ward exec ansible-sync: become/sudo tasks fail under the cli-guard jail (no_new_privs) #447
Labels
No labels
burndown-2026-06
coherence-core
consult
headless
interactive
P0
P1
P2
P3
P4
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
coilyco-flight-deck/infrastructure#447
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
With the brew-prefix bug fixed (ward#546),
ward exec ansible-sync local=1now runs clean through the homebrew role (0 source builds) and fails on the firstbecome/sudo task, because ward's jail setsno_new_privsand sudo cannot escalate inside it.Symptom
The uid 65534 (nobody) and the no-new-privs flag are the cli-guard jail's doing (userns identity map +
PR_SET_NO_NEW_PRIVSbefore the seccomp denylist). Any ansible task withbecome: truehits this.Why it was hidden
Every prior
ward exec ansible-syncfailed earlier, at the homebrew source-build wall (netpbm wanting svn). Now that homebrew is bottle-clean, the play reaches the privileged tasks and this surfaces. So it is pre-existing, not new.Options
ansible-syncverb to run outside the jail (CLIGUARD_NO_SANDBOX=1). ansible-sync does system-level convergence (writes /etc/hosts, manages systemd, etc.) that fundamentally needs privilege escalation the sandbox denies. As a bonus this also sidesteps the brew overlay entirely (real symlink -> correct prefix), so it is a viable interim unblock even before the ward#546 release lands.becomefor this verb (keep-caps / allow setuid), which is a larger cli-guard change and weakens the sandbox.Recommended: opt
ansible-syncout of the jail. Verified locally that a jail-free run converges without the brew bug or the sudo failure.Filed while unblocking
ward exec ansible-syncon kai-server.