vm_infra role throws 'permission denied' when run from AWX

[ggatward]

SUMMARY

Playbook to provision oVirt VM runs successfully when run from Ansible CLI, but same playbook fails with a permission denied error in the ovirt_vm task when run via AWX.

COMPONENT NAME

ovirt.ovirt.vm_infra role, suspect the ovirt_vm module

STEPS TO REPRODUCE

Host: CentOS-8 (python36) with Ansible 2.9.15, ovirt-engine-sdk-python 4.4.4, ovirt-ansible-collection 1.2.1
AWX: 14.1.0 (docker-compose install), custom virtualenv with python36, ansible 2.9.15, ovirt-engine-sdk-python 4.4.4
docker-compose.txt

Have tried the latest SDK from pip (4.4.7) as well, no change. Need to use a custom venv in AWX as the default environment only has SDK version 4.3.

Sample Playbook used:

- name: oVirt ansible collection
  hosts: localhost
  connection: local
  collections:
    - ovirt.ovirt
  vars_files:
    - vault.yml

  vars:
    vms:
      - name: c7_test1
        template: CentOS-7-x86_64-GenericCloud-2003
        cores: 2
        memory: 4GiB
        nics:
          - name: eth0
            network: Lab
        disks:
          - name: CentOS-7-x86_64-GenericCloud-2003
            size: 30GiB
            name_prefix: false
            interface: virtio_iscsi
        type: server
        cloud_init:
          dns_servers: '8.8.8.8 8.8.4.4'
          host_name: c7_test1.example.com
          custom_script: |
            users:
              - name: ansible
                groups: wheel
        cloud_init_nics:
          - nic_name: eth0
            nic_boot_protocol: static
            nic_ip_address: 172.22.4.66
            nic_netmask: 255.255.255.0
            nic_gateway: 172.22.4.1
            nic_on_boot: True

  tasks:
    - block:
        - name: Obtain SSO token with using username/password credentials
          ovirt.ovirt.ovirt_auth:
            url: https://testengine.lab.example.com/ovirt-engine/api
            username: admin@internal
            password: "{{ vault_ovirt_admin_password }}"

        - import_role:
            name: ovirt.ovirt.vm_infra

      always:
        - name: Always revoke the SSO token
          ovirt_auth:
            state: absent
            ovirt_auth: "{{ ovirt_auth }}"

EXPECTED RESULTS

VM is provisioned in oVirt both via Ansible CLI and also when run from AWX

ACTUAL RESULTS

VM provisioning successful when run via CLI, but fails from AWX with the output below

TASK [ovirt.ovirt.vm_infra : Wait for VMs to be added] *************************
task path: /tmp/awx_67_3yzkbikp/requirements_collections/ansible_collections/ovirt/ovirt/roles/vm_infra/tasks/vm_state_present.yml:8
Using module file /opt/venv/test2/lib/python3.6/site-packages/ansible/modules/utilities/logic/async_status.py
Pipelining is enabled.
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: root
<127.0.0.1> EXEC /bin/sh -c '/opt/venv/test1/bin/python && sleep 0'
failed: [localhost] (item={'started': 1, 'finished': 0, 'ansible_job_id': '387694935680.1896', 'results_file': '/var/lib/awx/.ansible_async/387694935680.1896', 'changed': False, 'failed': False}) => {
    "ansible_job_id": "387694935680.1896",
    "ansible_loop_var": "item",
    "attempts": 1,
    "changed": false,
    "cmd": "/tmp/ansible-tmp-1605164139.2402353-1885-54477151523365/AnsiballZ_ovirt_vm.py",
    "finished": 1,
    "invocation": {
        "module_args": {
            "_async_dir": "/var/lib/awx/.ansible_async",
            "jid": "387694935680.1896",
            "mode": "status"
        }
    },
    "item": {
        "ansible_job_id": "387694935680.1896",
        "changed": false,
        "failed": false,
        "finished": 0,
        "results_file": "/var/lib/awx/.ansible_async/387694935680.1896",
        "started": 1
    },
    "msg": "[Errno 13] Permission denied: '/tmp/ansible-tmp-1605164139.2402353-1885-54477151523365/AnsiballZ_ovirt_vm.py'",
    "outdata": "",
    "stderr": "",
    "stderr_lines": []
}
Read vars_file 'vault.yml'

Full debug output of this job attached
job_67.txt

[mnecas]

I know it's a late response so probably not that helpful but try changing the async_dir.