#689 broke SSH key features when running EE as the process isolation #1396

Open
reenberg opened this issue Sep 16, 2024 · 0 comments
Labels
needs_triage New item that needs to be triaged

The runner docs seem to indicate that when run using an EE, then it should mount in the SSH agent and/or the host user's ~/.ssh (as long as it is not symlinked). Ref: Using Runner with Execution Environments — Ansible Runner Documentation

However when running a playbook that is present inside the EE, against a target, then it fails to authenticate. Adding the debug flag indicates that the runner in fact doesn’t add any mount options when executing podman, that would handle any SSH keys.

I have been trying to get my head around the intent of the code, but it's really hard to match the docs to the code and trying to guess what is intentional and what is dead code or code waiting(?) to be moved over to ansible-navigator.

Anyways, I think I have found two issues?

  1. Both runner.py and _base.py define the handle_command_wrap function. However, the version in runner.py#L415 explicitly sets BaseExecutionMode.NONE as the execution mode, when calling wrap_args_for_containerization, regardless of the self.execution_mode being set earlier based on the actual execution mode defined through the CLI options.

  2. In Refactoring and purging playbook and ad-hoc commands #689, the wrap_args_for_containerization function in _base.py got refactored, and quite a substantial part of this function's logic got wrapped in the following if statement:

    # For run() and run_async() API value of base execution_mode is 'BaseExecutionMode.NONE'
    # and the container volume mounts are handled separately using 'container_volume_mounts'
    # hence ignore additional mount here
    if execution_mode != BaseExecutionMode.NONE:

    effectively ensuring that none of that code will ever(?) be executed, as the execution mode is enforced to be NONE as per finding 1 above. Specifically it skips the call to the _handle_automounts function, which seems to be responsible for trying to handle SSH credentials.

Besides this, isn't it kind of defeating the purpose of the container isolation, when using --ipc=host? I assume this is primarily to allow access to the ssh-agent socket?

@github-actions github-actions bot added the needs_triage New item that needs to be triaged label Sep 16, 2024
@reenberg reenberg changed the title #689 broke features in containerization #689 broke SSH key features when running EE as the process isolation Sep 16, 2024
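
The interaction between the two findings above, as an added example that is not part of the original issue and is not ansible-runner's code. It is a simplified model: the function bodies, the `ANSIBLE_COMMANDS` member, the mount format, the image name and the two `handle_command_wrap_*` variants are assumptions made so the guard's effect on the generated podman arguments can be checked.

```python
# Simplified model of the control flow reported in the issue.
# NOT ansible-runner's code: function bodies, the mount format and the
# image name are constructed for illustration.
from enum import Enum


class BaseExecutionMode(Enum):
    NONE = 0
    ANSIBLE_COMMANDS = 1  # assumed member: stands for "a mode chosen via the CLI"


def _handle_automounts(args, env):
    """Stand-in for the automount step: forward the ssh-agent socket."""
    sock = env.get("SSH_AUTH_SOCK")
    if sock:
        args += ["-v", f"{sock}:{sock}", "-e", f"SSH_AUTH_SOCK={sock}"]


def wrap_args_for_containerization(cmd, execution_mode, env):
    args = ["podman", "run", "--rm"]
    # Guard quoted in finding 2.
    if execution_mode != BaseExecutionMode.NONE:
        _handle_automounts(args, env)
    return args + ["example-ee-image"] + list(cmd)


class Config:
    def __init__(self, execution_mode, env):
        self.execution_mode = execution_mode  # set from the CLI options
        self.env = env

    def handle_command_wrap_reported(self, cmd):
        # Finding 1: the mode is hard-coded, self.execution_mode is ignored.
        return wrap_args_for_containerization(cmd, BaseExecutionMode.NONE, self.env)

    def handle_command_wrap_forwarding(self, cmd):
        # Comparison variant (assumption): pass the configured mode through.
        return wrap_args_for_containerization(cmd, self.execution_mode, self.env)


def agent_mount_present(args, env):
    """Regression-style check: is the agent socket bind-mounted?"""
    sock = env["SSH_AUTH_SOCK"]
    return f"{sock}:{sock}" in args


ENV = {"SSH_AUTH_SOCK": "/tmp/ssh-constructed/agent.1234"}  # constructed value
CFG = Config(BaseExecutionMode.ANSIBLE_COMMANDS, ENV)
PLAYBOOK_CMD = ["ansible-playbook", "site.yml"]  # constructed command
```

A check like `agent_mount_present` against the real generated container arguments is the kind of regression test that would flag the automount step silently dropping out after a refactor.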