Tasks fails with a permission denied on /tmp at start #492
Comments
I'm hitting the same issue - reproducing this should be easy - It happens right after the installation even with the demo credentials/project/inventory:
Some more context from the awx-celery log
Hello friends,
IIUC, the OpenShift containers run as user 'awx' and drop privileges by design.
Using the latest AWX from GitHub, running the bog-standard inventory & install.yml (docker-based install) this problem is NOT reproducible (demo playbook works fine). This issue must be related specifically to usage under OpenShift.
I've hit this issue also. The core problem is that whilst Docker allows containers to run as root, for reasons of security OpenShift forces best-practice by default and ensures that containers are run with uid != 0. This minimises the risk of container-to-host breakout attacks and makes multi-tenant environments more secure. So I would suggest that the bug is valid in both cases as AWX should follow best-practice and run as a non-root user unless there is a hard requirement otherwise.
+1
+1
+1 (running the dockers in AWS ECS)
+1 As a workaround I have created a new serviceaccount inside the project and added a scc for this SA:
I've then added an annotation to my deployment:
And also added the serviceaccount and securityContext to the container template:
Can confirm the issue. I'm running the
With the following passwd-root:
Obviously not an ideal solution and the core issue needs to be fixed instead.
Confirming the above problem on OpenShift and AWX 1.0.1.167. Any ETA for a fix for this issue?
Hey folks, sorry this fell through the cracks a little bit. Taking a look at this now.
This is now fixed by #657
SUMMARY
After having successfully deployed AWX on an OpenShift cluster following this blog post (https://developers.redhat.com/blog/2017/10/16/guide-starting-use-awx-top-openshift-upstream-red-hat-ansible-tower/), we are unable to start a deployment. The fetch of the playbook is failing on a "permission denied on /tmp".
ENVIRONMENT
STEPS TO REPRODUCE
Define a new deployment.
We have a user dedicated to ansible on the targeted hosts, and it is a NOPASSWD sudoer.
The fetch of the repo seems to work, as the Project name appears with a green point on the task detail.
EXPECTED RESULTS
The task should start and work correctly.
ACTUAL RESULTS
The task hangs in error with the following trace:
ADDITIONAL INFORMATION
The same scenario is being run correctly on an Ansible Tower (evaluation mode) version 3.1.3