diff --git a/.README.html b/.README.html index 232fcf52..bb98af72 100644 --- a/.README.html +++ b/.README.html @@ -243,13 +243,13 @@

Users, groups, subuid, subgid

  • They must be already present on the system - the role will not create the users or groups - the role will exit with an error if a non-existent user or group is specified
  • -
  • They must already exist in /etc/subuid and -/etc/subgid, or are otherwise provided by your identity +
  • The user must already exist in /etc/subuid and +/etc/subgid, or otherwise be provided by your identity management system - the role will exit with an error if a specified user -is not present in /etc/subuid, or if a specified group is -not in /etc/subgid. The role uses getsubids to -check the user and group if available, or checks the files directly if -getsubids is not available.
  • +is not present in /etc/subuid and /etc/subgid. +The role uses getsubids to check the user and group if +available, or checks the files directly if getsubids is not +available.

    Role Variables

    podman_kube_specs

    @@ -273,13 +273,12 @@

    podman_kube_specs

    podman_run_as_user value will be used. Otherwise, root will be used. NOTE: The user must already exist - the role will not create one. The user must be present in -/etc/subuid. +/etc/subuid and /etc/subgid.
  • run_as_group - Use this to specify a per-pod group. If you do not specify this, then the global default podman_run_as_group value will be used. Otherwise, root will be used. NOTE: The group must already exist - the -role will not create one. The group must be present in -/etc/subgid.
  • +role will not create one.
  • systemd_unit_scope - The scope to use for the systemd unit. If you do not specify this, then the global default podman_systemd_unit_scope will be used. Otherwise, the @@ -498,13 +497,12 @@

    podman_run_as_user

    can also specify per-container username with run_as_user in podman_kube_specs. NOTE: The user must already exist - the role will not create one. The user must be present in -/etc/subuid.

    +/etc/subuid and /etc/subgid.

    podman_run_as_group

    This is the name of the group to use for all rootless containers. You can also specify per-container group name with run_as_group in podman_kube_specs. NOTE: The group must already exist - -the role will not create one. The group must be present in -/etc/subgid.

    +the role will not create one.

    podman_systemd_unit_scope

    This is systemd scope to use by default for all systemd units. You can also specify per-container scope with @@ -650,17 +648,16 @@

    podman_credential_files

    podman_run_as_user value will be used. Otherwise, root will be used. NOTE: The user must already exist - the role will not create one. The user must be present in -/etc/subuid. NOTE: This is used as the user for the -$HOME directory if file is not specified, and -as the owner of the file. If you want the owner of the file to be -different than the user used for $HOME, specify -file as an absolute path.
  • +/etc/subuid and /etc/subgid. NOTE: This is +used as the user for the $HOME directory if +file is not specified, and as the owner of the file. If you +want the owner of the file to be different than the user used for +$HOME, specify file as an absolute path.
  • run_as_group - Use this to specify a per-credential file group. If you do not specify this, then the global default podman_run_as_group value will be used. Otherwise, root will be used. NOTE: The group must already exist - the -role will not create one. The group must be present in -/etc/subgid.
  • +role will not create one.
  • mode - The mode of the file - default is "0600".
  • @@ -796,15 +793,15 @@

    podman_version

    {% endif %}

    podman_subuid_info, podman_subgid_info

    -

    The role needs to ensure any users and groups are present in the -subuid and subgid information. Once it extracts this data, it will be -available in podman_subuid_info and -podman_subgid_info. These are dicts. The key is the user or -group name, and the value is a dict with two fields:

    +

    The role needs to ensure any users are present in the subuid and +subgid information. Once it extracts this data, it will be available in +podman_subuid_info and podman_subgid_info. +These are dicts. The key is the user name, and the value is a +dict with two fields:

    podman_subuid_info,
       "/var/lib/db":
         mode: "0777"
         owner: "{{ 1001 + podman_subuid_info['dbuser']['start'] - 1 }}"
    -    group: "{{ 1001 + podman_subgid_info['dbgroup']['start'] - 1 }}"
    + group: "{{ 2001 + podman_subgid_info['dbuser']['start'] - 1 }}"

    Where 1001 is the uid for user dbuser, and -1001 is the gid for group dbgroup.

    +2001 is the gid for the group you want to use.

    NOTE: depending on the namespace used by your containers, you might not be able to use the subuid and subgid information, which comes from getsubids if available, or diff --git a/CHANGELOG.md b/CHANGELOG.md index 78b22cb8..d1a38f3b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,17 @@ Changelog ========= +[1.6.3] - 2024-09-03 +-------------------- + +### Bug Fixes + +- fix: subgid maps user to gids, not group to gids (#178) + +### Other Changes + +- ci: Add tags to TF workflow, allow more [citest bad] formats (#177) + [1.6.2] - 2024-08-21 --------------------
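Review bot: in the -243 hunk, the rewritten bullet still says "The role uses getsubids to check the user and group if available", but the point of this change is that only the user is looked up (the user must appear in /etc/subuid and /etc/subgid; the group is no longer checked anywhere in this patch). Suggest "The role uses getsubids to check the user if available, or checks the files directly if getsubids is not available." In the same bullet, "if a specified user is not present in /etc/subuid and /etc/subgid" reads as if both entries must be missing to trigger the error; since the preceding sentence requires the user in both files, "not present in /etc/subuid or /etc/subgid" states the failure condition unambiguously.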
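Review bot: the new NOTE in the -273 hunk, "The user must be present in /etc/subuid and /etc/subgid", is stricter than the wording this patch introduces in the -243 hunk, which allows the mappings to be "otherwise provided by your identity management system" and resolved via getsubids. Someone reading only the run_as_user bullet will conclude that a literal file entry is mandatory. Suggest repeating the caveat ("...or otherwise provided by your identity management system; see Users, groups, subuid, subgid") or pointing at that section. The identical NOTE text is added in the -498 and -650 hunks and should be kept in sync with whatever wording is chosen here.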
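Review bot: the changed example in the -796 hunk should say which namespace 1001 and 2001 belong to. The expression "{{ 2001 + podman_subgid_info['dbuser']['start'] - 1 }}" maps a gid inside the container's user namespace onto the host gid it is backed by, so "2001 is the gid for the group you want to use" should read "2001 is the gid of the group inside the container"; as written, a reader may plug in a host group's gid and end up with a file owned by an unrelated host gid. It is also worth stating that 2001 has to fall within dbuser's subgid range (the value dict is described as having two fields, of which only start is used here; if the other field is the range size, mention checking against it), since the role's lookup no longer validates anything group-related.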
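Review bot: the 1.6.3 entry "fix: subgid maps user to gids, not group to gids (#178)" names the conceptual correction but not its user-visible consequence. Since the README hunks change what operators must provision (run_as_user and podman_run_as_user now require the user in both /etc/subuid and /etc/subgid; run_as_group and podman_run_as_group no longer require an /etc/subgid entry for the group), consider adding that sentence to the changelog so someone upgrading can tell from the changelog alone whether their existing subuid/subgid setup still satisfies the role's checks.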