
Access to an external network from a podman-executed container and certification (docker-compose installation) #11552

Open
pitman123 opened this issue Jan 18, 2022 · 1 comment

Comments

@pitman123

ISSUE TYPE
  • Feature Idea
SUMMARY

Installation method: docker-compose
AWX version: 19.5.0

After installing AWX and launching the template to run the configuration on an external machine that the tools_awx_1 container could reach, it turned out that it was not possible to connect to this machine via SSH. The podman awx_ee container did not have access to this machine. The same applied to the CA, which was on the docker container.

My quick workaround:
I added extra options to container_options in the build_execution_environment_params method: for the run I added the docker --network=host flag and a volume with the CA.

file: awx/awx/main/tasks.py

```python
# awx/awx/main/tasks.py (excerpt from the issue author's local modification).
# The method belongs to the job-task class in AWX; `settings` is Django's
# settings object, as used throughout tasks.py.
from django.conf import settings


def build_execution_environment_params(self, instance, private_data_dir):

    if settings.IS_K8S:
        return {}

    image = instance.execution_environment.image
    params = {
        "container_image": image,
        "process_isolation": True,
        "process_isolation_executable": "podman",  # need to provide, runner enforces default via argparse
        # The two options after --user=root are the workaround added by the
        # issue author: share the host network namespace and bind-mount the
        # host CA bundle into the execution environment.
        "container_options": [
            '--user=root',
            "--network=host",
            "--volume=/etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt",
        ],
    }

    if instance.execution_environment.credential:
        cred = instance.execution_environment.credential
        if all([cred.has_input(field_name) for field_name in ('host', 'username', 'password')]):
            host = cred.get_input('host')
            username = cred.get_input('username')
            password = cred.get_input('password')
            verify_ssl = cred.get_input('verify_ssl')
            params['container_auth_data'] = {'host': host, 'username': username, 'password': password, 'verify_ssl': verify_ssl}
        else:
            raise RuntimeError('Please recheck that your host, username, and password fields are all filled.')

    pull = instance.execution_environment.pull
    if pull:
        params['container_options'].append(f'--pull={pull}')

    if settings.AWX_ISOLATION_SHOW_PATHS:
        params['container_volume_mounts'] = []
        for this_path in settings.AWX_ISOLATION_SHOW_PATHS:
            # Using z allows the dir to mounted by multiple containers
            # Uppercase Z restricts access (in weird ways) to 1 container at a time
            params['container_volume_mounts'].append(f'{this_path}:{this_path}:z')
    return params
```

Is there a better solution, so that the internal code of the application does not have to be changed?

@shanemcd (Member)

Thank you for the feedback. We have talked about adding a settings option for "podman run" options, and this sounds like a completely valid use case.
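
The following is an added example, not AWX project code and not code from either participant, of how a settings-driven "podman run options" feature like the one discussed above could be built so that the two workaround flags do not have to be hard-coded in tasks.py. Everything named here is an assumption for illustration: the setting `EXTRA_CONTAINER_OPTIONS` (a string parsed like a shell command line), the opt-in flag `ALLOW_ISOLATION_WEAKENING`, and the `make_settings` helper that stands in for Django settings. Two points a practitioner would want are encoded in it: `--network=host` removes the network-namespace boundary between the execution environment and the host, so it is only accepted behind an explicit opt-in; and the CA bundle is routed through the same `AWX_ISOLATION_SHOW_PATHS` bind-mount logic the page's code already has (assuming the path is a plain file path podman can bind-mount), rather than through a hand-written `--volume` in container_options.

```python
"""Added example: validated podman `container_options` from a setting.

Not AWX code. EXTRA_CONTAINER_OPTIONS, ALLOW_ISOLATION_WEAKENING and
make_settings() are hypothetical names chosen for this illustration.
"""
import shlex
from types import SimpleNamespace

# Flags that widen the execution environment's blast radius. They are only
# accepted when the operator has explicitly opted in (assumption: a separate
# boolean setting guards them).
ISOLATION_WEAKENING_PREFIXES = ("--network=host", "--pid=host", "--ipc=host",
                                "--privileged", "--cap-add", "--security-opt")

# Flags the task code owns itself or that should go through the dedicated
# volume-mount setting instead of free-form options.
FORBIDDEN_PREFIXES = ("--pull", "--volume", "-v", "--mount")


class ContainerOptionError(ValueError):
    """Raised when a configured podman option is not acceptable."""


def make_settings(**values):
    """Stand-in for django.conf.settings (constructed for this example)."""
    return SimpleNamespace(**values)


def build_container_options(settings, pull=None):
    """Return the container_options list handed to ansible-runner.

    Starts from the --user=root baseline shown on the page, appends the
    validated extra options, then the --pull policy, mirroring the order of
    the page's build_execution_environment_params.
    """
    options = ["--user=root"]
    extra = shlex.split(getattr(settings, "EXTRA_CONTAINER_OPTIONS", "") or "")
    allow_weakening = getattr(settings, "ALLOW_ISOLATION_WEAKENING", False)
    for opt in extra:
        if opt.startswith(FORBIDDEN_PREFIXES):
            raise ContainerOptionError(
                f"{opt!r} is not accepted here; use AWX_ISOLATION_SHOW_PATHS for mounts")
        if opt.startswith(ISOLATION_WEAKENING_PREFIXES) and not allow_weakening:
            raise ContainerOptionError(
                f"{opt!r} weakens container isolation; set ALLOW_ISOLATION_WEAKENING=True to opt in")
        if opt not in options:  # drop duplicates, keep order
            options.append(opt)
    if pull:
        options.append(f"--pull={pull}")
    return options


def build_volume_mounts(settings):
    """Same shape as the page's AWX_ISOLATION_SHOW_PATHS handling: each path is
    bind-mounted at the same location with the shared SELinux label :z."""
    return [f"{p}:{p}:z" for p in getattr(settings, "AWX_ISOLATION_SHOW_PATHS", [])]


def check_container_options(settings):
    """Return None when the configured options pass validation, else the
    error message (convenient for a settings-validation hook)."""
    try:
        build_container_options(settings)
    except ContainerOptionError as exc:
        return str(exc)
    return None


def podman_run_argv(settings, image, pull=None):
    """Assemble the argv a runner would execute, for inspection/logging."""
    argv = ["podman", "run", "--rm", *build_container_options(settings, pull)]
    argv += [f"--volume={m}" for m in build_volume_mounts(settings)]
    argv.append(image)
    return argv


if __name__ == "__main__":
    # Constructed sample configuration reproducing the issue's workaround:
    # host networking (opted in) plus the host CA bundle exposed as a mount.
    demo = make_settings(
        EXTRA_CONTAINER_OPTIONS="--network=host --dns=10.0.0.53",
        ALLOW_ISOLATION_WEAKENING=True,
        AWX_ISOLATION_SHOW_PATHS=["/etc/pki/tls/certs/ca-bundle.crt"],
    )
    print(" ".join(podman_run_argv(demo, "quay.io/ansible/awx-ee:latest", pull="missing")))
    # Same options without the opt-in are refused:
    print(check_container_options(make_settings(EXTRA_CONTAINER_OPTIONS="--network=host")))
```

Run it directly to see the assembled `podman run` line; wire `check_container_options` into whatever validates settings at startup so a refused option fails loudly before any job runs rather than silently launching an unisolated container.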
