conf': [Errno 13] Permission denied: '/etc/kubernetes/admin.conf'"}

The src file does exist. If I ssh into the VM after the failure, I can copy the file with sudo cp /etc/kubernetes/admin.conf /home/vagrant/, but the failure above causes the vagrant provisioning to fail/halt.

FYI, I've tried a few combinations of things at the play and task levels, e.g. become: true, remote_user: root, e.g.

---
- hosts: all
  become: true
  tasks:
  ...

... but to no avail.

permissions on admin.conf are as follows:

vagrant@master1:/etc/kubernetes$ ls -al admin.conf
-rw------- 1 root root 5453 Aug  5 14:07 admin.conf

Full master-playbook.yml can be found here.

How do I get ansible to copy the file?

1
Normally the copy module looks at your local host for the file, unless you specify the remote_src flag as an option, at which point it would look at the directory for your remote host for it. So are you running the playbook with root privs? If not, you have a local user account attempting to read a file that only allows that for root. And seeing as you can change the privs for the file on the remote host with the mode option, maybe try opening up the read privileges to other users on that file locally. - ebrewer

1 Answer

3
votes

Quoting from copy

src Local path to a file to copy to the remote server.

The play failed because the user who is running the ansible playbook can't read the file at the controller (local path):

permission denied: '/etc/kubernetes/admin.conf'

Use remote_src: yes

remote_src If yes it will go to the remote/target machine for the src

- name: Copy kubeconfig for vagrant user
  copy:
     remote_src: yes
     src: /etc/kubernetes/admin.conf
     dest: /home/vagrant/.kube/
     owner: vagrant
     group: vagrant

From the comment, this seems to be what you want to do

"The src file does exist. If I ssh into the VM after the failure, I can copy the file with sudo cp /etc/kubernetes/admin.conf /home/vagrant/"

This should work if the remote_user at the VM is allowed to sudo su and escalation is properly set:

- hosts: all
  become: yes
  become_user: root
  become_method: sudo

It would not be enough to allow the remote_user to sudo cp only. See Can’t limit escalation to certain commands

Privilege escalation permissions have to be general. Ansible does not always use a specific command to do something but runs modules (code) from a temporary file name which changes every time. If you have ‘/sbin/service’ or ‘/bin/chmod’ as the allowed commands this will fail ...
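The two snippets from the answer combined into one play, as an added example that is not code from the question or the answer. It also pins the mode of the copy and checks the result, since admin.conf holds cluster-admin credentials. The dest file name /home/vagrant/.kube/config (kubectl's default path) and the directory task are assumptions not taken from the page.

```yaml
---
# Added example. Assumes the setup from the question: admin.conf already
# exists on the target VM as a root-owned file with mode 0600.
- hosts: all
  become: yes             # modules run as root on the target, so src is readable
  become_user: root
  become_method: sudo
  tasks:
    - name: Create .kube directory for vagrant user
      file:
        path: /home/vagrant/.kube
        state: directory
        owner: vagrant
        group: vagrant
        mode: '0700'

    - name: Copy kubeconfig for vagrant user
      copy:
        remote_src: yes   # read src on the target, not on the controller
        src: /etc/kubernetes/admin.conf
        dest: /home/vagrant/.kube/config   # assumption: kubectl's default path
        owner: vagrant
        group: vagrant
        mode: '0600'      # keep the credentials unreadable to other users

    - name: Read back ownership and mode of the copy
      stat:
        path: /home/vagrant/.kube/config
      register: kubeconfig

    - name: Fail if the copy is not owned by vagrant with mode 0600
      assert:
        that:
          - kubeconfig.stat.exists
          - kubeconfig.stat.pw_name == 'vagrant'
          - kubeconfig.stat.mode == '0600'
```

Without remote_src the file is read on the controller by the user running ansible-playbook, and become does not apply to that read, which is why setting become alone did not clear the error.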