I'm experimenting with podman rootless. Users in containers get assigned a subuid / subgid space from the host. Files created or updated by a user in the container environment belong to that user id space, which doesn't exist on the host.
That's where I'm currently stuck. I can calculate the subuid with Ansible and ease access to the container-owned files with ACLs, but I can't get Ansible to write out a Jinja template and chown it to a user that doesn't exist on the host. I also don't want to work around this by creating a dummy user with a matching UID on the host, since that would probably undermine the security advantages / the rootless concept.
Here is the task:
- name: copy hass main config to storage
  become: yes
  template:
    src: configuration.yaml.j2
    dest: "{{ hass_data_dir }}/configuration.yaml"
    owner: "{{ stat_container_base_dir }}.uid"
    group: "{{ stat_container_base_dir }}.gid"
    mode: 0640
And the error message when running the task:
TASK [server/smarthome/homeassistant/podman : copy hass main config to storage] ************************************************************************************************************************
fatal: [odroid]: FAILED! =>
  changed: false
  checksum: 20c59b4a12d4ebe52a3dd191a80a5091d8e6dc0c
  gid: 0
  group: root
  mode: '0640'
  msg: 'chown failed: failed to look up user {''changed'': False, ''stat'': {''exists'':
    True, ''path'': ''/home/homeassistant/container'', ''mode'': ''0770'', ''isdir'':
    True, ''ischr'': False, ''isblk'': False, ''isreg'': False, ''isfifo'': False,
    ''islnk'': False, ''issock'': False, ''uid'': 363147, ''gid'': 362143, ''size'':
    4096, ''inode'': 4328211, ''dev'': 45826, ''nlink'': 3, ''atime'': 1669416005.068732,
I tried to find help in the module documentation at: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/template_module.html
My Ansible version is: ansible [core 2.13.1]
As you can see in the error message, Ansible is missing a user with UID 363147 on the host.
Is there any way to circumvent the check of whether a user exists in ansible.builtin.template and similar modules that allow user assignment with owner: and group:?
The only workaround I found was using command, but with the need for templates, complexity would increase, since I'd have to render Jinja templates without the Ansible template module.
I would appreciate it if I had simply missed an existing option; otherwise I would like to create a pull request for an option like:
ignore_usercheck: true or validate_user: false
Hope you can help me out here :)
After all, this was only a misleading error message, not a missing feature in Ansible.
I tested with the debug module and found out that the values of stat have to be accessed from inside the curly brackets. What Ansible got was the whole string content of stat, not just the UID. User IDs that don't exist on the host can be assigned.
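As an added example (not the original poster's task), here is the corrected form of the play: the stat task that registers the variable, a debug task of the kind used to find the problem, the template task with the attribute access moved inside the braces, and a final check that the file is owned by the subuid. The path /home/homeassistant/container is taken from the error output; hass_data_dir is assumed to be defined as in the question.

```yaml
# Added example, not the original task. Assumes hass_data_dir is defined and
# that /home/homeassistant/container is the rootless container base directory
# (path taken from the error output above).
- name: stat the container base dir (owned by a subuid/subgid of the rootless user)
  become: yes
  ansible.builtin.stat:
    path: /home/homeassistant/container
  register: stat_container_base_dir

- name: show exactly what the template task will receive as owner/group
  ansible.builtin.debug:
    msg: >-
      owner={{ stat_container_base_dir.stat.uid }}
      group={{ stat_container_base_dir.stat.gid }}

- name: copy hass main config to storage
  become: yes
  ansible.builtin.template:
    src: configuration.yaml.j2
    dest: "{{ hass_data_dir }}/configuration.yaml"
    # .stat.uid / .stat.gid inside the braces: Ansible receives the bare
    # number (363147 in the question), not the rendered dict followed by ".uid"
    owner: "{{ stat_container_base_dir.stat.uid }}"
    group: "{{ stat_container_base_dir.stat.gid }}"
    mode: "0640"

- name: verify the file ended up owned by the subuid, not by root
  become: yes
  ansible.builtin.stat:
    path: "{{ hass_data_dir }}/configuration.yaml"
  register: hass_config_stat
  failed_when: hass_config_stat.stat.uid != stat_container_base_dir.stat.uid
```

The numeric owner works without a passwd entry because Ansible's file handling first tries to interpret owner: as an integer and only falls back to a user-name lookup (the "failed to look up user" path) when that fails; the original expression rendered to a string beginning with "{'changed': False, ..." which is not an integer, so the lookup ran and failed. Quoting the mode ("0640") avoids YAML reading an unquoted 0640 as a number.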