containers.podman.podman_unshare become – Run tasks using podman unshare
Note
This become plugin is part of the containers.podman collection (version 1.11.0).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install containers.podman.
To use it in a playbook, specify: containers.podman.podman_unshare.
New in containers.podman 1.9.0
Synopsis
This become plugin allows your remote/login user to execute commands in its container user namespace. Official documentation: https://docs.podman.io/en/latest/markdown/podman-unshare.1.html
Parameters
Parameter |
Comments |
---|---|
Sudo executable Default: Configuration:
|
|
Password to pass to sudo Configuration:
|
|
User you ‘become’ to execute the task (‘root’ is not a valid value here). Configuration:
|
Examples
- name: checking uid of file 'foo'
  ansible.builtin.stat:
    path: "{{ test_dir }}/foo"
  register: foo
- ansible.builtin.debug:
    var: foo.stat.uid
# The output shows that it's owned by the login user
# ok: [test_host] => {
#   "foo.stat.uid": "1003"
# }
- name: mounting the file to an unprivileged container and modifying its owner
  containers.podman.podman_container:
    name: chmod_foo
    image: alpine
    rm: true
    volume:
      - "{{ test_dir }}:/opt/test:z"
    command: chown 1000 /opt/test/foo
# Now the file 'foo' is owned by the container uid 1000,
# which is mapped to something completely different on the host.
# This leaves the file inaccessible to the host user (uid 1003).
# Running stat again, debug output will be like this:
# ok: [test_host] => {
#   "foo.stat.uid": "328679"
# }
- name: running stat in modified user namespace
  become_method: containers.podman.podman_unshare
  become: true
  ansible.builtin.stat:
    path: "{{ test_dir }}/foo"
  register: foo
# By gathering file stats with podman_unshare
# we can see the uid set in the container:
# ok: [test_host] => {
#   "foo.stat.uid": "1000"
# }
- name: resetting file ownership with podman unshare
  become_method: containers.podman.podman_unshare
  become: true
  ansible.builtin.file:
    state: file
    path: "{{ test_dir }}/foo"
    owner: 0  # in a modified user namespace host uid is mapped to 0
# If we run stat and debug with 'become: false',
# we can see that the file is ours again:
# ok: [test_host] => {
#   "foo.stat.uid": "1003"
# }
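The uid values in the examples above (1003, 1000, 328679, 0) follow from the uid map of the rootless user namespace. The Python code below is an added example, not part of the collection or its documentation: it parses a map in the /proc/<pid>/uid_map format and translates uids in both directions. The map itself is constructed, and the subordinate range start 327680 is an assumption chosen so the results match the outputs shown above.

```python
# Added example: translate uids across a rootless Podman user namespace.
# SAMPLE_UID_MAP is CONSTRUCTED to reproduce the uids shown on this page:
# login uid 1003, subordinate uid range assumed to start at 327680.
SAMPLE_UID_MAP = """\
         0       1003          1
         1     327680      65536
"""


def parse_uid_map(text):
    """Parse uid_map lines: inside-start, outside-start, length."""
    extents = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, length = (int(f) for f in fields)
        extents.append((inside, outside, length))
    return extents


def to_host(extents, container_uid):
    """Host uid that a uid inside the namespace is stored as on disk."""
    for inside, outside, length in extents:
        if inside <= container_uid < inside + length:
            return outside + (container_uid - inside)
    return None  # no mapping: chown to this uid fails inside the namespace


def to_container(extents, host_uid):
    """Uid that a host-owned file shows inside the namespace."""
    for inside, outside, length in extents:
        if outside <= host_uid < outside + length:
            return inside + (host_uid - outside)
    return None  # no mapping: the kernel reports the overflow uid (usually 65534)


if __name__ == "__main__":
    uid_map = parse_uid_map(SAMPLE_UID_MAP)
    for uid in (0, 1000):
        print(f"container uid {uid} -> host uid {to_host(uid_map, uid)}")
    for uid in (1003, 328679, 0):
        print(f"host uid {uid} -> container uid {to_container(uid_map, uid)}")
```

Host uid 0 has no entry in the map, so real root-owned files stay out of reach of tasks run through this become method; only the login uid and its subordinate range are translated.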
Authors
Janos Gerzson (@grzs)
Hint
Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.