ansible-community / images

Ansible container image definitions meant for ansible-test and Execution Environments
GNU General Public License v3.0
14 stars 12 forks source link

unprivileged user interaction / root password #71

Open azrdev opened 10 months ago

azrdev commented 10 months ago

I'm looking for an image to be used as-is for running ansible playbooks inside gitlab-CI (with docker runner). Gitlab does not have a possibility to specify the user a given job is run with inside the container: https://gitlab.com/gitlab-org/gitlab-runner/-/issues/2750

Since it uses a different image for doing the repo checkout and artifact placement before a job runs, these files will then belong to the default user of that helper image: 0/root. Which makes them read-only or inaccessible to the UID=1000 picked up from the ansible images.

Possible solutions:

  1. have a gitlab-CI option to specify the UID: see issue linked above
  2. default this image to uid=0/root
  3. have a means of local privilege escalation (passwordless sudo, or su with a known password) -- this was explicitly rejected for the awx-ee image(s) https://github.com/ansible/awx-ee/issues/89

Since the images here are explicitly meant for CI use (as opposed to e.g. the awx-ee), can we make this possible?

felixfontein commented 10 months ago

Are you talking about the images in ansible-test/, or about the ones in execution-environments/?

The former are meant for CI, but not for what you have in mind. They are meant to be used with the --docker option of ansible-test.

The latter are meant to run ansible-core in them, but they are regular EEs (for end-users) and not aimed at CI. They are meant to be used with ansible-navigator or ansible-runner though, similar to awx-ee.

azrdev commented 9 months ago

I was trying ghcr.io/ansible-community/community-ee-base:latest

azrdev commented 1 month ago

apparently 2. is a possible solution since gitlab 16.5 https://gitlab.com/gitlab-org/gitlab/-/merge_requests/137907 -- using the following syntax:

jobname:
  image:
    name: ghcr.io/ansible-community/community-ee-base:latest
    docker:
      user: "root"

I just successfully ran ansible in a CI job as root.

Edit: using docker executor this works, but not using kubernetes.