3

I have a project that utilizes Molecule for testing, and I've configured my molecule.yml file to use an unprivileged user (already created on the image pushed to a registry) named molecule during provisioning:

    provisioner:
      name: ansible
      connection_options:
        ansible_ssh_user: molecule

I added a small playbook that reproduces the error on GitHub Actions: https://github.com/staticdev/nix-playbook/tree/feature/enable-flakes. It basically installs the nix package manager with the [Ableton/nix role].

When I run molecule test locally, everything works as expected and the provisioning process executes with the molecule user. However, when I push my code to GitHub and trigger the same command in a GitHub Actions workflow, it runs the test with a user named runner, causing issues in my tests.

Why does this override occur specifically in the GA environment, and is there a way to bypass or override this behavior? I tried to find something in the GA documentation and searched on the internet but found nothing relevant.


UPDATE: the initial config I was previously trying is an old way to configure it (below), but the new way is the one I am trying now (above). They both work locally but not on GitHub Actions.

    provisioner:
      name: ansible
      config_options:
        defaults:
          remote_user: molecule
staticdev
  • That's the default user. Did you try adding a new user and test with that? – Azeem Jul 16 '23 at 16:45
  • @Azeem sorry, but it is not clear to me what you are suggesting. I believe you are saying `runner` is the default user for GitHub Actions. I added the user `molecule` to the image, but when I run it uses the `runner` user. I need to find a way to replace this GA user. – staticdev Jul 16 '23 at 19:53
  • Yes, I was pointing out that the `runner` is the default user. I was suggesting that you might be able to add a new user, switch to that, and then test. Also, please include your relevant workflow in your question. I'm not well-versed with ansible but I believe it's similar to chef. If you could add more context that'd be helpful to fix the issue. Thanks! – Azeem Jul 17 '23 at 04:14
  • @Azeem do you know an option on GA to change this default user that runs the command? – staticdev Jul 17 '23 at 07:26
  • AFAIK, you may add a new user, switch to it, and the next commands should run under that user. You can try this. However, binding to a specific user doesn't sound good. – Azeem Jul 17 '23 at 07:48
  • I add the user already in the test docker images I use. So I want to execute provisioning already with this user. – staticdev Jul 17 '23 at 08:42
  • Right. If you could share a [minimal, reproducible example](https://stackoverflow.com/help/minimal-reproducible-example) as a public repo, that'd be very helpful to understand and debug this issue. – Azeem Jul 17 '23 at 09:39
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/254526/discussion-between-staticdev-and-azeem). – staticdev Jul 17 '23 at 13:41
  • see https://github.com/Ableton/ansible-role-nix/blob/main/defaults/main.yml#L9 https://github.com/staticdev/nix-playbook/actions/runs/5595438272/jobs/10231306398#step:7:876 https://docs.ansible.com/ansible/latest/reference_appendices/special_variables.html#connection-variables https://ansible.readthedocs.io/projects/molecule/examples/#docker-with-non-privileged-user – deric4 Jul 20 '23 at 09:11

1 Answer

2

The reason for the error is that the provisioner user (molecule) path was not the default path for the ansible role that I was using but a fallback path. On my test machine I do not have XDG_CONFIG_HOME set, so it works. But GitHub Actions sets it to use the runner user's path for the configs instead of the path of the user I create for the molecule images.

The way to bypass it is by forcing GitHub Actions to clean the value of XDG_CONFIG_HOME when running molecule, then everything works:

    - name: Run Molecule tests
      run: molecule test
      env:
        PY_COLORS: "1"
        ANSIBLE_FORCE_COLOR: "1"
        MOLECULE_DISTRO: ${{ matrix.distro }}
        XDG_CONFIG_HOME: ""
staticdev
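Why an empty `XDG_CONFIG_HOME` restores the fallback, as an added example that is not part of the original post or of the role's code: the XDG Base Directory rule treats an unset or empty value the same and falls back to `$HOME/.config`. The function names and the sample paths `/home/runner/.config` and `/home/molecule` are constructed assumptions; the role's own lookup is not shown on this page.

```shell
#!/bin/sh
# Added example: function names and sample paths are constructed, not taken
# from the role or the workflow discussed above.

# Resolve the config directory per the XDG Base Directory rule:
# use XDG_CONFIG_HOME when set and non-empty, otherwise <home>/.config.
#   $1 = inherited XDG_CONFIG_HOME value (may be empty)
#   $2 = home directory of the user the provisioning should run as
xdg_config_dir() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$2/.config"
    fi
}

# Return 0 when directory $1 lies inside home directory $2, 1 otherwise.
inside_home() {
    case "$1/" in
        "$2"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Preflight check for a CI step: fail when the inherited value would place
# configuration under a different user's home than the provisioning user.
check_xdg() {
    dir=$(xdg_config_dir "$1" "$2")
    if inside_home "$dir" "$2"; then
        echo "ok: config dir is $dir"
    else
        echo "mismatch: config dir $dir is outside $2" >&2
        return 1
    fi
}

# Constructed sample values: an inherited CI setting, then the cleared one.
check_xdg "/home/runner/.config" "/home/molecule" || true
check_xdg "" "/home/molecule"
```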