I think our polluting of / with retries is from the nightly cron job for ansible changes. I think this will fix it.
[smooge@lockbox01 puppet (master)]$ git diff HEAD diff --git a/modules/scripts/files/ansible-playbook-check-diff.cron b/modules/scripts/files/ansible-playbook-check-diff.cron index 1d06879..eeec65f 100755 --- a/modules/scripts/files/ansible-playbook-check-diff.cron +++ b/modules/scripts/files/ansible-playbook-check-diff.cron @@ -2,6 +2,7 @@ mailto='admin@fedoraproject.org' source /root/sshagent >>/dev/null export ANSIBLE_HOST_KEY_CHECKING=False +export HOME=/root/ #export ANSIBLE_SSH_PIPELINING=False /srv/web/infra/ansible/scripts/ansible-playbook-check-diff |& grep ok=
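Review bot: the added `export HOME=/root/` line has no comment saying why the cron script sets it, so a later reader cannot tell that it exists to control where the job's files land. Add a one-line comment directly above it stating the reason. Also consider dropping the trailing slash (`HOME=/root`), since anything that builds a path as `$HOME/name` will otherwise produce `/root//name`.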
On Wed, Sep 17, 2014 at 04:38:38PM -0400, R P Herrold wrote:
On Wed, 17 Sep 2014, Stephen John Smoogen wrote:
+export HOME=/root/
so long as you are setting a path, why not set: /tmp/ and so signal that it is readily discardable content?
The files are mode 0644 so if you care that people can read which hosts failed to update you'll want to lock down more than imply /tmp/. Other than that, it seems like a decent idea to auto-reap these since they're coming from a cron job and we aren't going to retry manually.
+1 to setting HOME for the cron job in any case.
-Toshio
On Wed, 17 Sep 2014, Toshio Kuratomi wrote:
The files are mode 0644 so if you care that people can read which hosts failed to update you'll want to lock down more than imply /tmp/. Other than that, it seems like a decent idea to auto-reap these since they're coming from a cron job and we aren't going to retry manually.
or ... (drumroll)
set the umask ?
-- R
On Wed, Sep 17, 2014 at 04:38:38PM -0400, R P Herrold wrote:
On Wed, 17 Sep 2014, Stephen John Smoogen wrote:
+export HOME=/root/
so long as you are setting a path, why not set: /tmp/ and so signal that it is readily discardable content?
This would lead to insecure temp files since /tmp is world-writable.
Regards Till
On 17 September 2014 14:38, R P Herrold <herrold@owlriver.com> wrote:
On Wed, 17 Sep 2014, Stephen John Smoogen wrote:
+export HOME=/root/
so long as you are setting a path, why not set: /tmp/ and so signal that it is readily discardable content?
That would imply we discard stuff in /tmp/ which we don't normally do :).
In this case, I decided to look at where the script places files normally (if I am logged in via sudo -i and run the script manually these files are supposed to land in /root/ as $HOME is set there.) I figured Principle of Least Surprise should keep it there.
I could set UMASK or something but during a code freeze I would like to keep changes to least amount as I am not sure if UMASK is going to be honoured all the way through the program or if setting UMASK would break items. After the freeze these would be useful items to implement.
I hope that helps explain the reasoning which should have been a comment somewhere.
-- R
infrastructure mailing list infrastructure@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/infrastructure
On Wed, 17 Sep 2014 15:37:16 -0600 Stephen John Smoogen <smooge@gmail.com> wrote:
In this case, I decided to look at where the script places files normally (if I am logged in via sudo -i and run the script manually these files are supposed to land in /root/ as $HOME is set there.) I figured Principle of Least Surprise should keep it there.
I could set UMASK or something but during a code freeze I would like to keep changes to least amount as I am not sure if UMASK is going to be honoured all the way through the program or if setting UMASK would break items. After the freeze these would be useful items to implement.
I hope that helps explain the reasoning which should have been a comment somewhere.
It would be nice to have a way to disable these, but perhaps until then, we could put them in /root/retries/ or something and purge that directory from time to time?
kevin
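The ideas raised in this thread (a restrictive umask, a dedicated directory such as /root/retries/, and purging it from time to time) can be combined as below. This is an added example, not part of the thread or of the Fedora infrastructure scripts; the function names, the `*.retry` file pattern and the 7-day age used in the comments are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not from the original cron script).

# Create or validate a directory that only its owner can read.
# Returns non-zero if the path is a symlink or is owned by someone else.
prepare_retry_dir() {
    dir=$1
    # Refuse a symlink at the target path instead of following it.
    if [ -L "$dir" ]; then
        echo "refusing symlink: $dir" >&2
        return 1
    fi
    # Restrict the umask only inside a subshell, so the directory is
    # created private without changing the caller's umask.
    ( umask 077; mkdir -p "$dir" ) || return 1
    # -O: the directory must be owned by the effective user.
    if [ ! -O "$dir" ]; then
        echo "not owned by current user: $dir" >&2
        return 1
    fi
    # Tighten the mode in case the directory already existed as 0755.
    chmod 700 "$dir" || return 1
}

# Remove *.retry files directly inside $1 whose modification time is
# more than $2 days old. Prints the number of files removed.
purge_old_retries() {
    dir=$1
    max_age_days=$2
    find "$dir" -maxdepth 1 -type f -name '*.retry' \
        -mtime +"$max_age_days" -print -exec rm -f {} \; | wc -l | tr -d ' '
}

# Example use from a cron wrapper (paths are assumptions):
#   prepare_retry_dir /root/retries && purge_old_retries /root/retries 7
```

The purge only touches regular files matching `*.retry` at the top level of the directory, so other files kept there are left alone.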