Open KajdeMunter opened 5 years ago
Can you provide more details about the ansible-container usage scenario?
In its present state it is rather logical to use it to build images and push them to some registry, while handling their deployment with some other workflow.
I am trying to prevent any kind of privilege escalation on my host. I want my containers to run as an unprivileged user, but there are processes within the container that need to run as root. Also, I want to be able to write to files while developing.
Here is more of my container.yml, if that helps:
```yaml
version: "2"
volumes:
  app-data:
    docker: {}
  db-data:
    docker: {}
  session-data:
    docker: {}
defaults:
  SERVER_NAME: servername
  APP_ROOT: /var/www/html
  HTTP_PORT: 80
  HTTPS_PORT: 443
  USER_UID: 9002
  GROUP_GID: 9002
  RELEASE: '0.2'
settings:
  conductor:
    base: alpine:3.5
  project_name: projectname
  vault_password_file: '../vaultpwd'
  vault_files:
    - vault.yml
services:
  code:
    from: alpine:latest
    roles:
      - role: users
        users:
          - user: developer
            group: developer
            shell: /bin/sh
            uid: "{{ USER_UID }}"
            gid: "{{ GROUP_GID }}"
      - role: checkout
        git_repo_uri: git@bitbucket.org:repo
        git_checkout_dest: "{{ APP_ROOT }}"
        git_private_key_file: "/run/secrets/git/private_key"
        git_checkout_dest_owner: developer
        git_checkout_dest_group: developer
    working_dir: "{{ APP_ROOT }}"
    # entrypoint: ["tail", "-f", "/dev/null"]
    entrypoint: ["docker-entrypoint.sh", "/bin/sh", "-c"]
    # TODO fix the command below to directly use {{ git_private_key_file }} when the secrets are correctly mounted
    command: ['install -m 0400 -D {{ git_private_key_file }} ~/.ssh/id_rsa && (ssh-add || (eval `ssh-agent` && ssh-add)) && ((git reset --hard origin/master && git pull) || (rm -rf ./src/ && git clone {{ git_repo_uri }} ./))']
    volumes:
      - "app-data:{{ APP_ROOT }}"
    secrets:
      git:
        - source: git_private_key
          target: private_key
          uid: "{{ USER_UID }}"
          gid: "{{ GROUP_GID }}"
          mode: 04400
    dev_overrides:
      volumes:
        - "${PWD}:{{ APP_ROOT }}:delegated"
      command: ['git pull']
```
......
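The following is an added example, not code from the ansible-container project or from the issue author. It shows what Docker's userns-remap does to the uids in the container.yml above: container uid 0 and USER_UID 9002 both land on unprivileged host uids taken from the remap user's /etc/subuid range, which is the host-side protection the thread is after, and which a privileged container cannot keep (hence Docker's refusal to combine the two). The remap user name "dockremap" and its range are constructed sample values.

```python
# Added example (not from the ansible-container project or the issue author).
# Computes the host uid that a container uid is mapped to under Docker's
# userns-remap, using the same scheme Docker uses: container uids 0..N-1 are
# laid contiguously over the remap user's subordinate ranges, in order.
# The /etc/subuid content below is constructed for the example.

def parse_subuid(text):
    """Parse /etc/subuid-style lines into {user: [(start, count), ...]}."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        ranges.setdefault(user, []).append((int(start), int(count)))
    return ranges


def host_uid(container_uid, ranges):
    """Map a container uid to the host uid for the given subordinate ranges.

    Returns None when the uid falls outside the mapped window; this is the
    failure mode of a USER_UID larger than the remap range (the id simply
    does not exist inside the container and chown/adduser fail).
    """
    offset = 0
    for start, count in ranges:
        if container_uid < offset + count:
            return start + (container_uid - offset)
        offset += count
    return None


# Constructed sample: the default-sized range Docker allocates for "dockremap".
SUBUID = "dockremap:100000:65536\n"
REMAP = parse_subuid(SUBUID)["dockremap"]

if __name__ == "__main__":
    # Container root is host uid 100000; USER_UID 9002 becomes host uid 109002,
    # which is what files written to the ${PWD} bind mount will be owned by.
    for uid in (0, 9002, 70000):
        print(uid, "->", host_uid(uid, REMAP))
```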
My understanding is that the current concept requires privileged mode; maybe @j00bar can join the thread for a short explanation.
ISSUE TYPE
container.yml
OS / ENVIRONMENT
SUMMARY
ansible-container build fails when using user namespaces. The conductor container is being run privileged, but we cannot add userns_mode: "host" to the conductor: "privileged mode is incompatible with user namespaces. You must run the container in the host namespace when running privileged mode".
STEPS TO REPRODUCE
Enable userns remap on the daemon: https://docs.docker.com/engine/security/userns-remap/#enable-userns-remap-on-the-daemon
Run:
EXPECTED RESULTS
ansible-container build executes successfully
ACTUAL RESULTS