AWX 9.0.0 bubblewrap needs setuid permission · Issue #5224 · ansible/awx · GitHub

Closed
dmaple-gci opened this issue Nov 4, 2019 · 5 comments
@dmaple-gci
ISSUE TYPE
  • Bug Report
SUMMARY

Error when running jobs. "bwrap: Creating new namespace failed, likely because the kernel does not support user namespaces. bwrap must be installed setuid on such systems."

ENVIRONMENT
  • AWX version: 9.0.0
  • AWX install method: openshift
  • Ansible version: 2.8.5
  • Operating System: CentOS 8.0.1905
  • Web Browser: Any
STEPS TO REPRODUCE

Run SCM Update or Inventory Sync jobs. No other jobs could be tried because they depend on these two.

EXPECTED RESULTS

Jobs complete without error.

ACTUAL RESULTS

bwrap: Creating new namespace failed, likely because the kernel does not support user namespaces. bwrap must be installed setuid on such systems.

ADDITIONAL INFORMATION

Worked around error by running chmod u+s /usr/bin/bwrap in Dockerfile.j2 template. Here's a patch that applies the change:

diff --git a/installer/roles/image_build/templates/Dockerfile.j2 b/installer/roles/image_build/templates/Dockerfile.j2
index 64d7125..da16a47 100644
--- a/installer/roles/image_build/templates/Dockerfile.j2
+++ b/installer/roles/image_build/templates/Dockerfile.j2
@@ -49,6 +49,8 @@ RUN dnf -y update && \
   xmlsec1-openssl-devel \
   dnf-utils

+RUN chmod u+s /usr/bin/bwrap
+
 ADD https://github.com/krallin/tini/releases/download/v0.14.0/tini /tini
 RUN chmod +x /tini
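Review bot: the added `RUN chmod u+s /usr/bin/bwrap` line puts a setuid bit on a binary in the image with no comment saying why, so a later cleanup could drop it and an image audit would flag it without context. Suggest a one-line comment above it quoting the bwrap error it works around ("Creating new namespace failed ... bwrap must be installed setuid on such systems"), and consider appending the chmod to the preceding `RUN dnf -y update && \` chain instead of adding a separate RUN layer.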
@awxbot awxbot added the type:bug label Nov 4, 2019
@shanemcd
Member
shanemcd commented Nov 4, 2019

Thanks for reporting this. I am not sure what changed that would have broken this. Perhaps something upstream with bwrap itself. I've reproduced the error, and I am going to apply and test your patch now.

@dmaple-gci
Author

It does appear to be a change in the way the bubblewrap package installs on CentOS 8 and RHEL 8.

shanemcd added a commit to shanemcd/awx that referenced this issue Nov 4, 2019
shanemcd added a commit to shanemcd/awx that referenced this issue Nov 4, 2019
@shanemcd
Member
shanemcd commented Nov 4, 2019

Fix will be included in AWX 9.0.1 which I'm pushing out now.

@shanemcd shanemcd closed this as completed Nov 4, 2019
@philipsd6
Contributor

This problem also occurs when building the development image (CONTRIBUTING.md#build-the-base-image)

I will submit a PR to resolve the issue in the development Dockerfile as well.

philipsd6 pushed a commit to philipsd6/awx that referenced this issue Feb 25, 2020
Related: ansible#5224

Signed-off-by: Philip Douglass <philip.douglass@amadeus.com>
@kaushik4r

I still come across this issue while using AWX 11.2.0.

I'm trying to run the pod not using privileged SCC and setting the below within the deployment config of the awx pod -
securityContext:
  allowPrivilegeEscalation: false

The pod comes up just fine, however the SCM update job fails with the below error -

bwrap: Creating new namespace failed, likely because the kernel does not support user namespaces. bwrap must be installed setuid on such systems.

When I try granting it privileged SCC and set the securityContext to true for privileged access, the SCM update job works just fine. But I am looking to avoid this due to security constraints.

Any suggestions?
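
The conditions that come up in this thread (user namespaces unavailable, bwrap lacking the setuid bit, and `allowPrivilegeEscalation: false`, which Kubernetes implements by setting the kernel's no_new_privs flag so that setuid bits are not honoured on exec) can be told apart from inside the container. The script below is an added example, not part of the issue or of AWX; the function names and verdict strings are hypothetical, and it assumes a Linux /proc that exposes the `NoNewPrivs` status field and the `user.max_user_namespaces` sysctl.

```shell
#!/bin/sh
# Added example (not AWX code): classify why bwrap can or cannot create namespaces.
# Every path is a parameter so the logic can be exercised on constructed files.

has_setuid() {          # $1 = path to the bwrap binary
    [ -u "$1" ]         # true only if the file exists and has the set-user-ID bit
}

no_new_privs() {        # $1 = a /proc/<pid>/status file
    [ "$(awk '$1 == "NoNewPrivs:" {print $2}' "$1" 2>/dev/null)" = "1" ]
}

userns_enabled() {      # $1 = file holding the user.max_user_namespaces value
    n=$(cat "$1" 2>/dev/null) || return 1   # assumption: missing file = unavailable
    [ "${n:-0}" -gt 0 ] 2>/dev/null
}

# Prints one verdict (hypothetical labels):
#   userns-allowed  sysctl permits user namespaces, so bwrap needs no setuid bit
#                   (a seccomp or LSM policy may still deny the call)
#   needs-setuid    no user namespaces and no setuid bit: the error in this issue
#   setuid-ignored  setuid bit present, but no_new_privs stops it taking effect
#   setuid-ok       setuid bit present and usable
bwrap_diagnose() {      # $1 bwrap path, $2 status file, $3 max_user_namespaces file
    if userns_enabled "$3"; then
        echo "userns-allowed"
    elif ! has_setuid "$1"; then
        echo "needs-setuid"
    elif no_new_privs "$2"; then
        echo "setuid-ignored"
    else
        echo "setuid-ok"
    fi
}

# With no arguments, inspect the running container.
bwrap_diagnose "${1:-/usr/bin/bwrap}" "${2:-/proc/self/status}" \
               "${3:-/proc/sys/user/max_user_namespaces}"
```

A `setuid-ignored` verdict means the `chmod u+s` from the patch is present in the image but cannot take effect under the pod's security context.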
