Execution Environment built with user:0: what are the security implications for podman containers?

jpmens · September 12, 2023, 11:58am

There’s a solved ansible-navigator issue #1448 regarding an error when running ansible-navigator in that it reports “ERROR! Invalid callback for stdout specified: awx_display”.

I am seeing the same error using ansible-runner with process_isolation: true.

head -4 env/settings
---
process_isolation: true
process_isolation_executable: podman
container_image: quay.io/ansible/awx-ee

$ ansible-runner run . -p demo.yml
[WARNING]: Unable to parse /runner/inventory/hosts as an inventory source
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: error in 'jsonfile' cache plugin while trying to create cache dir
/runner/artifacts/7c4f751e-9bcf-4676-9d99-e581b7cc2738/fact_cache : b"[Errno
13] Permission denied:
'/runner/artifacts/7c4f751e-9bcf-4676-9d99-e581b7cc2738/fact_cache'"
[WARNING]: provided hosts list is empty, only localhost is available. Note that
the implicit localhost does not match 'all'
ERROR! Invalid callback for stdout specified: awx_display

I think I’ve worked around it by building a custom EE with options.user: '0', which is going to mean do everything as root, possibly/probably a pretty bad idea, but I wanted to at least once experience runner with isolation.

Could somebody who has a lot more container experience than myself (and I promise that’s not something hard to have) explain the ramifications of running a podman container with root privileges within said container?

gwmngilfen · September 15, 2023, 10:00am

@Andersson007 do you have any idea how to answer this? I know you’ve been doing a lot with EE’s recently

cidrblock · September 15, 2023, 1:23pm

Hey there @jpmens,

We talked about this when that navigator bug came up and with the following PR. Where we landed was because podman is running in user space the only risk as root was inside the container. Running as root inside the container could give the root user inside the container privielged access to resources inside the container including volume mounts.

From the context of navigator execution inside the container is limited to only several commands and the user is in control of the volume mounts with the exception of the “automatic” mounts, which are all intended to be read/write anyway so there wasn’t a concern there.

I would ideally, container would be constructed such that root was not required, in this case the resulting image from builder required it and no major risk was involved.

Given the ephemeral nature of the container we did exactly what you found to work: Set user to root with podman by cidrblock · Pull Request #1539 · ansible/ansible-navigator · GitHub

I am admittedly not an expert here, but I thought some additional information about the navigator issue might provide some context.

-Brad

jpmens · September 16, 2023, 8:25am

Thank you, @cidrblock !

Topic		Replies	Views
Running containers and building images in AWX-EE AWX Project awx , ee	3	173	July 29, 2022
Are containerized Remote Execution Nodes possible? Get Help awx , ee	9	777	July 29, 2024
Ansible-navigator and docker with "Isolate containers with a user namespace" Get Help ansible-navigator , docker	0	184	April 24, 2024
Can not start ansible-navigator container in podman on mac os Get Help awx , devtools , ansible-navigator , ee	0	125	July 3, 2024
Help needed for error with ansible-test and podman Get Help ansible-test , podman	4	819	November 2, 2023

Execution Environment built with user:0: what are the security implications for podman containers?

Related topics