External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-12 03:47:36 -02:30
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #7200 from ryanpetrello/fix-7183

Browse Source 
use a named pipe for isolated secret passthrough (not stdin)
This commit is contained in:
Ryan Petrello
2017-07-20 13:47:06 -04:00
committed by GitHub
parent d04a9a98b6 d42ea31f75
commit b11fabd981
3 changed files with 14 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
awx/main/isolated/isolated_manager.py
View File

@@ -4,7 +4,6 @@ import codecs
import StringIO import StringIO
import json import json
import os import os
import re
import shutil import shutil
import stat import stat
import tempfile import tempfile
@@ -150,6 +149,13 @@ class IsolatedManager(object):
secrets['ssh_key_data'] = buff.getvalue() secrets['ssh_key_data'] = buff.getvalue()
os.remove(self.ssh_key_path) os.remove(self.ssh_key_path)
# write the entire secret payload to a named pipe
# the run_isolated.yml playbook will use a lookup to read this data
# into a variable, and will replicate the data into a named pipe on the
# isolated instance
secrets_path = os.path.join(self.private_data_dir, 'env')
run.open_fifo_write(secrets_path, base64.b64encode(json.dumps(secrets)))
self.build_isolated_job_data() self.build_isolated_job_data()
extra_vars = { extra_vars = {
@@ -172,9 +178,6 @@ class IsolatedManager(object):
logger.debug('Starting job on isolated host with `run_isolated.yml` playbook.') logger.debug('Starting job on isolated host with `run_isolated.yml` playbook.')
status, rc = IsolatedManager.run_pexpect( status, rc = IsolatedManager.run_pexpect(
args, self.awx_playbook_path(), self.management_env, buff, args, self.awx_playbook_path(), self.management_env, buff,
expect_passwords={
re.compile(r'Secret:\s*?$', re.M): base64.b64encode(json.dumps(secrets))
},
idle_timeout=self.idle_timeout, idle_timeout=self.idle_timeout,
job_timeout=settings.AWX_ISOLATED_LAUNCH_TIMEOUT, job_timeout=settings.AWX_ISOLATED_LAUNCH_TIMEOUT,
pexpect_timeout=5 pexpect_timeout=5
@@ -216,7 +219,9 @@ class IsolatedManager(object):
'- /project/.svn', '- /project/.svn',
'- /project/.hg', '- /project/.hg',
# don't rsync job events that are in the process of being written # don't rsync job events that are in the process of being written
'- /artifacts/job_events/*-partial.json.tmp' '- /artifacts/job_events/*-partial.json.tmp',
# rsync can't copy named pipe data - we're replicating this manually ourselves in the playbook
'- /env'
] ]
for filename, data in ( for filename, data in (

3
awx/main/tests/unit/isolated/test_expect.py
View File

@@ -163,7 +163,8 @@ def test_build_isolated_job_data(private_data_dir, rsa_key):
'- /project/.git', '- /project/.git',
'- /project/.svn', '- /project/.svn',
'- /project/.hg', '- /project/.hg',
'- /artifacts/job_events/*-partial.json.tmp' '- /artifacts/job_events/*-partial.json.tmp',
'- /env'
]) ])

6
awx/playbooks/run_isolated.yml
View File

@@ -8,10 +8,8 @@
- name: Prepare data, dispatch job in isolated environment. - name: Prepare data, dispatch job in isolated environment.
hosts: all hosts: all
gather_facts: false gather_facts: false
vars_prompt: vars:
- prompt: "Secret" secret: "{{ lookup('pipe', 'cat ' + src + '/env') }}"
name: "secret"
private: yes
tasks: tasks: