Use inventory and env private_data_dir subfolders

This avoids writing files to the top level of the ansible-runner private_data_dir Inventory is moved to be in the standard "inventory" folder Credential related files are moved inside of the "env" folder Also pre-create these folders when preparing for a job run With this, args is the only top-level file still remaining
2026-01-12 18:40:01 -03:30 · 2020-09-16 20:35:27 -04:00 · 2020-09-16 20:35:27 -04:00 · f59da78328
commit f59da78328
parent 117bb07f0d
3 changed files with 13 additions and 12 deletions
--- a/awx/main/models/credential/init.py
+++ b/awx/main/models/credential/init.py
@ -493,7 +493,7 @@ class CredentialType(CommonModelNameNotUnique):

        for file_label, file_tmpl in file_tmpls.items():
            data = sandbox_env.from_string(file_tmpl).render(**namespace)
-            _, path = tempfile.mkstemp(dir=private_data_dir)
+            _, path = tempfile.mkstemp(dir=os.path.join(private_data_dir, 'env'))
            with open(path, 'w') as f:
                f.write(data)
            os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
@ -526,7 +526,7 @@ class CredentialType(CommonModelNameNotUnique):
                extra_vars[var_name] = sandbox_env.from_string(tmpl).render(**namespace)

            def build_extra_vars_file(vars, private_dir):
-                handle, path = tempfile.mkstemp(dir=private_dir)
+                handle, path = tempfile.mkstemp(dir=os.path.join(private_dir, 'env'))
                f = os.fdopen(handle, 'w')
                f.write(safe_dump(vars))
                f.close()
--- a/awx/main/models/credential/injectors.py
+++ b/awx/main/models/credential/injectors.py
@ -25,7 +25,7 @@ def gce(cred, env, private_data_dir):
        env['GCE_PROJECT'] = project
    json_cred['token_uri'] = 'https://oauth2.googleapis.com/token'

-    handle, path = tempfile.mkstemp(dir=private_data_dir)
+    handle, path = tempfile.mkstemp(dir=os.path.join(private_data_dir, 'env'))
    f = os.fdopen(handle, 'w')
    json.dump(json_cred, f, indent=2)
    f.close()
@ -96,7 +96,7 @@ def _openstack_data(cred):


 def openstack(cred, env, private_data_dir):
-    handle, path = tempfile.mkstemp(dir=private_data_dir)
+    handle, path = tempfile.mkstemp(dir=os.path.join(private_data_dir, 'env'))
    f = os.fdopen(handle, 'w')
    openstack_data = _openstack_data(cred)
    yaml.safe_dump(openstack_data, f, default_flow_style=False, allow_unicode=True)
@ -111,7 +111,7 @@ def kubernetes_bearer_token(cred, env, private_data_dir):
    env['K8S_AUTH_API_KEY'] = cred.get_input('bearer_token', default='')
    if cred.get_input('verify_ssl') and 'ssl_ca_cert' in cred.inputs:
        env['K8S_AUTH_VERIFY_SSL'] = 'True'
-        handle, path = tempfile.mkstemp(dir=private_data_dir)
+        handle, path = tempfile.mkstemp(dir=os.path.join(private_data_dir, 'env'))
        with os.fdopen(handle, 'w') as f:
            os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
            f.write(cred.get_input('ssl_ca_cert'))
--- a/awx/main/tasks.py
+++ b/awx/main/tasks.py
@ -873,11 +873,12 @@ class BaseTask(object):

        path = tempfile.mkdtemp(prefix='awx_%s_' % instance.pk, dir=pdd_wrapper_path)
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR)
-        runner_project_folder = os.path.join(path, 'project')
-        if not os.path.exists(runner_project_folder):
-            # Ansible Runner requires that this directory exists.
-            # Specifically, when using process isolation
-            os.mkdir(runner_project_folder)
+        # Ansible runner requires that project exists,
+        # and we will write files in the other folders without pre-creating the folder
+        for subfolder in ('project', 'inventory', 'env'):
+            runner_subfolder = os.path.join(path, subfolder)
+            if not os.path.exists(runner_subfolder):
+                os.mkdir(runner_subfolder)
        return path

    def build_private_data_files(self, instance, private_data_dir):
@ -921,7 +922,7 @@ class BaseTask(object):
                # Instead, ssh private key file is explicitly passed via an
                # env variable.
                else:
-                    handle, path = tempfile.mkstemp(dir=private_data_dir)
+                    handle, path = tempfile.mkstemp(dir=os.path.join(private_data_dir, 'env'))
                    f = os.fdopen(handle, 'w')
                    f.write(data)
                    f.close()
@ -2460,7 +2461,7 @@ class RunInventoryUpdate(BaseTask):
        if injector is not None:
            content = injector.inventory_contents(inventory_update, private_data_dir)
            # must be a statically named file
-            inventory_path = os.path.join(private_data_dir, injector.filename)
+            inventory_path = os.path.join(private_data_dir, 'inventory', injector.filename)
            with open(inventory_path, 'w') as f:
                f.write(content)
            os.chmod(inventory_path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR)