
Rootless container deployment fails when placing systemd unit file #58

Open
benblasco opened this issue Aug 8, 2022 · 7 comments

@benblasco

I am trying to deploy a rootless container and have encountered the following issue during the deployment:

TASK [ikke_t.podman_container_systemd : create systemd service file for container: jenkins] *****************************
fatal: [localhost]: FAILED! => {"changed": false, "checksum": "630539e436b8ae828bcba4e209bcb97e0879d356", "gid": 1000, "group": "bblasco", "mode": "0644", "msg": "chown failed: [Errno 1] Operation not permitted: b'/home/bblasco/.config/systemd/user/jenkins-container-pod-bblasco.service'", "owner": "bblasco", "path": "/home/bblasco/.config/systemd/user/jenkins-container-pod-bblasco.service", "secontext": "unconfined_u:object_r:systemd_unit_file_t:s0", "size": 826, "state": "file", "uid": 1000}

It looks like the task is hard coded to become the container_run_as_user and then attempts to change the ownership of the file to root:root, which is incorrect for a rootless container. See line 198 here: https://github.com/ikke-t/podman-container-systemd/blob/master/tasks/main.yml

  - name: "create systemd service file for container: {{ container_name }}"
    template:
      src: systemd-service-single.j2
      dest: "{{ service_files_dir }}/{{ service_name }}"
      owner: root
      group: root
      mode: 0644
    become: true
    become_user: "{{ container_run_as_user }}"

I have been playing around with changing the owner and group to the relevant variables but the playbook still bombs out here. Is there a problem with switching to container_run_as_user and the underlying chown/chgrp?

Info about my system

@ikke-t
Owner

ikke-t commented Aug 8, 2022

I left the file ownership to root at the time when I created these. I thought it would be better if the service user is not able to modify the files. I thought there is no need for such, so security-wise, why should it be owned by such a service user.

But this pops up every now and then, so perhaps it would be better to make it optional. If you are willing, please create a PR with an option for the service user to own the config files.

In such a way that the file owner would then alternatively be the container user or root.
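One way to implement the option described above, as an added example that is not the role's own code: a role default, assumed here to be named `service_files_owned_by_user` (false keeps today's root:root behaviour), selects who owns the unit file, and the task only switches to the container user when that user is meant to own the file. This matters because an unprivileged `become_user` cannot chown a file to root, which is exactly the `Errno 1` in the failure above. It also assumes the container user's primary group has the same name as the user (the usual user-private-group setup).

```yaml
# Added example, not code from the podman-container-systemd role.
# Assumes a new role default in defaults/main.yml:
#   service_files_owned_by_user: false
# When true, the unit file is written and owned as the container user;
# when false, it is written as root and stays root:root as before.
- name: "create systemd service file for container: {{ container_name }}"
  template:
    src: systemd-service-single.j2
    dest: "{{ service_files_dir }}/{{ service_name }}"
    # Owner and group follow the option; group name assumed to equal the
    # user name (user private groups), as the gid 1000 / bblasco output shows.
    owner: "{{ container_run_as_user if service_files_owned_by_user | bool else 'root' }}"
    group: "{{ container_run_as_user if service_files_owned_by_user | bool else 'root' }}"
    mode: "0644"
  become: true
  # Never chown to root from an unprivileged account: if the file is to stay
  # root-owned, write it as root; only drop privileges for a user-owned file.
  become_user: "{{ container_run_as_user if service_files_owned_by_user | bool else 'root' }}"
```

Either branch still needs the playbook to run with elevated privileges (`become: yes`), since writing as root or switching to another user both require it.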

@benblasco
Author

benblasco commented Aug 8, 2022 via email

@ikke-t
Owner

ikke-t commented Aug 8, 2022

Do you run the playbook with elevated privileges? It requires them.

@benblasco
Author

Yes, tried with and without. Current playbook status:

- name: ensure jenkins container is running
  hosts: localhost
  connection: local
  become: yes

The error still reads:

TASK [ikke_t.podman_container_systemd : create systemd service file for container: jenkins] *****************************
fatal: [localhost]: FAILED! => {"changed": false, "checksum": "630539e436b8ae828bcba4e209bcb97e0879d356", "gid": 1000, "group": "bblasco", "mode": "0644", "msg": "chown failed: [Errno 1] Operation not permitted: b'/home/bblasco/.config/systemd/user/jenkins-container-pod-bblasco.service'", "owner": "bblasco", "path": "/home/bblasco/.config/systemd/user/jenkins-container-pod-bblasco.service", "secontext": "unconfined_u:object_r:systemd_unit_file_t:s0", "size": 826, "state": "file", "uid": 1000}

The unit file actually does get created and placed correctly, but I think the module still tries to force the ownership and permissions. I have been scratching my head at this one.

@ikke-t
Owner

ikke-t commented Aug 10, 2022

What does the directory look like permission-wise? ls -laZ?

@ikke-t
Owner

ikke-t commented Aug 10, 2022

Mine looks like this:

ikke@fediot ~]$ sudo ls -laZ ../grafana/.config/systemd/user
total 24
drwxr-xr-x. 5 grafana grafana unconfined_u:object_r:config_home_t:s0       4096 Jul 18 08:51 .
drwxr-xr-x. 3 grafana grafana unconfined_u:object_r:config_home_t:s0       4096 Dec 29  2020 ..
drwxr-xr-x. 2 grafana grafana unconfined_u:object_r:systemd_unit_file_t:s0 4096 Jan 24  2021 default.target.wants
-rw-r--r--. 1 root    root    unconfined_u:object_r:systemd_unit_file_t:s0  910 Jul  6 22:23 grafana-container-pod-grafana.service
drwxr-xr-x. 2 grafana grafana unconfined_u:object_r:systemd_unit_file_t:s0 4096 Jan 24  2021 multi-user.target.wants
drwxr-xr-x. 2 grafana grafana unconfined_u:object_r:systemd_unit_file_t:s0 4096 Apr 24  2021 timers.target.wants

@benblasco
Author

benblasco commented Aug 12, 2022

Hi, sorry for the slow reply! Looks like the SELinux contexts and directory perms are all the same.

[bblasco@micro ansible-podman-examples]$ ls -laZ /home/bblasco/.config/systemd/user/
total 4
drwxr-xr-x. 2 bblasco bblasco unconfined_u:object_r:config_home_t:s0        51 Aug  8 14:12 .
drwxr-xr-x. 3 bblasco bblasco unconfined_u:object_r:config_home_t:s0        18 Aug  8 08:52 ..
-rw-r--r--. 1 bblasco bblasco unconfined_u:object_r:systemd_unit_file_t:s0 826 Aug  8 14:12 jenkins-container-pod-bblasco.service
[bblasco@micro ansible-podman-examples]$ 
