Ansible Automation Platform RFEs: AAPRFE-1382

ansible-navigator loses access to the mounted shared directory as container is setting "nobody" permission for rootless user.


    • Type: Feature Request
    • Resolution: Unresolved
    • Priority: Normal
    • 2.4
    • ansible-dev-tools

      We require a feature enhancement to enable rootless users to access mounted directories when they are part of the associated group, even if it's set as a secondary group. Currently, when a user is part of the group as a secondary group, container permissions default to "nobody," restricting access. However, if the user is part of the group as the primary group, the container recognizes them.

      This limitation is impacting the functionality of Ansible Navigator, as rootless users are unable to access the mounted directory. Therefore, we seek a solution that allows rootless users to effectively access mounted directories when they are members of the appropriate group, irrespective of their group status.


      Steps to reproduce:

      If I create a /evidences folder with the ownership and permissions below:

      [rhel@code-server ~]$ ls -ld /evidences
      drwxrwx---. 2 rhel rhel 6 Apr 29 15:17 /evidences

      and then create a new user "ken" and set rhel as a secondary group, like below:

      [rhel@code-server ~]$ id ken
      uid=1008(ken) gid=1009(ken) groups=1009(ken),1002(rhel)

      and then run a podman command as the ken user:

      [ken@code-server ~]$ podman run --security-opt label=disable -v /evidences:/evidences:rw -it registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel8 /bin/bash
      bash-4.4# ls -ld /evidences
      drwxr-xr-x. 2 nobody nobody 6 Apr 29 15:17 /evidences

      It then shows nobody:nobody as the ownership inside the container.

      If I set the rhel group as the primary group of the ken user, it shows me the container permissions below:

      [ken@code-server ~]$ podman run --security-opt label=disable -v /evidences:/evidences:rw -it registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel8 /bin/bash
      bash-4.4# ls -ld /evidences
      drwxr-xr-x. 2 nobody root 6 Apr 29 15:17 /evidences

      This is expected: the user should be nobody, since the user ownership is with rhel, but as ken is part of the group "rhel" the container assigned root permissions; the same is not applicable with a secondary group.

      The challenge is that when running ansible outside of a container, the user that runs the playbook has access to the shared directory, but when running the same playbook using ansible-navigator we lose access to the mounted shared directory. It is not always possible to grant access to 'others', as the directory may contain sensitive data.
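As an added illustration (not code from the RFE, podman or ansible-navigator), the following Python models the rootless user-namespace mapping that produces the nobody:nobody listing in the reproduction steps, and separates what the container displays from the kernel's actual access check. The uids, gids and directory mode are the ones shown above; the subuid/subgid range (starting at 100000, 65536 ids) and the crun OCI runtime are assumptions.

```python
"""Model of how rootless podman maps host uids/gids into the container's
user namespace, and why a bind-mounted directory that is reachable only
through a secondary group is lost inside the container.

Added illustration for this RFE, not code from ansible-navigator or podman.
Assumptions not on the page: ken's /etc/subuid and /etc/subgid ranges
start at 100000 with 65536 ids, and the OCI runtime is crun.
"""
from dataclasses import dataclass

OVERFLOW_ID = 65534  # unmapped ids are displayed as this id, i.e. "nobody"


@dataclass(frozen=True)
class RootlessUser:
    """Host identity of the user running `podman run`."""
    uid: int
    gid: int                 # primary group on the host
    groups: tuple            # all host groups, primary included
    sub_start: int = 100000  # assumption: first id in /etc/subuid and /etc/subgid
    sub_count: int = 65536   # assumption: size of that range

    def _map(self, host_id: int, own_id: int) -> int:
        # container id 0 <- the user's own id
        # container ids 1..N <- the sub-id range
        # anything else is unmapped and shows as the overflow id
        if host_id == own_id:
            return 0
        if self.sub_start <= host_id < self.sub_start + self.sub_count:
            return host_id - self.sub_start + 1
        return OVERFLOW_ID

    def map_uid(self, host_uid: int) -> int:
        return self._map(host_uid, self.uid)

    def map_gid(self, host_gid: int) -> int:
        return self._map(host_gid, self.gid)


def display_name(container_id: int) -> str:
    """How an id is rendered inside a container whose /etc/passwd and
    /etc/group only know root and nobody (other ids print numerically)."""
    if container_id == 0:
        return "root"
    if container_id == OVERFLOW_ID:
        return "nobody"
    return str(container_id)


def container_owner(user: RootlessUser, host_uid: int, host_gid: int) -> str:
    """The owner:group that `ls -ld` prints inside the container for a
    bind-mounted path owned by host_uid:host_gid."""
    owner = display_name(user.map_uid(host_uid))
    group = display_name(user.map_gid(host_gid))
    return f"{owner}:{group}"


def can_access(user, dir_uid, dir_gid, mode, keep_groups, want=0o5):
    """Kernel permission check for the container's root process (container
    uid 0 is the host user). The kernel checks the process's host
    credentials, so what `ls` displays is irrelevant; what matters is which
    groups the process still holds. Without keep-groups the runtime calls
    setgroups() and the unmapped host supplementary groups are dropped; with
    `--group-add keep-groups` (crun) they are retained. `want` defaults to
    r+x, which is what listing and entering a directory needs."""
    held = set(user.groups) if keep_groups else {user.gid}
    if dir_uid == user.uid:
        bits = (mode >> 6) & 0o7
    elif dir_gid in held:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return bits & want == want


# Values from the RFE: /evidences is rhel:rhel (1002:1002) mode 0770,
# ken is uid 1008 with primary gid 1009 and rhel (1002) as a secondary group.
EVIDENCES = (1002, 1002, 0o770)
KEN_SECONDARY = RootlessUser(uid=1008, gid=1009, groups=(1009, 1002))
KEN_PRIMARY = RootlessUser(uid=1008, gid=1002, groups=(1002, 1009))

if __name__ == "__main__":
    uid, gid, mode = EVIDENCES
    for label, ken in (("rhel as secondary group", KEN_SECONDARY),
                       ("rhel as primary group", KEN_PRIMARY)):
        print(f"{label}: ls shows {container_owner(ken, uid, gid)}, "
              f"access={can_access(ken, uid, gid, mode, keep_groups=False)}, "
              f"access with keep-groups={can_access(ken, uid, gid, mode, keep_groups=True)}")
```

The point the model makes is that the listing and the access check are independent: with `podman run --group-add keep-groups` (supported by the crun runtime, not runc) the bind mount still lists as nobody:nobody, but the process keeps its host supplementary groups and the kernel grants the group's rwx bits, so 'others' does not have to be opened up on the directory. For ansible-navigator the same flag can be passed through the `execution-environment.container-options` list in ansible-navigator.yml, for example `container-options: ["--group-add=keep-groups"]`. Because keep-groups retains every host group of the invoking user inside the container, it is worth scoping to the execution environments that need the shared directory rather than setting it globally.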

      Tim Appnel (rht-tima)
      Neha Chugh (rhn-support-nchugh)
      Votes: 0
      Watchers: 3