Ansible-runner run, User SSH key / SSH agent not mounting inside EE

I have build an EE, and I am now trying to use it through ansible-runner, but it seriously seems like ansible-runner is not ment to be used manually.

I am currently using version 2.4.0 of ansible runner in on a RHEL8 box using podman, and I have created a Runner input directory structure, which seems to work:

.
├── env
│   ├── cmdline
│   └── settings
├── inventory
│   └── inventory-test.yml
├── poetry.lock
├── project
├── pyproject.toml
└── README.md

$ cat env/settings 
---
container_image: localhost/my-ee:latest
process_isolation: true
rotate_artifacts: 5

I can use this to ping localhost

$ ansible-runner run -m ping --hosts localhost .
localhost | SUCCESS => {
    "changed": false,
    "ping": "pong"
} 

The runner docs seems to indicate that when run using an EE, then it should mount in the SSH agent and/or the host users ~/.ssh (as long as it is not symlinked). Ref: Using Runner with Execution Environments — Ansible Runner Documentation

However when running a playbook that is present inside the EE, against a target, then it fails to authenticate. Adding the debug flag indicates that the runner in fact doesn’t add any mount options when executing podman, that would handle any SSH keys.

Looking at the runner code, seems to cooporate this in the wrap_args_for_containerization() function:

        # For run() and run_async() API value of base execution_mode is 'BaseExecutionMode.NONE'
        # and the container volume mounts are handled separately using 'container_volume_mounts'
        # hence ignore additional mount here
        if execution_mode != BaseExecutionMode.NONE:

Ref: ansible-runner/src/ansible_runner/config/_base.py#L516-L519

As far as I can gather, then when running ansible-runner run then the BaseExecutionMode is in fact NONE, and thus all the code inside this if statement is skipped, and thus no mounting of either the users ~/.ssh nor the SSH_AUTH_SOCK is done:

This is a snippet of the output, when running with the --debug flag

sandbox disabled
containerization enabled
env:
  ....
command: podman run --rm --tty --interactive --workdir /runner/project -v /home/user/src/project/ansible-test-runner/:/runner/:Z --env-file /home/user/src/project/ansible-test-runner/artifacts/87671a22-d89a-4668-8f20-dd6d0d97bc4c/env.list --quiet --name ansible_runner_87671a22-d89a-4668-8f20-dd6d0d97bc4c localhost/my-ee:latest ansible --user root -i /runner/inventory -m ping localhost

So given the comment in the code, which runner command is this intended to actually work with? It doesn’t seem to make much sense that it would mount in ~/.ssh for the transmit/worker/process commands?

What is the expected way of running an EE manually on a server, without copying/adding a “permanent” ssh key in the env/ssh_key file?

Also, if i am not mistaken, then the code that would have added mount options for these parths, is missing the label=":Z", so even if it would have added those mount options to podman, it would likely not work anyway?

  • ansible-runner/src/ansible_runner/config/_base.py#L681
  • ansible-runner/src/ansible_runner/config/_base.py#L687

My impression was that ansible-navigator was a user-facing way to use EEs from the command line. I don’t know whether the things you’re asking for are better implemented there though, since I don’t really use EEs :slight_smile: But maybe it’s worth a try?

1 Like

That would explain… I have just always found navigator too “heavy”.

And it seemed that ansible-builder was build with podman as the primary/default container engine, so I kind of expected ansible-runner to be the same nice experience.

I gave navigator a try, and I stick with my initial comment. It is way to bloated, when one just needs to execute an EE in a simple way.

I spent a few hours looking at the runner code, and I opened the following issue for anyone else reading this: ansible-runner#1396

The conclusion is that it is likely way easier to just manually run Podman, as the runner 2.x code seems quite broken with regards to EE’s (confirmed by seeing some of the other issues raised).
I wouldn’t even know where to start submitting a PR, to fix some of the stuff, as it is kind of uncertain what the correct behaviour actually is, and what is new or old code (e.g., RunnerConfig vs CommandConfig).