unprivileged user interaction / root password #71

Open
azrdev opened this issue Dec 20, 2023 · 3 comments

azrdev commented Dec 20, 2023

I'm looking for an image to be used as-is for running Ansible playbooks inside GitLab CI (with the Docker runner).
GitLab does not offer a way to specify the user a given job is run as inside the container: https://gitlab.com/gitlab-org/gitlab-runner/-/issues/2750

Since it uses a different image for doing the repo checkout and artifact placement before a job runs, these files will then belong to the default user of that helper image: 0/root, which makes them read-only or inaccessible to the UID=1000 picked up from the Ansible images.

Possible solutions:

  1. have a gitlab-CI option to specify the UID: see issue linked above
  2. default this image to uid=0/root
  3. have a means of local privilege escalation (passwordless sudo, or su with a known password) -- this was explicitly rejected for the awx-ee image(s): "Elevated privileges / root password" (ansible/awx-ee#89)

Since the images here are explicitly meant for CI use (as opposed to e.g. the awx-ee), can we make this possible?

@felixfontein
Collaborator

Are you talking about the images in ansible-test/, or about the ones in execution-environments/?

The former are meant for CI, but not for what you have in mind. They are meant to be used with the --docker option of ansible-test.

The latter are meant to run ansible-core in them, but they are regular EEs (for end-users) and not aimed at CI. They are meant to be used with ansible-navigator or ansible-runner though, similar to awx-ee.

azrdev commented Jan 22, 2024

I was trying ghcr.io/ansible-community/community-ee-base:latest

azrdev commented Sep 27, 2024

Apparently 2. is a possible solution since GitLab 16.5 (https://gitlab.com/gitlab-org/gitlab/-/merge_requests/137907), using the following syntax:

jobname:
  image:
    name: ghcr.io/ansible-community/community-ee-base:latest
    docker:
      user: "root"

I just successfully ran ansible in a CI job as root.

Edit: using docker executor this works, but not using kubernetes.
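
A preflight check for the ownership mismatch discussed in this thread, as an added example that is not part of any comment above or of the project's code. The function names `owner_uid`, `classify_access` and `check_workspace` are hypothetical, and it assumes a POSIX shell with `stat` and `id` available in the image.

```shell
#!/bin/sh
# Added example (not from the issue): diagnose the checkout-ownership problem
# from a job's before_script. All function names are hypothetical.

# Numeric owner of a path; GNU/busybox stat first, BSD stat as fallback.
owner_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1" 2>/dev/null
}

# classify_access OWNER_UID MY_UID WRITABLE(0|1) -> one word on stdout
classify_access() {
    if [ "$3" -ne 1 ]; then
        echo "uid-mismatch"        # e.g. files owned by 0, job runs as 1000
    elif [ "$2" -eq 0 ]; then
        echo "running-as-root"     # writable only because the job is UID 0
    elif [ "$1" -ne "$2" ]; then
        echo "writable-not-owner"  # group/other write bits grant access
    else
        echo "ok"
    fi
}

# check_workspace DIR -> prints "<status> owner=<uid> uid=<uid>"
# returns 0 if writable, 1 on uid-mismatch, 2 if DIR is missing
check_workspace() {
    dir=$1
    [ -d "$dir" ] || { echo "missing dir=$dir" >&2; return 2; }
    owner=$(owner_uid "$dir") || return 2
    me=$(id -u)
    writable=0
    [ -w "$dir" ] && writable=1
    status=$(classify_access "$owner" "$me" "$writable")
    echo "$status owner=$owner uid=$me"
    [ "$status" != "uid-mismatch" ]
}

# Runs only inside GitLab CI, where CI_PROJECT_DIR is predefined.
if [ -n "${CI_PROJECT_DIR:-}" ]; then
    check_workspace "$CI_PROJECT_DIR" ||
        echo "checkout not writable for UID $(id -u)" >&2
fi
```

A `running-as-root` result means the job can write to the checkout only because every command in it runs as UID 0 inside the container.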
