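---
# Rootless preparation tasks: create the run-as group and user, optionally
# write subordinate UID/GID ranges, then verify the user has a range in both
# /etc/subuid and /etc/subgid (failing the play if not).
# Variables are supplied by the caller: type, item.name, run_as_user,
# run_as_group and, optionally, run_user_subid.
- name: "{{ type }} '{{ item.name }}' - Add group '{{ run_as_group }}'"
  ansible.builtin.group:
    name: "{{ run_as_group }}"

# TODO: handle an existing user which should not be added to the group
- name: "{{ type }} '{{ item.name }}' - Add user '{{ run_as_user }}'"
  ansible.builtin.user:
    name: "{{ run_as_user }}"
    group: "{{ run_as_group }}"
    # '!' is an invalid hash, so the account has no usable password
    password: '!'
    shell: /bin/bash

- name: "{{ type }} '{{ item.name }}' - Add specified subuids"
  ansible.builtin.lineinfile:
    path: /etc/subuid
    # replaces any existing entry for this user rather than appending a second one
    regexp: "^{{ run_as_user }}:.*"
    line: "{{ run_as_user }}:{{ run_user_subid }}"
    owner: root
    group: root
    # quoted so the leading-zero octal is passed to Ansible as a string
    mode: "0644"
  when: run_user_subid is defined

# NOTE: the subgid entry is written with the same range value
# (run_user_subid) as the subuid entry above.
- name: "{{ type }} '{{ item.name }}' - Add specified subgids"
  ansible.builtin.lineinfile:
    path: /etc/subgid
    regexp: "^{{ run_as_user }}:.*"
    line: "{{ run_as_user }}:{{ run_user_subid }}"
    owner: root
    group: root
    mode: "0644"
  when: run_user_subid is defined

# The two checks below do not modify the files: check_mode with state=absent
# only reports whether a matching line exists (registered as .found), and
# failed_when aborts when no range is present for the user.
- name: "{{ type }} '{{ item.name }}' - Check for user '{{ run_as_user }}' subuid"
  ansible.builtin.lineinfile:
    path: /etc/subuid
    regexp: '^{{ run_as_user }}:.*$'
    state: absent
  check_mode: true
  changed_when: false
  register: subuid
  failed_when: not subuid.found

# NOTE: subgids are actually for users and not groups
# https://man7.org/linux/man-pages/man5/subgid.5.html
# The lookup is therefore keyed on run_as_user, matching the line written
# by the "Add specified subgids" task; keying on the group name would miss
# that entry whenever run_as_user and run_as_group differ.
- name: "{{ type }} '{{ item.name }}' - Check for user '{{ run_as_user }}' subgid"
  ansible.builtin.lineinfile:
    path: /etc/subgid
    regexp: '^{{ run_as_user }}:.*$'
    state: absent
  check_mode: true
  changed_when: false
  register: subgid
  failed_when: not subgid.found
# TODO: add subids if user wants to automatically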