
I'm experimenting with rootless podman. Users in containers get assigned a subuid / subgid space from the host. Files created or updated by a user in the container environment belong to a user ID space that doesn't exist on the host.

That's where I'm currently stuck. I can calculate the subuid with Ansible and ease access to the container-owned files with ACLs, but I can't get Ansible to write out a Jinja template and chown it to a user that doesn't exist on the host. I also don't want to work around this by creating a dummy user with a matching UID on the host, since that would probably undermine the security advantages / the rootless concept.

Here is the task:

- name: copy hass main config to storage
  become: yes
  template:
    src: configuration.yaml.j2
    dest: "{{ hass_data_dir }}/configuration.yaml"
    owner: "{{ stat_container_base_dir }}.uid"
    group: "{{ stat_container_base_dir }}.gid"
    mode: 0640

And the error message when running the task:

TASK [server/smarthome/homeassistant/podman : copy hass main config to storage] ************************************************************************************************************************
fatal: [odroid]: FAILED! => 
    changed: false
    checksum: 20c59b4a12d4ebe52a3dd191a80a5091d8e6dc0c
    gid: 0
    group: root
    mode: '0640'
    msg: 'chown failed: failed to look up user {''changed'': False, ''stat'': {''exists'':
        True, ''path'': ''/home/homeassistant/container'', ''mode'': ''0770'', ''isdir'':
        True, ''ischr'': False, ''isblk'': False, ''isreg'': False, ''isfifo'': False,
        ''islnk'': False, ''issock'': False, ''uid'': 363147, ''gid'': 362143, ''size'':
        4096, ''inode'': 4328211, ''dev'': 45826, ''nlink'': 3, ''atime'': 1669416005.068732,

I tried to find help in the module's documentation at: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/template_module.html

My ansible version is: ansible [core 2.13.1]

As you can see in the error message, Ansible is missing a user with UID 363147 on the host.

Is there any way to circumvent the check whether a user exists in ansible.builtin.template and similar modules that allow user assignment with owner: and group:?

The only workaround I found was using command, but with the need for templates, complexity will increase when I have to parse Jinja templates without the Ansible template module.

I would appreciate it if I have missed an existing option; otherwise I would like to create a pull request for an option like:

ignore_usercheck: true or validate_user: false

Hope you can help me out here :)

tdoe
*The only workaround I found was using command* I think you may have some luck _omitting_ the target user from that `template:` step, or even picking one that does exist, and then _separately_ doing the `chown` task, whether via the `file:` or if it suffers similarly, then falling back to `command: chown ...`. I agree with you I wish there were more controls, but my suspicion is it won't be fixed anytime soon – mdaniel Nov 30 '22 at 02:36
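The subuid arithmetic the asker mentions doing in Ansible, written out in Python as an added example (this is not code from the question, the comment or the answer): it parses a constructed /etc/subuid, maps a container-side ID to the host-side owner that stat reports, maps it back, and checks whether that host ID has a passwd entry. It assumes rootless podman's default mapping (container ID 0 is the host user's own ID, container IDs 1.. are laid consecutively over the user's subordinate ranges in file order); the user name, host UID and ranges are made up for the example.

```python
import pwd

# Constructed /etc/subuid content (same format as /etc/subgid): name:start:count.
# The ranges below are made up for this example, not taken from the asker's host.
SAMPLE_SUBUID = """\
homeassistant:362144:65536
homeassistant:1000000:65536
"""

def parse_subid(text):
    """Parse subuid/subgid text into {user: [(start, count), ...]} in file order."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        ranges.setdefault(name, []).append((int(start), int(count)))
    return ranges

def container_to_host_id(ranges, user, host_id_of_user, container_id):
    """Host ID that owns a file created by `container_id` inside the rootless container.
    Container ID 0 is the host user itself; IDs 1.. are stacked over the subordinate ranges."""
    if container_id == 0:
        return host_id_of_user
    offset = container_id - 1
    for start, count in ranges.get(user, []):
        if offset < count:
            return start + offset
        offset -= count
    raise ValueError(f"container id {container_id} is outside {user}'s subordinate ranges")

def host_to_container_id(ranges, user, host_id_of_user, host_id):
    """Inverse mapping: which container ID a host-side owner (e.g. stat's uid) belongs to."""
    if host_id == host_id_of_user:
        return 0
    base = 1
    for start, count in ranges.get(user, []):
        if start <= host_id < start + count:
            return base + (host_id - start)
        base += count
    raise ValueError(f"host id {host_id} is not in {user}'s subordinate ranges")

def has_passwd_entry(uid):
    """True only if the host has a passwd entry for uid; subordinate IDs normally have none."""
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False
```

A subordinate ID without a passwd entry is still a valid chown target: chown(2) takes the number, which is why the module's owner: works once it receives the bare UID rather than the whole stat result.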

1 Answer

After all, this was only a misleading error message, not a missing feature in Ansible.

I tested with the debug module and found out that the values of stat have to be accessed from inside the curly brackets.

- name: debug
  debug:
    msg: "{{ stat_container_base_dir.stat.uid }}"

What Ansible got was the whole string content of stat, not just the UID.
User IDs that don't exist on the host can be assigned.

β.εηοιτ.βε
tdoe