Podman unshare `Error: please use unshare with rootless`

[Igortorrente]

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Following the instruction in the documentation I tried the new podman unshare become_method, but it didn't worked for me.

It seems to be running sudo podman unshare <cmd> under the hood instead of podman unshare <cmd> for some reason.

Steps to reproduce the issue:

1. Create a task with podman unshare

2. Run it

3. Face the error message

Describe the results you received:

failed: [instance] (item=/home/vagrant/containers_cache/redis) => {"ansible_loop_var": "item", "changed": false, "item": "/home/vagrant/containers_cache/redis", "module_stderr": "", "module_stdout": "Error: please use unshare with rootless\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 125}
failed: [instance] (item=/home/vagrant/containers_config/redis/) => {"ansible_loop_var": "item", "changed": false, "item": "/home/vagrant/containers_config/redis/", "module_stderr": "", "module_stdout": "Error: please use unshare with rootless\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 125}

Describe the results you expected:

Success

Or version from ansible-galaxy if installed from galaxy: ansible-galaxy collection list | grep containers.podman

$ ansible-galaxy collection list | grep containers.podman
containers.podman             1.9.4  

Output of ansible --version:

$ ansible --version
ansible [core 2.13.5]
  config file = /home/igor/projects/cloud/Caedrium-Playbooks/ansible.cfg
  configured module search path = ['/home/igor/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/igor/projects/cloud/python3_venv/lib/python3.10/site-packages/ansible
  ansible collection location = /home/igor/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/igor/projects/cloud/python3_venv/bin/ansible
  python version = 3.10.8 (main, Nov  4 2022, 09:21:25) [GCC 12.2.0]
  jinja version = 3.1.2
  libyaml = True

Output of podman version:

$ podman version
Version:      3.0.1
API Version:  3.0.0
Go Version:   go1.15.15
Built:        Thu Jan  1 00:00:00 1970
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.19.6
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: 'conmon: /usr/bin/conmon'
    path: /usr/bin/conmon
    version: 'conmon version 2.0.25, commit: unknown'
  cpus: 4
  distribution:
    distribution: debian
    version: "11"
  eventLogger: journald
  hostname: instance
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.10.0-18-amd64
  linkmode: dynamic
  memFree: 5475975168
  memTotal: 6229622784
  ociRuntime:
    name: crun
    package: 'crun: /usr/bin/crun'
    path: /usr/bin/crun
    version: |-
      crun version 0.17
      commit: 0e9229ae34caaebcb86f1fde18de3acaf18c6d9a
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    selinuxEnabled: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: 'slirp4netns: /usr/bin/slirp4netns'
    version: |-
      slirp4netns version 1.0.1
      commit: 6a7b16babc95b6a3056b33fb45b74a6f62262dd4
      libslirp: 4.4.0
  swapFree: 0
  swapTotal: 0
  uptime: 1m 57.04s
registries: {}
store:
  configFile: /home/vagrant/.config/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: 'fuse-overlayfs: /usr/bin/fuse-overlayfs'
      Version: |-
        fusermount3 version: 3.10.3
        fuse-overlayfs: version 1.4
        FUSE library version 3.10.3
        using FUSE kernel interface version 7.31
  graphRoot: /home/vagrant/.local/share/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 0
  runRoot: /run/user/1000/containers
  volumePath: /home/vagrant/.local/share/containers/storage/volumes
version:
  APIVersion: 3.0.0
  Built: 0
  BuiltTime: Thu Jan  1 00:00:00 1970
  GitCommit: ""
  GoVersion: go1.15.15
  OsArch: linux/amd64
  Version: 3.0.1

Package info (e.g. output of rpm -q podman or apt list podman):

$ apt list podman
Listing... Done
podman/stable,now 3.0.1+dfsg1-3+deb11u1 amd64 [installed]

Playbok you run with ansible (e.g. content of playbook.yaml):

- name: Create all redis folders.
  ansible.builtin.file:
    path: "{{ item }}"
    owner: 104
    group: 104
    state: directory
    mode: 0700
  become_method: containers.podman.podman_unshare
  become: true
  loop:
    - "{{ cache_dir }}/redis"
    - "{{ config_dir }}/redis/"

Additional environment details (AWS, VirtualBox, physical, etc.):

Debian 11 running inside of Vagrant-libvirt VM.

[sshnaidm]

@grzs can you take a look?

[sshnaidm]

@Igortorrente did you try to put become_user: <your_user> in the task?

[grzs]

yes, I will check it out. It should use sudo only if become_user has been set. If not, it tries to change the user namespace of the ansible_user. Do you connect as root? Or it is also possible that the become_user variable has a value set in the inventory, or earlier in the play.

[grzs]

@sshnaidm I've got it. It's not possible to use podman unshare as root because it doesn't make sense. How should we handle it? Simply bypassing it or throwing an error, or extending the documentation?

