- Feature Request
- Resolution: Unresolved
- Normal
- None
- 2.4
- None
- False
- False
- What is the nature and description of the request?
Request: The customer is requesting a feature that adds an option to enable or disable the mounting of the VM's `/etc/ssh/ssh_config.d/` directory inside the container.
The ansible-navigator command is run as a non-root user. Podman mounts the VM's `/etc/ssh/ssh_config.d/` by default, but with the ownership nobody:nobody, which caused ssh to break with "Bad owner or permissions on /etc/ssh/ssh_config.d/01-fcommand.conf" on job execution.
We resolved the issue with a workaround: keeping a copy of `/etc/ssh/ssh_config.d` inside the user's home dir, so that in the container the directory ownership does not get mapped to the nobody:nobody user that causes the "Bad owner or permissions on /etc/ssh/ssh_config.d/01-fcommand.conf" error.
The user used to run a job with ansible-navigator is not root:
~~~
/// User is not awx
$ id
uid=1000(cloud-user) gid=1000(cloud-user) groups=1000(cloud-user),4(adm),1...
/// Files in /etc/ssh/ssh_config.d/ have the correct ownership and permissions for the host system
$ ls -laZ /etc/ssh/ssh_config.d/
total 8
drwxr-xr-x. 2 root root system_u:object_r:etc_t:s0 28 Jul 3 05:56 .
drwxr-xr-x. 4 root root system_u:object_r:etc_t:s0 4096 Aug 27 17:01 ..
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0 581 Jul 3 05:56 50-redhat.conf
/// podman maps the exposed contents to nobody:nobody
$ podman run --rm -ti -v /etc/ssh/ssh_config.d:/etc/ssh/ssh_config.d:O myregistry/ansible-automation-platform-24/ee-minimal-rhel8 ls -laZ /etc/ssh/ssh_config.d/
total 4
drwxr-xr-x. 1 nobody nobody system_u:object_r:container_file_t:s0:c664,c716 6 Sep 17 21:55 .
drwxr-xr-x. 3 root root system_u:object_r:container_file_t:s0:c664,c716 58 May 16 20:28 ..
-rw-r--r--. 1 nobody nobody system_u:object_r:container_file_t:s0:c664,c716 581 Jul 3 09:56 50-redhat.conf
Workaround:
/// Copy /etc/ssh/ssh_config.d/ to the user's home dir as mysshdir
$ cp -vr /etc/ssh/ssh_config.d ~/mysshdir
'/etc/ssh/ssh_config.d' -> '/home/cloud-user/mysshdir'
'/etc/ssh/ssh_config.d/50-redhat.conf' -> '/home/cloud-user/mysshdir/50-redhat.conf'
/// The user's copy of ssh_config.d is owned by the user
$ ls -lZa ~/mysshdir/
total 8
drwxr-xr-x. 2 cloud-user cloud-user unconfined_u:object_r:user_home_t:s0 28 Sep 17 17:58 .
drwx------. 10 cloud-user cloud-user unconfined_u:object_r:user_home_dir_t:s0 4096 Sep 17 17:58 ..
-rw-r--r--. 1 cloud-user cloud-user unconfined_u:object_r:user_home_t:s0 581 Sep 17 17:58 50-redhat.conf
/// Run podman and expose the user's dir instead of the system's /etc/ssh/ssh_config.d/
$ podman run --rm -ti -v ~/mysshdir:/etc/ssh/ssh_config.d:O myregistry/ansible-automation-platform-24/ee-minimal-rhel8 ls -laZ /etc/ssh/ssh_config.d/
total 4
drwxr-xr-x. 1 root root system_u:object_r:container_file_t:s0:c858,c951 6 Sep 17 21:59 .
drwxr-xr-x. 3 root root system_u:object_r:container_file_t:s0:c858,c951 58 May 16 20:28 ..
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0:c858,c951 581 Sep 17 21:58 50-redhat.conf
/// This way, we are able to run ssh successfully
$ podman run --rm -ti -v ~/mysshdir:/etc/ssh/ssh_config.d:O myregistry/ansible-automation-platform-24/ee-minimal-rhel8 ssh myuser@myhost.example.com
[myuser@myhost ~]$ _
~~~~
- Why does the customer need this? (List the business requirements here)
At this moment, there is no solution to having `/etc/ssh/ssh_config.d/` be shared from the host to the container and appear as belonging to uid=0 inside the container, unless you run ansible-navigator as the root user.
In other words, if we run ansible-navigator as the root user, then uid=0 inside the container will be the same as uid=0 outside the container.
When running ansible-navigator as a non-root user, the only way to share `/etc/ssh/ssh_config.d/` and have it owned by uid=0,gid=0 inside the container is your current solution:
~~~
--eev /home/ansible-tbu/navigator-ssh_config.d:/etc/ssh/ssh_config.d:O
~~~
**Note**: Couldn't find the ansible-navigator under component list when filing the RFE. The primary component of this issue is ansible-navigator.
- How would you like to achieve this? (List the functional requirements here)
The customer is requesting a feature that adds an option to enable or disable the mounting of the VM's `/etc/ssh/ssh_config.d/` directory inside the container, to avoid the permission issue on job execution with ansible-navigator.
- List any affected known dependencies: Doc, UI etc..
NA
- Github Link if any
NA
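The ownership change reported above follows from the user-namespace ID map of a rootless container. The sketch below is an added example, not part of the original request and not ansible-navigator or Podman code: it models that mapping together with a simplified form of the owner/mode check behind OpenSSH's "Bad owner or permissions" error. The uid_map contents, the subordinate range starting at 100000, and all function names are assumptions made for illustration.

```python
OVERFLOW_ID = 65534  # kernel default overflow uid ("nobody") for unmapped ids

# Constructed sample of /proc/self/uid_map inside a rootless container started
# by host uid 1000 (assumed subuid range 100000-165535).
# Columns: first id inside the namespace, first id outside, range length.
SAMPLE_UID_MAP = """\
         0       1000          1
         1     100000      65536
"""

def parse_id_map(text):
    """Parse uid_map/gid_map text into (inside, outside, count) tuples."""
    return [tuple(int(f) for f in line.split())
            for line in text.splitlines() if line.strip()]

def host_to_container(host_id, id_map):
    """Return the id a host uid is seen as inside the namespace."""
    for inside, outside, count in id_map:
        if outside <= host_id < outside + count:
            return inside + (host_id - outside)
    return OVERFLOW_ID  # no mapping: the file shows up as nobody

def ssh_accepts(owner_uid, mode, running_uid):
    """Simplified model of the check: the owner must be root or the invoking
    user, and the file must not be group- or world-writable."""
    return owner_uid in (0, running_uid) and (mode & 0o022) == 0

def check_mount(host_owner, mode, id_map, running_uid=0):
    """Owner as seen in the container, and whether ssh (uid 0 there) accepts it."""
    seen = host_to_container(host_owner, id_map)
    return seen, ssh_accepts(seen, mode, running_uid)

if __name__ == "__main__":
    id_map = parse_id_map(SAMPLE_UID_MAP)
    cases = (("/etc/ssh/ssh_config.d (host root)", 0),
             ("~/mysshdir (host uid 1000)", 1000))
    for label, owner in cases:
        seen, ok = check_mount(owner, 0o644, id_map)
        print(f"{label}: uid {seen} in container, ssh accepts: {ok}")
```

On a real host, `podman unshare cat /proc/self/uid_map` prints the map that applies to the invoking user.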