Downloading the CoreDNS binary from GitHub requires root permission on Ansible Control host #37

Status: Open
phandox opened this issue Mar 22, 2020 · 3 comments
Labels: bug (Something isn't working)


phandox commented Mar 22, 2020

What happened?
When coredns_binary_local_dir is not specified, the role tries to download the binary to the machine from which Ansible is running, which requires root permission (even though become: false is set in the block).

Did you expect to see some different?
I would expect that when coredns_binary_local_dir is not specified, the binary is downloaded on the target machine and installed there.

How to reproduce it (as minimally and precisely as possible):

  1. Do not specify coredns_binary_local_dir in any vars file
  2. Run the playbook with a minimal config under a non-root user of the target machine (with passwordless sudo enabled):

```yaml
- hosts: all
  roles:
    - role: cloudalchemy.coredns
```

Environment

  • Target machine: CentOS 7
  • Ansible control machine: Fedora 31
  • Role version: 0.3.1
  • Ansible version information:

```text
ansible 2.9.6
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/luknagy/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/luknagy/.local/share/virtualenvs/homenas-i9vCctaZ/lib/python3.7/site-packages/ansible
  executable location = /home/luknagy/.local/share/virtualenvs/homenas-i9vCctaZ/bin/ansible
  python version = 3.7.6 (default, Jan 30 2020, 09:44:41) [GCC 9.2.1 20190827 (Red Hat 9.2.1-1)]
```

  • Variables:

```yaml
coredns_version: 1.6.7
coredns_dns_port: 53
coredns_config_file: "Corefile.example.j2"
```
  • Ansible playbook execution logs:

```text
TASK [cloudalchemy.coredns : Naive assertion of proper DNS port number] **********************************
task path: /home/luknagy/.ansible/roles/cloudalchemy.coredns/tasks/preflight.yml:2
ok: [homenas] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [cloudalchemy.coredns : Assert usage of systemd as an init system] **********************************
task path: /home/luknagy/.ansible/roles/cloudalchemy.coredns/tasks/preflight.yml:7
ok: [homenas] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [cloudalchemy.coredns : Check if source Corefile is set] ********************************************
task path: /home/luknagy/.ansible/roles/cloudalchemy.coredns/tasks/preflight.yml:12
ok: [homenas] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [cloudalchemy.coredns : Get checksum for amd64 architecture] ****************************************
task path: /home/luknagy/.ansible/roles/cloudalchemy.coredns/tasks/preflight.yml:17
ok: [homenas] => {"ansible_facts": {"coredns_checksum": "ca229f972e5fbb65964998ad7aed78a677884874a023caee1c6551d0ee8e0c1b"}, "changed": false}

TASK [cloudalchemy.coredns : Create the coredns group] ***************************************************
task path: /home/luknagy/.ansible/roles/cloudalchemy.coredns/tasks/install.yml:2
ok: [homenas] => {"changed": false, "gid": 993, "name": "coredns", "state": "present", "system": true}

TASK [cloudalchemy.coredns : Create the coredns user] ****************************************************
task path: /home/luknagy/.ansible/roles/cloudalchemy.coredns/tasks/install.yml:8
ok: [homenas] => {"append": true, "changed": false, "comment": "", "group": 100, "groups": "coredns", "home": "/", "move_home": false, "name": "coredns", "shell": "/usr/sbin/nologin", "state": "present", "uid": 997}

TASK [cloudalchemy.coredns : create coredns configuration directories] ***********************************
task path: /home/luknagy/.ansible/roles/cloudalchemy.coredns/tasks/install.yml:18
ok: [homenas] => (item=/etc/coredns) => {"ansible_loop_var": "item", "changed": false, "gid": 0, "group": "root", "item": "/etc/coredns", "mode": "0755", "owner": "root", "path": "/etc/coredns", "secontext": "unconfined_u:object_r:etc_t:s0", "size": 4096, "state": "directory", "uid": 0}
ok: [homenas] => (item=/etc/coredns/zones) => {"ansible_loop_var": "item", "changed": false, "gid": 0, "group": "root", "item": "/etc/coredns/zones", "mode": "0755", "owner": "root", "path": "/etc/coredns/zones", "secontext": "unconfined_u:object_r:etc_t:s0", "size": 4096, "state": "directory", "uid": 0}

TASK [cloudalchemy.coredns : Download coredns binary to local folder] ************************************
task path: /home/luknagy/.ansible/roles/cloudalchemy.coredns/tasks/install.yml:30
FAILED - RETRYING: Download coredns binary to local folder (5 retries left).
FAILED - RETRYING: Download coredns binary to local folder (4 retries left).
FAILED - RETRYING: Download coredns binary to local folder (3 retries left).
FAILED - RETRYING: Download coredns binary to local folder (2 retries left).
FAILED - RETRYING: Download coredns binary to local folder (1 retries left).
fatal: [homenas -> localhost]: FAILED! => {"attempts": 5, "changed": false, "module_stderr": "sudo: a password is required\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

PLAY RECAP ***********************************************************************************************
homenas                    : ok=37   changed=3    unreachable=0    failed=1    skipped=15   rescued=0    ignored=0
```

Anything else we need to know?:

Is this behaviour intentional? I don't see a reason why the binary should be downloaded on the control machine when I didn't specify to use a version downloaded on the control machine. It makes more sense to let everything happen on the remote node (I don't want to provide the root password to my machine). It seems like become: false is not respected in the block:

```yaml
- block:
    - name: Download coredns binary to local folder
      become: false
      get_url:
        url: "https://github.com/coredns/coredns/releases/download/v{{ coredns_version }}/coredns_{{ coredns_version }}_linux_{{ go_arch }}.tgz"
        dest: "/tmp/coredns_{{ coredns_version }}_linux_{{ go_arch }}.tgz"
        checksum: "sha256:{{ coredns_checksum }}"
      register: _download_binary
      until: _download_binary is succeeded
      retries: 5
      delay: 2
      delegate_to: localhost
      check_mode: false
    - name: Unpack coredns binary
      become: false
      unarchive:
        src: "/tmp/coredns_{{ coredns_version }}_linux_{{ go_arch }}.tgz"
        dest: "/tmp"
        creates: "/tmp/coredns"
      delegate_to: localhost
      check_mode: false
    - name: Propagate coredns binaries
      copy:
        src: "/tmp/coredns"
        dest: "/usr/local/bin/coredns"
        mode: 0750
        owner: "{{ coredns_system_user }}"
        group: "{{ coredns_system_group }}"
      notify: restart coredns
      when: not ansible_check_mode
  when: coredns_binary_local_dir | length == 0
```

@phandox phandox added the bug Something isn't working label Mar 22, 2020
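The behaviour the report asks for, as an added example that is not the cloudalchemy.coredns role's own code and not part of the original issue: the same download, unpack and install steps, but every one of them runs on the managed host under the play's normal become, so nothing is delegated to the control machine and no sudo is required there. It assumes the role's own variables (coredns_version, go_arch, coredns_checksum, coredns_binary_local_dir) and its "restart coredns" handler; the _coredns_archive and _coredns_tmp names are introduced here for illustration.

```yaml
# Added example (not the role's own tasks). Every task runs on the target host;
# the control machine only drives the play, it never downloads or unpacks anything.
# Assumed to exist from the role: coredns_version, go_arch, coredns_checksum,
# coredns_binary_local_dir and the "restart coredns" handler.
# _coredns_archive and _coredns_tmp are hypothetical names used only here.
- name: Install coredns from the GitHub release, entirely on the target host
  when: coredns_binary_local_dir | length == 0
  vars:
    _coredns_archive: "coredns_{{ coredns_version }}_linux_{{ go_arch }}.tgz"
  block:
    - name: Create a private scratch directory on the target
      tempfile:
        state: directory
        suffix: coredns
      register: _coredns_tmp
      check_mode: false

    - name: Download coredns release archive on the target host
      get_url:
        url: "https://github.com/coredns/coredns/releases/download/v{{ coredns_version }}/{{ _coredns_archive }}"
        dest: "{{ _coredns_tmp.path }}/{{ _coredns_archive }}"
        # Pinned SHA-256 from the role's checksum lookup: get_url rejects a
        # mismatching file, so a tampered download is never unpacked.
        checksum: "sha256:{{ coredns_checksum }}"
        mode: "0600"
      register: _download_binary
      until: _download_binary is succeeded
      retries: 5
      delay: 2
      check_mode: false

    - name: Unpack the archive on the target host
      unarchive:
        src: "{{ _coredns_tmp.path }}/{{ _coredns_archive }}"
        dest: "{{ _coredns_tmp.path }}"
        remote_src: true   # the archive is already on the managed host
        creates: "{{ _coredns_tmp.path }}/coredns"
      check_mode: false

    - name: Install the binary root-owned so the service account cannot replace it
      copy:
        src: "{{ _coredns_tmp.path }}/coredns"
        dest: /usr/local/bin/coredns
        remote_src: true
        owner: root
        group: root
        mode: "0755"   # coredns user only needs execute, not write
      notify: restart coredns

  always:
    - name: Remove the scratch directory, even if an earlier task failed
      file:
        path: "{{ _coredns_tmp.path }}"
        state: absent
      when: _coredns_tmp.path is defined
```

The get_url checksum still pins the download to the SHA-256 that the role's preflight task looked up, so a mismatching or tampered archive fails the task before anything is unpacked. The binary is installed root-owned with mode 0755 rather than owned by the coredns service account; that is a deliberate choice in this example so that a compromised CoreDNS process cannot overwrite its own executable, and the unprivileged service user still has the execute permission it needs.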
danielo515 commented

I'm having the exact same problem. In my case, I don't even have an ssh daemon running locally, so the download task should also run with the flag connection: local.
Did you find a solution that does not involve forking this repo?


phandox commented Nov 5, 2020

No, I haven't; in the end I didn't use this role. It seems to me that forking and fixing it yourself would be the only option for you, as it looks like issues reported here are no longer being solved.

danielo515 commented

Ok, in my case what I did was to download the binary myself and put it on a local directory.
Not pretty, but at least I don't have to do yaml gymnastics to avoid a problem that should not exist.
