-
Notifications
You must be signed in to change notification settings - Fork 23.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docker_swarm_service fails because of default "user: root" #49199
Comments
Hi @fchiacchiaretta, thank you for submitting this issue! |
Files identified in the description: If these files are inaccurate, please update the |
@fchiacchiaretta Thanks for your report!
I put the tasks and logs I used here. @felixfontein Yes, that should solve the idempotency issue; I'm wondering if, considering how the default for a service created without a
|
@dariko the problem with changing the default now is that it breaks backwards compatibility. It probably would have been better if the default would have never been there, but now it's too late. (The root cause for #49078 is essentially the same problem: the Unfortunately I don't have a good idea how to solve this. @gundalow are there any rules/suggestions/... on how to change defaults, which will break backwards incompatibility? Or do you know whom to ask? |
@felixfontein I'm not sure backward compatibility would not be broken, because the implied For reference, here is the related code from |
@dariko doesn't the implied user depend on the image's default user? I don't use |
@felixfontein Thank you, the image's own default user completely slipped my mind 😕 Now I see how backward-compatibility can be broken by changing the module parameter default, and how bad the current default is. Maybe it would be possible to replace it on a eventual future major release? |
That's a good question. I hope @gundalow can answer that or point us to someone who can :) Maybe how about the following:
The main problem is that if we choose a special name which someone (for whatever reason) wants to use as a real username. That's a tough one. I guess Anyway, such a change probably has to wait for Ansible 2.8, but for now we could change the module to treat an empty string as |
@felixfontein I like the idea of a If the @fchiacchiaretta is just about the idempotency I've prepared #49235 which solves it, but he also mentioned a module failure which for now I've been unable to reproduce. |
Hi @dariko
As you reported
I get the same behaviour, but in the first case I have
while in the second If I can have idempotency even specifying a null user, that would be great for now 😄 |
@fchiacchiaretta Ok, it all makes sense. The changes in #49235 should have the module correctly report its changed status when using |
@dariko I made a few tests with both original and updated module, I try to summarize my findings. With updated module, the second run with There is another notable difference in behaviour I noticed: When running the same test with the updated module, the second run resulted in 'ok' status, so the service was left in a broken state, and I had to remove it a deploy it again with Is this the intended behaviour or are we breaking other cases (which I can't see)? |
@fchiacchiaretta The new behaviour is at least consistent, and it is the one I would have expected from the beginning: now having |
In my opinion defaulting to root can be a great security risk where users have built images with a custom user only to have the container run as root by default. I only caught this because the official memcached image refuses to run as root. If it would be considered insecure breaking backwards comparability would be allowed right? https://docs.docker.com/engine/security/security/ |
I think we all fully agree that the current situation isn't good :) I guess we cannot do anything for versions before 2.8 anymore (that's only 2.7.x, since the module wasn't there in 2.6). Having the possibility to write What we can do is break backwards compatibility for 2.8. In general we shouldn't do that, but I think this is one of the situation where it's worth it. We'd have to make sure that this change is mentioned both in the changelog and the porting guide, so increase the chance that people won't miss it. |
SUMMARY
I'm trying to start a service (Traefik Load Balancer) via docker_swarm_service and it fails because of
user: root
being passed by default in the invocation.I can properly start the service if I specify
user: ''
oruser:
(passes as user: null in the invocation), but service declaration is not idempotent, every time I run the deploy I getISSUE TYPE
COMPONENT NAME
docker_swarm_service
ANSIBLE VERSION
CONFIGURATION
OS / ENVIRONMENT
Control station OS: Fedora 29
Target OS: Debian 8.11 Jessie
Target docker version:
STEPS TO REPRODUCE
Start a traefik service:
EXPECTED RESULTS
I can start a service without specifying user parameter
ACTUAL RESULTS
Service start fails. If I specify
user: ''
oruser:
(passes as user: null in the invocation) it succeeds, but it is not idempotent anymore.Best,
Federico Chiacchiaretta
The text was updated successfully, but these errors were encountered: