(alternative proposal) update how callback plugin gets copied and added to job container

[TheRealHaoLiu]

alternative proposal for issue #1088

when in containerized environment

• always copy callback plugin to private_data_dir/artifacts/{job_id}/callback
• appending to ANSIBLE_CALLBACK_PLUGINS with the runner callback plugin location (from private_data/artifacts)
• remove utils.callback_mount due to unused method

Co-Authored-By: Alan Rominger arominge@redhat.com
Signed-off-by: Hao Liu haoli@redhat.com

[shanemcd]

if not followed by an else is kinda breaking my brain. How about we just flip these conditions? if self.containerized ... else.

[TheRealHaoLiu]

amended

[AlanCoding]

I tested this and saw:

drwxrwxrwx. 3 alancoding alancoding 4096 May  2 15:53 callback

These permissions are going to set off alarm bells. We probably need to pre-create the directory so we can set specific permissions. Practically, we'd probably copy from above in this same file

ansible-runner/ansible_runner/config/_base.py

Line 138 in 8174803

os.makedirs(self.artifact_dir, exist_ok=True, mode=0o700)

but os.mkdir might be preferable here.

[TheRealHaoLiu]

discussed with @AlanCoding about the topic, the copytree inherited the file permission of the parent ansible-runner installation... so long as the permission for the original install is good the copied version would be good as well

[AlanCoding]

Great work! You knocked out the tests really fast. I ran the demo project, and wanted to paste this for illustration.

(env) [alancoding@alan-red-hat ansible-runner]$ tree demo/artifacts/
demo/artifacts/
└── 84f49826-4f12-4ae6-a6f1-228bea672e96
    ├── ansible_version.txt
    ├── callback
    │   ├── awx_display.py
    │   ├── __init__.py
    │   └── __pycache__
    │       ├── awx_display.cpython-310.pyc
    │       └── awx_display.cpython-38.pyc
    ├── command
    ├── env.list
    ├── fact_cache
    │   └── localhost
    ├── job_events
    │   ├── 10-1e52863e-d222-7606-33ef-000000000008.json
    │   ├── 11-262c7ff0-11b9-40df-9530-a1693ca2a7e1.json
    │   ├── 12-8f0623ab-18bb-4d15-981c-dda5113e370e.json
    │   ├── 13-01d48534-f9b4-4e80-95ff-e920de186441.json
    │   ├── 1-d15d3349-848d-4aaf-8694-044629cede74.json
    │   ├── 2-58e4bf62-44db-4116-b370-fe126162d433.json
    │   ├── 3-52d7c10a-8c6c-49d1-90d5-b1fce26ba649.json
    │   ├── 4-84ae27a4-3a7d-4b66-9dd0-67382aede5ce.json
    │   ├── 5-889ad32d-64e5-4dba-bcef-48b8a1a3b204.json
    │   ├── 6-1e52863e-d222-7606-33ef-000000000006.json
    │   ├── 7-1e52863e-d222-7606-33ef-00000000000c.json
    │   ├── 8-c5d488f2-d157-4958-a572-eeafbea5d564.json
    │   └── 9-c1174640-7275-432a-a4e9-8ecfcbd56ec6.json
    ├── rc
    ├── status
    ├── stderr
    └── stdout

This requires:

diff --git a/demo/env/settings b/demo/env/settings
index 693b1d3..32e7b82 100644
--- a/demo/env/settings
+++ b/demo/env/settings
@@ -2,3 +2,5 @@
 idle_timeout: 600
 job_timeout: 3600
 pexpect_timeout: 10
+process_isolation: true
+process_isolation_executable: podman

This has an aesthetic consequence for users, and we might need to consider adding a blurb in the docs to give them confidence that this is intended.

If we can accept this added folder, then I believe this is a more maintainable pattern moving forward. It makes sense to me that we would cut a copy for every run (every job ident), because we don't want to assume that every job is ran by the same ansible-runner install.

For testing - I think we may need to consider the possibility that someone re-runs the same private_data_dir & ident. If we try to re-copy, I'm unclear what will happen. To spitball an expectation - I would prefer that we delete the existing folder.

[AlanCoding]

Code-wise, this looks complete at the moment. We might want some docs changes, since this touches the artifacts folder. I would consider back-porting to release_2.2, because I anticipate others having the same problems you had.

[Akasurde]

Suggested change

	# when containerized, copy the callback dir to $pirvate_data_dir/artifacts/<job_id>/callback
	# when containerized, copy the callback dir to $private_data_dir/artifacts/<job_id>/callback

[Akasurde]

Suggested change

	# than append to env['Ansible_CALLBACK_PLUGINS'] with the copyied location.
	# than append to env['ANSIBLE_CALLBACK_PLUGINS'] with the copied location.

[Akasurde]

Code-wise, this looks complete at the moment. We might want some docs changes, since this touches the artifacts folder. I would consider back-porting to release_2.2, because I anticipate others having the same problems you had.

same here.

[eqrx]

Looks good to me except for the typos @Akasurde mentioned. thank you for your work :)

[TheRealHaoLiu]

commit amended with fix to type

[Akasurde]

Suggested change

	# than append to env['ANSIBLE_CALLBACK_PLUGINS'] with the copyied location.
	# then append to env['ANSIBLE_CALLBACK_PLUGINS'] with the copied location.

[Akasurde]

Suggested change

	# if callback dir already exist (on repeat execution with same ident), remove it first.
	# if callback dir already exists (on repeat execution with the same ident), remove it first.

[eqrx]

Only two typos left :) Code looks great, thank you!

[TheRealHaoLiu]

Only two typos left :) Code looks great, thank you!

I gotta go find me a good vscode plugin >.<

[TheRealHaoLiu]

commit amended with fix to grammatical error

[eqrx]

Only two typos left :) Code looks great, thank you!

I gotta go find me a good vscode plugin >.<

no worries .... I do that all the time :D Luckily shrews still puts up with me