ansible-navigator
Running ansible-navigator from a non-root account causes error
ISSUE TYPE
- Bug Report
SUMMARY
There is an issue with ansible-navigator, or possibly podman, when using su or su - to switch from the root user to an unprivileged user and then attempting to run the ansible-navigator command.
ANSIBLE-NAVIGATOR VERSION
ansible-navigator 2.2.0
CONFIGURATION
ansible-navigator:
execution-environment:
image: ansible-automation-platform-22/ee-supported-rhel8:latest
pull:
policy: missing
playbook-artifact:
enable: false
LOG FILE
https://gist.github.com/noelmiller/410131a2ffc51e756bef00dcd8e9af0f
STEPS TO REPRODUCE
- Connect to the ansible control node server using the root account over ssh: ssh root@control-node
- Do one of the following to switch to the unprivileged user account:
- su user
- su - user
- su --login user
- Navigate to the directory with the relevant ansible-navigator.yml config
- Run ansible-navigator (or any subcommand)
- You will receive the error I listed above
EXPECTED RESULTS
I expect the interactive ansible-navigator TUI to appear, but instead I get the error below.
ACTUAL RESULTS
-------------------------------------------------------------------------------------------
Execution environment image and pull policy overview
-------------------------------------------------------------------------------------------
Execution environment image name: ansible-automation-platform-22/ee-supported-rhel8:latest
Execution environment image tag: latest
Execution environment pull arguments: None
Execution environment pull policy: missing
Execution environment pull needed: True
-------------------------------------------------------------------------------------------
Updating the execution environment
-------------------------------------------------------------------------------------------
Running the command: podman pull ansible-automation-platform-22/ee-supported-rhel8:latest
WARN[0000] RunRoot is pointing to a path (/run/user/1000/containers) which is not writable. Most likely podman will fail.
Error: default OCI runtime "crun" not found: invalid argument
Error: Execution environment pull failed
Hint: Check the execution environment image name, connectivity to and
permissions for the registry, and try again
ADDITIONAL INFORMATION
This could be an issue with podman itself, I did find another resolved github issue talking about switching user from root to unprivileged user here: https://github.com/containers/podman/issues/8052
Update
I did some additional testing today and I think this is an issue with podman itself and not necessarily ansible-navigator.
Podman Version
podman version 4.4.1
OS Version
Red Hat Enterprise Linux release 9.1 (Plow)
STEPS TO REPRODUCE
- Connect to ansible control node server using root account using ssh: ssh root@control-node
- Do one of the following to switch to the unprivileged user account:
- su user
- su - user
- su --login user
- Run
podman run docker.io/hello-world
Expected Results
Trying to pull docker.io/library/hello-world:latest...
Getting image source signatures
Copying blob 719385e32844 done
Copying config 9c7a54a9a4 done
Writing manifest to image destination
Storing signatures
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
(amd64)
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker ID:
https://hub.docker.com/
For more examples and ideas, visit:
https://docs.docker.com/get-started/
Actual Results
When running after su user
ERRO[0000] XDG_RUNTIME_DIR directory "/run/user/0" is not owned by the current user
When running after su - user
WARN[0000] RunRoot is pointing to a path (/run/user/1000/containers) which is not writable. Most likely podman will fail.
Error: default OCI runtime "crun" not found: invalid argument
When running after su --login user
WARN[0000] RunRoot is pointing to a path (/run/user/1000/containers) which is not writable. Most likely podman will fail.
Error: default OCI runtime "crun" not found: invalid argument
One more additional thing I will add.
When you login directly over SSH as the unprivileged user, it does map the XDG_RUNTIME_DIR correctly and the container will pull or run properly.
ssh user@ansible-control-node
echo $XDG_RUNTIME_DIR
/run/user/1000
podman run docker.io/hello-world
Trying to pull docker.io/library/hello-world:latest...
Getting image source signatures
Copying blob 719385e32844 done
Copying config 9c7a54a9a4 done
Writing manifest to image destination
Storing signatures
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
(amd64)
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker ID:
https://hub.docker.com/
For more examples and ideas, visit:
https://docs.docker.com/get-started/
When doing a su user from the root user, it does not map the XDG_RUNTIME_DIR correctly. It is mapped to the root user's value.
echo $XDG_RUNTIME_DIR
/run/user/0
When doing a su - user from the root user, it does not map the XDG_RUNTIME_DIR at all; it's completely blank.
echo $XDG_RUNTIME_DIR
When doing a su --login user from the root user, it does not map the XDG_RUNTIME_DIR at all; it's completely blank.
echo $XDG_RUNTIME_DIR
If you attempt to map the XDG_RUNTIME_DIR manually, it still gives a similar error.
XDG_RUNTIME_DIR=/run/user/1000
echo $XDG_RUNTIME_DIR
/run/user/1000
podman run docker.io/hello-world
WARN[0000] Failed to get rootless runtime dir for DefaultAPIAddress: lstat /run/user/1000: no such file or directory
WARN[0000] RunRoot is pointing to a path (/run/user/1000/containers) which is not writable. Most likely podman will fail.
Error: default OCI runtime "crun" not found: invalid argument
Final update and I will take a break from troubleshooting this. It appears to me that it is potentially a problem with the su command and how it interacts with environment variables related to podman.
I just did a test where I have 2 unprivileged users (bob and sally) and I use the su and su - [username] commands to switch between those users. It mimics the issues I was having when switching from the root account to a user account: it does not properly remap the XDG_RUNTIME_DIR variable (among other things, probably).
When doing a su sally from the bob user, it does not map the XDG_RUNTIME_DIR correctly. It is mapped to the bob user's value.
echo $XDG_RUNTIME_DIR
/run/user/1001 # bob's value
When doing a su - sally from the bob user, it does not map the XDG_RUNTIME_DIR at all; it's completely blank.
echo $XDG_RUNTIME_DIR
It appears the podman team is aware of this bug and looking for a better way to warn users of the potential pitfall of using su or sudo to run rootless podman: https://github.com/containers/podman/issues/14603
I personally would like to understand why there can't be a permanent fix for this issue or what is preventing su working properly with podman
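As an added diagnostic (not from the issue author, podman or ansible-navigator), the POSIX shell function below classifies the XDG_RUNTIME_DIR states observed across this issue: blank after su - / su --login, inherited from the previous user (/run/user/0, or bob's /run/user/1001) after plain su, and set by hand to the right path while the directory was never created because no login session exists. The function name, the one-word labels it prints and the optional third argument (a base directory other than /run/user, used only for testing) are this example's own conventions, not podman's.

```shell
#!/bin/sh
# Added diagnostic for the rootless podman runtime-dir problem described in
# this issue; not part of podman, ansible-navigator or the issue itself.
# Arguments:
#   $1  value of XDG_RUNTIME_DIR (may be empty)
#   $2  numeric uid of the current user
#   $3  optional base directory (default /run/user; overridable for tests)
# Prints one label and returns 0 only for the healthy state:
#   unset     variable blank (seen after "su - user" / "su --login user")
#   foreign   points at another user's dir (plain "su user": /run/user/0)
#   missing   correct path but no directory (exported by hand without a
#             login session: "lstat /run/user/1000: no such file")
#   notowned  directory exists but is not owned by this uid
#   readonly  directory is owned by this uid but not writable
#   ok        usable rootless runtime dir
diagnose_runtime_dir() {
    xdg=$1
    uid=$2
    base=${3:-/run/user}
    expected="$base/$uid"

    if [ -z "$xdg" ]; then
        echo unset
        return 1
    fi
    if [ "$xdg" != "$expected" ]; then
        echo foreign
        return 1
    fi
    if [ ! -d "$xdg" ]; then
        echo missing
        return 1
    fi
    # find -prune stops at the path itself; -user accepts a numeric uid.
    if [ -z "$(find "$xdg" -prune -user "$uid" -print 2>/dev/null)" ]; then
        echo notowned
        return 1
    fi
    if [ ! -w "$xdg" ]; then
        echo readonly
        return 1
    fi
    echo ok
    return 0
}

# When run as a script, report on the calling shell's environment. The "if"
# keeps a non-zero result from aborting a caller that runs under "set -e".
if diagnose_runtime_dir "${XDG_RUNTIME_DIR:-}" "$(id -u)"; then
    :
else
    echo "rootless podman will not work from this shell; a direct login as" \
         "the target user (e.g. over ssh) sets up the runtime dir properly" >&2
fi
```

Run it after each of the su variants above and before the direct ssh login to see the label change from foreign/unset/missing to ok; any label other than ok predicts the RunRoot / crun errors shown in the issue.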