Avoid Timed out error when umask is 027 or 077

If LXC commands are run with a restrictive umask like 027 or 077, then the root directory of new containers will lack read `r` and access `x` permission for non-root users. The first failure to result from this during `vagrant up` is that the SSH daemon cannot read the crucial file `/home/vagrant/.ssh/authorized_keys` after it drops privileges to the level of the `vagrant` user. The result is the familiar: ``` default: Warning: Authentication failure. Retrying... default: Warning: Authentication failure. Retrying... Timed out while waiting for the machine to boot. This means that Vagrant was unable to communicate with the guest machine within the configured ("config.vm.boot_timeout" value) time period. ``` So we should make sure that we run all LXC commands with a umask that at least does not prevent group and world `r` and `x` bits from being set in newly created files and directories.
2017-01-29 13:53:09 -05:00 · 2017-01-29 13:53:09 -05:00 · 43aa9bfb3e
parent 851f58d42a
commit 43aa9bfb3e
1 changed files with 18 additions and 5 deletions
--- a/lib/vagrant-lxc/sudo_wrapper.rb
+++ b/lib/vagrant-lxc/sudo_wrapper.rb
@ -13,11 +13,24 @@ module Vagrant

      def run(*command)
        options = command.last.is_a?(Hash) ? command.last : {}
-        if @wrapper_path && !options[:no_wrapper]
-          command.unshift @wrapper_path
-          execute *(['sudo'] + command)
-        else
-          execute *(['sudo', '/usr/bin/env'] + command)
+
+        # Avoid running LXC commands with a restrictive umask.
+        # Otherwise disasters occur, like the container root directory
+        # having permissions `rwxr-x---` which prevents the `vagrant`
+        # user from accessing its own home directory; among other
+        # problems, SSH cannot then read `authorized_keys`!
+        old_mask = File.umask
+        File.umask(old_mask & 022)  # allow all `r` and `x` bits
+
+        begin
+          if @wrapper_path && !options[:no_wrapper]
+            command.unshift @wrapper_path
+            execute *(['sudo'] + command)
+          else
+            execute *(['sudo', '/usr/bin/env'] + command)
+          end
+        ensure
+          File.umask(old_mask)
        end
      end