/ home / containers / containers.podman / 1.12.1 / become / podman_unshare

containers.podman.podman_unshare (1.12.1) — become

Run tasks using podman unshare

| "added in version" 1.9.0 of containers.podman"

Authors: Janos Gerzson (@grzs)

Install collection

Install with ansible-galaxy collection install containers.podman:==1.12.1

Add to requirements.yml

  collections:
    - name: containers.podman
      version: 1.12.1

Description

This become plugins allows your remote/login user to execute commands in its container user namespace. Official documentation: https://docs.podman.io/en/latest/markdown/podman-unshare.1.html

Usage examples

Scanned by Steampunk Spotter

- name: checking uid of file 'foo'
  ansible.builtin.stat:
    path: "{{ test_dir }}/foo"
  register: foo

Scanned by Steampunk Spotter

- ansible.builtin.debug:
    var: foo.stat.uid

Scanned by Steampunk Spotter

# The output shows that it's owned by the login user
# ok: [test_host] => {
#     "foo.stat.uid": "1003"
# }

- name: mounting the file to an unprivileged container and modifying its owner
  containers.podman.podman_container:
    name: chmod_foo
    image: alpine
    rm: true
    volume:
    - "{{ test_dir }}:/opt/test:z"
    command: chown 1000 /opt/test/foo

Scanned by Steampunk Spotter

# Now the file 'foo' is owned by the container uid 1000,
# which is mapped to something completaly different on the host.
# It creates a situation when the file is unaccessible to the host user (uid 1003)
# Running stat again, debug output will be like this:
# ok: [test_host] => {
#     "foo.stat.uid": "328679"
# }

- name: running stat in modified user namespace
  become_method: containers.podman.podman_unshare
  become: true
  ansible.builtin.stat:
    path: "{{ test_dir }}/foo"
  register: foo

Scanned by Steampunk Spotter

# By gathering file stats with podman_ushare
# we can see the uid set in the container:
# ok: [test_host] => {
#     "foo.stat.uid": "1000"
# }

- name: resetting file ownership with podman unshare
  become_method: containers.podman.podman_unshare
  become: true
  ansible.builtin.file:
    state: file
    path: "{{ test_dir }}/foo"
    owner: 0  # in a modified user namespace host uid is mapped to 0

Inputs

    
become_exe:
    default: sudo
    description: Sudo executable
    env:
    - name: ANSIBLE_BECOME_EXE
    - name: ANSIBLE_SUDO_EXE
    ini:
    - key: become_exe
      section: privilege_escalation
    - key: executable
      section: sudo_become_plugin
    vars:
    - name: ansible_become_exe
    - name: ansible_sudo_exe

become_pass:
    description: Password to pass to sudo
    env:
    - name: ANSIBLE_BECOME_PASS
    - name: ANSIBLE_SUDO_PASS
    ini:
    - key: password
      section: sudo_become_plugin
    required: false
    vars:
    - name: ansible_become_password
    - name: ansible_become_pass
    - name: ansible_sudo_pass

become_user:
    description: User you 'become' to execute the task ('root' is not a valid value here).
    env:
    - name: ANSIBLE_BECOME_USER
    - name: ANSIBLE_SUDO_USER
    ini:
    - key: become_user
      section: privilege_escalation
    - key: user
      section: sudo_become_plugin
    vars:
    - name: ansible_become_user
    - name: ansible_sudo_user