containers.podman.podman_unshare become – Run tasks using podman unshare

Note

This become plugin is part of the containers.podman collection (version 1.16.2).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list

To install it, use: ansible-galaxy collection install containers.podman

To use it in a playbook, specify: containers.podman.podman_unshare

New in containers.podman 1.9.0

Synopsis

Parameters

Parameter

Comments

become_exe

string

Sudo executable

Default: "sudo"

Configuration

  • INI entries

    [privilege_escalation]
    become_exe = sudo
    
    [sudo_become_plugin]
    executable = sudo
    
  • Environment variable: ANSIBLE_BECOME_EXE

  • Environment variable: ANSIBLE_SUDO_EXE

  • Variable: ansible_become_exe

  • Variable: ansible_sudo_exe

become_pass

string

Password to pass to sudo

Configuration

  • INI entry

    [sudo_become_plugin]
    password = VALUE
    
  • Environment variable: ANSIBLE_BECOME_PASS

  • Environment variable: ANSIBLE_SUDO_PASS

  • Variable: ansible_become_password

  • Variable: ansible_become_pass

  • Variable: ansible_sudo_pass

become_user

string

The user you "become" to execute the task ("root" is not a valid value here: podman unshare only works in rootless mode, entering the user namespace that rootless podman builds for an unprivileged user from that user's /etc/subuid and /etc/subgid ranges).

Configuration

  • INI entries

    [privilege_escalation]
    become_user = VALUE
    
    [sudo_become_plugin]
    user = VALUE
    
  • Environment variable: ANSIBLE_BECOME_USER

  • Environment variable: ANSIBLE_SUDO_USER

  • Variable: ansible_become_user

  • Variable: ansible_sudo_user

Examples

- name: checking uid of file 'foo'
  ansible.builtin.stat:
    path: "{{ test_dir }}/foo"
  register: foo
- ansible.builtin.debug:
    var: foo.stat.uid
# The output shows that it is owned by the login user
# ok: [test_host] => {
#     "foo.stat.uid": "1003"
# }

- name: mounting the file into an unprivileged container and modifying its owner
  containers.podman.podman_container:
    name: chmod_foo
    image: alpine
    rm: true
    volume:
    - "{{ test_dir }}:/opt/test:z"
    command: chown 1000 /opt/test/foo

# Now the file 'foo' is owned by the container uid 1000,
# which is mapped to a completely different (subordinate) uid on the host.
# This leaves the file inaccessible to the host user (uid 1003).
# Running stat and debug again now shows:
# ok: [test_host] => {
#     "foo.stat.uid": "328679"
# }

- name: running stat in the modified user namespace
  become_method: containers.podman.podman_unshare
  become: true
  ansible.builtin.stat:
    path: "{{ test_dir }}/foo"
  register: foo
# By gathering file stats with podman_unshare
# we can see the uid as set in the container:
# ok: [test_host] => {
#     "foo.stat.uid": "1000"
# }

- name: resetting file ownership with podman unshare
  become_method: containers.podman.podman_unshare
  become: true
  ansible.builtin.file:
    state: file
    path: "{{ test_dir }}/foo"
    owner: 0  # in the modified user namespace the host uid is mapped to 0
# If we run stat and debug again with 'become: false',
# we can see that the file is ours again:
# ok: [test_host] => {
#     "foo.stat.uid": "1003"
# }
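A further example, added here and not part of the original plugin documentation: it reads the uid mapping that produces the numbers above from inside the podman unshare namespace, resets ownership recursively for a whole directory tree instead of a single file, and then verifies the result from the host's point of view with become disabled. The host name test_host, the path in test_dir and the subuid range quoted in the comments are assumptions; the uid_map, file, find and assert usage is standard Ansible and podman behaviour.

```yaml
# Added example (not from the containers.podman docs): inspect the rootless
# user-namespace mapping and recover a whole tree chowned inside a container.
# Host name, test_dir and the subuid range in the comments are assumptions.
- name: Recover ownership of files chowned inside a rootless container
  hosts: test_host
  gather_facts: true        # needed for ansible_user_uid below
  vars:
    test_dir: /home/ansible/testdir   # assumed path
  tasks:
    - name: Read the uid map of the container user namespace
      become: true
      become_method: containers.podman.podman_unshare
      ansible.builtin.command: cat /proc/self/uid_map
      register: uid_map
      changed_when: false

    - name: Show the mapping
      ansible.builtin.debug:
        var: uid_map.stdout_lines
    # Each line is "<uid inside namespace> <uid on host> <length>". With a
    # subuid range starting at 327680 (assumed) the output would be
    #   "0 1003 1"        -> the login user is uid 0 inside the namespace
    #   "1 327680 65536"  -> container uid N is host uid 327680 + N - 1,
    #                        so container uid 1000 is host uid 328679

    - name: Reset ownership of the whole tree to the login user
      become: true
      become_method: containers.podman.podman_unshare
      ansible.builtin.file:
        path: "{{ test_dir }}"
        state: directory
        recurse: true
        owner: 0   # uid 0 in the namespace is the login user on the host
        group: 0   # gid 0 in the namespace is the login user's primary group

    - name: List the tree as the login user (no become)
      ansible.builtin.find:
        paths: "{{ test_dir }}"
        recurse: true
        hidden: true
        file_type: any
      register: found

    - name: Fail if anything is still owned by a subordinate uid
      ansible.builtin.assert:
        that:
          - found.files | map(attribute='uid') | reject('equalto', ansible_user_uid) | list | length == 0
        fail_msg: "files under {{ test_dir }} are still owned by a subordinate uid"
```

The final assert is the check worth keeping in a real playbook: it runs without become, so it sees the host-side uids, and it fails the play if any entry (hidden files included) still carries an id from the subuid range.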

Authors

  • Janos Gerzson (@grzs)

Hint

Configuration entries for each entry type are listed in order of precedence from low to high: for example, a variable lower in a list overrides a variable higher in that list.