Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind bug
Description
Steps to reproduce the issue:
- Install podman on a fresh Debian 11 host
- Install the latest ansible release on the controller
- Install the containers.podman collection: ansible-galaxy collection install containers.podman
- Create a simple playbook with the following tasks:

```yaml
- containers.podman.podman_volume:
    state: present
    name: "{{ item }}"
  with_items:
    - shaarli-data
    - shaarli-cache
  tags: podman-shaarli

- name: set permissions/ownership on podman volumes
  become: yes
  become_method: containers.podman.podman_unshare
  ansible.builtin.file:
    state: directory
    owner: 100
    group: 101
    path: "{{ item }}"
  with_items:
    - ~/.local/share/containers/storage/volumes/shaarli-cache
    - ~/.local/share/containers/storage/volumes/shaarli-data
  tags: podman-shaarli
```

- Run the playbook

$ ansible-playbook playbook.yml --tags=podman-shaarli
Describe the results you received:
PLAY [podman1.xinit.se] ******************************************************
TASK [podman : containers.podman.podman_volume] ***********************************************************
ok: [podman1.xinit.se] => (item=shaarli-data)
ok: [podman1.xinit.se] => (item=shaarli-cache)
TASK [podman : set permissions/ownership on podman volumes] ******************************************************
failed: [podman1.xinit.se] (item=~/.local/share/containers/storage/volumes/shaarli-cache) => {
"ansible_loop_var": "item",
"changed": false,
"item": "~/.local/share/containers/storage/volumes/shaarli-cache",
"rc": 1
}
MSG:
MODULE FAILURE
See stdout/stderr for the exact error
MODULE_STDERR:
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required
failed: [podman1.xinit.se] (item=~/.local/share/containers/storage/volumes/shaarli-data) => {
"ansible_loop_var": "item",
"changed": false,
"item": "~/.local/share/containers/storage/volumes/shaarli-data",
"rc": 1
}
MSG:
MODULE FAILURE
See stdout/stderr for the exact error
MODULE_STDERR:
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required
to retry, use: --limit @/home/live/GIT/ansible-playbook-infra.git/playbook.retry
PLAY RECAP ******************************
podman1.xinit.se : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
Thinking that was caused by become: yes assuming become_user: root as the default, I tried setting become_user: "{{ ansible_user }}" in the task that uses become_method: containers.podman.podman_unshare. Different error:
PLAY [podman1.xinit.se] **********************************
TASK [podman : containers.podman.podman_volume] ************************************************
ok: [podman1.xinit.se] => (item=shaarli-data)
ok: [podman1.xinit.se] => (item=shaarli-cache)
TASK [podman : set permissions/ownership on podman volumes] *********************************************************
failed: [podman1.xinit.se] (item=~/.local/share/containers/storage/volumes/shaarli-cache) => {
"ansible_loop_var": "item",
"changed": false,
"gid": 1000,
"group": "deploy",
"item": "~/.local/share/containers/storage/volumes/shaarli-cache",
"mode": "0755",
"owner": "deploy",
"path": "/home/deploy/.local/share/containers/storage/volumes/shaarli-cache",
"size": 4096,
"state": "directory",
"uid": 1000
}
MSG:
chown failed: [Errno 1] Operation not permitted: b'/home/deploy/.local/share/containers/storage/volumes/shaarli-cache'
failed: [podman1.xinit.se] (item=~/.local/share/containers/storage/volumes/shaarli-data) => {
"ansible_loop_var": "item",
"changed": false,
"gid": 1000,
"group": "deploy",
"item": "~/.local/share/containers/storage/volumes/shaarli-data",
"mode": "0755",
"owner": "deploy",
"path": "/home/deploy/.local/share/containers/storage/volumes/shaarli-data",
"size": 4096,
"state": "directory",
"uid": 1000
}
MSG:
chown failed: [Errno 1] Operation not permitted: b'/home/deploy/.local/share/containers/storage/volumes/shaarli-data'
to retry, use: --limit @/home/live/GIT/ansible-playbook-infra.git/playbook.retry
PLAY RECAP ***************************************
podman1.xinit.se : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
Describe the results you expected:
become_method: containers.podman.podman_unshare should work as documented in the examples at https://docs.ansible.com/ansible/latest/collections/containers/podman/podman_volume_module.html:
- It should not require setting become_user manually/assume that become_user: root
- More importantly it does not seem to work at all (Operation not permitted) even with become_user set to the ansible unprivileged user.
Additional information you deem important (e.g. issue happens only occasionally):
Running podman unshare manually works, pointing to a problem specifically with the become module:
deploy@podman1:~$ ls -ld .local/share/containers/storage/volumes/shaarli-{cache,data}
drwxr-xr-x 2 deploy deploy 4096 Feb 2 10:28 .local/share/containers/storage/volumes/shaarli-cache
drwxr-xr-x 2 deploy deploy 4096 Feb 2 10:28 .local/share/containers/storage/volumes/shaarli-data
deploy@podman1:~$ podman unshare chown 100:101 -R .local/share/containers/storage/volumes/shaarli-{cache,data}
deploy@podman1:~$ ls -ld .local/share/containers/storage/volumes/shaarli-{cache,data}
drwxr-xr-x 2 100099 100100 4096 Feb 2 10:28 .local/share/containers/storage/volumes/shaarli-cache
drwxr-xr-x 2 100099 100100 4096 Feb 2 10:28 .local/share/containers/storage/volumes/shaarli-data
Version of the containers.podman collection:
$ ansible-galaxy collection list | grep containers.podman
containers.podman 1.10.1
Output of ansible --version:
ansible [core 2.13.4]
config file = /home/live/GIT/ansible-playbook-infra.git/ansible.cfg
configured module search path = ['/home/live/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/live/.venv/lib/python3.9/site-packages/ansible
ansible collection location = /home/live/GIT/ansible-playbook-infra.git
executable location = /home/live/.venv/bin/ansible
python version = 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110]
jinja version = 3.1.2
libyaml = True
Output of podman version:
deploy@podman1:~$ podman --version
podman version 3.0.1
Output of podman info --debug:
deploy@podman1:~$ podman info --debug
host:
arch: amd64
buildahVersion: 1.19.6
cgroupManager: cgroupfs
cgroupVersion: v2
conmon:
package: 'conmon: /usr/bin/conmon'
path: /usr/bin/conmon
version: 'conmon version 2.0.25, commit: unknown'
cpus: 2
distribution:
distribution: debian
version: "11"
eventLogger: journald
hostname: podman1.xinit.se
idMappings:
gidmap:
- container_id: 0
host_id: 1000
size: 1
- container_id: 1
host_id: 100000
size: 65536
uidmap:
- container_id: 0
host_id: 1000
size: 1
- container_id: 1
host_id: 100000
size: 65536
kernel: 5.10.0-20-amd64
linkmode: dynamic
memFree: 131350528
memTotal: 1023782912
ociRuntime:
name: crun
package: 'crun: /usr/bin/crun'
path: /usr/bin/crun
version: |-
crun version 0.17
commit: 0e9229ae34caaebcb86f1fde18de3acaf18c6d9a
spec: 1.0.0
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL
os: linux
remoteSocket:
path: /run/user/1000/podman/podman.sock
security:
apparmorEnabled: false
capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
rootless: true
seccompEnabled: true
selinuxEnabled: false
slirp4netns:
executable: /usr/bin/slirp4netns
package: 'slirp4netns: /usr/bin/slirp4netns'
version: |-
slirp4netns version 1.0.1
commit: 6a7b16babc95b6a3056b33fb45b74a6f62262dd4
libslirp: 4.4.0
swapFree: 1023131648
swapTotal: 1023406080
uptime: 56m 17.1s
registries: {}
store:
configFile: /home/deploy/.config/containers/storage.conf
containerStore:
number: 0
paused: 0
running: 0
stopped: 0
graphDriverName: vfs
graphOptions: {}
graphRoot: /home/deploy/.local/share/containers/storage
graphStatus: {}
imageStore:
number: 1
runRoot: /run/user/1000/containers
volumePath: /home/deploy/.local/share/containers/storage/volumes
version:
APIVersion: 3.0.0
Built: 0
BuiltTime: Thu Jan 1 01:00:00 1970
GitCommit: ""
GoVersion: go1.15.15
OsArch: linux/amd64
Version: 3.0.1
Package info (e.g. output of rpm -q podman or apt list podman):
deploy@podman1:~$ apt list podman
Listing... Done
podman/stable,now 3.0.1+dfsg1-3+deb11u1 amd64 [installed]
Playbook you run with ansible (e.g. content of playbook.yaml):

```yaml
# playbook.yml
- hosts: podman1.xinit.se
  roles:
    - podman

# roles/podman/tasks/main.yml
- name: include podman configuration tasks
  import_tasks: podman.yml # podman installation tasks, not relevant
  become: yes
  tags: podman

- name: include shaarli configuration tasks (podman)
  import_tasks: podman-shaarli.yml
  tags: podman-shaarli

# roles/podman/tasks/podman-shaarli.yml
# see tasks in issue description
```

Command line and output of ansible run with high verbosity
$ ansible-playbook playbook.yml -vvv --tags=podman-shaarli --limit=podman1.xinit.se
ansible-playbook [core 2.13.4]
config file = /home/live/GIT/ansible-playbook-infra.git/ansible.cfg
configured module search path = ['/home/live/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/live/.venv/lib/python3.9/site-packages/ansible
ansible collection location = /home/live/GIT/ansible-playbook-infra.git
executable location = /home/live/.venv/bin/ansible-playbook
python version = 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110]
jinja version = 3.1.2
libyaml = True
Using /home/live/GIT/ansible-playbook-infra.git/ansible.cfg as config file
host_list declined parsing /home/live/GIT/ansible-playbook-infra.git/inventory.yml as it did not pass its verify_file() method
script declined parsing /home/live/GIT/ansible-playbook-infra.git/inventory.yml as it did not pass its verify_file() method
Parsed /home/live/GIT/ansible-playbook-infra.git/inventory.yml inventory source with yaml plugin
statically imported: /home/live/GIT/ansible-playbook-infra.git/roles/podman/tasks/podman.yml
statically imported: /home/live/GIT/ansible-playbook-infra.git/roles/podman/tasks/podman-shaarli.yml
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.
PLAYBOOK: playbook.yml *********************************************************
23 plays in playbook.yml
PLAY [podman1.xinit.se] ********************************************************
META: ran handlers
TASK [podman : containers.podman.podman_volume] ********************************
task path: /home/live/GIT/ansible-playbook-infra.git/roles/podman/tasks/podman-shaarli.yml:1
Using module file /home/live/GIT/ansible-playbook-infra.git/ansible_collections/containers/podman/plugins/modules/podman_volume.py
Pipelining is enabled.
<podman1.xinit.se> ESTABLISH SSH CONNECTION FOR USER: deploy
<podman1.xinit.se> SSH: EXEC ssh -o ControlMaster=auto -o ControlPersist=3600s -o PreferredAuthentications=publickey -o 'IdentityFile="/home/live/.ssh/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="deploy"' -o ConnectTimeout=10 -o 'ControlPath="/home/live/.ansible/cp/89d9f44442"' podman1.xinit.se '/bin/sh -c '"'"'/usr/bin/python3 && sleep 0'"'"''
<podman1.xinit.se> (0, b'\n{"changed": false, "actions": [], "volume": {"Name": "shaarli-data", "Driver": "local", "Mountpoint": "/home/deploy/.local/share/containers/storage/volumes/shaarli-data/_data", "CreatedAt": "2023-02-02T10:14:54.584361207+01:00", "Labels": {}, "Scope": "local", "Options": {}}, "podman_actions": [], "stdout": "", "stderr": "", "invocation": {"module_args": {"state": "present", "name": "shaarli-data", "recreate": false, "executable": "podman", "debug": false, "label": null, "driver": null, "options": null}}}\n', b'')
ok: [podman1.xinit.se] => (item=shaarli-data) => {
"actions": [],
"ansible_loop_var": "item",
"changed": false,
"invocation": {
"module_args": {
"debug": false,
"driver": null,
"executable": "podman",
"label": null,
"name": "shaarli-data",
"options": null,
"recreate": false,
"state": "present"
}
},
"item": "shaarli-data",
"podman_actions": [],
"volume": {
"CreatedAt": "2023-02-02T10:14:54.584361207+01:00",
"Driver": "local",
"Labels": {},
"Mountpoint": "/home/deploy/.local/share/containers/storage/volumes/shaarli-data/_data",
"Name": "shaarli-data",
"Options": {},
"Scope": "local"
}
}
Using module file /home/live/GIT/ansible-playbook-infra.git/ansible_collections/containers/podman/plugins/modules/podman_volume.py
Pipelining is enabled.
<podman1.xinit.se> ESTABLISH SSH CONNECTION FOR USER: deploy
<podman1.xinit.se> SSH: EXEC ssh -o ControlMaster=auto -o ControlPersist=3600s -o PreferredAuthentications=publickey -o 'IdentityFile="/home/live/.ssh/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="deploy"' -o ConnectTimeout=10 -o 'ControlPath="/home/live/.ansible/cp/89d9f44442"' podman1.xinit.se '/bin/sh -c '"'"'/usr/bin/python3 && sleep 0'"'"''
<podman1.xinit.se> (0, b'\n{"changed": false, "actions": [], "volume": {"Name": "shaarli-cache", "Driver": "local", "Mountpoint": "/home/deploy/.local/share/containers/storage/volumes/shaarli-cache/_data", "CreatedAt": "2023-02-02T10:14:55.186748415+01:00", "Labels": {}, "Scope": "local", "Options": {}}, "podman_actions": [], "stdout": "", "stderr": "", "invocation": {"module_args": {"state": "present", "name": "shaarli-cache", "recreate": false, "executable": "podman", "debug": false, "label": null, "driver": null, "options": null}}}\n', b'')
ok: [podman1.xinit.se] => (item=shaarli-cache) => {
"actions": [],
"ansible_loop_var": "item",
"changed": false,
"invocation": {
"module_args": {
"debug": false,
"driver": null,
"executable": "podman",
"label": null,
"name": "shaarli-cache",
"options": null,
"recreate": false,
"state": "present"
}
},
"item": "shaarli-cache",
"podman_actions": [],
"volume": {
"CreatedAt": "2023-02-02T10:14:55.186748415+01:00",
"Driver": "local",
"Labels": {},
"Mountpoint": "/home/deploy/.local/share/containers/storage/volumes/shaarli-cache/_data",
"Name": "shaarli-cache",
"Options": {},
"Scope": "local"
}
}
TASK [podman : set permissions/ownership on podman volumes] ********************
task path: /home/live/GIT/ansible-playbook-infra.git/roles/podman/tasks/podman-shaarli.yml:8
Using module file /home/live/.venv/lib/python3.9/site-packages/ansible/modules/file.py
Pipelining is enabled.
<podman1.xinit.se> ESTABLISH SSH CONNECTION FOR USER: deploy
<podman1.xinit.se> SSH: EXEC ssh -o ControlMaster=auto -o ControlPersist=3600s -o PreferredAuthentications=publickey -o 'IdentityFile="/home/live/.ssh/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="deploy"' -o ConnectTimeout=10 -o 'ControlPath="/home/live/.ansible/cp/89d9f44442"' podman1.xinit.se '/bin/sh -c '"'"'/usr/bin/python3 && sleep 0'"'"''
<podman1.xinit.se> (1, b'\n{"path": "/home/deploy/.local/share/containers/storage/volumes/shaarli-cache", "failed": true, "msg": "chown failed: [Errno 1] Operation not permitted: b\'/home/deploy/.local/share/containers/storage/volumes/shaarli-cache\'", "exception": " File \\"/tmp/user/1000/ansible_ansible.builtin.file_payload_2za_6uqp/ansible_ansible.builtin.file_payload.zip/ansible/module_utils/basic.py\\", line 833, in set_owner_if_different\\n os.lchown(b_path, uid, -1)\\n", "uid": 100099, "gid": 100100, "owner": "100099", "group": "100100", "mode": "0755", "state": "directory", "size": 4096, "invocation": {"module_args": {"state": "directory", "owner": "100", "group": "101", "path": "/home/deploy/.local/share/containers/storage/volumes/shaarli-cache", "recurse": false, "force": false, "follow": true, "modification_time_format": "%Y%m%d%H%M.%S", "access_time_format": "%Y%m%d%H%M.%S", "unsafe_writes": false, "_original_basename": null, "_diff_peek": null, "src": null, "modification_time": null, "access_time": null, "mode": null, "seuser": null, "serole": null, "selevel": null, "setype": null, "attributes": null}}}\n', b'')
<podman1.xinit.se> Failed to connect to the host via ssh:
The full traceback is:
File "/tmp/user/1000/ansible_ansible.builtin.file_payload_2za_6uqp/ansible_ansible.builtin.file_payload.zip/ansible/module_utils/basic.py", line 833, in set_owner_if_different
os.lchown(b_path, uid, -1)
failed: [podman1.xinit.se] (item=~/.local/share/containers/storage/volumes/shaarli-cache) => {
"ansible_loop_var": "item",
"changed": false,
"gid": 100100,
"group": "100100",
"invocation": {
"module_args": {
"_diff_peek": null,
"_original_basename": null,
"access_time": null,
"access_time_format": "%Y%m%d%H%M.%S",
"attributes": null,
"follow": true,
"force": false,
"group": "101",
"mode": null,
"modification_time": null,
"modification_time_format": "%Y%m%d%H%M.%S",
"owner": "100",
"path": "/home/deploy/.local/share/containers/storage/volumes/shaarli-cache",
"recurse": false,
"selevel": null,
"serole": null,
"setype": null,
"seuser": null,
"src": null,
"state": "directory",
"unsafe_writes": false
}
},
"item": "~/.local/share/containers/storage/volumes/shaarli-cache",
"mode": "0755",
"owner": "100099",
"path": "/home/deploy/.local/share/containers/storage/volumes/shaarli-cache",
"size": 4096,
"state": "directory",
"uid": 100099
}
MSG:
chown failed: [Errno 1] Operation not permitted: b'/home/deploy/.local/share/containers/storage/volumes/shaarli-cache'
Using module file /home/live/.venv/lib/python3.9/site-packages/ansible/modules/file.py
Pipelining is enabled.
<podman1.xinit.se> ESTABLISH SSH CONNECTION FOR USER: deploy
<podman1.xinit.se> SSH: EXEC ssh -o ControlMaster=auto -o ControlPersist=3600s -o PreferredAuthentications=publickey -o 'IdentityFile="/home/live/.ssh/id_rsa"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="deploy"' -o ConnectTimeout=10 -o 'ControlPath="/home/live/.ansible/cp/89d9f44442"' podman1.xinit.se '/bin/sh -c '"'"'/usr/bin/python3 && sleep 0'"'"''
<podman1.xinit.se> (1, b'\n{"path": "/home/deploy/.local/share/containers/storage/volumes/shaarli-data", "failed": true, "msg": "chown failed: [Errno 1] Operation not permitted: b\'/home/deploy/.local/share/containers/storage/volumes/shaarli-data\'", "exception": " File \\"/tmp/user/1000/ansible_ansible.builtin.file_payload_5wvc3rve/ansible_ansible.builtin.file_payload.zip/ansible/module_utils/basic.py\\", line 833, in set_owner_if_different\\n os.lchown(b_path, uid, -1)\\n", "uid": 100099, "gid": 100100, "owner": "100099", "group": "100100", "mode": "0755", "state": "directory", "size": 4096, "invocation": {"module_args": {"state": "directory", "owner": "100", "group": "101", "path": "/home/deploy/.local/share/containers/storage/volumes/shaarli-data", "recurse": false, "force": false, "follow": true, "modification_time_format": "%Y%m%d%H%M.%S", "access_time_format": "%Y%m%d%H%M.%S", "unsafe_writes": false, "_original_basename": null, "_diff_peek": null, "src": null, "modification_time": null, "access_time": null, "mode": null, "seuser": null, "serole": null, "selevel": null, "setype": null, "attributes": null}}}\n', b'')
<podman1.xinit.se> Failed to connect to the host via ssh:
The full traceback is:
File "/tmp/user/1000/ansible_ansible.builtin.file_payload_5wvc3rve/ansible_ansible.builtin.file_payload.zip/ansible/module_utils/basic.py", line 833, in set_owner_if_different
os.lchown(b_path, uid, -1)
failed: [podman1.xinit.se] (item=~/.local/share/containers/storage/volumes/shaarli-data) => {
"ansible_loop_var": "item",
"changed": false,
"gid": 100100,
"group": "100100",
"invocation": {
"module_args": {
"_diff_peek": null,
"_original_basename": null,
"access_time": null,
"access_time_format": "%Y%m%d%H%M.%S",
"attributes": null,
"follow": true,
"force": false,
"group": "101",
"mode": null,
"modification_time": null,
"modification_time_format": "%Y%m%d%H%M.%S",
"owner": "100",
"path": "/home/deploy/.local/share/containers/storage/volumes/shaarli-data",
"recurse": false,
"selevel": null,
"serole": null,
"setype": null,
"seuser": null,
"src": null,
"state": "directory",
"unsafe_writes": false
}
},
"item": "~/.local/share/containers/storage/volumes/shaarli-data",
"mode": "0755",
"owner": "100099",
"path": "/home/deploy/.local/share/containers/storage/volumes/shaarli-data",
"size": 4096,
"state": "directory",
"uid": 100099
}
MSG:
chown failed: [Errno 1] Operation not permitted: b'/home/deploy/.local/share/containers/storage/volumes/shaarli-data'
to retry, use: --limit @/home/live/GIT/ansible-playbook-infra.git/playbook.retry
PLAY RECAP *********************************************************************
podman1.xinit.se : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
Additional environment details (AWS, VirtualBox, physical, etc.):
- Controller and host running Debian 11
- Controller on physical machine/desktop
- Host running in KVM VM (libvirt)
- ansible installed in virtualenv via pip3
- trying to test/implement this procedure through ansible
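
The ID arithmetic behind the 100099/100100 owners in the manual podman unshare run above, as an added example that is not part of the original report or of the collection's code. The map is copied from the idMappings in the podman info output; the function names and the simplified host-side chown rule (no CAP_CHOWN, owner change only) are assumptions made for illustration.

```python
from typing import List, NamedTuple, Optional


class IdMap(NamedTuple):
    container_id: int  # first ID as seen inside the user namespace
    host_id: int       # first ID as seen on the host
    size: int          # number of consecutive IDs in the range


# Copied from idMappings in the `podman info --debug` output above;
# uidmap and gidmap are identical on that host.
ID_MAPS = [IdMap(0, 1000, 1), IdMap(1, 100000, 65536)]


def to_host(container_id: int, maps: List[IdMap] = ID_MAPS) -> Optional[int]:
    """Translate an ID used inside `podman unshare` to the ID stored on disk."""
    for m in maps:
        if m.container_id <= container_id < m.container_id + m.size:
            return m.host_id + (container_id - m.container_id)
    return None  # unmapped: chown to this ID fails inside the namespace


def to_container(host_id: int, maps: List[IdMap] = ID_MAPS) -> Optional[int]:
    """Translate an on-disk ID to what a process inside the namespace sees."""
    for m in maps:
        if m.host_id <= host_id < m.host_id + m.size:
            return m.container_id + (host_id - m.host_id)
    return None  # unmapped: shown as the overflow ID (nobody) inside


def host_chown_permitted(caller_uid: int, file_uid: int, new_uid: int) -> bool:
    """Simplified kernel rule for a process without CAP_CHOWN (assumption:
    only the owner field changes): only a no-op on an owned file passes."""
    return caller_uid == file_uid == new_uid


def plan_chown(owner: int, group: int, file_uid: int, caller_uid: int = 1000):
    """What the task's owner/group values mean in each execution context."""
    return {
        # Inside the namespace the caller is mapped root and may chown to any
        # mapped ID; these are the IDs that end up on disk.
        "inside_userns_on_disk": (to_host(owner), to_host(group)),
        # Outside the namespace the same numbers are taken as host IDs.
        "outside_userns_permitted": host_chown_permitted(caller_uid, file_uid, owner),
    }


if __name__ == "__main__":
    # owner: 100 / group: 101 from the task, directory still owned by deploy (1000)
    print(plan_chown(100, 101, file_uid=1000))
```
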