For security reasons, we have /tmp mounted with the noexec flag. Since Docker needs the exec flag, running any docker-compose command like docker-compose --version results in the following error:

docker-compose: error while loading shared libraries: libz.so.1: failed to map segment from shared object

This could be fixed on the CLI by setting the TMPDIR env variable to a local path like the home directory. But in Ansible this doesn't work, since it's not spawning a login shell. We have an Ansible playbook with a lot of docker-compose CLI calls, and they ignore TMPDIR exported in e.g. /etc/environment.

It only works when specifying TMPDIR as an environment variable with an absolute path like this:

- name: Check if all applications are running
  shell: |
    docker-compose ps | grep Up | wc -l
  changed_when: running.stdout != item.services_num
  register: running
  with_items:
    - "{{ docker_applications }}"
  environment:
    TMPDIR: /home/myuser

Since this results in many code changes and overhead, I'm looking for a way to set this globally. remote_tmp should be able to fix this, so I set it in ansible.cfg:

[defaults]
remote_tmp = /home/myuser

This doesn't work and I can't find the directive in the Ansible 2.9, 2.8 or 2.9 docs.

Lion

1 Answer

I found a workaround that allows specifying the env variable using an Ansible variable at playbook level like this:

- name: Setting custom TMPDIR for docker
  hosts: all
  environment: 
    TMPDIR: "{{ tmp_dir }}"
  vars:
    tmp_dir: /home/myuser
    # Verify that it works by making a negative test with the wrong temp dir that results in libz.so.1 segment failed error
    #tmp_dir: /tmp
  tasks:
    - name: Test tmpdir
      shell: "echo $TMPDIR; docker-compose --version"

It's important to specify an absolute path. tmp_dir: ~ doesn't work. Even better would be fetching the home directory from Ansible's variables:

- name: Setting custom TMPDIR for docker
  hosts: all
  environment: 
    TMPDIR: "{{ ansible_env.HOME }}"
  tasks:
    - name: Test tmpdir
      shell: "echo $TMPDIR; docker-compose --version"

This avoids manually maintaining system-specific paths at all, so it could be easily re-used.

It's still not a perfect solution, but at least we can set this just for the main playbook instead of having tons of environment directives for each task.

Lion
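
A pre-flight check for the TMPDIR choice discussed in the answer above, as an added example that is not part of the original post: it reads a mounts table in /proc/mounts format and picks the first candidate directory that is not on a noexec filesystem. The function names and the sample table are constructed for illustration, and paths are assumed to be absolute and already canonical.

```shell
#!/bin/sh
# Added example (not from the original post).
# Constructed sample in /proc/mounts format: /tmp is noexec, /home is not.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda2 /home ext4 rw,nodev 0 0'

# Print the mount options of the filesystem holding absolute path $1.
# $2 is a mounts table as text; when empty, the live /proc/mounts is read.
# Assumption: $1 is already canonical (no symlinks, no trailing slash).
mount_opts_for() {
    printf '%s\n' "${2:-$(cat /proc/mounts)}" | awk -v p="$1" '
        {
            mp = $2
            # Match "/", the path itself, or a parent directory of it.
            # Appending "/" keeps /tmpfoo from matching the /tmp mount.
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                # Deepest mount wins; on a tie the later entry shadows.
                if (length(mp) >= length(best)) { best = mp; opts = $4 }
            }
        }
        END { print opts }'
}

# Succeed (exit 0) when $1 is on a filesystem mounted noexec.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the first directory in $2.. that is not on a noexec mount.
# $1 is the mounts table text (empty string means the live table).
pick_exec_tmpdir() {
    mounts=$1
    shift
    for dir in "$@"; do
        if ! is_noexec "$dir" "$mounts"; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}
```

On a real host, calling `pick_exec_tmpdir "" /tmp "$HOME"` checks the live mount table and prints the directory to use as TMPDIR.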