
fail to create container when ansible-runner is installed in /usr #1088

Closed
TheRealHaoLiu opened this issue Jun 3, 2022 · 1 comment · Fixed by #1093

TheRealHaoLiu commented Jun 3, 2022

When using process_isolation_executable (in this specific case podman) via ansible-runner run and ansible-runner worker,
ansible-runner will mount ansible_runner/display_callback/callback on the host to /home/runner/.ansible/plugins/callback in the container:

```python
mount_paths = callback_mount(copy_if_needed=True)
self._update_volume_mount_paths(new_args, mount_paths[0], dst_mount_path=mount_paths[1], labels=":Z")
```

When ansible-runner is installed in the /usr directory (in this specific case /usr/lib/python3.9/site-packages/ansible_runner), ansible-runner fails to create the container because it is not able to mount from the /usr directory (forbidden by podman):

```python
host_path = os.path.join(get_plugin_dir(), *rel_path)
```

The copy_if_needed param does not trigger if the /usr directory is owned by the current user (when running as root).

error log:

```
Error: error preparing container 382fd4e33f875ba82753d6c1969d2caa4c32a38045ac1faed66948c04507cc85 for attach: relabeling content in /usr is not allowed
```

job_args

```
podman run
  --rm
  --tty
  --interactive
  --workdir /runner/project
  --env-file /var/lib/awx/job_execution/awx_59_1l624cim/artifacts/59/env.list
  --quiet
  --name ansible_runner_59
  --user=root
  --network slirp4netns:enable_ipv6=true
  -v /var/lib/awx/job_execution/awx_59_1l624cim/:/runner/:Z
  -v /usr/lib/python3.9/site-packages/ansible_runner/display_callback/callback/:/home/runner/.ansible/plugins/callback/:Z
  -v /etc/pki/ca-trust/:/etc/pki/ca-trust/:O
  -v /usr/share/pki/:/usr/share/pki/:O
  -v /var/lib/awx/projects/_6__demo_project/:/var/lib/awx/projects/_6__demo_project/:z
  -v /var/lib/awx/projects/.__awx_cache/_6__demo_project/:/var/lib/awx/projects/.__awx_cache/_6__demo_project/:z
  brew.registry.redhat.io/rh-osbs/ansible-automation-platform-22-ee-supported-rhel8@sha256:472c8b36f517c7d074d3ef3487f128e18baa8b363ea18da4a299ef9ac52566f9
  ansible-playbook -t update_git,install_roles,install_collections
    -i /runner/inventory/hosts
    -e @/runner/env/extravars project_update.yml
```

Offending line that causes the podman run failure:

```
  -v /usr/lib/python3.9/site-packages/ansible_runner/display_callback/callback/:/home/runner/.ansible/plugins/callback/:Z
```
@TheRealHaoLiu TheRealHaoLiu changed the title fail to create container when ansible-runner is installed in /usr/lib/ fail to create container when ansible-runner is installed in /usr Jun 3, 2022
@github-actions github-actions bot added the needs_triage New item that needs to be triaged label Jun 3, 2022
TheRealHaoLiu commented
additional context:
I am currently working on deploying and running containerized receptor (in execution environment image) on VM directly and allowing the containerized receptor to spawn container on the host itself (by mounting in podman socket and adding podman-remote to receptor container)

When operating in this mode, even if I'm not running as root, /usr/lib/python3.9/site-packages/ansible_runner/display_callback/callback/ will be copied to the /tmp directory within the container.

The /tmp directory is not shared between the receptor container and the host, thus the host will not be able to access the copied callback directory.

In my opinion there are 2 changes needed here:

  1. enhance the conditional check for whether a copy is needed (perhaps check if it starts with /usr)
  2. move the copied callback plugin into a directory that's shared with the host, such as $private_data_dir/artifacts
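One way to implement both proposed changes, as an added illustration that is not ansible-runner's own code: the names under_prefix, needs_copy, callback_mount and volume_arg are hypothetical, the plugin directory is passed in explicitly instead of being derived from get_plugin_dir(), and the only no-relabel prefix listed is /usr, the one from the report.

```python
import os
import shutil
from pathlib import Path

# Host prefixes podman refuses to relabel with :Z/:z. /usr is the one from the
# report; extend this tuple for other system trees as needed.
NO_RELABEL_PREFIXES = ("/usr",)
CONTAINER_CALLBACK_DIR = "/home/runner/.ansible/plugins/callback"


def under_prefix(path: str, prefixes) -> bool:
    """True if path is one of, or lies below, any of the given prefixes."""
    p = Path(path).resolve()
    return any(p == Path(x).resolve() or Path(x).resolve() in p.parents
               for x in prefixes)


def needs_copy(host_path: str, prefixes=NO_RELABEL_PREFIXES) -> bool:
    """Decide whether the plugin dir must be staged instead of mounted.

    The ownership test alone is what let /usr through in the report: root
    owns /usr, so as root it looked mountable. The prefix test catches it.
    """
    if under_prefix(host_path, prefixes):
        return True
    return os.stat(host_path).st_uid != os.geteuid()


def callback_mount(host_path: str, private_data_dir: str,
                   prefixes=NO_RELABEL_PREFIXES) -> tuple:
    """Return (host_src, container_dst) for the -v argument.

    A staged copy goes under private_data_dir/artifacts, which is already
    bind-mounted into the container as /runner, so a host podman can reach
    it even when the caller runs inside a receptor container (unlike /tmp).
    """
    if not needs_copy(host_path, prefixes):
        return host_path, CONTAINER_CALLBACK_DIR
    staged = os.path.join(private_data_dir, "artifacts", "callback")
    if os.path.isdir(staged):
        shutil.rmtree(staged)
    shutil.copytree(host_path, staged)
    return staged, CONTAINER_CALLBACK_DIR


def volume_arg(src: str, dst: str, label: str = ":Z") -> str:
    """Format the podman -v option the way the job_args above show it."""
    return f"-v {src}/:{dst}/{label}"
```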
