def test_containerization_settings(tmp_path, runtime, mocker):
mocker.patch('os.path.isdir', return_value=True)
mocker.patch('os.path.exists', return_value=True)
mock_containerized = mocker.patch(
'ansible_runner.runner_config.RunnerConfig.containerized',
new_callable=mocker.PropertyMock)
mock_containerized.return_value = True
rc = RunnerConfig(tmp_path)
rc.ident = 'foo'
rc.playbook = 'main.yaml'
rc.command = 'ansible-playbook'
rc.process_isolation = True
rc.process_isolation_executable = runtime
rc.container_image = 'my_container'
rc.container_volume_mounts = ['/host1:/container1', '/host2:/container2']
rc.prepare()
extra_container_args = []
if runtime == 'podman':
extra_container_args = ['--quiet']
else:
extra_container_args = [f'--user={os.getuid()}']
expected_command_start = [runtime, 'run', '--rm', '--tty', '--interactive', '--workdir', '/runner/project'] + \
['-v', '{}/:/runner/:Z'.format(rc.private_data_dir)] + \
['-v', '/host1/:/container1/', '-v', '/host2/:/container2/'] + \
['--env-file', '{}/env.list'.format(rc.artifact_dir)] + \
extra_container_args + \
['--name', 'ansible_runner_foo'] + \
['my_container', 'ansible-playbook', '-i', '/runner/inventory/hosts', 'main.yaml']
assert expected_command_start == rc.command
def test_bwrap_process_isolation_defaults(mocker):
mocker.patch('os.makedirs', return_value=True)
rc = RunnerConfig('/')
rc.artifact_dir = '/tmp/artifacts'
rc.playbook = 'main.yaml'
rc.command = 'ansible-playbook'
rc.process_isolation = True
rc.process_isolation_executable = 'bwrap'
path_exists = mocker.patch('os.path.exists')
path_exists.return_value = True
rc.prepare()
assert rc.command == [
'bwrap',
'--die-with-parent',
'--unshare-pid',
'--dev-bind',
'/',
'/',
'--proc',
'/proc',
'--bind',
'/',
'/',
'--chdir',
'/project',
'ansible-playbook',
'-i',
'/inventory',
'main.yaml',
]
def test_process_isolation_settings(mocker, tmp_path):
mocker.patch('os.path.isdir', return_value=False)
mocker.patch('os.path.exists', return_value=True)
mocker.patch('os.makedirs', return_value=True)
rc = RunnerConfig('/')
rc.artifact_dir = tmp_path.joinpath('artifacts').as_posix()
rc.playbook = 'main.yaml'
rc.command = 'ansible-playbook'
rc.process_isolation = True
rc.process_isolation_executable = 'not_bwrap'
rc.process_isolation_hide_paths = ['/home', '/var']
rc.process_isolation_show_paths = ['/usr']
rc.process_isolation_ro_paths = ['/venv']
rc.process_isolation_path = tmp_path.as_posix()
mocker.patch('os.path.exists', return_value=True)
rc.prepare()
print(rc.command)
assert rc.command[0:8] == [
'not_bwrap',
'--die-with-parent',
'--unshare-pid',
'--dev-bind',
'/',
'/',
'--proc',
'/proc',
]
# hide /home
assert rc.command[8] == '--bind'
assert 'ansible_runner_pi' in rc.command[9]
assert rc.command[10] == os.path.realpath('/home') # needed for Mac
# hide /var
assert rc.command[11] == '--bind'
assert 'ansible_runner_pi' in rc.command[12]
assert rc.command[13] == '/var' or rc.command[13] == '/private/var'
# read-only bind
assert rc.command[14:17] == ['--ro-bind', '/venv', '/venv']
# root bind
assert rc.command[17:20] == ['--bind', '/', '/']
# show /usr
assert rc.command[20:23] == ['--bind', '/usr', '/usr']
# chdir and ansible-playbook command
assert rc.command[23:] == [
'--chdir', '/project', 'ansible-playbook', '-i', '/inventory',
'main.yaml'
]
def test_bwrap_process_isolation_and_directory_isolation(
mocker, patch_private_data_dir, tmp_path):
def mock_exists(path):
if path == "/project":
return False
return True
class MockArtifactLoader:
def __init__(self, base_path):
self.base_path = base_path
def load_file(self, path, objtype=None, encoding='utf-8'):
raise ConfigurationError
def isfile(self, path):
return False
mocker.patch('ansible_runner.config.runner.os.makedirs', return_value=True)
mocker.patch('ansible_runner.config.runner.os.chmod', return_value=True)
mocker.patch('ansible_runner.config.runner.os.path.exists', mock_exists)
mocker.patch('ansible_runner.config._base.ArtifactLoader',
new=MockArtifactLoader)
artifact_path = tmp_path / 'artifacts'
artifact_path.mkdir()
rc = RunnerConfig('/')
rc.artifact_dir = tmp_path / 'artifacts'
rc.directory_isolation_path = tmp_path / 'dirisolation'
rc.playbook = 'main.yaml'
rc.command = 'ansible-playbook'
rc.process_isolation = True
rc.process_isolation_executable = 'bwrap'
rc.prepare()
assert rc.command == [
'bwrap',
'--die-with-parent',
'--unshare-pid',
'--dev-bind',
'/',
'/',
'--proc',
'/proc',
'--bind',
'/',
'/',
'--chdir',
os.path.realpath(rc.directory_isolation_path),
'ansible-playbook',
'-i',
'/inventory',
'main.yaml',
]