From fb2e011c9f9fbd6f85c81f2604ccaba4ea6b6b9a Mon Sep 17 00:00:00 2001
From: Rich Megginson Users, groups, subuid, subgid
/etc/subuid
and
-/etc/subgid
, or are otherwise provided by your identity
+/etc/subuid
and
+/etc/subgid
, or otherwise be provided by your identity
management system - the role will exit with an error if a specified user
-is not present in /etc/subuid
, or if a specified group is
-not in /etc/subgid
. The role uses getsubids
to
-check the user and group if available, or checks the files directly if
-getsubids
is not available./etc/subuid
and /etc/subgid
.
+The role uses getsubids
to check the user and group if
+available, or checks the files directly if getsubids
is not
+available.
Role Variables
podman_kube_specs
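Review bot: the added lines still read "to check the user and group if available", which is ambiguous now that the same paragraph states a user must appear in both /etc/subuid and /etc/subgid. Since getsubids reports subuid and subgid ranges for a user name, suggest "to check the user's subuid and subgid entries if available, or checks the files directly if getsubids is not available." so readers do not expect group names to be looked up in /etc/subgid.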
@@ -273,13 +273,12 @@ podman_kube_specs
podman_run_as_user
value will be used. Otherwise,
root
will be used. NOTE: The user must already exist - the
role will not create one. The user must be present in
-/etc/subuid
.
+/etc/subuid
and /etc/subgid
.
run_as_group
- Use this to specify a per-pod group. If
you do not specify this, then the global default
podman_run_as_group
value will be used. Otherwise,
root
will be used. NOTE: The group must already exist - the
-role will not create one. The group must be present in
-/etc/subgid
.systemd_unit_scope
- The scope to use for the systemd
unit. If you do not specify this, then the global default
podman_systemd_unit_scope
will be used. Otherwise, the
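Review bot: the run_as_group NOTE is left hanging after this hunk: the context line "NOTE: The group must already exist - the" is followed only by the removed "role will not create one. The group must be present in /etc/subgid", and no replacement line closing the sentence is visible in the rendered hunk. Confirm the new text reads "role will not create one." and consider stating where the group must exist (for example, in the system group database) now that the /etc/subgid requirement is gone, since a reader can no longer tell what the role validates for groups.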
@@ -498,13 +497,12 @@ podman_run_as_user
can also specify per-container username with run_as_user
in
podman_kube_specs
. NOTE: The user must already exist - the
role will not create one. The user must be present in
-/etc/subuid
.
/etc/subuid
and /etc/subgid
.
This is the name of the group to use for all rootless containers. You
can also specify per-container group name with run_as_group
in podman_kube_specs
. NOTE: The group must already exist -
-the role will not create one. The group must be present in
-/etc/subgid
.
This is systemd scope to use by default for all systemd units. You can also specify per-container scope with @@ -650,17 +648,16 @@
podman_run_as_user
value will be used. Otherwise,
root
will be used. NOTE: The user must already exist - the
role will not create one. The user must be present in
-/etc/subuid
. NOTE: This is used as the user for the
-$HOME
directory if file
is not specified, and
-as the owner of the file. If you want the owner of the file to be
-different than the user used for $HOME
, specify
-file
as an absolute path.
+/etc/subuid
and /etc/subgid
. NOTE: This is
+used as the user for the $HOME
directory if
+file
is not specified, and as the owner of the file. If you
+want the owner of the file to be different than the user used for
+$HOME
, specify file
as an absolute path.
run_as_group
- Use this to specify a per-credential
file group. If you do not specify this, then the global default
podman_run_as_group
value will be used. Otherwise,
root
will be used. NOTE: The group must already exist - the
-role will not create one. The group must be present in
-/etc/subgid
.mode
- The mode of the file - default is
"0600"
.The role needs to ensure any users and groups are present in the
-subuid and subgid information. Once it extracts this data, it will be
-available in podman_subuid_info
and
-podman_subgid_info
. These are dicts. The key is the user or
-group name, and the value is a dict
with two fields:
The role needs to ensure any users are present in the subuid and
+subgid information. Once it extracts this data, it will be available in
+podman_subuid_info
and podman_subgid_info
.
+These are dicts. The key is the user name, and the value is a
+dict
with two fields:
start
- the start of the id range for that user or
-group, as an int
range
- the id range for that user or group, as an
+start
- the start of the id range for that user, as an
+int
range
- the id range for that user, as an
int
podman_subuid_info, "/var/lib/db": mode: "0777" owner: "{{ 1001 + podman_subuid_info['dbuser']['start'] - 1 }}" - group: "{{ 1001 + podman_subgid_info['dbgroup']['start'] - 1 }}"
Where 1001
is the uid for user dbuser
, and
-1001
is the gid for group dbgroup
.
2001
is the gid for the group you want to use.
NOTE: depending on the namespace used by your
containers, you might not be able to use the subuid and subgid
information, which comes from getsubids
if available, or
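Review bot: the example's replacement group: line is not visible in this hunk; the removed one indexes podman_subgid_info['dbgroup'], and with the dict now keyed by user name (per the rewritten podman_subgid_info description in this same hunk) the new line should be "{{ 2001 + podman_subgid_info['dbuser']['start'] - 1 }}" to match the new prose "2001 is the gid for the group you want to use". Separately, the example's mode: "0777" is unrelated to the fix but shows a world-writable host directory; a mode scoped to the mapped owner and group (for example "0770") would be a safer default to put in the README.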
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 78b22cb8..d1a38f3b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,17 @@
Changelog
=========
+[1.6.3] - 2024-09-03
+--------------------
+
+### Bug Fixes
+
+- fix: subgid maps user to gids, not group to gids (#178)
+
+### Other Changes
+
+- ci: Add tags to TF workflow, allow more [citest bad] formats (#177)
+
[1.6.2] - 2024-08-21
--------------------
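Review bot: the entry "fix: subgid maps user to gids, not group to gids (#178)" under Bug Fixes understates a user-visible change: podman_subgid_info is now keyed by user name, so any playbook that indexes it by group name (as the README example did with ['dbgroup']) will stop working. Suggest extending the entry, e.g. "podman_subgid_info is now keyed by user name; update lookups that used a group name", so 1.6.3 adopters can find the cause of the breakage from the changelog.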