ikke-t / podman-container-systemd

creates systemd files and creates containers using podman

issues when using container_run_as_user other than root #3

Closed creich closed 3 years ago

creich commented 4 years ago

While writing a playbook in which I tried to use the config option 'container_run_as_user', I encountered several issues with file permissions. You can reproduce those by simply using the lighttpd example from the readme.

Simply running everything with super powers (like setting become above everything) neither works, nor does it look very clean! I propose to introduce a more fine-grained setup of become rules within the given scripts.

ikke-t commented 4 years ago

Hi,

My host didn't support non-root users in my use case when I did this part, so it is very likely there are bad paths there. Any improvement is welcome. Unfortunately I can't work on any of this in the next few weeks, so if you get the stuff working and test it, please just send a PR.

Excellent that you tried it. Thanks.

Another thing I know is missing from there: setting subuid and subgid for the given user. If those are not set, it won't work.

creich commented 4 years ago

You're right, subuids and subgids are necessary. I could put it into tasks/main.yaml.

Should I create a separate PR for the first problem and take the subuid / subgid topic into another issue? Or would you prefer to have both in this one PR?

ikke-t commented 4 years ago

I wonder how the subuid/subgid should be handled, as it's a bit out of scope of each individual pod setup/playbook. Perhaps it would be best if the role checks that the sub[gu]id file includes the user's name in case pods are to be run as a user?

Is setting the range out of scope of this ansible role, as that's a user-wide setting, not a pod-wide setting? If we have pod-specific playbooks, they might have different id ranges between themselves.

I propose: if the id is missing from /etc/sub[gu]id while trying to run as non-root, the role would error out and point out that the problem is caused by the missing id. At first thought that seems like the proper solution to me.
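The pre-flight check proposed above, as an added shell example (not part of the role): it looks for the user's name in the subuid and subgid files and fails with a pointer to the cause when either entry is missing. The file paths are parameters so the check can run against constructed sample files; the default paths are the real /etc/subuid and /etc/subgid.

```shell
#!/bin/sh
# Added example, not the role's own code: verify that USER has a range in both
# /etc/subuid and /etc/subgid before a rootless container is started.
# Usage: check_subids USER [SUBUID_FILE] [SUBGID_FILE]
check_subids() {
  user="$1"
  subuid="${2:-/etc/subuid}"
  subgid="${3:-/etc/subgid}"
  missing=""
  for f in "$subuid" "$subgid"; do
    # Entries look like "name:start:count"; compare the name field exactly,
    # so "alice" does not match "alicex".
    if ! awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$f" 2>/dev/null; then
      missing="$missing $f"
    fi
  done
  if [ -n "$missing" ]; then
    echo "rootless podman for '$user' will fail: no entry for the user in$missing" >&2
    echo "assign a range to the user (e.g. with usermod or by editing the files) and re-run" >&2
    return 1
  fi
  return 0
}

# Constructed sample files standing in for /etc/subuid and /etc/subgid so the
# check can be exercised offline.
demo_dir=$(mktemp -d)
printf 'alice:100000:65536\n' > "$demo_dir/subuid"
printf 'alice:100000:65536\n' > "$demo_dir/subgid"
check_subids alice "$demo_dir/subuid" "$demo_dir/subgid" && echo "alice: ok"
check_subids bob "$demo_dir/subuid" "$demo_dir/subgid" || echo "bob: rejected as expected"
rm -rf "$demo_dir"
```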

elervik commented 4 years ago

Looking past subuid & subgid, in the single service template you store the pid & cid file in the /run (%t) directory. It is a directory owned by root, and a non-root user can't write into it unless added to the root group. I believe changing the permissions (i.e. adding the user to the root group or giving specific permission to write to the directory) is not the way to go.

Maybe consider replacing %t with %T, writing the pid & cid files to the OS tmp dir (%T: either /tmp or the path that "$TMPDIR", "$TEMP" or "$TMP" is set to).

elervik commented 4 years ago

Note: there are differences in the various OSes and how they resolve the specifiers, if at all. I'm running into trouble with centos7 & bionic, while centos8 & xenial work fine with %T.

ikke-t commented 4 years ago

I noticed the same when I just added the rootless bits. And FYI, this is always to be run with ansible become enabled. Even though the container is rootless, the management of them isn't.

Please try; here is an example playbook which worked for me: https://github.com/ikke-t/ansible-podman-examples/blob/master/run-container-homeassistant-podman.yml

ikke-t commented 3 years ago

I tested my changes on the rootless branch, which I merged today to master. Rootless containers now work for me on RHEL8.3 and Fedora-IoT. Commit: https://github.com/ikke-t/podman-container-systemd/commit/3d03115a0df0d2e1bfae9cb854a8f0688b655733