Ansible provisioner creating directory named after my local user #9118

Closed
borenstein opened this issue Apr 25, 2020 · 6 comments
borenstein commented Apr 25, 2020

Note: also posted to Stack Overflow in case this is my own stupidity instead of a bug.

Overview of the Issue

While emulating the Packer documentation to perform privileged tasks with the ansible provisioner and the amazon-ebs builder, an unexpected directory gets created.

The minimal example below does perform a privileged apt update, but it also creates the empty directory /home/ubuntu/~myusername, where myusername is my local username on my desktop. The directory name does actually contain the tilde.

If I try adding become_user: ubuntu to diagnose.yml, the directory does not get created, but Ansible is unable to perform apt update.

Reproduction Steps

serverfault_example.json


{
  "builders": [
    {
      "type": "amazon-ebs",
      "region": "us-east-1",
      "source_ami": "ami-085925f297f89fce1",
      "instance_type": "t3.micro",
      "ssh_username": "ubuntu",
      "ami_name": "serverfault-example"
    }
  ],
  "provisioners": [
    {
      "type": "ansible",
      "playbook_file": "./diagnose.yml"
    }
  ]
}

diagnose.yml

---

- name: Debugging user directory problem
  hosts: default
  become: true

  tasks:
    - apt:
        update_cache: yes

(Note: ami-085925f297f89fce1 is the current official AMI for Ubuntu 18.04 on an EBS-backed x86 computer in the us-east-1 region.)

Packer version

Packer v1.5.5 (running on OSX 10.14.6)

From packer version

Log Fragments and crash.log files

As written above, Packer runs successfully with no errors. If I add become_user: ubuntu to diagnose.yml, I get the following:

==> amazon-ebs: Executing Ansible: ansible-playbook --extra-vars packer_build_name=amazon-ebs packer_builder_type=amazon-ebs -o IdentitiesOnly=yes -i /var/folders/5m/gx10g4792c3g83wp8v5vx6pc0000gn/T/packer-provisioner-ansible936234880 /Volumes/dmz/github/infrastructure/etl/ami/diagnose.yml -e ansible_ssh_private_key_file=/var/folders/5m/gx10g4792c3g83wp8v5vx6pc0000gn/T/ansible-key974663525
    amazon-ebs:
    amazon-ebs: PLAY [Debugging user directory problem] ****************************************
    amazon-ebs:
    amazon-ebs: TASK [Gathering Facts] *********************************************************
    amazon-ebs: ok: [default]
    amazon-ebs:
    amazon-ebs: TASK [apt] *********************************************************************
    amazon-ebs: fatal: [default]: FAILED! => {"changed": false, "msg": "Failed to lock apt for exclusive operation"}
    amazon-ebs:
    amazon-ebs: PLAY RECAP *********************************************************************
    amazon-ebs: default                    : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
    amazon-ebs:
==> amazon-ebs: Provisioning step had errors: Running the cleanup provisioner, if present...
==> amazon-ebs: Terminating the source AWS instance...
==> amazon-ebs: Cleaning up any extra volumes...
==> amazon-ebs: No volumes to clean up, skipping
==> amazon-ebs: Deleting temporary security group...
==> amazon-ebs: Deleting temporary keypair...
Build 'amazon-ebs' errored: Error executing Ansible: Non-zero exit status: exit status 2

unacceptable commented Jun 13, 2020

Yeah, this is super annoying! 😕

I am seeing the same thing with packer v1.5.6 and ansible 2.9.6.

@SwampDragons
Contributor

What happens if you set https://www.packer.io/docs/provisioners/ansible/#user?


unacceptable commented Jun 16, 2020

I can confirm that setting that variable removes the ~/~client_user dir on the remote host. This bug should still be patched though IMHO.

Additionally, there is still a .ansible directory under that remote user's home which is not ideal for machine images.


unacceptable commented Jun 16, 2020

The total remediation that I did on this from my end was:

diff --git a/build.pkr.hcl b/build.pkr.hcl
index f86b6c4..670a522 100644
--- a/build.pkr.hcl
+++ b/build.pkr.hcl
@@ -5,9 +5,17 @@ build {

   provisioner "ansible" {
     playbook_file = "./ansible/playbook.yaml"
+    user          = "ec2-user"

     # extra_arguments = [
     #   "-vvv"
     # ]
   }
+
+  # Cleanup after https://github.com/hashicorp/packer/issues/9118
+  provisioner "shell" {
+    inline = [
+      "rm -rf /home/ec2-user/.ansible"
+    ]
+  }
 }
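
Review bot: the cleanup provisioner hard-codes /home/ec2-user/.ansible, repeating the "ec2-user" value set by the new user line in the ansible provisioner, and rm -rf exits successfully when the path is absent, so if the user is changed in one place only, the cleanup silently removes nothing. Consider defining the user once (for example as a variable used by both provisioners) and building the path from it, and add a comment on the user line linking it to the same issue, since only the cleanup block says why it is there.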

It's kinda sloppy IMHO, but it seems to get my image up to the standard that I expect.

@SwampDragons
Contributor

The username issue is documented behavior, so it's not something I think we're likely to change, especially since it will break the behavior for many currently-working configs in a non-obvious way.

I think it does make sense to try to clean up the .ansible folder left behind by the ansible provisioner, though -- this would probably be a fairly straightforward first contribution for a community member. I'll open a separate issue for that enhancement.
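
The two leftovers discussed in this thread (a home-directory entry whose name starts with a literal tilde, and the .ansible directory) can be checked for at the end of a build so that an image carrying them fails instead of shipping. The script below is an added example, not part of the thread or of Packer; the function names, the --audit switch and the sample layout are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit home directories for residue left by a provisioning run.
# Function names and the --audit switch are hypothetical, not Packer features.

# find_provisioner_residue HOME_ROOT
# Prints, one per line and sorted, each leftover found directly inside a
# user's home directory under HOME_ROOT:
#   - any entry whose name starts with a literal tilde (e.g. "~myusername"),
#   - a ".ansible" directory left behind by the Ansible run.
find_provisioner_residue() {
  local home_root="${1:-/home}"
  # Depth 2 only: direct children of each home directory, nothing deeper.
  find "$home_root" -mindepth 2 -maxdepth 2 \
    \( -name '~*' -o \( -type d -name '.ansible' \) \) -print 2>/dev/null | sort
}

# audit_image HOME_ROOT
# Returns 0 when no residue exists, 1 otherwise (paths are written to stderr).
audit_image() {
  local residue
  residue="$(find_provisioner_residue "$1")"
  if [ -n "$residue" ]; then
    printf 'provisioner residue found:\n%s\n' "$residue" >&2
    return 1
  fi
  return 0
}

# make_sample_home
# Builds a constructed layout that mimics the report: a tilde-named directory
# and a .ansible directory beside a legitimate .ssh directory. Prints its root.
make_sample_home() {
  local root
  root="$(mktemp -d)"
  mkdir -p "$root/ubuntu/~myusername" "$root/ubuntu/.ansible/tmp" "$root/ubuntu/.ssh"
  printf '%s\n' "$root"
}

# Optional entry point, e.g. as a last shell provisioner: script.sh --audit /home
if [ "${1:-}" = "--audit" ]; then
  audit_image "${2:-/home}"
fi
```

A non-zero exit from the audit in a final shell provisioner step makes the build fail, which catches the case where a cleanup path no longer matches the provisioning user.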


ghost commented Jul 17, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

ghost locked and limited conversation to collaborators Jul 17, 2020
ghost pushed a commit to certtools/intelmq-tutorial that referenced this issue May 31, 2021