Running as inexistent non-root user in Docker container


Luca Pireddu

Feb 11, 2019, 11:08:41 AM
to Ansible Project
Hello,

I'm wondering if anyone can help me run ansible as an inexistent user in a docker container.

I'm trying to build a docker container image that runs ansible as a non-root user.  It therefore runs the ansible process with the UID and GID of the user who launched the container.  This user doesn't exist within the container image, but permissions and temporary spaces are configured so that ansible has a place to write temporary files etc.  This specific container image I'm working on runs kubespray to deploy kubernetes on a set of nodes.

I'm running into a problem since Ansible tries to get the username of the running process through the uid.  The first place where it fails is 

lib/ansible/playbook/play_context.py:433:            new_info.remote_user = pwd.getpwuid(os.getuid()).pw_name

This of course doesn't work because the password database doesn't contain the UID I'm using.  Patching this line exposes other places where the code is written assuming that an account exists for the process' current UID.

Does anyone see a solution to this problem?  I don't think ansible should really need a local account to do its thing.  Moreover, it could also use `getpass.getuser()`, which is smarter about how it gets the login name (it also checks the relevant environment variables).

Thanks in advance,

Luca
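The failure described in this post, as an added example that is not part of the original thread and not Ansible's own code: a login-name resolver that mirrors the lookup order of `getpass.getuser()` (the LOGNAME, USER, LNAME and USERNAME environment variables, then the passwd database) and never raises `KeyError` when the process UID has no passwd entry, plus a helper that builds the `/etc/passwd` line an entrypoint script would append as the usual workaround for containers started with `--user UID:GID`. The function names, the `uid<N>` synthetic fallback and the constructed passwd database in `make_getpwuid` are assumptions of this example.

```python
"""Resolve a login name for a process whose UID may have no passwd entry.

Added example for this thread, not Ansible code.  ``resolve_login_name``
follows the environment-first order of ``getpass.getuser`` and falls back
to a synthetic name instead of letting ``pwd.getpwuid`` raise ``KeyError``.
"""
import os
import pwd
from types import SimpleNamespace
from typing import Callable, Dict, Mapping, Optional

# Same variable order that getpass.getuser() consults before hitting pwd.
ENV_NAME_VARS = ("LOGNAME", "USER", "LNAME", "USERNAME")


def make_getpwuid(entries: Dict[int, str]) -> Callable[[int], SimpleNamespace]:
    """Build a constructed passwd lookup (for demos/tests) that behaves like
    pwd.getpwuid: returns an object with pw_name, raises KeyError if absent."""
    def lookup(uid: int) -> SimpleNamespace:
        if uid not in entries:
            raise KeyError(uid)
        return SimpleNamespace(pw_name=entries[uid])
    return lookup


def passwd_name(uid: int, getpwuid: Callable = pwd.getpwuid) -> Optional[str]:
    """Return the passwd name for uid, or None when the UID is unknown (the
    case where ``pwd.getpwuid(os.getuid()).pw_name`` raises KeyError)."""
    try:
        return getpwuid(uid).pw_name
    except KeyError:
        return None


def resolve_login_name(uid: int, environ: Mapping[str, str],
                       getpwuid: Callable = pwd.getpwuid) -> str:
    """Environment variables first (as getpass.getuser does), then the passwd
    database, then a synthetic 'uid<N>' name so callers always get a string."""
    for var in ENV_NAME_VARS:
        value = environ.get(var)
        if value:
            return value
    name = passwd_name(uid, getpwuid)
    if name is not None:
        return name
    return f"uid{uid}"  # assumption of this example: synthetic fallback


def passwd_line(name: str, uid: int, gid: int,
                home: str = "/tmp", shell: str = "/sbin/nologin") -> str:
    """Format the entry an entrypoint would append to a writable /etc/passwd.
    The name usually comes from the environment, so reject field separators
    and newlines before it is written into the account database."""
    for field in (name, home, shell):
        if ":" in field or "\n" in field:
            raise ValueError(f"illegal character in passwd field: {field!r}")
    return f"{name}:x:{uid}:{gid}:{name}:{home}:{shell}"


def describe_current_process(environ: Mapping[str, str] = os.environ) -> dict:
    """Report what the running process would resolve to on this host."""
    uid, gid = os.getuid(), os.getgid()
    return {
        "uid": uid,
        "gid": gid,
        "name": resolve_login_name(uid, environ),
        "has_passwd_entry": passwd_name(uid) is not None,
    }


if __name__ == "__main__":
    info = describe_current_process()
    print(info)
    if not info["has_passwd_entry"]:
        # What an entrypoint would append when the container's passwd lacks us.
        print(passwd_line(info["name"], info["uid"], info["gid"]))
```

`describe_current_process()` run inside a container started with a host-only UID reports `has_passwd_entry: False` while still returning a usable name, which is the behaviour the post asks Ansible to adopt; the `passwd_line` check matters because an entrypoint that trusts `USER` blindly would let a colon in that variable inject extra fields into `/etc/passwd`.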

Pshem Kowalczyk

Feb 11, 2019, 1:45:29 PM
to Ansible Project
Hi,

Why not simply create a dedicated ansible user inside the container? 

kind regards
Pshem



Luca Pireddu

Feb 11, 2019, 2:34:57 PM
to Ansible Project
Hi!

On Monday, February 11, 2019 at 7:45:29 PM UTC+1, Pshem Kowalczyk wrote:
Hi,

Why not simply create a dedicated ansible user inside the container? 

kind regards
Pshem


I have some other things packaged within the same container image (terraform and some template generating code) that need to write to the calling user's directory (which is mounted into the container).  Those files should be generated as owned by the calling user, which wouldn't happen if I use a static user inside the container.  If I can't find a solution to run as any user then I'll probably use your suggestion and split the tools into two separate images.

Thanks,

Luca
