diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index e14c0bb8..bb9355e5 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -1,7 +1,7 @@
 {
 "name": "ansible-dev-container-codespaces",
 "image": "ghcr.io/ansible/community-ansible-dev-tools:latest",
- "containerUser": "podman",
+ "containerUser": "root",
 "runArgs": [
 "--security-opt",
 "seccomp=unconfined",
diff --git a/.devcontainer/docker/devcontainer.json b/.devcontainer/docker/devcontainer.json
index 18b5ef34..60648f1a 100644
--- a/.devcontainer/docker/devcontainer.json
+++ b/.devcontainer/docker/devcontainer.json
@@ -1,7 +1,7 @@
 {
 "name": "ansible-dev-container-docker",
 "image": "ghcr.io/ansible/community-ansible-dev-tools:latest",
- "containerUser": "podman",
+ "containerUser": "root",
 "runArgs": [
 "--security-opt",
 "seccomp=unconfined",
diff --git a/.devcontainer/podman/devcontainer.json b/.devcontainer/podman/devcontainer.json
index 30327b46..8b198f09 100644
--- a/.devcontainer/podman/devcontainer.json
+++ b/.devcontainer/podman/devcontainer.json
@@ -14,9 +14,7 @@
 "--security-opt",
 "apparmor=unconfined",
 "--userns=host",
- "--hostname=ansible-dev-container",
- "--volume",
- "ansible-dev-tools-container-storage:/var/lib/containers"
+ "--hostname=ansible-dev-container"
 ],
 "customizations": {
 "vscode": {
diff --git a/docs/container.md b/docs/container.md
index e9ff9a2d..bf5725f7 100644
--- a/docs/container.md
+++ b/docs/container.md
@@ -96,7 +96,6 @@ podman run -it --rm \
 --user=root \
 --userns=host \
 -e SSH_AUTH_SOCK=$SSH_AUTH_SOCK \
- -v ansible-dev-tools-container-storage:/var/lib/containers \
 -v $HOME/.gitconfig:/root/.gitconfig \
 -v $PWD:/workdir \
 -v $SSH_AUTH_SOCK:$SSH_AUTH_SOCK \
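Review bot: The new `"containerUser": "root"` line removes the last non-root boundary in this configuration, because the `runArgs` that follow still pass `--security-opt seccomp=unconfined`, so the Codespaces shell now runs as uid 0 with the default syscall filter switched off. Nothing in the hunk records why root became necessary; devcontainer.json is parsed as JSONC by the Dev Containers tooling (comments are accepted), so a line above the key would do: `// root is required for nested podman; seccomp is unconfined, so only trusted workloads belong in this container`. If only the nested-podman path needs uid 0, `remoteUser` could stay non-root once the image ships such a user again (this commit removes it from the Containerfile). The docker variant in the next hunk makes the same change and would take the same comment.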
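Review bot: Removing the `ansible-dev-tools-container-storage` mount on the new side leaves `/var/lib/containers` backed by whatever the runtime creates for the image's `VOLUME /var/lib/containers` declaration (still present as context in this commit's Containerfile hunk), i.e. a fresh anonymous volume per container that is not reused across rebuilds and, depending on the runtime, is left behind when the container is removed. Since `--userns=host` two lines above keeps root inside this container equal to host root, nested image layers written there are host-root-owned data that the named volume at least made discoverable and prunable by name. If the shared volume was dropped because the root and `podman` users fought over its ownership, that rationale belongs in the commit message or in a JSONC comment such as `// nested container storage is ephemeral; add --volume NAME:/var/lib/containers to persist it`.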
@@ -111,7 +110,6 @@ Note: - This command will mount the current directory to `/workdir` in the container - The SSH agent socket is also mounted to the container to allow for SSH key forwarding. - The user's `.gitconfig` is mounted to the container to allow for git operations. -- The `ansible-dev-tools-container-storage` volume is mounted to the container to store the nested container images on the host. ### Signing git commits (SSH) diff --git a/final/Containerfile b/final/Containerfile index 9bc081f1..5ffb20f7 100644 --- a/final/Containerfile +++ b/final/Containerfile @@ -54,20 +54,10 @@ python3-wheel \ && microdnf clean all \ && ln -s /usr/bin/vim /usr/bin/vi -RUN useradd podman; \ - echo -e "podman:1:999\npodman:1001:64535" > /etc/subuid; \ - echo -e "podman:1:999\npodman:1001:64535" > /etc/subgid; - ARG _REPO_URL="https://raw.githubusercontent.com/containers/image_build/main/podman" ADD $_REPO_URL/containers.conf /etc/containers/containers.conf -ADD $_REPO_URL/podman-containers.conf /home/podman/.config/containers/containers.conf - -RUN mkdir -p /home/podman/.local/share/containers && \ - chown podman:podman -R /home/podman && \ - chmod 644 /etc/containers/containers.conf -# this is done by ansible-builder when changing user and workdir -RUN chgrp 0 /home/podman && chmod -R ug+rwx /home/podman +RUN chmod 644 /etc/containers/containers.conf # Copy & modify the defaults to provide reference if runtime changes needed. # Changes here are required for running with fuse-overlay storage inside container. @@ -80,7 +70,6 @@ RUN sed -e 's|^#mount_program|mount_program|g' \ # Note VOLUME options must always happen after the chown call above # RUN commands can not modify existing volumes VOLUME /var/lib/containers -VOLUME /home/podman/.local/share/containers RUN mkdir -p /var/lib/shared/overlay-images \ /var/lib/shared/overlay-layers \ 
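Review bot: The surviving `RUN chmod 644 /etc/containers/containers.conf` fixes the mode of a file that the unchanged `ADD` two lines above fetches from the `main` branch of `containers/image_build` at build time, and after this hunk that config governs a podman that only ever runs as root inside the image. Pinning `_REPO_URL` to a commit SHA (and, where the builder supports it, `ADD --checksum=sha256:...`) would make the build reproducible and stop an upstream change from silently altering the rootful runtime configuration; the ADD line predates this commit, but deleting the non-root `podman` user together with its `/etc/subuid`/`/etc/subgid` ranges raises what that file controls. A one-line comment recording the new situation, e.g. `# No unprivileged user is created; nested podman runs rootful as uid 0`, would save the next reader from looking for the deleted useradd. The RUN that opens this hunk begins before its first visible line.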
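Review bot: The retained comment `# Note VOLUME options must always happen after the chown call above` now refers to a `chown` that this commit deletes in the previous hunk, so after the change there is no chown above it and the note reads as a dangling cross-reference. I would reword it to state the rule it was protecting: `# VOLUME must come after any RUN that populates the path: RUN cannot modify an existing volume`. Worth a line here too is that no run configuration in this commit mounts a named volume on `/var/lib/containers` any more, so the remaining `VOLUME` declaration now yields an anonymous volume per container.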
@@ -125,8 +114,6 @@ RUN \ mkdir -p ~/.ansible/roles /usr/share/ansible/roles /etc/ansible/roles && \ git config --system --add safe.directory / -# The dev container for docker runs as podman -RUN chsh -s $(which zsh) podman # The dev container for docker runs as root RUN chsh -s $(which zsh) root @@ -136,10 +123,7 @@ python3 -m pip install argcomplete activate-global-python-argcomplete EOF -# Install oh-my-zsh for both users -USER podman -RUN sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" - +# Install oh-my-zsh USER root RUN sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" @@ -158,11 +142,9 @@ RUN set -ex \ && rpm -qa \ && uname -a -# Make a workdir usable by either the podman or root user -RUN mkdir -p /workdir && chown podman:podman /workdir +# Make a workdir usable by the root user +RUN mkdir -p /workdir -# Set the default user to podman, this will be overridden in the podman dev container -USER podman WORKDIR /workdir ENTRYPOINT ["/opt/builder/bin/entrypoint", "dumb-init"] CMD ["zsh"] diff --git a/tests/conftest.py b/tests/conftest.py index 1e758985..48335dce 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -256,7 +256,6 @@ def pytest_sessionfinish(session: pytest.Session) -> None: --security-opt "label=disable" --security-opt "seccomp=unconfined" -v $PWD:/workdir - -v ansible-dev-tools-container-test-storage-podman:/var/lib/containers """ PODMAN_CMD = """ --user=root diff --git a/tests/integration/test_container.py b/tests/integration/test_container.py index 554a593d..0c758787 100644 --- a/tests/integration/test_container.py +++ b/tests/integration/test_container.py 
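Review bot: The kept installer line under the new `# Install oh-my-zsh` heading still runs `sh -c "$(curl -fsSL .../ohmyzsh/master/tools/install.sh)"` as root during the build, an unpinned remote script executed with full privileges; the commit only drops the duplicate run for the deleted `podman` user, so this predates it, but it is now the only copy and the natural place to pin. Fetching a tagged release or specific commit and checking its digest before executing it, or cloning the repository at a known revision instead of piping the installer, would remove the build-time dependency on whatever `master` serves. At minimum the comment should say `# Install oh-my-zsh for root (the only user left in the image); unpinned upstream script`.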
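Review bot: With `USER podman` deleted, nothing visible in this Containerfile sets a USER any more, so the image starts as root by default, and the devcontainer configurations in this commit launch it with `--userns=host` and `seccomp=unconfined`, which makes uid 0 inside the container uid 0 on the host with the default syscall filter off. The new comment `# Make a workdir usable by the root user` only explains the dropped chown; a line next to `WORKDIR /workdir` should state the consequence, e.g. `# Runs as root by default (no USER directive); callers wanting isolation must pass --user and a user namespace`. The unchanged `ENTRYPOINT ["/opt/builder/bin/entrypoint", "dumb-init"]` is not shown, so if it relied on `HOME=/home/podman` or the subuid ranges this commit removes, that needs checking.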
@@ -57,7 +57,7 @@ def test_container_in_container(
 exec_container: The container executor.
 """
 podman_run_container = exec_container(
- "podman run -i --rm -d -e ANSIBLE_DEV_TOOLS_CONTAINER=1"
+ "podman run -i --rm -d -e ANSIBLE_DEV_TOOLS_CONTAINER=1 --user=root"
 " -e ANSIBLE_FORCE_COLOR=0 --name ghcr_io_ansible_community_ansible_dev_tools_latest"
 " ghcr.io/ansible/community-ansible-dev-tools:latest bash",
 )
@@ -93,8 +93,6 @@ def test_user_shell(exec_container: Callable[[str], subprocess.CompletedProcess[str]]) -> None:
 """
 result = exec_container("cat /etc/passwd | grep root | grep zsh")
 assert result.returncode == 0, "zsh not found in /etc/passwd"
- result = exec_container("cat /etc/passwd | grep podman | grep zsh")
- assert result.returncode == 0, "zsh not found in /etc/passwd"
 
 
 @pytest.mark.container()
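Review bot: Adding `--user=root` to the nested `podman run` command makes this test pass regardless of which user the image defaults to, while the commit's Containerfile change drops the `USER podman` directive precisely so that the default becomes root; the test therefore no longer exercises the property the image now relies on. A complementary assertion in the outer container that `id -u` is `0`, e.g. `assert exec_container("id -u").stdout.strip() == "0"` (assuming `exec_container` captures stdout, as its `CompletedProcess[str]` return type in the next hunk suggests), would pin the new default instead of masking it with a flag. Since this commit also removes the only non-root account from the image, it is worth saying in the docstring that nested podman is tested rootful-only from now on.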