Change default container user to root (#364)

* Change default container user to root * Continuing to use upstream image for the time being * Change default container user to root * Continuing to use upstream image for the time being
ansible · Sep 17, 2024 · 7d6a2b9 · 7d6a2b9
1 parent 765c16c
commit 7d6a2b9
Show file tree

Hide file tree

Showing 7 changed files with 8 additions and 33 deletions.
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -1,7 +1,7 @@
 {
   "name": "ansible-dev-container-codespaces",
   "image": "ghcr.io/ansible/community-ansible-dev-tools:latest",
-  "containerUser": "podman",
+  "containerUser": "root",
   "runArgs": [
     "--security-opt",
     "seccomp=unconfined",

diff --git a/.devcontainer/docker/devcontainer.json b/.devcontainer/docker/devcontainer.json
@@ -1,7 +1,7 @@
 {
   "name": "ansible-dev-container-docker",
   "image": "ghcr.io/ansible/community-ansible-dev-tools:latest",
-  "containerUser": "podman",
+  "containerUser": "root",
   "runArgs": [
     "--security-opt",
     "seccomp=unconfined",

diff --git a/.devcontainer/podman/devcontainer.json b/.devcontainer/podman/devcontainer.json
@@ -14,9 +14,7 @@
     "--security-opt",
     "apparmor=unconfined",
     "--userns=host",
-    "--hostname=ansible-dev-container",
-    "--volume",
-    "ansible-dev-tools-container-storage:/var/lib/containers"
+    "--hostname=ansible-dev-container"
   ],
   "customizations": {
     "vscode": {

diff --git a/docs/container.md b/docs/container.md
@@ -96,7 +96,6 @@ podman run  -it --rm \
  --user=root \
  --userns=host \
  -e SSH_AUTH_SOCK=$SSH_AUTH_SOCK \
- -v ansible-dev-tools-container-storage:/var/lib/containers \
  -v $HOME/.gitconfig:/root/.gitconfig \
  -v $PWD:/workdir \
  -v $SSH_AUTH_SOCK:$SSH_AUTH_SOCK \
@@ -111,7 +110,6 @@ Note:
 - This command will mount the current directory to `/workdir` in the container
 - The SSH agent socket is also mounted to the container to allow for SSH key forwarding.
 - The user's `.gitconfig` is mounted to the container to allow for git operations.
-- The `ansible-dev-tools-container-storage` volume is mounted to the container to store the nested container images on the host.
 
 ### Signing git commits (SSH)
 

diff --git a/final/Containerfile b/final/Containerfile
@@ -54,20 +54,10 @@ python3-wheel \
     && microdnf clean all \
     && ln -s /usr/bin/vim /usr/bin/vi
 
-RUN useradd podman; \
-        echo -e "podman:1:999\npodman:1001:64535" > /etc/subuid; \
-        echo -e "podman:1:999\npodman:1001:64535" > /etc/subgid;
-
 ARG _REPO_URL="https://raw.githubusercontent.com/containers/image_build/main/podman"
 ADD $_REPO_URL/containers.conf /etc/containers/containers.conf
-ADD $_REPO_URL/podman-containers.conf /home/podman/.config/containers/containers.conf
-
-RUN mkdir -p /home/podman/.local/share/containers && \
-        chown podman:podman -R /home/podman && \
-        chmod 644 /etc/containers/containers.conf
 
-# this is done by ansible-builder when changing user and workdir
-RUN chgrp 0 /home/podman && chmod -R ug+rwx /home/podman
+RUN chmod 644 /etc/containers/containers.conf
 
 # Copy & modify the defaults to provide reference if runtime changes needed.
 # Changes here are required for running with fuse-overlay storage inside container.
@@ -80,7 +70,6 @@ RUN sed -e 's|^#mount_program|mount_program|g' \
 # Note VOLUME options must always happen after the chown call above
 # RUN commands can not modify existing volumes
 VOLUME /var/lib/containers
-VOLUME /home/podman/.local/share/containers
 
 RUN mkdir -p /var/lib/shared/overlay-images \
                 /var/lib/shared/overlay-layers \
@@ -125,8 +114,6 @@ RUN \
 mkdir -p ~/.ansible/roles /usr/share/ansible/roles /etc/ansible/roles && \
 git config --system --add safe.directory /
 
-# The dev container for docker runs as podman
-RUN chsh -s $(which zsh) podman
 # The dev container for docker runs as root
 RUN chsh -s $(which zsh) root
 
@@ -136,10 +123,7 @@ python3 -m pip install argcomplete
 activate-global-python-argcomplete
 EOF
 
-# Install oh-my-zsh for both users
-USER podman
-RUN sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
-
+# Install oh-my-zsh
 USER root
 RUN sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)"
 
@@ -158,11 +142,9 @@ RUN set -ex \
 && rpm -qa \
 && uname -a
 
-# Make a workdir usable by either the podman or root user
-RUN mkdir -p /workdir && chown podman:podman /workdir
+# Make a workdir usable by the root user
+RUN mkdir -p /workdir
 
-# Set the default user to podman, this will be overridden in the podman dev container
-USER podman
 WORKDIR /workdir
 ENTRYPOINT ["/opt/builder/bin/entrypoint", "dumb-init"]
 CMD ["zsh"]
diff --git a/tests/conftest.py b/tests/conftest.py
@@ -256,7 +256,6 @@ def pytest_sessionfinish(session: pytest.Session) -> None:
  --security-opt "label=disable"
  --security-opt "seccomp=unconfined"
  -v $PWD:/workdir
- -v ansible-dev-tools-container-test-storage-podman:/var/lib/containers
 """
 
 PODMAN_CMD = """ --user=root

diff --git a/tests/integration/test_container.py b/tests/integration/test_container.py
@@ -57,7 +57,7 @@ def test_container_in_container(
         exec_container: The container executor.
     """
     podman_run_container = exec_container(
-        "podman run -i --rm -d -e ANSIBLE_DEV_TOOLS_CONTAINER=1"
+        "podman run -i --rm -d -e ANSIBLE_DEV_TOOLS_CONTAINER=1 --user=root"
         " -e ANSIBLE_FORCE_COLOR=0 --name ghcr_io_ansible_community_ansible_dev_tools_latest"
         " ghcr.io/ansible/community-ansible-dev-tools:latest bash",
     )
@@ -93,8 +93,6 @@ def test_user_shell(exec_container: Callable[[str], subprocess.CompletedProcess[
     """
     result = exec_container("cat /etc/passwd | grep root | grep zsh")
     assert result.returncode == 0, "zsh not found in /etc/passwd"
-    result = exec_container("cat /etc/passwd | grep podman | grep zsh")
-    assert result.returncode == 0, "zsh not found in /etc/passwd"
 
 
 @pytest.mark.container()