
Force execution of root via podman - make optional perhaps default if not specified. #1563

Open
matthewdaclark opened this issue Jun 26, 2023 · 1 comment

Comments

@matthewdaclark

matthewdaclark commented Jun 26, 2023

Ideally, if you specify a user in the container options, it should not be overwritten by forcing the container to run as root. This is a security issue.
However, it's best to let people specify the user as root if they want to, rather than forcing them to.

For instance, I add a user and make them the default user, and everything works except when the ansible-navigator/runner wrapper specifies the user.

In my execution environment YAML I have this, which makes it work:

```yaml
options:
  package_manager_path: /usr/bin/microdnf
  user: "502"

additional_build_steps:
  append_final:
    - RUN useradd -u 502 -d /runner aapuser
```

I've downgraded to ansible-navigator 3.3.0 to have a working solution.

@matthewdaclark matthewdaclark added the new New issues and PRs to triaged label Jun 26, 2023
@shatakshiiii shatakshiiii removed the new New issues and PRs to triaged label Jun 28, 2023
@timway
Contributor

timway commented Aug 8, 2023

#1539 is the pull that introduced this behavior. I don't disagree that forcing root inside a container even when rootless with Podman via sub-uid is potentially dangerous as they can do anything within the container. It's also somewhat dubious as the code does not check the starting UID to determine if the user is root outside the container as well.

Being limited to Podman it's not as bad as containers running as root with Docker also running as root regardless of who starts the container process. I explore this a bit in #1592 because there are issues with ssh keys in the current setup.

Setting --user for the container runtime is going to need to be determined carefully and to do that it needs to work with the ecosystem like the linked ansible-builder issue in the PR. There needs to be clear guidance on how images should be built so they can be run in ansible-navigator for development and local execution while eventually landing in AWX or AAP2 for production use without requiring separate images while establishing clear security expectations.
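To make the sub-uid point in the comment above concrete, here is an added example (not ansible-navigator code and not written by either commenter) that maps a container UID to the host UID it actually runs as, using the `/proc/self/uid_map` format (`inside_start outside_start length`). The two sample maps are constructed: an identity map as produced by Docker running as root or rootful Podman, and a rootless Podman map for a host user with UID 1000 and a `/etc/subuid` entry of `user:100000:65536`. The launcher UID and the subuid range are assumptions for the sample.

```python
"""Show what a container UID actually is on the host.

Added example for this thread; not ansible-navigator code. A container's
/proc/self/uid_map has lines "inside_start outside_start length". With a
rootful runtime (Docker as root, rootful Podman) the map is the identity,
so UID 0 in the container is UID 0 on the host. With rootless Podman the
container's UID 0 is the launching user's UID and everything above it is
taken from that user's /etc/subuid range. The sample maps are constructed.
"""

from typing import List, Optional, Tuple

# Constructed sample: rootful runtime, identity mapping over the whole range.
ROOTFUL_UID_MAP = "         0          0 4294967295\n"

# Constructed sample: rootless Podman started by host UID 1000 (assumed),
# whose /etc/subuid entry is assumed to be "user:100000:65536".
ROOTLESS_UID_MAP = (
    "         0       1000          1\n"
    "         1     100000      65536\n"
)
ROOTLESS_LAUNCHER_UID = 1000  # assumption matching the sample above
ROOTFUL_LAUNCHER_UID = 0      # the daemon/runtime runs as root


def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse uid_map text into (inside_start, outside_start, length) triples."""
    ranges: List[Tuple[int, int, int]] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        inside, outside, length = (int(f) for f in fields)
        ranges.append((inside, outside, length))
    return ranges


def container_to_host_uid(uid_map: str, container_uid: int) -> Optional[int]:
    """Return the host UID that container_uid runs as, or None if unmapped.

    An unmapped UID has no host identity at all: it cannot own files and is
    shown as the overflow UID (normally 65534, "nobody") from the other side.
    """
    for inside, outside, length in parse_uid_map(uid_map):
        if inside <= container_uid < inside + length:
            return outside + (container_uid - inside)
    return None


def describe_privilege(uid_map: str, container_uid: int, launcher_uid: int) -> str:
    """Classify what a container UID amounts to on the host.

    "host-root"      : real root on the host (the Docker-as-root case).
    "launching-user" : the user who started the container (rootless UID 0).
    "other-host-uid" : some other host UID; under rootless Podman this is a
                       subordinate UID from /etc/subuid, e.g. UID 502 inside.
    "unmapped"       : outside every range in uid_map.
    """
    host_uid = container_to_host_uid(uid_map, container_uid)
    if host_uid is None:
        return "unmapped"
    if host_uid == 0:
        return "host-root"
    if host_uid == launcher_uid:
        return "launching-user"
    return "other-host-uid"


if __name__ == "__main__":
    cases = (
        ("rootful", ROOTFUL_UID_MAP, ROOTFUL_LAUNCHER_UID),
        ("rootless", ROOTLESS_UID_MAP, ROOTLESS_LAUNCHER_UID),
    )
    for name, uid_map, launcher in cases:
        for uid in (0, 502):
            host = container_to_host_uid(uid_map, uid)
            print(f"{name}: container uid {uid} -> host uid {host} "
                  f"({describe_privilege(uid_map, uid, launcher)})")
    # Live check when run on Linux: print this process's own mapping.
    try:
        with open("/proc/self/uid_map") as fh:
            print("this process:", parse_uid_map(fh.read()))
    except OSError:
        pass
```

Run inside a container (for example with `podman run --rm <image> cat /proc/self/uid_map`) the real map shows which case applies: a single identity line means a forced `--user root` is root on the host, while a rootless map means container root is only the launching user, and a non-root user such as 502 from the issue's `useradd` lands on a subordinate UID that owns nothing on the host outside the subuid range.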
