On 6/15/23 09:54, Chris Evich wrote:
> I still haven't tried (since it seems really really hacky) setting
> `ansible_python_interpreter` to a wrapper script that execs `podman
> unshare /usr/bin/python3 "$@"`. In theory this would work for Ansible
> `template` tasks, as the config files would be rendered INSIDE the
> user-namespace rather than outside.
I realize this is a really old thread, but it's a tricky thing I finally
took time to experiment with. So I thought I'd share what I discovered.
As a reminder of the problem: How can you template files into a
rootless-podman volume on a host where you don't have root, and w/o
flapping[0] or needing to fuss with the user-namespaced ownership?
Assuming `/tmp/template.j2` exists with some test content (left up to
your imagination), here's a playbook that demonstrates a possible solution:
---cut playbook---
- hosts: localhost
  connection: local  # no ssh required
  become: false      # Don't sudo to root
  tasks:
    - name: User-namespaced tasks
      vars:
        # N/B: assumed to already exist on the inventory host
        ansible_python_interpreter: '/tmp/unshare_python3.sh'
      block:
        - name: A testdir exists
          file:
            path: /tmp/testdir
            state: directory
            owner: 12345
            group: 54321
        - name: Render testfile into testdir
          template:
            src: '/tmp/template.j2'
            dest: /tmp/testdir/testfile
            owner: 54321
            group: 12345
---cut playbook---
And the wrapper script that makes the magic happen.
---cut /tmp/unshare_python3.sh wrapper---
#!/bin/sh
# Re-exec the interpreter Ansible asked for inside the rootless user
# namespace, so the file/template modules apply ownership through the
# subuid/subgid mapping. `command -v` is POSIX; `type -p` is a bash-ism
# that /bin/sh (e.g. dash) may not understand.
exec /usr/bin/podman unshare "$(command -v python3)" "$@"
---cut /tmp/unshare_python3.sh wrapper---
After running the playbook, with a `/etc/sub{uid,gid}` entry of:
`cevich:100000:65536`
I end up with:
```
$ ls -la /tmp/testdir
total 4
drwxr-xr-x. 2 112344 154320 60 Aug 11 12:46 .
drwxrwxrwt. 56 root root 1160 Aug 11 13:02 ..
-rw-r--r--. 1 154320 112344 49 Aug 11 12:46 testfile
```
But a key thing to note is what happens when you run the playbook more
than once. Ansible will NOT needlessly "fix" the user-namespaced
owner/group due to it not matching the `ansible_user` `UID:GID`.
Hmmm...maybe I should write a blog on this?
[0]: Flapping - Given the same inputs & conditions, an operation that's
executed multiple times but doesn't always yield the same result.
---
Chris Evich (he/him), RHCA III
Senior Quality Assurance Engineer
If there's a "hard-way", I'm the first one to implement it.
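As an added example (not code from the thread above), the id-mapping arithmetic that `podman unshare` applies through `/proc/self/uid_map`, so the `owner:`/`group:` values given to Ansible inside the namespace can be checked against what `ls -la` shows on the host. The uid_map contents are constructed from the thread's `cevich:100000:65536` subuid entry and an assumed host uid of 1000.

```python
"""Translate owner ids between a rootless-podman user namespace and the host.

Added example, not from the original mailing-list post. It models the
mapping `podman unshare` sets up, so ownership seen outside (`ls -la`) can
be reconciled with the ids Ansible's file/template tasks set inside.
"""
from typing import List, Optional, Tuple

# Constructed sample of /proc/self/uid_map as seen inside `podman unshare`
# for a user with host uid 1000 (assumed) and subuid entry
# `cevich:100000:65536`: inside 0 -> host 1000, inside 1..65536 -> host 100000..165535.
SAMPLE_UID_MAP = "         0       1000          1\n         1     100000      65536\n"

# Kernel overflow id: host ids with no mapping appear as this inside the namespace.
OVERFLOW_ID = 65534

IdMap = List[Tuple[int, int, int]]


def parse_id_map(text: str) -> IdMap:
    """Parse uid_map/gid_map lines of the form '<inside_start> <outside_start> <count>'."""
    ranges: IdMap = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        inside, outside, count = (int(f) for f in fields)
        ranges.append((inside, outside, count))
    return ranges


def to_host(id_map: IdMap, inside_id: int) -> Optional[int]:
    """Id the host sees for an id set inside the namespace.

    Returns None when the id is not mapped: a chown to such an id inside
    the namespace fails with EINVAL, so the task would error out.
    """
    for inside, outside, count in id_map:
        if inside <= inside_id < inside + count:
            return outside + (inside_id - inside)
    return None


def to_namespace(id_map: IdMap, host_id: int) -> int:
    """Id seen inside the namespace for a host-owned file (overflow id if unmapped)."""
    for inside, outside, count in id_map:
        if outside <= host_id < outside + count:
            return inside + (host_id - outside)
    return OVERFLOW_ID  # e.g. root-owned /tmp shows as 65534 (nobody) inside


if __name__ == "__main__":
    id_map = parse_id_map(SAMPLE_UID_MAP)
    # The playbook's owner 12345 / group 54321 map to the 112344 / 154320 in the ls output.
    print(to_host(id_map, 12345), to_host(id_map, 54321))
```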