Ansible Execution with /tmp noexec not working

I have a Smart Proxy that I’m trying to use for remote Ansible execution. In line with basic security requirements I have the /tmp directory mounted with the noexec option. With this option in place I get a permission denied message about trying to run /tmp/d24822032-1224002-dgrerw/inventory/hosts.

Is there an option somewhere I can set or any other way to get this to work with the /tmp directory mounted with the noexec option?

You should really mention the exact version you are using.

Generally, I would check the docs: 3.11. Configuring Foreman to Use an Alternative Directory to Execute Remote Jobs on Hosts

And I suppose you’ll also want to change it for the remote execution plugin, if you intend to use it, too.

It’s version 3.1. The document you linked to doesn’t address this specific issue - it addresses an issue on the remote host, but with /tmp mounted noexec on the Smart Proxy itself the Smart Proxy is unable to create an inventory. I have yet to see any documentation on that other than this old post on the forums which doesn’t really have a resolution: Error while run any command using Ansible in foreman UI

Sorry, but you really have to be more specific. There is a reason why there is a text template if you start a topic in the support section: it helps to provide the necessary information. You really have to give all the versions involved as well as exact error messages and log extracts.

Did you change the working directory as I have suggested or not?

Yeah, it still throws the same error. It’s like it doesn’t get to the point where it uses a working directory and using /tmp for inventory is just hardcoded somehow. This is the error:

I stole the output from that other post, but it is the exact same error.

Sorry, but I don’t think anyone can really help you like that: you don’t give the general information asked for, you don’t post the logs, you don’t answer questions asked. Then you copy a log extract from someone else which may or may not be the exact same error. I don’t think anyone will really want to conclude anything from the total lack of original information from you trying to figure out what might happen… Sorry.

You can either change the working directory (working_dir option in /etc/foreman-proxy/settings.d/ansible.yml) to some other location or remount /tmp without noexec. Either way, the working directory needs to be on a filesystem mounted without noexec.

Yes, but that should be modified if done following the docs.

Changing /etc/foreman-proxy/settings.d/ansible.yml will only work until the next foreman-installer run. This current setting should be written into the answers file.

The file is generated from puppet-foreman_proxy/ansible.yml.erb at 1a42903ead90fa9622ac123511e5b5f9eece8f79 · theforeman/puppet-foreman_proxy · GitHub

And it’s my understanding that the foreman-installer option

    --foreman-proxy-plugin-ansible-working-dir  A directory where the playbooks will be generated.
                                  A tmp directory will be created when left blank (current: "/tmp")

should change it. And that’s the option mentioned in the docs.

Thus, in my opinion, if that path is the issue it would be modified by the foreman-installer option.

That’s why I specifically asked if this has happened or not, but which was never answered.

You can either change the working directory (working_dir option in /etc/foreman-proxy/settings.d/ansible.yml) to some other location or remount /tmp without noexec. Either way, the working directory needs to be on a filesystem mounted without noexec.

This makes perfect sense, however regardless of what I set the working_dir option to, I still get the permission denied message when running Ansible roles:

[WARNING]: * Failed to parse /tmp/d20220614-1140-11023hn/inventory/hosts with script plugin: problem running /tmp/d20220614-1140-11023hn/inventory/hosts --list ([Errno 13] Permission denied)

That message does indeed go away if I remount /tmp with the exec option, but changing any of the working directories appears to have no effect.

You’re right. I must admit I didn’t read the entire thread and still, after all those years, don’t remember the installer options well enough to be able to recommend them from the top of my head.

Have you restarted the foreman-proxy service after changing the config files? The service has to be restarted in order for the changes to come into effect.

Yes, I did restart the foreman-proxy service. I really can’t tell if I’m doing something wrong or if it just ignores the working_dir options for inventory purposes.

As I wrote before, it’s even harder to tell anything if you don’t go into the specifics. We don’t have access to your servers. We still know nothing about what versions you have installed except foreman 3.1. No idea if it’s with katello or not. No idea which plugin versions. You don’t say what you have configured. You don’t post the content of /etc/foreman-proxy/settings.d/ansible.yml. It seems you have a separate smart proxy but even for this, you are still completely unclear what you have checked or changed where.

From how I read the core at

I would still say it reads the working_dir setting…

Yep, I tried some of the things I (obviously incorrectly) thought I tried earlier and it works fine now. I probably shouldn’t be messing with configurations at 3am - definitely went to that working_dir setting at least a dozen times last night, but maybe just do things more correctly after sleep. Thanks for the responses

Good to know. But just to make sure: if you modify /etc/foreman-proxy/settings.d/ansible.yml it’ll be overwritten the next time you run foreman-installer. The correct way to set this is with the foreman-installer option. After you run foreman-installer with that option the ansible.yml file should be set up accordingly. If that’s the case, it’s correct and will stay this way. The current foreman-installer settings are saved in the answers file for the scenario…
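
A check for the condition discussed in this thread, as an added example that is not part of the original posts and not Foreman's own code: it reads working_dir from the proxy's ansible.yml and reports whether that path sits on a filesystem mounted noexec. The function names are hypothetical, and it assumes the settings file uses a `:working_dir:` (or `working_dir:`) key and that a blank value means a directory under /tmp.

```shell
#!/bin/sh
# Added example: is the smart proxy Ansible working_dir on a noexec mount?

# Print the working_dir value from a settings file (assumed key syntax:
# ":working_dir: /path" or "working_dir: /path"); comments and quotes are stripped.
working_dir_from_settings() {
    sed -n -E 's/^[[:space:]]*:?working_dir:[[:space:]]*//p' "$1" |
        sed -E 's/[[:space:]]+#.*$//; s/[[:space:]]+$//' | tr -d "\"'" | head -n 1
}

# Print the mount options that apply to a path, from a table in /proc/mounts
# format (device mountpoint fstype options ...). The longest matching mount
# point wins; on a tie the later entry wins, since it is mounted on top.
# The path is compared as given: symlinks are not resolved.
mount_opts_for_path() {
    awk -v p="$1" '
        { mp = $2
          if ((mp == "/" || p == mp || index(p, mp "/") == 1) && length(mp) >= best) {
              best = length(mp); opts = $4 } }
        END { print opts }' "${2:-/proc/mounts}"
}

# Exit 0 when a comma-separated mount option string contains noexec.
has_noexec() {
    case ",$1," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "noexec DIR" or "ok DIR" for the working_dir configured in a settings file.
# Optional second argument: mounts table to consult (default /proc/mounts).
check_working_dir() {
    dir=$(working_dir_from_settings "$1")
    [ -n "$dir" ] || dir=/tmp   # assumption: blank working_dir ends up under /tmp
    if has_noexec "$(mount_opts_for_path "$dir" "${2:-/proc/mounts}")"; then
        echo "noexec $dir"
    else
        echo "ok $dir"
    fi
}

# When run as a script: sh check.sh /etc/foreman-proxy/settings.d/ansible.yml
if [ -n "${1:-}" ]; then
    check_working_dir "$1"
fi
```

A "noexec" result matches the symptom quoted above: the generated inventory/hosts file is run as a script, so it fails with Errno 13 when its directory is on a noexec mount.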