refactor: use getsubids to check subuid and subgid
Use the command `getsubids` to check the subuid and subgid if
available.  This allows the use of identity management to provide
the subuid and subgid.

Signed-off-by: Rich Megginson <[email protected]>
richm committed Jul 26, 2023
1 parent d481bcb commit 38111be
Showing 3 changed files with 57 additions and 32 deletions.
9 changes: 6 additions & 3 deletions README.md
Expand Up @@ -35,9 +35,12 @@ restrictions:
* They must be already present on the system - the role will not create the
users or groups - the role will exit with an error if a non-existent user or
group is specified
* They must already exist in `/etc/subuid` and `/etc/subgid` - the role will
exit with an error if a specified user is not present in `/etc/subuid`, or if
a specified group is not in `/etc/subgid`
* They must already exist in `/etc/subuid` and `/etc/subgid`, or are otherwise
provided by your identity management system - the role will exit with an error
if a specified user is not present in `/etc/subuid`, or if a specified group
is not in `/etc/subgid`. The role uses `getsubids` to check the user and
group if available, or checks the files directly if `getsubids` is not
available.

## Role Variables

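Review bot: the rewritten second bullet mixes moods ("They must already exist in ... or are otherwise provided by your identity management system"); suggest "or must otherwise be provided by your identity management system". The sentence that follows still says the role exits with an error if a user "is not present in `/etc/subuid`", which no longer describes the `getsubids` path introduced in this commit; suggest wording such as "if a specified user or group has no subordinate ID range", and move the "The role uses `getsubids` to check ..." sentence ahead of it so the direct file check reads as the fallback rather than the primary behaviour.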
75 changes: 47 additions & 28 deletions tasks/handle_user_group.yml
Expand Up @@ -38,38 +38,57 @@
__podman_group_name: "{{ ansible_facts['getent_group'].keys() |
list | first }}"

- name: Check if user is in subuid file
find:
path: /etc
pattern: subuid
use_regex: true
contains: "^{{ __podman_user }}:.*$"
register: __podman_uid_line_found
when: __podman_user not in ["root", "0"]
- name: See if getsubids exists
stat:
path: /usr/bin/getsubids
register: __podman_stat_getsubids

- name: Fail if user not in subuid file
fail:
msg: >
The given podman user [{{ __podman_user }}] is not in the
/etc/subuid file - cannot continue
# does not work for root
- name: Use getsubids if available
when:
- __podman_user not in ["root", "0"]
- not __podman_uid_line_found.matched
- __podman_stat_getsubids.stat.exists
block:
- name: Check user with getsubids
command: getsubids {{ __podman_user | quote }}
changed_when: false

- name: Check if group is in subgid file
find:
path: /etc
pattern: subgid
use_regex: true
contains: "^{{ __podman_group_name }}:.*$"
register: __podman_gid_line_found
when: __podman_group not in ["root", "0"]
- name: Check group with getsubids
command: getsubids -g {{ __podman_group_name | quote }}
changed_when: false

- name: Fail if group not in subgid file
fail:
msg: >
The given podman group [{{ __podman_group_name }}] is not in the
/etc/subgid file - cannot continue
- name: Check subuid, subgid files if no getsubids
when:
- not __podman_stat_getsubids.stat.exists
- __podman_user not in ["root", "0"]
- __podman_group not in ["root", "0"]
- not __podman_gid_line_found.matched
block:
- name: Check if user is in subuid file
find:
path: /etc
pattern: subuid
use_regex: true
contains: "^{{ __podman_user }}:.*$"
register: __podman_uid_line_found

- name: Fail if user not in subuid file
fail:
msg: >
The given podman user [{{ __podman_user }}] is not in the
/etc/subuid file - cannot continue
when: not __podman_uid_line_found.matched

- name: Check if group is in subgid file
find:
path: /etc
pattern: subgid
use_regex: true
contains: "^{{ __podman_group_name }}:.*$"
register: __podman_gid_line_found

- name: Fail if group not in subgid file
fail:
msg: >
The given podman group [{{ __podman_group_name }}] is not in the
/etc/subgid file - cannot continue
when: not __podman_gid_line_found.matched
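Review bot: the root guards no longer match the old per-task conditions. The "Use getsubids if available" block is gated only on `__podman_user not in ["root", "0"]`, yet it also runs `getsubids -g {{ __podman_group_name | quote }}`; the previous code guarded the group check with `__podman_group not in ["root", "0"]`, so a root group now reaches `getsubids -g` (the "# does not work for root" comment says why that matters). Conversely, the "Check subuid, subgid files if no getsubids" block requires both user and group to be non-root before either file check runs, so a non-root user paired with the root group now skips the subuid check that previously ran. Suggest keeping the root conditions on the individual tasks (a `when:` on "Check group with getsubids", and separate user/group `when:` clauses inside the fallback block) rather than one combined block condition. Also, the two `command: getsubids ...` tasks rely on the command's exit status alone, so the explicit "is not in the /etc/subuid file - cannot continue" messages are lost on that path; consider `register` plus `failed_when` with a message naming the user or group, as the file-check branch still does.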
5 changes: 4 additions & 1 deletion vars/main.yml
Expand Up @@ -3,7 +3,10 @@
# Put the role's internal variables here that are not distribution specific.
# You can override these by defining the same variable with a different
# value in a platform/version specific file in vars/
__podman_packages: [podman]
# shadow-utils-subid for getsubids
__podman_packages:
- podman
- shadow-utils-subid

# Default values to use when creating host directories for bind mounts
# User can override these in podman_host_directories
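Review bot: `shadow-utils-subid` is added to `__podman_packages` in the file whose header comment says it holds variables that are "not distribution specific", while tasks/handle_user_group.yml still tests for `/usr/bin/getsubids` and falls back to reading the files. If the package is unavailable under that name on some supported platform, the package install would fail before the fallback is ever reached, making the fallback dead code there. Suggest moving the package to the platform/version specific files in vars/ for the platforms that ship it, and noting in README.md that the role now installs it.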