
Role always requires being executed by a 'sudoer' (at least on Ubuntu/Debian) since the first thing it does is run 'apt update'

Open vladzcloudius opened this issue 6 months ago • 7 comments

Playbook:

---
- hosts: localhost
  any_errors_fatal: true
  vars:
    docker_rootful: false
    docker_rootful_enabled: false

  tasks:
    - name: Include the konstruktoid.docker_rootless role
      ansible.builtin.import_role:
        name: konstruktoid.docker_rootless

STDOUT:

ansible-playbook [core 2.17.11]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/kuku/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /home/kuku/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible-playbook
  python version = 3.10.12 (main, Feb  4 2025, 14:57:36) [GCC 11.4.0] (/usr/bin/python3)
  jinja version = 3.0.3
  libyaml = True
Using /etc/ansible/ansible.cfg as config file
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
statically imported: /home/kuku/.ansible/roles/konstruktoid.docker_rootless/tasks/pre.yml
statically imported: /home/kuku/.ansible/roles/konstruktoid.docker_rootless/tasks/manage_user.yml
statically imported: /home/kuku/.ansible/roles/konstruktoid.docker_rootless/tasks/docker_install_rootful.yml
statically imported: /home/kuku/.ansible/roles/konstruktoid.docker_rootless/tasks/docker_service_rootful.yml
statically imported: /home/kuku/.ansible/roles/konstruktoid.docker_rootless/tasks/docker_install_rootless.yml
statically imported: /home/kuku/.ansible/roles/konstruktoid.docker_rootless/tasks/docker_service.yml
statically imported: /home/kuku/.ansible/roles/konstruktoid.docker_rootless/tasks/docker_compose.yml
statically imported: /home/kuku/.ansible/roles/konstruktoid.docker_rootless/tasks/bashrc.yml
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.

PLAYBOOK: install_rootless_docker.yml ******************************************************************************************************************************************************************************
1 plays in ./install_rootless_docker.yml

PLAY [localhost] ***************************************************************************************************************************************************************************************************

TASK [Gathering Facts] *********************************************************************************************************************************************************************************************
task path: /home/kuku/install_rootless_docker.yml:2
ok: [localhost]

TASK [konstruktoid.docker_rootless : Run apt update] ***************************************************************************************************************************************************************
task path: /home/kuku/.ansible/roles/konstruktoid.docker_rootless/tasks/pre.yml:7
fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "sudo: a password is required\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

PLAY RECAP *********************************************************************************************************************************************************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

The code that fails:

Image

So, at least a README.md update is required.

P.S. Love your work! Thank you!

vladzcloudius avatar May 14 '25 21:05 vladzcloudius

Thank you for the kind words @vladzcloudius!

And you are correct, the pre and manage_user tasks require become since they create a user and install packages. I'll update the role later tonight so the use of those tasks becomes optional.

konstruktoid avatar May 15 '25 11:05 konstruktoid

I merged https://github.com/konstruktoid/ansible-role-docker-rootless/pull/585 and you should be able to run it with --skip-tags privileged now

konstruktoid avatar May 15 '25 21:05 konstruktoid

I merged #585 and you should be able to run it with --skip-tags privileged now

Thanks. Ideally the Role would identify by itself that it can't execute privileged tasks.

vladzcloudius avatar May 16 '25 19:05 vladzcloudius

How would it do that? And the role needs to have the option of installing required packages, creating the user and such, since it should be possible to run it on a new system.

konstruktoid avatar May 16 '25 21:05 konstruktoid

How would it do that? And the role needs to have the option of installing required packages, creating the user and such, since it should be possible to run it on a new system.

There are many ways. For example: try to run a simple command that requires sudo, e.g. ls /root, using become: true and ignore_errors: true, and then analyze the result of the execution.

Try running this as a sudoer and as not a sudoer:

---

- hosts: localhost
  gather_facts: no
  tasks:
  # Probe: run a command that only works with root privileges, but do not
  # abort the play if it fails; the registered result is inspected next.
  - name: Probe whether privilege escalation works
    shell: |
      ls -al /root
    register: _result
    become: true
    ignore_errors: true

  - name: Verify that we were run by a sudoer
    fail:
      msg: "We are executed not by a sudoer!"
    when: _result.failed

  - debug:
      msg: "We are executed by a sudoer!"

On top of that, you may also add certain variables that would make the Role error out if sudoer permissions were expected but not provided, e.g. install_dependencies: <true|false> or create_users: <true|false>.

Doing sanity checking early in the play, before you make any change to the system state, is a nice thing in general and will also remove otherwise cumbersome error handling and roll-backs in the Role along the way.

vladzcloudius avatar May 16 '25 22:05 vladzcloudius

Sure that's one way to do it, and then set it as a fact. Well, perhaps not using ignore_errors (https://ansible.readthedocs.io/projects/lint/rules/ignore-errors/), but I also feel it's kind of a messy way to do it. For example if you have sudo permissions but don't actually want to install everything and so on.

Since people haven't (obviously) brought it up earlier, I haven't given this much thought, but I think to replace the privileged tag with variables is the way forward.

konstruktoid avatar May 16 '25 22:05 konstruktoid

https://github.com/konstruktoid/ansible-role-docker-rootless/pull/587 has been merged, with three new variables:

configure_sysctl: true
create_docker_user: true
install_dependencies: true

konstruktoid avatar May 19 '25 20:05 konstruktoid
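The pre-flight check discussed above, written as an added example rather than code from the role or from either participant: it probes privilege escalation without ignore_errors, records the outcome as a fact, and only fails when one of the three variables introduced in #587 actually calls for privileged work. The task names, the can_become fact and the _become_probe variable are assumptions of this example.

```yaml
---
# Added example, not part of the konstruktoid.docker_rootless role.
# Fails early, before any system change, when privileged tasks are
# requested but sudo is unavailable (e.g. "sudo: a password is required").
- hosts: localhost
  gather_facts: false
  vars:
    # Same variable names as the role's #587; defaults chosen for the example.
    install_dependencies: true
    create_docker_user: true
    configure_sysctl: true
  tasks:
    - name: Probe whether privilege escalation is available
      ansible.builtin.command: id -u
      become: true
      register: _become_probe
      changed_when: false
      failed_when: false   # keep the result instead of aborting (no ignore_errors)

    - name: Record the outcome as a fact for later tasks
      ansible.builtin.set_fact:
        # On a become failure the result has rc=1 and no stdout key, hence the default.
        can_become: "{{ _become_probe.rc == 0 and (_become_probe.stdout | default('') | trim) == '0' }}"

    - name: Fail early if privileged work was requested but cannot be performed
      ansible.builtin.assert:
        that:
          - >-
            can_become | bool or not
            (install_dependencies | bool or create_docker_user | bool or configure_sysctl | bool)
        fail_msg: >-
          install_dependencies, create_docker_user or configure_sysctl is enabled but this host
          cannot escalate privileges ({{ _become_probe.module_stderr | default('') | trim }}).
          Re-run with --ask-become-pass or set those variables to false.
        success_msg: "Privilege check passed (can_become={{ can_become }})"
```

Running this as a non-sudoer with the three variables left true stops the play at the assert; setting all three to false lets it continue unprivileged.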