#1539 is the pull that introduced this behavior. I don't disagree that forcing root inside a container, even when rootless with Podman via sub-uid, is potentially dangerous, as they can do anything within the container. It's also somewhat dubious, as the code does not check the starting UID to determine if the user is root outside the container as well.
Being limited to Podman, it's not as bad as containers running as root with Docker, which also runs as root regardless of who starts the container process. I explore this a bit in #1592 because there are issues with ssh keys in the current setup.
Setting --user for the container runtime is going to need to be determined carefully, and to do that it needs to work with the ecosystem, like the linked ansible-builder issue in the PR. There needs to be clear guidance on how images should be built so they can be run in ansible-navigator for development and local execution while eventually landing in AWX or AAP2 for production use, without requiring separate images and while establishing clear security expectations.
Ideally, if you specify a user in the container options, it should not be overwritten to force running as root. This is a security issue.
However, it's best to let people specify the user as root if they want to, versus forcing them to.
For instance, I add a user and make them the default user, and everything works except when the ansible-navigator/runner wrapper specifies the user.
In my execution environment yaml I have this, which makes it work:
```yaml
options:
  package_manager_path: /usr/bin/microdnf
  user: "502"
additional_build_steps:
  append_final:
    - RUN useradd -u 502 -d /runner aapuser
```
I've downgraded to ansible-navigator 3.3.0 to have a working solution.
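As an added illustration (not ansible-navigator's or ansible-runner's code), this hypothetical wrapper logic shows the behaviour the issue asks for: a `--user` given in the container options is honoured instead of being overridden with root, and the host UID and engine are taken into account when reporting how risky the resulting request is. The engine name, image tag and option layout are assumptions for the example.

```python
"""Hypothetical runner-wrapper logic: honour an explicit --user and
classify the risk of the resulting container invocation (example only)."""
from typing import List, Optional


def explicit_user(options: List[str]) -> Optional[str]:
    """Return the user requested via --user/-u in raw engine options, or None."""
    it = iter(options)
    for opt in it:
        if opt in ("--user", "-u"):
            return next(it, None)          # separate-argument form
        if opt.startswith("--user="):
            return opt.split("=", 1)[1]    # --user=502
        if opt.startswith("-u") and len(opt) > 2:
            return opt[2:]                 # -u502
    return None


def build_run_args(engine: str, image: str, options: List[str],
                   default_user: Optional[str] = "root") -> List[str]:
    """Assemble the run command; only fall back to the wrapper default
    (historically root) when the caller did not pick a user themselves."""
    args = [engine, "run", "--rm"]
    if explicit_user(options) is None and default_user is not None:
        args += ["--user", default_user]
    return args + list(options) + [image]


def risk_note(engine: str, options: List[str], host_uid: int,
              default_user: Optional[str] = "root") -> str:
    """Classify what the invocation means on the host.

    Docker's daemon runs as root regardless of who starts the container,
    and a root caller makes even rootless Podman root-equivalent; rootless
    Podman maps container root onto the caller's sub-uid range instead."""
    user = explicit_user(options) or default_user
    if user is None:
        return "UNKNOWN: image default user applies"
    if user in ("root", "0"):
        if engine == "docker" or host_uid == 0:
            return "HIGH: root inside container and root-equivalent on host"
        return "MEDIUM: root inside rootless podman (mapped to host sub-uid)"
    return "LOW: unprivileged user inside container"


if __name__ == "__main__":
    # constructed sample: the EE from this issue run under rootless podman
    opts = ["--user", "502", "-v", "/home/dev/project:/runner/project:Z"]
    print(build_run_args("podman", "my-ee:latest", opts))
    print(risk_note("podman", opts, host_uid=1000))
```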