AWX requirement of privileged container

Hi,

I’m setting up AWX on OpenShift for a POC (very likely it will be adopted) and I noticed that it requires the privileged SCC.
Do you know which features require this and whether it is possible to deploy without it?

Thanks in advance,
Idan

https://docs.ansible.com/ansible-tower/latest/html/userguide/security.html

Bubblewrap requires privileged containers and is on by default. You can disable it via the job isolation toggle. I looked at the docs above.

Great thank you for clarifying that.

So to confirm, there’s no way to deploy without the privileged SCC? My OpenShift admins wanted some specifics on what permissions were needed before they would allow that (I think they’re looking to create a custom role).

Idan,

I encourage you to reach out to a Red Hat representative so they can help you POC Tower.

ngonzal,

There is no supported way to deploy without the privileged SCC. That being said, I can think of how you can make it work. You need to set privileged: false in installer/roles/kubernetes/templates/deployment.yml.j2

That will get the container deployed. Then you need to disable bubblewrap like I describe above.
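The edit described in this reply, as an added example that is not part of the thread or of the AWX installer: a small script that audits a rendered Deployment manifest for containers that request privileged: true (the information the OpenShift admins asked for) and rewrites those lines to privileged: false. The manifest below is a constructed, trimmed-down stand-in for what deployment.yml.j2 renders, not the real template; container and image names are assumed. It is deliberately line-based so it runs without PyYAML, and it relies on the two-space indentation and the '- name:' list items of a rendered manifest. Disabling job isolation is a separate step done in the AWX settings, not in this file.

```python
import re

# Constructed sample manifest (not from the AWX repo): a stand-in for what
# installer/roles/kubernetes/templates/deployment.yml.j2 renders, with the
# privileged securityContext the thread is about. Names are assumptions.
SAMPLE_DEPLOYMENT = """\
apiVersion: apps/v1
kind: Deployment
metadata:
  name: awx
spec:
  template:
    spec:
      containers:
        - name: awx-web
          image: ansible/awx_web:latest
          securityContext:
            privileged: true
          env:
            - name: DATABASE_HOST
              value: postgres
        - name: awx-task
          image: ansible/awx_task:latest
          securityContext:
            privileged: true
        - name: redis
          image: redis:alpine
      volumes: []
"""

LIST_ITEM_NAME_RE = re.compile(r"^(\s*)-\s+name:\s*(\S+)\s*$")
PRIVILEGED_RE = re.compile(r"^(\s*)privileged:\s*(\S+)\s*$")
LIST_KEY_RE = re.compile(r"^(\s*)(containers|initContainers):\s*$")


def _walk_containers(lines):
    """Yield (line_index, container_name, is_privileged) for every
    'privileged:' key found inside a containers/initContainers list.

    Line-based on purpose so it needs no YAML library: a container starts
    at a '- name:' item at the list's item indentation; a deeper-indented
    'privileged:' belongs to that container. Nested '- name:' items (env
    entries, for example) are deeper than the item indent and are ignored.
    """
    list_indent = None   # indent of the containers:/initContainers: key
    item_indent = None   # indent of the '- name:' items in that list
    current = None       # container currently being read
    for idx, line in enumerate(lines):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        m = LIST_KEY_RE.match(line)
        if m:
            list_indent, item_indent, current = len(m.group(1)), None, None
            continue
        if list_indent is None:
            continue
        if indent <= list_indent:
            # Dedented past the list key: we have left the container list.
            list_indent, item_indent, current = None, None, None
            continue
        m = LIST_ITEM_NAME_RE.match(line)
        if m and (item_indent is None or len(m.group(1)) == item_indent):
            item_indent, current = len(m.group(1)), m.group(2)
            continue
        m = PRIVILEGED_RE.match(line)
        if m and current is not None and indent > item_indent:
            yield idx, current, m.group(2).lower() == "true"


def privileged_containers(manifest):
    """Sorted names of containers whose securityContext sets privileged: true."""
    lines = manifest.splitlines()
    return sorted({name for _, name, priv in _walk_containers(lines) if priv})


def drop_privileged(manifest):
    """Return (rewritten_manifest, changed_container_names).

    Every 'privileged: true' inside a container spec becomes
    'privileged: false', the same edit made by hand in deployment.yml.j2.
    """
    lines = manifest.splitlines()
    changed = []
    for idx, name, priv in list(_walk_containers(lines)):
        if priv:
            lines[idx] = PRIVILEGED_RE.sub(
                lambda m: f"{m.group(1)}privileged: false", lines[idx])
            changed.append(name)
    return "\n".join(lines) + "\n", changed


if __name__ == "__main__":
    print("privileged containers:", privileged_containers(SAMPLE_DEPLOYMENT))
    fixed, changed = drop_privileged(SAMPLE_DEPLOYMENT)
    print("rewritten:", changed)
    print(fixed)
```

Run it against the output of the installer's template rendering (or against `oc get deployment awx -o yaml`) to get the list of containers the admins need to see; the rewritten manifest is what deploys under the restricted SCC once job isolation is turned off on the AWX side.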

Hi Chris,

Thanks for your help, I got AWX deployed successfully on our OpenShift.
Like you said, I had to update deployment.yml.j2 and disable “Job Isolation”, and it deployed successfully.
For production deployments we will need to keep that enabled; we will review this later.

ngonzal, you can review my working deployment scripts https://github.com/iplaman/awx/commit/1d396060a94ca2c3f774834dddf4169d84da1a64

Thanks,
Idan

Has there been any progress on this?
Bubblewrap is something we want to have enabled, but it only works with privileged containers, which isn't allowed on our cluster.

Has anyone been able to work around this?

Nothing has changed about this, as there’s been no real movement from the bubblewrap team… if that changes or another tool like bwrap comes along, then we’ll take another look.

Hey Chris,

Any sense of the appetite to enhance the AWX install to conditionalize whether it configures AWX with privileged expectations? (Considering whether to PR, but I don’t want to waste time if the project is just going to decide not to accept it.)

Regards,
Andy