Qubes-Ansible - remote_user option fails on management qube #9938

@bcduggan

Description

Qubes OS release

Qubes OS 4.2

Brief summary

Using the remote_user option with the qubes connection module fails on management qubes.

Steps to reproduce

  1. Set up a management qube, mgmtvm, as described in the qubes-ansible README.
  2. Create workvm with the tag created-by-mgtvm.
  3. Run the following playbook on mgmtvm:
---
- name: Run as non-default user
  hosts: workvm
  connection: qubes
  gather_facts: false
  remote_user: root
  tasks:
    - name: Run whoami
      ansible.builtin.command:
        cmd: whoami
      register: whoami_result
      changed_when: false

Expected behavior

This play should run successfully. The value of whoami_result.stdout should be "root".

Actual behavior

This play fails:

mgmtvm$ ansible-playbook -vvvv whoami.yml
...
PLAY [Run as non-default user] *************************************************

TASK [Run whoami] **************************************************************
task path: /home/user/repos/qubes-ansible-site/test.yml:17
CMD IS: /bin/sh -c 'echo ~root && sleep 0'
CMD: /bin/sh -c 'echo ~root && sleep 0'
Local cmd: [b'qvm-run', b'--pass-io', b'--service', b'-u', b'root', b'workvm', b'qubes.VMShell']
<workvm> RUN [b'qvm-run', b'--pass-io', b'--service', b'-u', b'root', b'workvm', b'qubes.VMShell']
CMD IS: /bin/sh -c 'echo "`pwd`" && sleep 0'
CMD: /bin/sh -c 'echo "`pwd`" && sleep 0'
Local cmd: [b'qvm-run', b'--pass-io', b'--service', b'-u', b'root', b'workvm', b'qubes.VMShell']
<workvm> RUN [b'qvm-run', b'--pass-io', b'--service', b'-u', b'root', b'workvm', b'qubes.VMShell']
CMD IS: /bin/sh -c '( umask 77 && mkdir -p "` echo ~/.ansible/tmp `"&& mkdir "` echo ~/.ansible/tmp/ansible-tmp-1746123395.3617954-1938-162267415462773 `" && echo ansible-tmp-1746123395.3617954-1938-162267415462773="` echo ~/.ansible/tmp/ansible-tmp-1746123395.3617954-1938-162267415462773 `" ) && sleep 0'
CMD: /bin/sh -c '( umask 77 && mkdir -p "` echo ~/.ansible/tmp `"&& mkdir "` echo ~/.ansible/tmp/ansible-tmp-1746123395.3617954-1938-162267415462773 `" && echo ansible-tmp-1746123395.3617954-1938-162267415462773="` echo ~/.ansible/tmp/ansible-tmp-1746123395.3617954-1938-162267415462773 `" ) && sleep 0'
Local cmd: [b'qvm-run', b'--pass-io', b'--service', b'-u', b'root', b'workvm', b'qubes.VMShell']
<workvm> RUN [b'qvm-run', b'--pass-io', b'--service', b'-u', b'root', b'workvm', b'qubes.VMShell']
fatal: [workvm]: UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to create temporary directory. In some cases, you may have been able to authenticate and did not have permissions on the target directory. Consider changing the remote tmp path in ansible.cfg to a path rooted in \"/tmp\", for more error information use -vvv. Failed command was: ( umask 77 && mkdir -p \"` echo ~/.ansible/tmp `\"&& mkdir \"` echo ~/.ansible/tmp/ansible-tmp-1746123395.3617954-1938-162267415462773 `\" && echo ansible-tmp-1746123395.3617954-1938-162267415462773=\"` echo ~/.ansible/tmp/ansible-tmp-1746123395.3617954-1938-162267415462773 `\" ), exited with result 1, stderr output: Traceback (most recent call last):\n  File \"/usr/bin/qvm-run\", line 5, in <module>\n    sys.exit(main())\n             ~~~~^^\n  File \"/usr/lib/python3.13/site-packages/qubesadmin/tools/qvm_run.py\", line 331, in main\n    proc, copy_proc, local_proc = run_command_single(args, vm)\n                                  ~~~~~~~~~~~~~~~~~~^^^^^^^^^^\n  File \"/usr/lib/python3.13/site-packages/qubesadmin/tools/qvm_run.py\", line 209, in run_command_single\n    proc = vm.run_service(service,\n        user=args.user,\n        **run_kwargs)\n  File \"/usr/lib/python3.13/site-packages/qubesadmin/vm/__init__.py\", line 273, in run_service\n    return self.app.run_service(self._method_dest, service, **kwargs)\n           ~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n  File \"/usr/lib/python3.13/site-packages/qubesadmin/app.py\", line 935, in run_service\n    raise ValueError(\n        'non-default user not possible for calls from VM')\nValueError: non-default user not possible for calls from VM\n",
    "unreachable": true
}

PLAY RECAP *********************************************************************
workvm             : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0 

Additional information

It looks like the --user option of qvm-run simply isn't supported on domU qubes:

mgmtvm$ qvm-run --pass-io --service --user user workvm qubes.VMShell
Traceback (most recent call last):
  File "/usr/bin/qvm-run", line 5, in <module>
    sys.exit(main())
             ~~~~^^
  File "/usr/lib/python3.13/site-packages/qubesadmin/tools/qvm_run.py", line 331, in main
    proc, copy_proc, local_proc = run_command_single(args, vm)
                                  ~~~~~~~~~~~~~~~~~~^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/qubesadmin/tools/qvm_run.py", line 209, in run_command_single
    proc = vm.run_service(service,
        user=args.user,
        **run_kwargs)
  File "/usr/lib/python3.13/site-packages/qubesadmin/vm/__init__.py", line 273, in run_service
    return self.app.run_service(self._method_dest, service, **kwargs)
           ~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/qubesadmin/app.py", line 935, in run_service
    raise ValueError(
        'non-default user not possible for calls from VM')
ValueError: non-default user not possible for calls from VM
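
A pre-flight check that would surface this limitation before Ansible reports the misleading "Failed to create temporary directory" error. This is an added example, not code from qubes-ansible or qubesadmin; `build_qvm_run_argv`, `UnsupportedRemoteUser` and `caller_is_dom0` are hypothetical names, and routing root through the `qubes.VMRootShell` service assumes the target qube provides it and the qrexec policy allows the management qube to call it.

```python
"""Decide how to invoke qvm-run for a given remote_user (added example)."""

VM_SHELL = "qubes.VMShell"
# Assumption: the target qube ships this service and qrexec policy permits
# the management qube to call it. Neither is shown in the issue.
VM_ROOT_SHELL = "qubes.VMRootShell"


class UnsupportedRemoteUser(ValueError):
    """remote_user cannot be honoured from this caller (hypothetical)."""


def build_qvm_run_argv(vm, remote_user=None, caller_is_dom0=False):
    """Return the qvm-run argv, or raise before any process is spawned.

    caller_is_dom0 is passed in by the caller; how to detect it is out of
    scope here. From a non-dom0 qube, any explicit user makes qvm-run fail
    with 'non-default user not possible for calls from VM', as in the
    traceback above, so '-u' is only emitted for dom0 callers.
    """
    base = ["qvm-run", "--pass-io", "--service"]
    if remote_user is None:
        # Default user of the target qube; works from dom0 and from a qube.
        return base + [vm, VM_SHELL]
    if caller_is_dom0:
        # Same argv shape as the 'Local cmd' lines in the log above.
        return base + ["-u", remote_user, vm, VM_SHELL]
    if remote_user == "root":
        # Select root by service name instead of by the -u option.
        return base + [vm, VM_ROOT_SHELL]
    raise UnsupportedRemoteUser(
        f"remote_user={remote_user!r} cannot be requested for {vm!r} from a "
        "management qube; omit remote_user to run as the default user"
    )


if __name__ == "__main__":
    print(build_qvm_run_argv("workvm", "root", caller_is_dom0=False))
    try:
        build_qvm_run_argv("workvm", "user", caller_is_dom0=False)
    except UnsupportedRemoteUser as exc:
        print("refused:", exc)
```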

Labels

  - C: Ansible - This issue pertains to the use of Ansible in Qubes OS.
  - P: default - Priority: default. Default priority for new issues, to be replaced given sufficient information.
  - affects-4.2 - This issue affects Qubes OS 4.2.
  - diagnosed - Technical diagnosis of this issue has been performed.
  - pr submitted - A pull request has been submitted for this issue.
