diff --git a/Dockerfile b/Dockerfile
index f3e75f989..232332ccf 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,6 +10,7 @@ ADD demo/inventory /runner/inventory
 ADD https://releases.ansible.com/ansible-runner/ansible-runner.el8.repo /etc/yum.repos.d/ansible-runner.repo
 RUN dnf install -y epel-release && \
 dnf install -y ansible-runner python3-pip sudo rsync openssh-clients sshpass glibc-langpack-en git && \
+ alternatives --set python /usr/bin/python3 && \
 pip3 install ansible && \
 chmod +x /bin/tini /bin/entrypoint && \
 rm -rf /var/cache/dnf
diff --git a/ansible_runner/runner_config.py b/ansible_runner/runner_config.py
index 52f866420..dc7d8fab2 100644
--- a/ansible_runner/runner_config.py
+++ b/ansible_runner/runner_config.py
@@ -596,7 +596,7 @@ def _ensure_path_safe_to_mount(path):
 # for usage and potential side-effects)
 _ensure_path_safe_to_mount(self.private_data_dir)
- new_args.extend(["-v", "{}:/runner:Z".format(self.private_data_dir)])
+ new_args.extend(["-v", "{}:/runner".format(self.private_data_dir)])
 
 if self.cli_execenv_cmd:
 if self.cli_execenv_cmd == 'playbook':
@@ -606,14 +606,14 @@ def _ensure_path_safe_to_mount(path):
 _ensure_path_safe_to_mount(playbook_file_path)
 if os.path.isabs(playbook_file_path) and (os.path.dirname(playbook_file_path) != '/'):
 new_args.extend([
- "-v", "{}:{}:Z".format(
+ "-v", "{}:{}".format(
 os.path.dirname(playbook_file_path),
 os.path.dirname(playbook_file_path),
 )
 ])
 else:
 new_args.extend([
- "-v", "{}:/runner/project/{}:Z".format(
+ "-v", "{}:/runner/project/{}".format(
 os.path.dirname(os.path.abspath(playbook_file_path)),
 os.path.dirname(playbook_file_path),
 )
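Review bot: Removing the `:Z` suffix from the `private_data_dir` mount (and, in the hunks at -606 and -631, the `:Z`/`:z` suffix from every other `-v`) also removes the SELinux relabel that let a podman container reach these host paths; on an enforcing host the mounts will now be denied unless the paths already carry a container-accessible label or the caller disables labeling for the container, and the diff adds neither. Presumably the suffix was dropped because `:Z` on `$HOME/.ssh` and `:z` on `/etc/ssh/ssh_known_hosts` relabeled those files in place on the host, which can break the host's own use of them, but `private_data_dir` is runner-owned and is the one mount where a private relabel was harmless. Either keep the relabel only there, or record the new expectation next to the mount: `# No SELinux relabel (:Z/:z) on any mount below: the host's ~/.ssh and ssh_known_hosts must not be relabeled; on enforcing hosts the caller must make these paths container-accessible.` The enclosing method starts before the hunk.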
@@ -631,48 +631,44 @@ def _ensure_path_safe_to_mount(path):
 if not inventory_file_path.endswith(',') and not inventory_playbook_share_parent:
 if os.path.isabs(inventory_file_path) and (os.path.dirname(inventory_file_path) != '/'):
 new_args.extend([
- "-v", "{}:{}:Z".format(
+ "-v", "{}:{}".format(
 os.path.dirname(inventory_file_path),
 os.path.dirname(inventory_file_path),
 )
 ])
 else:
 new_args.extend([
- "-v", "{}:/runner/project/{}:Z".format(
+ "-v", "{}:/runner/project/{}".format(
 os.path.dirname(os.path.abspath(inventory_file_path)),
 os.path.dirname(inventory_file_path),
 )
 ])
 
 # volume mount ~/.ssh/ and ~/.ansible into the exec env container
- new_args.extend(["-v", "{}/.ssh/:/runner/project/.ssh/:Z".format(os.environ['HOME'])])
+ new_args.extend(["-v", "{}/.ssh/:/runner/project/.ssh/".format(os.environ['HOME'])])
 if not os.path.exists(os.path.join(os.environ['HOME'], '.ansible')):
 os.mkdir(os.path.join(os.environ['HOME'], '.ansible'))
- new_args.extend(["-v", "{}/.ansible:/runner/project/.ansible:z".format(os.environ['HOME'])])
+ new_args.extend(["-v", "{}/.ansible:/runner/project/.ansible".format(os.environ['HOME'])])
 
 # volume mount system-wide ssh_known_hosts the exec env container
 if os.path.exists('/etc/ssh/ssh_known_hosts'):
- new_args.extend(["-v", "/etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:z"])
+ new_args.extend(["-v", "/etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts"])
 
 # handle ssh-agent "forwarding" into the exec env container
 new_args.extend(
- ["-v", "{}:{}:z".format(
+ ["-v", "{}:{}".format(
 os.path.dirname(os.environ['SSH_AUTH_SOCK']),
 os.path.dirname(os.environ['SSH_AUTH_SOCK'])
 )]
 )
 new_args.extend(["-e", "SSH_AUTH_SOCK={}".format(os.environ['SSH_AUTH_SOCK'])])
 
- # container namespace stuff
- new_args.extend(["--userns=keep-id"])
- new_args.extend(["--ipc=host"])
-
 container_volume_mounts = self.container_volume_mounts
 if container_volume_mounts:
 for mapping in container_volume_mounts:
 host_path, container_path = mapping.split(':')
 _ensure_path_safe_to_mount(host_path)
- new_args.extend(["-v", "{}:{}:Z".format(host_path, container_path)])
+ new_args.extend(["-v", "{}:{}".format(host_path, container_path)])
 
 env_var_whitelist = ['PROJECT_UPDATE_ID', 'ANSIBLE_CALLBACK_PLUGINS', 'ANSIBLE_STDOUT_CALLBACK']
@@ -684,7 +680,12 @@ def _ensure_path_safe_to_mount(path):
 new_args.extend(["-e", "AWX_ISOLATED_DATA_DIR={}".format(artifact_dir)])
 
 if 'podman' in self.process_isolation_executable:
- new_args.extend(['--quiet']) # docker doesnt support this option
+ # container namespace stuff
+ new_args.extend(["--userns=keep-id"])
+ new_args.extend(["--ipc=host"])
+
+ # docker doesnt support this option
+ new_args.extend(['--quiet'])
 
 if 'docker' in self.process_isolation_executable:
 new_args.extend([f'--user={os.getuid()}'])
diff --git a/utils/entrypoint.sh b/utils/entrypoint.sh
index 726619b63..1357c022f 100755
--- a/utils/entrypoint.sh
+++ b/utils/entrypoint.sh
@@ -5,14 +5,10 @@
 # require a named user. So if we're in OpenShift, we need to make
 # one before Ansible runs.
 if [ `id -u` -ge 500 ] || [ -z "${CURRENT_UID}" ]; then
-
- cat << EOF > /tmp/passwd
+cat << EOF > /etc/passwd
 root:x:0:0:root:/root:/bin/bash
 runner:x:`id -u`:`id -g`:,,,:/runner:/bin/bash
 EOF
-
- cat /tmp/passwd > /etc/passwd
- rm /tmp/passwd
 fi
 
 exec tini -- "${@}"
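Review bot: With the `:Z` suffix no longer appended in `new_args.extend(["-v", "{}:{}".format(host_path, container_path)])`, a caller has no way to request mount options through `container_volume_mounts`, and a value such as `host:ctr:ro` still fails at `host_path, container_path = mapping.split(':')` because exactly two fields are unpacked. Splitting once, `host_path, container_path = mapping.split(':', 1)`, keeps `_ensure_path_safe_to_mount(host_path)` on the host side and passes any caller-supplied `:ro`, `:z` or `:Z` through unchanged, which is the only place a per-mount relabel can now be expressed. A one-line comment on the loop stating the accepted `host:container[:options]` form would make that contract visible. The enclosing method continues outside the hunk.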
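Review bot: `--ipc=host` joins the execution environment to the host IPC namespace (System V IPC and POSIX shared memory), which removes one of the isolation boundaries `process_isolation` is meant to provide, and the comment `# container namespace stuff` carried over with it does not say what needs that. If nothing in the container relies on host shared memory, drop the flag; otherwise replace the comment with the reason, e.g. `# --ipc=host: <what in the EE needs host shared memory — to be confirmed>`, so the next reader can judge the trade-off. `--userns=keep-id` is podman-only, which matches its move under this branch, while the docker branch below relies on `--user=` instead; a one-line comment stating that split would help.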
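Review bot: `cat << EOF > /etc/passwd` replaces the whole file with two entries and ignores failure: if the arbitrary uid cannot write `/etc/passwd` (no `set -e` is visible), the script continues and `exec tini` runs without a passwd entry, which is the very case this block exists to handle. Failing loudly is a one-line change, `cat << EOF > /etc/passwd || { echo "entrypoint: cannot write /etc/passwd" >&2; exit 1; }`, with the heredoc body unchanged. The replacement also drops every other account the image defines; if that is intended (for example to supersede a fixed-uid `runner` entry), a comment above the `if` saying so would stop the next reader from "fixing" it into an append.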