Execution Environment built with user:0: what are the security implications for podman containers?

There’s a solved ansible-navigator issue #1448 regarding an error when running ansible-navigator in that it reports “ERROR! Invalid callback for stdout specified: awx_display”.

I am seeing the same error using ansible-runner with process_isolation: true.

$ head -4 env/settings
---
process_isolation: true
process_isolation_executable: podman
container_image: quay.io/ansible/awx-ee

$ ansible-runner run . -p demo.yml
[WARNING]: Unable to parse /runner/inventory/hosts as an inventory source
[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: error in 'jsonfile' cache plugin while trying to create cache dir
/runner/artifacts/7c4f751e-9bcf-4676-9d99-e581b7cc2738/fact_cache : b"[Errno
13] Permission denied:
'/runner/artifacts/7c4f751e-9bcf-4676-9d99-e581b7cc2738/fact_cache'"
[WARNING]: provided hosts list is empty, only localhost is available. Note that
the implicit localhost does not match 'all'
ERROR! Invalid callback for stdout specified: awx_display

I think I’ve worked around it by building a custom EE with options.user: '0', which is going to mean do everything as root, possibly/probably a pretty bad idea, but I wanted to at least once experience runner with isolation.

Could somebody who has a lot more container experience than myself (and I promise that’s not something hard to have) explain the ramifications of running a podman container with root privileges within said container?


@Andersson007 do you have any idea how to answer this? I know you’ve been doing a lot with EE’s recently :wink:


Hey there @jpmens,

We talked about this when that navigator bug came up and with the following PR. Where we landed was: because podman is running in user space, the only risk as root was inside the container. Running as root inside the container could give the root user inside the container privileged access to resources inside the container, including volume mounts.

From the context of navigator execution inside the container is limited to only several commands and the user is in control of the volume mounts with the exception of the “automatic” mounts, which are all intended to be read/write anyway so there wasn’t a concern there.

Ideally, the container would be constructed such that root was not required; in this case the resulting image from builder required it and no major risk was involved.

Given the ephemeral nature of the container we did exactly what you found to work: Set user to root with podman by cidrblock · Pull Request #1539 · ansible/ansible-navigator · GitHub

I am admittedly not an expert here, but I thought some additional information about the navigator issue might provide some context.

-Brad

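The following is an added example, not code from this thread, from ansible-runner or from ansible-navigator. It makes the "podman is running in user space" point concrete: under rootless podman, uid 0 inside the container is just an entry in a user-namespace map, and the host identity behind it is the unprivileged user who started podman. The script reads a `/proc/self/uid_map`-style table (the sample map in the script is constructed; real maps come from `/etc/subuid`), answers "which host uid is container uid N", and classifies whether container root is real host root or a mapped unprivileged user. The optional live check needs podman on a Linux host; it runs the image from the question (`quay.io/ansible/awx-ee`, overridable) with `--user 0`, the same effect as `options.user: '0'`, and shows that a file "root" writes onto a bind mount ends up owned by your host uid. Function names (`map_uid`, `describe_root`, `live_check`) are this example's own.

```shell
#!/usr/bin/env bash
# Added example: what "root inside a rootless podman container" maps to on the host.
# Format of /proc/self/uid_map: <uid inside namespace> <uid outside namespace> <count>
set -eu

# map_uid <uid_map_text> <container_uid>
# Prints the host uid that <container_uid> corresponds to, or "unmapped" when the
# uid falls outside every range (such uids appear as nobody/65534 on the host).
map_uid() {
  printf '%s\n' "$1" | awk -v cuid="$2" '
    NF == 3 && cuid >= $1 && cuid < $1 + $3 { print $2 + cuid - $1; found = 1; exit }
    END { if (!found) print "unmapped" }'
}

# describe_root <uid_map_text>
# "rootful"          : container uid 0 is host uid 0 (real root on the host)
# "rootless:<uid>"   : container uid 0 is the unprivileged host user <uid>
# "unmapped"         : uid 0 is not mapped at all
describe_root() {
  _host_uid=$(map_uid "$1" 0)
  case "$_host_uid" in
    0)        echo "rootful" ;;
    unmapped) echo "unmapped" ;;
    *)        echo "rootless:$_host_uid" ;;
  esac
}

# live_check [image]
# Needs podman. Runs the image as uid 0 (what options.user: '0' does), prints the
# uid map the container sees, and has "root" create a file on a bind-mounted
# temporary directory; on the host that file is owned by your own uid, not 0.
live_check() {
  image="${1:-quay.io/ansible/awx-ee}"
  if ! command -v podman >/dev/null 2>&1; then
    echo "podman not installed; skipping live check" >&2
    return 0
  fi
  workdir=$(mktemp -d)
  podman run --rm --user 0 -v "$workdir:/mnt/test:Z" "$image" \
    sh -c 'echo "uid_map inside container:"; cat /proc/self/uid_map; id -u > /mnt/test/written-by-container-root'
  echo "owner of the file on the host (uid, expected: $(id -u), not 0):"
  ls -ln "$workdir/written-by-container-root"
  rm -rf "$workdir"
}

# Constructed sample: a typical rootless map for host user 1000 with a
# 65536-wide subordinate range starting at 100000 in /etc/subuid.
SAMPLE_MAP='0 1000 1
1 100000 65536'

echo "container uid 0    -> host uid $(map_uid "$SAMPLE_MAP" 0)"      # 1000
echo "container uid 1000 -> host uid $(map_uid "$SAMPLE_MAP" 1000)"   # 100999
echo "container root is: $(describe_root "$SAMPLE_MAP")"              # rootless:1000
echo "rootful podman would be: $(describe_root '0 0 4294967295')"     # rootful

# Run with --live [image] to exercise a real container.
if [ "${1:-}" = "--live" ]; then
  live_check "${2:-}"
fi
```

To see your own map without starting a container, `podman unshare cat /proc/self/uid_map` prints the same table the container root will live under. The practical reading of the output: anything container root can reach through a volume mount, it can reach with exactly the host permissions of `rootless:<uid>`, no more, which is why the mounts are the only place the `user: '0'` setting changes the risk picture.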

Thank you, @cidrblock !

