I will use lxc for molecule, and one of the steps is to be able to spin up lxc containers on the local host.
I want them to be unprivileged, and also spun up by an unprivileged user.
The latter seems not to be an option due to some cgroupsv2 issue and systemd. It can be done from the command line using “systemd-run” magic, but the lxc ansible module does not support that. (Please correct me if I am wrong.)
So the code includes “become: true” for the lxc part. And as long as I am doing passwordless sudo for all commands, this works.
Nobody should want passwordless sudo for all commands, me included.
My questions are:
- Can I make unprivileged containers using lxc without “become: true”?
- How can I set up sudo so ansible is limited to some selected group of commands?
Links or suggestions are welcome.
Example code:

```yaml
- name: Test spin up of lxc containers
  hosts: all
  connection: local
  gather_facts: false
  become: false
  tasks:
    - name: Containers exist
      become: true   # the whole module run goes through sudo
      community.general.lxc_container:
        name: "{{ inventory_hostname }}"
        container_log: true
        template: download
        state: started
        template_options: --release bookworm --dist debian --arch amd64
```
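For the second question, one way to scope what the automation user may run through sudo, as an added example that is not part of the post above. The user name `ansible` and the `/usr/bin/lxc-*` paths are assumptions; adjust them to the host.

```sudoers
# Added example (not from the post): a drop-in for /etc/sudoers.d/ that
# limits the automation account to the lxc binaries it needs, without a
# password prompt. User name and binary paths are assumptions.
Cmnd_Alias LXC_ADMIN = /usr/bin/lxc-create, /usr/bin/lxc-start, \
                       /usr/bin/lxc-stop, /usr/bin/lxc-ls, /usr/bin/lxc-info
ansible ALL=(root) NOPASSWD: LXC_ADMIN
```

Note that `become: true` on a module task makes Ansible invoke `sudo -H -S -n -u root /bin/sh -c '... python3 .../AnsiballZ_lxc_container.py'`, which this allowlist does not match, so it only helps for tasks that call the listed binaries directly (for example via `ansible.builtin.command`). Check the file with `visudo -cf <file>` before installing it, since a syntax error in a sudoers drop-in can lock out all sudo use.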