[grzs]

@Igortorrente did you try to put become_user: <your_user> in the task?

This should work.

[sshnaidm]

@sshnaidm I've got it. It's not possible to use podman unshare as root because it doesn't make sense. How should we handle it? Simply bypassing it or throwing an error, or extending the documentation?

Right now root is the default in

ansible-podman-collections/plugins/become/podman_unshare.py

Lines 19 to 21 in 73af489

	become_user:
	description: User you 'become' to execute the task
	default: root

Maybe worth to remove the default or use current/empty user as its default here?

ansible-podman-collections/plugins/become/podman_unshare.py

Line 133 in 73af489

user = self.get_option('become_user') or ''

[grzs]

oops... for sure, the default has to be anything but root (or no default). I am experimenting with it and creating a PR soon.

[Igortorrente]

@Igortorrente did you try to put become_user: <your_user> in the task?

It works if I also remove the owner/group fields. Otherwise I get this new error:

failed: [instance] (item=/home/vagrant/containers_cache/redis) => {"ansible_loop_var": "item", "changed": false, "gid": 1000, "group": "vagrant", "item": "/home/vagrant/containers_cache/redis", "mode": "0755", "msg": "chown failed: [Errno 1] Operation not permitted: b'/home/vagrant/containers_cache/redis'", "owner": "vagrant", "path": "/home/vagrant/containers_cache/redis", "size": 4096, "state": "directory", "uid": 1000

[grzs]

@Igortorrente I suppose it's how podman unshare works. With podman unshare you can work with files in a specific user namespace, but it's not a permission elevation method from the host side, like sudo. It means that you still work as your unprivileged user, the only difference is that it maps user and group ids for you, like if you were in the container. Therefore the safe way is to use numeric ids instead of names, because names can be mapped to different numeric id on the host and in the container. With podman unshare (in rootless mode) you become the root user of the user namespace (and the container).
Let's assume that you have a container with a bind mount /home/vagrant/wd:/mnt/wd, and you want to set its owner to foo (uid 1000) in the container. Then you can do it by 'podman unshare chown 1000 /home/vagrant/wd' from the host by user vagrant. But it will fail if you try to do this with another user, who has no rights to change ownership of the above directory.
In your case it seems that the vagrant user is not permitted to change ownership of directory /home/vagrant/containers_cache/redis, and podman unshare is indifferent in that sense.
I hope I understood your problem and could make it clear.

[Igortorrente]

Yeah, we have the exact same permissions as the the user that is running the podman unshare command.

What is strange is that vagrant user owns {{ cache_dir }} (and therefore have permission) and it should have permission(under podman unshare) to the redis folder as well. My understand about the ansible.builtin.file is that I'm running:

(vagrant) $ podman unshare mkdir {{ cache_dir }}/redis
(vagrant) $ podman unshare chown 104:104 {{ cache_dir }}/redis
(vagrant) $ podman unshare chmod 0700 {{ cache_dir }}/redis

Which works (I tried here). But it doesn't work within ansible for some reason

[grzs]

Yeah, we have the exact same permissions as the the user that is running the podman unshare command.

What is strange is that vagrant user owns {{ cache_dir }} (and therefore have permission) and it should have permission(under podman unshare) to the redis folder as well. My understand about the ansible.builtin.file is that I'm running:

(vagrant) $ podman unshare mkdir {{ cache_dir }}/redis
(vagrant) $ podman unshare chown 104:104 {{ cache_dir }}/redis
(vagrant) $ podman unshare chmod 0700 {{ cache_dir }}/redis

@Igortorrente Can you paste the -vvv verbose output here?

[grzs]

@Igortorrente I tested it and encountered the same issue if group did not set correctly. Since you connected as root, all the files (and dirs) you create will belong to group 'root' by default. The problem is that from a mapped user namespace root is nobody:nogroup. The safest way if you connect as root is to set become_user at the play level, and set become_method to podman_unshare at the specific task where you need it.

[grzs]

Example playbook:

---
- hosts: test_host
  become: yes
  become_user: vagrant
  vars:
    test_dir: "/home/vagrant/test"
  tasks:
  - name: creating a file
    ansible.builtin.file:
      state: touch
      path: "{{ test_dir }}/foo"
  - name: chown a file with unshare
    become_method: containers.podman.podman_unshare
    ansible.builtin.file:
      state: file
      path: "{{ test_dir }}/foo"
      owner: 1000
  - name: checking uid of file 'foo'
    ansible.builtin.file:
      state: file
      path: "{{ test_dir }}/foo"
    register: foo
  - ansible.builtin.debug:
      var: foo.uid

output:

TASK [creating a file] ***********************
changed: [test_host]

TASK [chown a file with unshare] *************
changed: [test_host]

TASK [checking uid of file 'foo'] ************
ok: [test_host]

TASK [ansible.builtin.debug] *****************
ok: [test_host] => {
    "foo.uid": "166535"
}