containers.podman.podman_unshare become – Run tasks using podman unshare

Note

This become plugin is part of the containers.podman collection (version 1.18.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install containers.podman.

To use it in a playbook, specify: containers.podman.podman_unshare.

New in containers.podman 1.9.0

Synopsis

Parameters

Parameter

Comments

become_exe

string

Sudo executable

Default: "sudo"

Configuration:

  • INI entries:

    [privilege_escalation]
    become_exe = sudo
    
    [sudo_become_plugin]
    executable = sudo
    
  • Environment variable: ANSIBLE_BECOME_EXE

  • Environment variable: ANSIBLE_SUDO_EXE

  • Variable: ansible_become_exe

  • Variable: ansible_sudo_exe

become_pass

string

Password to pass to sudo

Configuration:

  • INI entry:

    [sudo_become_plugin]
    password = VALUE
    
  • Environment variable: ANSIBLE_BECOME_PASS

  • Environment variable: ANSIBLE_SUDO_PASS

  • Variable: ansible_become_password

  • Variable: ansible_become_pass

  • Variable: ansible_sudo_pass

become_user

string

User you ‘become’ to execute the task (‘root’ is not a valid value here).

Configuration:

  • INI entries:

    [privilege_escalation]
    become_user = VALUE
    
    [sudo_become_plugin]
    user = VALUE
    
  • Environment variable: ANSIBLE_BECOME_USER

  • Environment variable: ANSIBLE_SUDO_USER

  • Variable: ansible_become_user

  • Variable: ansible_sudo_user

Note

Configuration entries listed above for each entry type (Ansible variable, environment variable, and so on) have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up. The entry types are also ordered by precedence from low to high priority order. For example, an ansible.cfg entry (further up in the list) is overwritten by an Ansible variable (further down in the list).

Examples

- name: checking uid of file 'foo'
  ansible.builtin.stat:
    path: "{{ test_dir }}/foo"
  register: foo
- ansible.builtin.debug:
    var: foo.stat.uid
# The output shows that it's owned by the login user
# ok: [test_host] => {
#     "foo.stat.uid": "1003"
# }

- name: mounting the file to an unprivileged container and modifying its owner
  containers.podman.podman_container:
    name: chmod_foo
    image: alpine
    rm: true
    volume:
    - "{{ test_dir }}:/opt/test:z"
    command: chown 1000 /opt/test/foo

# Now the file 'foo' is owned by the container uid 1000,
# which is mapped to something completely different on the host.
# This leaves the file inaccessible to the host user (uid 1003).
# Running stat again, the debug output looks like this:
# ok: [test_host] => {
#     "foo.stat.uid": "328679"
# }

- name: running stat in modified user namespace
  become_method: containers.podman.podman_unshare
  become: true
  ansible.builtin.stat:
    path: "{{ test_dir }}/foo"
  register: foo
# By gathering file stats with podman_unshare
# we can see the uid as it appears inside the container:
# ok: [test_host] => {
#     "foo.stat.uid": "1000"
# }

- name: resetting file ownership with podman unshare
  become_method: containers.podman.podman_unshare
  become: true
  ansible.builtin.file:
    state: file
    path: "{{ test_dir }}/foo"
    owner: 0  # in a modified user namespace host uid is mapped to 0
# If we run stat and debug with 'become: false',
# we can see that the file is ours again:
# ok: [test_host] => {
#     "foo.stat.uid": "1003"
# }
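The uid arithmetic behind the debug output above, as an added shell example that is not part of the collection or of the playbook on this page: a rootless user namespace maps container uid 0 to the login user's own uid and container uids 1..count onto the user's subordinate range from /etc/subuid. The subuid line and its start value 327680 are constructed so that the numbers reproduce the page's 1000 -> 328679 result; the helper names are assumptions.

```shell
#!/bin/sh
# Constructed /etc/subuid-style entry for the login user (uid 1003).
# The start 327680 is an assumption that reproduces the page's figures,
# not a value taken from the page.
SUBUID_LINE="ansible_user:327680:65536"
HOST_UID=1003

# subuid_field LINE N: print field N of a subuid entry (2 = start, 3 = count).
subuid_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# ns_to_host CONTAINER_UID: host uid that the rootless user namespace
# maps CONTAINER_UID to. uid 0 is the user's own uid; uid N (1..count)
# is start + N - 1. This is what `stat` on the host reports after a
# container process has chowned a file on a bind-mounted volume.
ns_to_host() {
    start=$(subuid_field "$SUBUID_LINE" 2)
    count=$(subuid_field "$SUBUID_LINE" 3)
    if [ "$1" -eq 0 ]; then
        echo "$HOST_UID"
    elif [ "$1" -ge 1 ] && [ "$1" -le "$count" ]; then
        echo $((start + $1 - 1))
    else
        echo "unmapped"   # outside the user's subordinate range
    fi
}

# host_to_ns HOST_UID: inverse mapping, i.e. what `stat` reports for the
# same file when run under `podman unshare` (or this become plugin).
host_to_ns() {
    start=$(subuid_field "$SUBUID_LINE" 2)
    count=$(subuid_field "$SUBUID_LINE" 3)
    if [ "$1" -eq "$HOST_UID" ]; then
        echo 0
    elif [ "$1" -ge "$start" ] && [ "$1" -lt $((start + count)) ]; then
        echo $(($1 - start + 1))
    else
        echo "unmapped"   # not owned by this user or their subuid range
    fi
}

# Walk through the page's sequence: chown 1000 in the container, then stat
# on the host, then stat inside the namespace, then reset to uid 0.
echo "container uid 1000 -> host uid $(ns_to_host 1000)"
echo "host uid 328679 -> namespace uid $(host_to_ns 328679)"
echo "namespace uid 0 -> host uid $(ns_to_host 0)"
```

Running it on a real host means replacing SUBUID_LINE with `grep "^$(id -un):" /etc/subuid` and HOST_UID with `id -u`; the functions themselves do not change.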

Authors

  • Janos Gerzson (@grzs)