Implements https://trello.com/c/1NJKBOex - Add support for using proot to run jobs in isolated environment.

awx/main/tasks.py

@@ -14,6 +14,7 @@ import pipes
 import re
 import shutil
 import stat
+import subprocess
 import tempfile
 import time
 import traceback
@@ -304,6 +305,67 @@ class BaseTask(Task):
             args = ['ssh-agent', 'sh', '-c', cmd]
         return args
 
+    def should_use_proot(self, instance, **kwargs):
+        '''
+        Return whether this task should use proot.
+        '''
+        return False
+
+    def check_proot_installed(self):
+        '''
+        Check that proot is installed.
+        '''
+        cmd = [getattr(settings, 'AWX_PROOT_CMD', 'proot'), '--version']
+        try:
+            proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
+                                    stderr=subprocess.PIPE)
+            result = proc.communicate()
+            return bool(proc.returncode == 0)
+        except (OSError, ValueError):
+            return False
+
+    def build_proot_temp_dir(self, instance, **kwargs):
+        '''
+        Create a temporary directory for proot to use.
+        '''
+        path = tempfile.mkdtemp(prefix='ansible_tower_proot_')
+        os.chmod(path, stat.S_IRUSR|stat.S_IWUSR|stat.S_IXUSR)
+        return path
+
+    def wrap_args_with_proot(self, args, cwd, **kwargs):
+        '''
+        Wrap existing command line with proot to restrict access to:
+         - /etc/tower (to prevent obtaining db info or secret key)
+         - /var/lib/awx (except for current project)
+         - /var/log/tower
+         - /tmp (except for own tmp files)
+        '''
+        new_args = [getattr(settings, 'AWX_PROOT_CMD', 'proot'), '-r', '/']
+        hide_paths = ['/etc/tower', '/var/lib/awx', '/var/log/tower',
+                      tempfile.gettempdir(), settings.PROJECTS_ROOT,
+                      settings.JOBOUTPUT_ROOT]
+        hide_paths.extend(getattr(settings, 'AWX_PROOT_HIDE_PATHS', None) or [])
+        for path in sorted(set(hide_paths)):
+            if not os.path.exists(path):
+                continue
+            if os.path.isdir(path):
+                new_path = tempfile.mkdtemp(dir=kwargs['proot_temp_dir'])
+                os.chmod(new_path, stat.S_IRUSR|stat.S_IWUSR|stat.S_IXUSR)
+            else:
+                handle, new_path = tempfile.mkstemp(dir=kwargs['proot_temp_dir'])
+                os.close(handle)
+                os.chmod(new_path, stat.S_IRUSR|stat.S_IWUSR)
+            new_args.extend(['-b', '%s:%s' % (new_path, path)])
+        show_paths = [cwd, kwargs['private_data_dir']]
+        show_paths.extend(getattr(settings, 'AWX_PROOT_SHOW_PATHS', None) or [])
+        for path in sorted(set(show_paths)):
+            if not os.path.exists(path):
+                continue
+            new_args.extend(['-b', '%s:%s' % (path, path)])
+        new_args.extend(['-w', cwd])
+        new_args.extend(args)
+        return new_args
+
     def build_args(self, instance, **kwargs):
         raise NotImplementedError
 
@@ -415,6 +477,12 @@ class BaseTask(Task):
                 os.makedirs(settings.JOBOUTPUT_ROOT)
             stdout_filename = os.path.join(settings.JOBOUTPUT_ROOT, str(uuid.uuid1()) + ".out")
             stdout_handle = codecs.open(stdout_filename, 'w', encoding='utf-8')
+            if self.should_use_proot(instance, **kwargs):
+                if not self.check_proot_installed():
+                    raise RuntimeError('proot is not installed')
+                kwargs['proot_temp_dir'] = self.build_proot_temp_dir(instance, **kwargs)
+                args = self.wrap_args_with_proot(args, cwd, **kwargs)
+                safe_args = self.wrap_args_with_proot(safe_args, cwd, **kwargs)
             instance = self.update_model(pk, job_args=json.dumps(safe_args),
                                          job_cwd=cwd, job_env=safe_env, result_stdout_file=stdout_filename)
             status = self.run_pexpect(instance, args, cwd, env, kwargs['passwords'], stdout_handle)
@@ -427,11 +495,16 @@ class BaseTask(Task):
                     shutil.rmtree(kwargs['private_data_dir'], True)
                 except OSError:
                     pass
+            if kwargs.get('proot_temp_dir', ''):
                 try:
-                    stdout_handle.flush()
-                    stdout_handle.close()
-                except Exception:
+                    shutil.rmtree(kwargs['proot_temp_dir'], True)
+                except OSError:
                     pass
+            try:
+                stdout_handle.flush()
+                stdout_handle.close()
+            except Exception:
+                pass
         instance = self.update_model(pk, status=status, result_traceback=tb,
                                      output_replacements=output_replacements)
         self.post_run_hook(instance, **kwargs)
@@ -658,6 +731,12 @@ class RunJob(BaseTask):
         d[re.compile(r'^Vault password:\s*?$', re.M)] = 'vault_password'
         return d
 
+    def should_use_proot(self, instance, **kwargs):
+        '''
+        Return whether this task should use proot.
+        '''
+        return getattr(settings, 'AWX_PROOT_ENABLED', False)
+
     def post_run_hook(self, job, **kwargs):
         '''
         Hook for actions to run after job/task has completed.

