Merge pull request #6875 from ryanpetrello/fix-3472

standardize tasks.py temporary file paths under a single parameter
Ryan Petrello 2017-07-05 14:08:06 -04:00 committed by GitHub
commit 2adcf89bcb
4 changed files with 12 additions and 9 deletions


@ -154,7 +154,7 @@ class IsolatedManager(object):
extra_vars = {
'src': self.private_data_dir,
'dest': os.path.split(self.private_data_dir)[0],
'dest': settings.AWX_PROOT_BASE_PATH,
}
if self.proot_temp_dir:
extra_vars['proot_temp_dir'] = self.proot_temp_dir
@ -190,7 +190,7 @@ class IsolatedManager(object):
isolated_ssh_path = None
try:
if getattr(settings, 'AWX_ISOLATED_PRIVATE_KEY', None):
isolated_ssh_path = tempfile.mkdtemp(prefix='ansible_tower_isolated')
isolated_ssh_path = tempfile.mkdtemp(prefix='ansible_tower_isolated', dir=settings.AWX_PROOT_BASE_PATH)
os.chmod(isolated_ssh_path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR)
isolated_key = os.path.join(isolated_ssh_path, '.isolated')
ssh_sock = os.path.join(isolated_ssh_path, '.isolated_ssh_auth.sock')
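Review bot: `extra_vars['dest']` on the changed line of the first hunk now hands the controller's `settings.AWX_PROOT_BASE_PATH` to the isolated host, where the playbook hunk uses it as the synchronize destination (`dest: "{{dest}}"`), and nothing on the page shows that directory being checked for on the isolated host; a comment would save the next reader the trip through the playbook: `# sent to the isolated host as the sync destination; assumed to exist there (NOTE(review): confirm)`. The existence check added in BaseTask.run covers only the controller side, so the `tempfile.mkdtemp(..., dir=settings.AWX_PROOT_BASE_PATH)` call in the second hunk would fail with an OSError rather than that RuntimeError if the path were absent here, which is presumably acceptable if this manager only ever runs from inside that task. Both hunks sit inside methods whose start and end lie outside the hunks.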


@ -444,7 +444,7 @@ class BaseTask(Task):
'''
Create a temporary directory for job-related files.
'''
path = tempfile.mkdtemp(prefix='ansible_tower_%s_' % instance.pk)
path = tempfile.mkdtemp(prefix='ansible_tower_%s_' % instance.pk, dir=settings.AWX_PROOT_BASE_PATH)
os.chmod(path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR)
return path
@ -481,7 +481,7 @@ class BaseTask(Task):
# For credentials used with ssh-add, write to a named pipe which
# will be read then closed, instead of leaving the SSH key on disk.
if credential.kind in ('ssh', 'scm') and not ssh_too_old:
path = os.path.join(kwargs.get('private_data_dir', tempfile.gettempdir()), name)
path = os.path.join(kwargs['private_data_dir'], name)
run.open_fifo_write(path, data)
private_data_files['credentials']['ssh'] = path
# Ansible network modules do not yet support ssh-agent.
@ -682,6 +682,9 @@ class BaseTask(Task):
instance = self.update_model(pk)
status = instance.status
raise RuntimeError('not starting %s task' % instance.status)
if not os.path.exists(settings.AWX_PROOT_BASE_PATH):
raise RuntimeError('AWX_PROOT_BASE_PATH=%s does not exist' % settings.AWX_PROOT_BASE_PATH)
# Fetch ansible version once here to support version-dependent features.
kwargs['ansible_version'] = get_ansible_version()
kwargs['private_data_dir'] = self.build_private_data_dir(instance, **kwargs)
@ -1195,7 +1198,7 @@ class RunProjectUpdate(BaseTask):
}
}
'''
handle, self.revision_path = tempfile.mkstemp()
handle, self.revision_path = tempfile.mkstemp(dir=settings.AWX_PROOT_BASE_PATH)
private_data = {'credentials': {}}
if project_update.credential:
credential = project_update.credential
@ -1815,7 +1818,7 @@ class RunInventoryUpdate(BaseTask):
elif src == 'scm':
args.append(inventory_update.get_actual_source_path())
elif src == 'custom':
runpath = tempfile.mkdtemp(prefix='ansible_tower_launch_')
runpath = tempfile.mkdtemp(prefix='ansible_tower_launch_', dir=settings.AWX_PROOT_BASE_PATH)
handle, path = tempfile.mkstemp(dir=runpath)
f = os.fdopen(handle, 'w')
if inventory_update.source_script is None:
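Review bot: The guard `if not os.path.exists(settings.AWX_PROOT_BASE_PATH):` in the third hunk also passes when the path is a regular file, yet every `tempfile.mkdtemp(..., dir=settings.AWX_PROOT_BASE_PATH)` and `tempfile.mkstemp(dir=settings.AWX_PROOT_BASE_PATH)` call in this file needs a directory there; `os.path.isdir` is the test that matches the check's purpose, with the message changed to `'AWX_PROOT_BASE_PATH=%s is not a directory'`. Without the guard a missing base path would surface as an OSError from the first mkdtemp in build_private_data_dir, so raising up front is the right place, provided the caller treats RuntimeError as a job failure, which the hunk does not show. The check is also worth a one-line comment saying that every temporary file of the job (private data dir, credential fifo, revision file, custom-inventory run dir) is created beneath this path and that it is the directory bwrap hides, so it has to exist before build_private_data_dir runs. The enclosing method starts before and ends after the hunk.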


@ -612,7 +612,7 @@ def build_proot_temp_dir():
def wrap_args_with_proot(args, cwd, **kwargs):
'''
Wrap existing command line with proot to restrict access to:
- /tmp (except for own tmp files)
- AWX_PROOT_BASE_PATH (generally, /tmp) (except for own /tmp files)
For non-isolated nodes:
- /etc/tower (to prevent obtaining db info or secret key)
- /var/lib/awx (except for current project)
@ -621,7 +621,7 @@ def wrap_args_with_proot(args, cwd, **kwargs):
'''
from django.conf import settings
new_args = [getattr(settings, 'AWX_PROOT_CMD', 'bwrap'), '--unshare-pid', '--dev-bind', '/', '/']
hide_paths = [tempfile.gettempdir()]
hide_paths = [settings.AWX_PROOT_BASE_PATH]
if not kwargs.get('isolated'):
hide_paths.extend(['/etc/tower', '/var/lib/awx', '/var/log',
settings.PROJECTS_ROOT, settings.JOBOUTPUT_ROOT])
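Review bot: With `hide_paths = [settings.AWX_PROOT_BASE_PATH]` the system temp directory is hidden only when the setting happens to equal `tempfile.gettempdir()`; if an operator points AWX_PROOT_BASE_PATH elsewhere, /tmp becomes visible inside the bwrap sandbox, including temp files of other processes on the host, which the replaced line hid unconditionally. Unless the own-files exception later in the function depends on the list holding a single entry (not visible here), keeping both is the safer default: `hide_paths = [settings.AWX_PROOT_BASE_PATH]` followed by `if tempfile.gettempdir() not in hide_paths: hide_paths.append(tempfile.gettempdir())`. The docstring line `- AWX_PROOT_BASE_PATH (generally, /tmp) (except for own /tmp files)` still phrases the exception in terms of /tmp; `(except for the job's own files beneath it)` describes the new behaviour. wrap_args_with_proot's body continues past the second hunk.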


@ -18,7 +18,7 @@
- name: create a proot/bwrap temp dir (if necessary)
synchronize:
src: "{{proot_temp_dir}}"
dest: "/tmp"
dest: "{{dest}}"
when: proot_temp_dir is defined
- name: synchronize job environment with isolated host