containers.podman.podman_unshare become – Run tasks using podman unshare

Note

This become plugin is part of the containers.podman collection (version 1.11.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install containers.podman.

To use it in a playbook, specify: containers.podman.podman_unshare.

New in containers.podman 1.9.0

Synopsis

Parameters

Parameter

Comments

become_exe

string

Sudo executable

Default: "sudo"

Configuration:

  • INI entries:

    [privilege_escalation]
    become_exe = sudo
    
    [sudo_become_plugin]
    executable = sudo
    
  • Environment variable: ANSIBLE_BECOME_EXE

  • Environment variable: ANSIBLE_SUDO_EXE

  • Variable: ansible_become_exe

  • Variable: ansible_sudo_exe

become_pass

string

Password to pass to sudo

Configuration:

  • INI entry:

    [sudo_become_plugin]
    password = VALUE
    
  • Environment variable: ANSIBLE_BECOME_PASS

  • Environment variable: ANSIBLE_SUDO_PASS

  • Variable: ansible_become_password

  • Variable: ansible_become_pass

  • Variable: ansible_sudo_pass

become_user

string

User you ‘become’ to execute the task (‘root’ is not a valid value here).

Configuration:

  • INI entries:

    [privilege_escalation]
    become_user = VALUE
    
    [sudo_become_plugin]
    user = VALUE
    
  • Environment variable: ANSIBLE_BECOME_USER

  • Environment variable: ANSIBLE_SUDO_USER

  • Variable: ansible_become_user

  • Variable: ansible_sudo_user

Examples

- name: checking uid of file 'foo'
  ansible.builtin.stat:
    path: "{{ test_dir }}/foo"
  register: foo
- ansible.builtin.debug:
    var: foo.stat.uid
# The output shows that it's owned by the login user
# ok: [test_host] => {
#     "foo.stat.uid": "1003"
# }

- name: mounting the file to an unprivileged container and modifying its owner
  containers.podman.podman_container:
    name: chmod_foo
    image: alpine
    rm: true
    volume:
    - "{{ test_dir }}:/opt/test:z"
    command: chown 1000 /opt/test/foo

# Now the file 'foo' is owned by the container uid 1000,
# which is mapped to a completely different uid on the host
# (one taken from the login user's subordinate range in /etc/subuid).
# The file is therefore inaccessible to the host user (uid 1003).
# Running stat again, debug output will be like this:
# ok: [test_host] => {
#     "foo.stat.uid": "328679"
# }

- name: running stat in modified user namespace
  become_method: containers.podman.podman_unshare
  become: true
  ansible.builtin.stat:
    path: "{{ test_dir }}/foo"
  register: foo
# By gathering file stats inside the podman_unshare user namespace
# we see the uid exactly as the container saw it:
# ok: [test_host] => {
#     "foo.stat.uid": "1000"
# }

- name: resetting file ownership with podman unshare
  become_method: containers.podman.podman_unshare
  become: true
  ansible.builtin.file:
    state: file
    path: "{{ test_dir }}/foo"
    owner: 0  # in a modified user namespace host uid is mapped to 0
# If we run stat and debug with 'become: false',
# we can see that the file is ours again:
# ok: [test_host] => {
#     "foo.stat.uid": "1003"
# }
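
As an added illustration, not part of the collection's code or of the examples above, the following Python models the user-namespace mapping that rootless podman builds from /etc/subuid: the host uid becomes 0 inside the namespace and each subordinate range is appended starting at namespace uid 1. The /etc/subuid content is constructed, and the range start of 327680 for the `ansible` user is an assumption chosen so that container uid 1000 lands on host uid 328679, the figure shown in the comments above. On a real host, compare the result against `podman unshare cat /proc/self/uid_map`.

```python
"""Model the rootless podman user-namespace uid mapping (added example).

This reproduces the arithmetic behind the examples above: why a chown to
uid 1000 inside a rootless container shows up as 328679 on the host, why
podman unshare sees it as 1000 again, and why `owner: 0` inside the
namespace hands the file back to the login user.
"""

from typing import List, Optional, Tuple

# Constructed /etc/subuid sample (assumption, not taken from the page).
# The 327680 start for "ansible" is chosen so that container uid 1000
# maps to host uid 328679, matching the stat output in the examples.
SUBUID_SAMPLE = """\
# user:start:count
alice:100000:65536
ansible:327680:65536
"""

# Unmapped ids are shown inside a user namespace as the kernel overflow uid.
OVERFLOW_UID = 65534

UidMap = List[Tuple[int, int, int]]  # (ns_start, host_start, length)


def parse_subuid(text: str, user: str) -> List[Tuple[int, int]]:
    """Return the (start, count) subordinate ranges allotted to `user`."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges


def build_uid_map(host_uid: int, ranges: List[Tuple[int, int]]) -> UidMap:
    """Build the uid_map rootless podman writes for the user namespace.

    Namespace uid 0 is the login user; subordinate ranges follow from ns uid 1.
    """
    uid_map: UidMap = [(0, host_uid, 1)]
    next_ns = 1
    for start, count in ranges:
        uid_map.append((next_ns, start, count))
        next_ns += count
    return uid_map


def ns_to_host(uid_map: UidMap, ns_uid: int) -> Optional[int]:
    """Host uid a file gets when chowned to `ns_uid` inside the namespace."""
    for ns_start, host_start, length in uid_map:
        if ns_start <= ns_uid < ns_start + length:
            return host_start + (ns_uid - ns_start)
    return None  # no such id exists in the namespace


def host_to_ns(uid_map: UidMap, host_uid: int) -> Optional[int]:
    """Uid a host file owned by `host_uid` appears as inside the namespace.

    None means the owner is outside every mapped range; stat inside
    `podman unshare` would report OVERFLOW_UID for such a file.
    """
    for ns_start, host_start, length in uid_map:
        if host_start <= host_uid < host_start + length:
            return ns_start + (host_uid - host_start)
    return None


if __name__ == "__main__":
    login_uid = 1003  # the host user from the examples above
    uid_map = build_uid_map(login_uid, parse_subuid(SUBUID_SAMPLE, "ansible"))
    for entry in uid_map:
        print("uid_map entry (ns_start host_start length):", *entry)
    # chown 1000 inside the container -> host owner
    print("container uid 1000 on the host:", ns_to_host(uid_map, 1000))
    # the same file seen through podman unshare
    print("host uid 328679 inside unshare:", host_to_ns(uid_map, 328679))
    # owner: 0 inside unshare -> back to the login user
    print("ns uid 0 on the host:", ns_to_host(uid_map, 0))
    # a file owned by an unrelated host uid is unmapped inside the namespace
    seen = host_to_ns(uid_map, 1000)
    print("host uid 1000 inside unshare:", OVERFLOW_UID if seen is None else seen)
```

Two practical consequences fall out of the model: the mapping is only stable while the user's /etc/subuid entry keeps the same start, so changing that range after files have been created leaves them owned by host uids nothing can reach without root; and a file owned by a host uid outside the mapped ranges (here 1000) shows up as the overflow uid inside `podman unshare`, which is why the `owner: 0` reset in the last task only works for files the login user or its subordinate range already owns.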

Authors

  • Janos Gerzson (@grzs)

Hint

Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.