Fix broken password-based SSH (#1013)

shanemcd · web-flow · commit 1ab1ed5905b9 · 2022-03-08T14:28:14.000Z
Fix broken password-based SSH Fallout from the recent changes in #999. I came up with the solution here after piecing together info in comments from @sivel and @jborean93. (thanks!) Users who tried to use SSH w/ a login password were seeing: <ec2-44-203-148-21.compute-1.amazonaws.com> SSH: EXEC sshpass -d8 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'User="testuser"' -o ConnectTimeout=10 -o ControlPath=/var/lib/awx/.ansible/cp/6abb5dc2c2 ec2-44-203-148-21.compute-1.amazonaws.com '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo ~/.ansible/tmp `"&& mkdir "` echo ~/.ansible/tmp/ansible-tmp-1646413970.94-16-215594703579950 `" && echo ansible-tmp-1646413970.94-16-215594703579950="` echo ~/.ansible/tmp/ansible-tmp-1646413970.94-16-215594703579950 `" ) && sleep 0'"'"'' <ec2-44-203-148-21.compute-1.amazonaws.com> (3, '', "Failed to change pseudo terminal's permission: Operation not permitted\n") <ec2-44-203-148-21.compute-1.amazonaws.com> Failed to connect to the host via ssh: Failed to change pseudo terminal's permission: Operation not permitted ec2-44-203-148-21.compute-1.amazonaws.com | UNREACHABLE! => { "changed": false, "msg": "Failed to create temporary directory.In some cases, you may have been able to authenticate and did not have permissions on the target directory. Consider changing the remote tmp path in ansible.cfg to a path rooted in \"/tmp\", for more error information use -vvv. Failed command was: ( umask 77 && mkdir -p \"` echo ~/.ansible/tmp `\"&& mkdir \"` echo ~/.ansible/tmp/ansible-tmp-1646413970.94-16-215594703579950 `\" && echo ansible-tmp-1646413970.94-16-215594703579950=\"` echo ~/.ansible/tmp/ansible-tmp-1646413970.94-16-215594703579950 `\" ), exited with result 3", "unreachable": true } Critical part being Failed to change pseudo terminal's permission: Operation not permitted. Reviewed-by: David Shrewsbury <None>
diff --git a/ansible_runner/config/runner.py b/ansible_runner/config/runner.py
@@ -339,7 +339,7 @@ def wrap_args_for_sandbox(self, args):
         new_args.extend([
             '--die-with-parent',
             '--unshare-pid',
-            '--dev', '/dev',
+            '--dev-bind', '/dev', 'dev',
             '--proc', '/proc',
             '--dir', '/tmp',
             '--ro-bind', '/bin', '/bin',
diff --git a/test/unit/config/test_runner.py b/test/unit/config/test_runner.py
@@ -563,7 +563,7 @@ def test_bwrap_process_isolation_defaults(mocker):
         'bwrap',
         '--die-with-parent',
         '--unshare-pid',
-        '--dev', '/dev',
+        '--dev-bind', '/dev', 'dev',
         '--proc', '/proc',
         '--dir', '/tmp',
         '--ro-bind', '/bin', '/bin',
@@ -616,7 +616,7 @@ def isfile(self, path):
         'bwrap',
         '--die-with-parent',
         '--unshare-pid',
-        '--dev', '/dev',
+        '--dev-bind', '/dev', 'dev',
         '--proc', '/proc',
         '--dir', '/tmp',
         '--ro-bind', '/bin', '/bin',
@@ -654,7 +654,7 @@ def test_process_isolation_settings(mocker, tmp_path):
         'not_bwrap',
         '--die-with-parent',
         '--unshare-pid',
-        '--dev', '/dev',
+        '--dev-bind', '/dev', 'dev',
         '--proc', '/proc',
         '--dir', '/tmp',
         '--ro-bind', '/bin', '/bin',
