Documentation

18. Bubblewrap functionality and variables

The bubblewrap functionality in Ansible Tower limits which directories on the Tower file system are available for playbooks to see and use during playbook runs. You may find that you need to customize your bubblewrap settings in some cases. To fine tune your usage of bubblewrap, there are certain variables that can be set.

To disable or enable bubblewrap support for running jobs (playbook runs only), ensure you are logged in as the Admin user:

  1. Click the Settings (settings) icon from the left navigation bar.

  2. Click the Jobs tab.

  3. Scroll down until you see “Enable Job Isolation” and change the toggle button selection to OFF to disable bubblewrap support or select ON to enable it.

_images/configure-tower-jobs-disable-proot-job-isolation.png

By default, the Tower will use the system’s tmp directory (/tmp by default) as its staging area. This can be changed in the Job Isolation Execution Path field of the Configure tower screen, or by updating the following entry in the settings file:

AWX_PROOT_BASE_PATH = "/opt/tmp"

If there is other information on the system that is sensitive and should be hidden, you can specify those in the Configure Tower screen in the Paths to Hide to Isolated Jobs or by updating the following entry in the settings file:

AWX_PROOT_HIDE_PATHS = ['/list/of/', '/paths']

If there are any directories that should specifically be exposed, you can specify those in the Configure Tower screen in the Paths to Expose to Isolated Jobs or by updating the following entry in the settings file:

AWX_PROOT_SHOW_PATHS = ['/list/of/', '/paths']

Note

The primary file you may want to add to AWX_PROOT_SHOW_PATHS is /var/lib/awx/.ssh, if your playbooks need to use keys or settings defined there.

If you made changes in the settings file, be sure to restart services with the ansible-tower-service restart command after your changes have been saved.