containers / containers.podman / 1.12.1 / become / podman_unshare Run tasks using podman unshare | added in version 1.9.0 of containers.podman. Authors: Janos Gerzson (@grzs). containers.podman.podman_unshare (1.12.1) — become
Install with ansible-galaxy collection install containers.podman:==1.12.1
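---
# requirements.yml entry for the collection that ships the podman_unshare
# become plugin. The exact version is pinned so that repeated installs resolve
# to the same release; it is quoted so it is always read as a string.
collections:
  - name: containers.podman
    version: "1.12.1"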
This become plugin allows your remote/login user to execute commands in its container user namespace. Official documentation: https://docs.podman.io/en/latest/markdown/podman-unshare.1.html
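# Example tasks: inspect and repair the ownership of a file that a rootless
# container re-owned, by running modules inside the login user's container
# user namespace via the podman_unshare become plugin.

- name: checking uid of file 'foo'
  ansible.builtin.stat:
    path: "{{ test_dir }}/foo"
  register: foo

- ansible.builtin.debug:
    var: foo.stat.uid

# The output shows that it's owned by the login user
# ok: [test_host] => {
#     "foo.stat.uid": "1003"
# }

- name: mounting the file to an unprivileged container and modifying its owner
  containers.podman.podman_container:
    name: chmod_foo
    # The image is referenced without a tag or digest; pin one if the run
    # needs to be reproducible.
    image: alpine
    rm: true
    volume:
      # ':z' asks podman to relabel the host directory with a shared SELinux
      # label, so point test_dir at a dedicated scratch directory.
      - "{{ test_dir }}:/opt/test:z"
    command: chown 1000 /opt/test/foo

# Now the file 'foo' is owned by the container uid 1000,
# which is mapped to something completely different on the host.
# This creates a situation where the file is inaccessible to the host user
# (uid 1003).
# Running stat again, debug output will be like this:
# ok: [test_host] => {
#     "foo.stat.uid": "328679"
# }

- name: running stat in modified user namespace
  become_method: containers.podman.podman_unshare
  become: true
  ansible.builtin.stat:
    path: "{{ test_dir }}/foo"
  register: foo

# By gathering file stats with podman_unshare
# we can see the uid set in the container:
# ok: [test_host] => {
#     "foo.stat.uid": "1000"
# }

- name: resetting file ownership with podman unshare
  become_method: containers.podman.podman_unshare
  become: true
  ansible.builtin.file:
    state: file
    path: "{{ test_dir }}/foo"
    # in a modified user namespace host uid is mapped to 0
    owner: 0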
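# Options of the podman_unshare become plugin as listed on this page.
# Each option can be set through the environment variables (env), ansible.cfg
# keys (ini) or inventory/play variables (vars) shown under it.
# NOTE(review): the ini section 'sudo_become_plugin' and the *_SUDO_* names
# are also used here, so values already configured for sudo are presumably
# picked up by this plugin as well - confirm before relying on it.

# Executable used for privilege escalation; defaults to 'sudo'.
become_exe:
  default: sudo
  description: Sudo executable
  env:
    - name: ANSIBLE_BECOME_EXE
    - name: ANSIBLE_SUDO_EXE
  ini:
    - key: become_exe
      section: privilege_escalation
    - key: executable
      section: sudo_become_plugin
  vars:
    - name: ansible_become_exe
    - name: ansible_sudo_exe

# Secret value. Prefer supplying it from a vault-encrypted variable or an
# interactive prompt; a plaintext 'password' key in ansible.cfg or an exported
# environment variable can persist in files and process environments.
become_pass:
  description: Password to pass to sudo
  env:
    - name: ANSIBLE_BECOME_PASS
    - name: ANSIBLE_SUDO_PASS
  ini:
    - key: password
      section: sudo_become_plugin
  required: false
  vars:
    - name: ansible_become_password
    - name: ansible_become_pass
    - name: ansible_sudo_pass

# Target user for the task; per the description, 'root' is rejected.
become_user:
  description: User you 'become' to execute the task ('root' is not a valid value here).
  env:
    - name: ANSIBLE_BECOME_USER
    - name: ANSIBLE_SUDO_USER
  ini:
    - key: become_user
      section: privilege_escalation
    - key: user
      section: sudo_become_plugin
  vars:
    - name: ansible_become_user
    - name: ansible_sudo_user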