Awx: Docker Installation: permission error with credentials.py in awx_web

Created on 8 Apr 2019 · 10 Comments · Source: ansible/awx

ISSUE TYPE
  • Bug Report
COMPONENT NAME

  • Installer
SUMMARY


After running the install.yml playbook as a regular user, it will progress a bit then fail. When we run immediately following this failure with sudo it succeeds. If we just run with sudo in the first place it fails with an error in the awx_web logs: PermissionError: [Errno 13] Permission denied: '/etc/tower/conf.d/credentials.py'

ENVIRONMENT
  • AWX version: 4.0.0
  • AWX install method: docker on linux
  • Ansible version: 2.7.9
  • Operating System: CentOS 7.6.1810 (core)
  • Web Browser: NA (Though using Chrome I can connect but only see Internal Server Error)
STEPS TO REPRODUCE

  1. Create a target system using CentOS 7, updated to latest, with a user (sudoer)
  2. Install the prerequisites as described in the Install Guide, I used these tasks:
```yaml
- name: add the node repo
  yum_repository:
    name: node_repos
    state: present
    description: A description was required...
    file: node_repos
    baseurl: https://rpm.nodesource.com/pub_8.x/el/7/x86_64/
    enabled: yes
    sslverify: yes
    gpgcheck: no
  become: yes

- name: install prerequisite packages
  package:
    name: "{{ item }}"
  with_items:
  - epel-release # required to install pip
  - ansible # required to install AWX
  - docker # required to run the AWX containers
  - make
  - git # required to clone the AWX source
  - nodejs # requires the node repo, includes npm 6
  - python2-pip # required for pip module
  - python-virtualenv # required for pip module
  - python-setuptools # required for pip module
  become: yes

- name: install prerequisite python modules
  pip:
    name: "{{ item }}"
  with_items:
  - docker
  - docker-compose
  become: yes

- name: start the required services
  service:
    name: "{{ item }}"
    state: started
    enabled: yes
  with_items:
  - docker
  become: yes
```
  3. Clone the repo
  4. Navigate to the installer folder of the cloned repo
  5. Run the playbook, either with sudo (sudo ansible-playbook -i inventory install.yml) or by becoming root first
  6. Check the awx_web logs and spot the permission error.

Alternatively, here is how I was able to get this to work, following all the same steps up until 5:

...

  5. Run the playbook with ansible-playbook -i inventory install.yml
    This will run through until the starting container step, where it will fail with the following:
```
TASK [local_docker : Start the containers] **************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Error connecting: Error while fetching server API version: ('Connection aborted.', error(13, 'Permission denied'))"}
 [WARNING]: Could not create retry file '/opt/awx-source/installer/install.retry'.
[Errno 13] Permission denied: u'/opt/awx-source/installer/install.retry'
```
  6. Run the playbook with sudo ansible-playbook -i inventory install.yml
    This will complete and AWX will begin going through its first time setup successfully
EXPECTED RESULTS


I would expect the install.yml playbook to complete without error and start the AWX web app.

ACTUAL RESULTS


Permissions error either running the playbook without root (kind of expected), or in the awx_web logs after running as root. Apparently, root user is unable to access the credentials.py file within the awx_web container.

ADDITIONAL INFORMATION


I was attempting to install AWX with an ansible playbook. I've cloned this playbook for review here in case the mistake lies in my attempt to replicate the installation process through a playbook.

Worth noting that I am a total noob with docker, the only reason I use it is for AWX... so it is entirely possible that I've missed something simple.

I initially thought that this was just an issue with my playbook, but after looking into it further it appears to be an issue with the installer and running as root (or using the ansible "become" option). I do not understand why this is failing, but it does seem to be a bug.

installer bug

All 10 comments

Issue appears to be related to how I called the install.yml playbook within my playbook. When run manually on the system, it works. My apologies.

If anyone wants to chime in to help out, though, this is the task that I had that seems to be the issue:

```yaml
- name: install AWX
  command: ansible-playbook -i inventory install.yml
  args:
    chdir: /opt/awx-source/installer
  become: yes
```

I was wrong that the problem was only with my playbook. I believe I have narrowed down the symptoms, at least, and updated the original post with reproducible steps that do not require my playbook which illustrate the problem.

Have you set selinux to permissive? (sudo setenforce permissive)

Thank you, @lijok, selinux was set to enforcing. When I changed it to permissive the install worked as documented.

I'm also trying to do this with the command: ansible-playbook -i inventory install.yml with root. Whenever I run this command I also get this PermissionError: [Errno 13] Permission denied: '/etc/tower/conf.d/credentials.py'
I also set selinux to permissive, but nothing is working.
Any help is appreciated.

@fmoghimi
To confirm, when you type "getenforce", what does it print?
What environment are you running? (see environment section in the first post up top)

@lijok When I type getenforce, I get Enforcing.

Environment

  • AWX version 4.0.0

  • Ansible version 2.7.10

  • Operating system: CentOS Linux release 7.6.1810 (Core)

@fmoghimi

> When I type getenforce, I get Enforcing.

That means you haven't set selinux to permissive.
If you used "setenforce permissive", after a restart it will go back to enforcing.
If you set selinux by modifying /etc/selinux/config, you need to reboot your OS for changes to take effect.

This is what your /etc/selinux/config should look like:
```
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
```

To add to what lijok has said, if you wish to modify selinux with an ansible task you would do something like:

```yaml
- name: set selinux to permissive
  selinux:
    policy: targeted
    state: permissive
  become: yes
```

I think we should add a note about this selinux issue/potential conflict in the installation documentation. If I have time later today, or later this week, I will try to add that in.
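
The gap between the running SELinux mode and the boot-time setting discussed in the comments above, as an added example that is not part of the original thread or the AWX project: a shell check that compares `getenforce` output with the `SELINUX=` value in `/etc/selinux/config`. The function names and the sample config file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): is the running SELinux mode the one
# configured for the next boot? Function names are illustrative.

# Print the SELINUX= value of a config file, lower-cased ("unknown" if absent).
selinux_config_mode() {
    cfg=${1:-/etc/selinux/config}
    [ -r "$cfg" ] || { echo unknown; return 0; }
    # Comment lines and SELINUXTYPE= do not match this pattern.
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$cfg" |
        head -n 1 | tr 'A-Z' 'a-z')
    echo "${mode:-unknown}"
}

# Print the running mode, lower-cased; $1 overrides getenforce (for testing).
selinux_runtime_mode() {
    if [ -n "$1" ]; then rt=$1
    elif command -v getenforce >/dev/null 2>&1; then rt=$(getenforce)
    else rt=unknown
    fi
    echo "$rt" | tr 'A-Z' 'a-z'
}

# Classify running mode ($1, optional) against the config file ($2, optional).
selinux_mode_status() {
    rt=$(selinux_runtime_mode "$1")
    cf=$(selinux_config_mode "$2")
    case "$rt:$cf" in
        unknown:*|*:unknown)   echo "unknown" ;;
        enforcing:enforcing|permissive:permissive|disabled:disabled)
                               echo "consistent: $rt" ;;
        permissive:enforcing)  echo "runtime-only: reverts to enforcing at next boot" ;;
        enforcing:permissive)  echo "config-only: still enforcing until reboot or setenforce" ;;
        *)                     echo "mismatch: running=$rt config=$cf, reboot required" ;;
    esac
}

# Constructed sample: config edited to permissive while getenforce still
# reports Enforcing, the situation described in the comments above.
sample=$(mktemp)
printf '%s\n' '# SELINUX= can take one of these three values:' \
    'SELINUX=permissive' 'SELINUXTYPE=targeted' > "$sample"
selinux_mode_status Enforcing "$sample"
```

Calling `selinux_mode_status` with no arguments on the host uses `getenforce` and `/etc/selinux/config` directly.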

Thank you guys for the answers, can't believe I forgot to reboot. I'll try again at work tomorrow and see if it works!