awx/main/tests/tasks.py

@@ -3,6 +3,7 @@
 
 # Python
 from distutils.version import StrictVersion as Version
+import json
 import os
 import shutil
 import tempfile
@@ -139,6 +140,51 @@ TEST_ASYNC_NOWAIT_PLAYBOOK = '''
     poll: 0
 '''
 
+TEST_PROOT_PLAYBOOK = '''
+- name: test proot environment
+  hosts: test-group
+  gather_facts: false
+  connection: local
+  tasks:
+  - name: list projects directory
+    command: ls -1 "{{ projects_root }}"
+    register: projects_ls
+  - name: check that only one project directory is visible
+    assert:
+      that:
+      - "projects_ls.stdout_lines|length == 1"
+      - "projects_ls.stdout_lines[0] == '{{ project_path }}'"
+  - name: list job output directory
+    command: ls -1 "{{ joboutput_root }}"
+    register: joboutput_ls
+  - name: check that we see an empty job output directory
+    assert:
+      that:
+      - "not joboutput_ls.stdout"
+  - name: check for other project path
+    stat: path={{ other_project_path }}
+    register: other_project_stat
+  - name: check that other project path was not found
+    assert:
+      that:
+      - "not other_project_stat.stat.exists"
+  - name: check for temp path
+    stat: path={{ temp_path }}
+    register: temp_stat
+  - name: check that temp path was not found
+    assert:
+      that:
+      - "not temp_stat.stat.exists"
+  - name: try to run a tower-manage command
+    command: tower-manage validate
+    ignore_errors: true
+    register: tower_manage_validate
+  - name: check that tower-manage command failed
+    assert:
+      that:
+      - "tower_manage_validate|failed"
+'''
+
 TEST_PLAYBOOK_WITH_ROLES = '''
 - name: test with roles
   hosts: test-group
@@ -1283,3 +1329,48 @@ class RunJobTest(BaseCeleryTest):
         job = Job.objects.get(pk=job.pk)
         self.check_job_result(job, 'successful')
         self.check_job_events(job, 'ok', 1, 3, has_roles=True)
+
+    def test_run_job_with_proot(self):
+        # Enable proot for this test.
+        settings.AWX_PROOT_ENABLED = True
+        # Hide local settings path.
+        settings.AWX_PROOT_HIDE_PATHS = [os.path.join(settings.BASE_DIR, 'settings')]
+        # Create another project alongside the one we're using to verify it
+        # is hidden. 
+        self.create_test_project(TEST_PLAYBOOK)
+        other_project_path = self.project.local_path
+        # Create a temp directory that should not be visible to the playbook.
+        temp_path = tempfile.mkdtemp()
+        self._temp_paths.append(temp_path)
+        # Create our test project and job template.
+        self.create_test_project(TEST_PROOT_PLAYBOOK)
+        project_path = self.project.local_path
+        job_template = self.create_test_job_template()
+        extra_vars = {
+            'projects_root': settings.PROJECTS_ROOT,
+            'joboutput_root': settings.JOBOUTPUT_ROOT,
+            'project_path': project_path,
+            'other_project_path': other_project_path,
+            'temp_path': temp_path,
+        }
+        job = self.create_test_job(job_template=job_template, verbosity=3,
+                                   extra_vars=json.dumps(extra_vars))
+        self.assertEqual(job.status, 'new')
+        self.assertFalse(job.passwords_needed_to_start)
+        self.assertTrue(job.signal_start())
+        job = Job.objects.get(pk=job.pk)
+        self.check_job_result(job, 'successful')
+
+    def test_run_job_with_proot_not_installed(self):
+        # Enable proot for this test, specify invalid proot cmd.
+        settings.AWX_PROOT_ENABLED = True
+        settings.AWX_PROOT_CMD = 'PR00T'
+        self.create_test_project(TEST_PLAYBOOK)
+        job_template = self.create_test_job_template()
+        job = self.create_test_job(job_template=job_template)
+        self.assertEqual(job.status, 'new')
+        self.assertFalse(job.passwords_needed_to_start)
+        self.assertTrue(job.signal_start())
+        job = Job.objects.get(pk=job.pk)
+        self.assertEqual(job.status, 'error')
+

awx/settings/defaults.py

@@ -5,6 +5,7 @@ import os
 import sys
 import glob
 from datetime import timedelta
+import tempfile
 
 # Update this module's local settings from the global settings module.
 from django.conf import global_settings
@@ -313,6 +314,18 @@ AWX_TASK_ENV = {}
 # Flag to enable/disable updating hosts M2M when saving job events.
 CAPTURE_JOB_EVENT_HOSTS = False
 
+# Enable proot support for running jobs (playbook runs only).
+AWX_PROOT_ENABLED = False
+
+# Command/path to proot.
+AWX_PROOT_CMD = 'proot'
+
+# Additional paths to hide from jobs using proot.
+AWX_PROOT_HIDE_PATHS = []
+
+# Additional paths to show for jobs using proot.
+AWX_PROOT_SHOW_PATHS = []
+
 # Not possible to get list of regions without authenticating, so use this list
 # instead (based on docs from:
 # http://docs.rackspace.com/loadbalancers/api/v1.0/clb-devguide/content/Service_Access_Endpoints-d1e517.html)