Lookup container uid/gid at runtime

Simplify the Ansible side of Docker container setup, as we don't have to look up the user and group via Ansible modules (that fail in check mode because we weren't doing it right anyway)...

Lookup container uid/gid at runtime
53f7a691 · ale · 4eeab35c · 53f7a691 · 53f7a691
Commit 53f7a691 authored 5 years ago by ale
--- a/roles/docker/tasks/start.yml
+++ b/roles/docker/tasks/start.yml
@@ -9,7 +9,6 @@
 - name: Create container runtime primary group ({{ container_user }})
  group:
    name: "{{ container_user }}"
-  register: container_group_task

 - name: Create container user ({{ container_user }})
  user:
@@ -17,7 +16,6 @@
    group: "{{ container_user }}"
    home: "/var/empty"
    createhome: false
-  register: container_user_task

 - name: Add user {{ container_user }} to the credentials groups
  user:
@@ -30,18 +28,6 @@
  loop_control:
    loop_var: cred

-# Need to find the gid of the credentials group(s) to be used
-# for the --groupadd option to docker run.
- name: Find gids of credentials groups
-  shell: "getent group {{ cred.name }}-credentials | cut -d: -f3"
-  changed_when: False
-  check_mode: no
-  register: container_credentials_groups_gids
-  with_list: "{{ service.service_credentials }}"
-  when: "service.service_credentials is defined"
-  loop_control:
-    loop_var: cred
-
 - name: Configure environment for {{ systemd_service }}
  template:
    src: env.j2

--- a/roles/docker/templates/run.sh.j2
+++ b/roles/docker/templates/run.sh.j2
@@ -44,10 +44,15 @@ opts="$opts --security-opt no-new-privileges --cap-drop all"

 {# User setup #}
 {% if not container.get('root') %}
-{{ opt('user', '%d:%d' % (container_user_task.uid, container_group_task.gid)) }}
-{% if service.service_credentials is defined %}
-{{ opt('group-add', container_credentials_groups_gids.results | map(attribute='stdout') | join(',')) }}
-{% endif %}
+container_uid=$(id -u {{ container_user }})
+container_gid=$(id -g {{ container_user }})
+opts="$opts --user=$container_uid:$container_gid"
+# Add additional groups that the user is a member of.
+for gid in $(id -G {{ container_user }}); do
+    if [ $gid -ne $container_gid ]; then
+        opts="$opts --group-add=$gid"
+    fi
+done
 {% endif %}

 exec /usr/bin/systemd-docker --env run \