Allow overriding podman user ID with --container-option (#2079) (#2080)

mwilck · alisonlhart · web-flow · commit 06acb199f893 · 2026-01-28T17:21:02.000-05:00
* feat: allow overriding podman user ID with --container-option (#2079) ansible-navigator hard-codes `--user=root` for podman, even if the user has set a different user id with a command line option like `--container-option="--user=$UID"`. Check the list of container options passed by the user, and avoid setting `--user` if the user has already done so. This allows running an EE with `--userns=keep-id --user=$UID"`, which is necessary in order to access th DBus session bus. To make this actually work, additional container options are necessary. If `--userns=keep-id` is set and the user in question doesn't exist in the container, podman automatically adds an /etc/passwd entry setting HOME to the container's workdir, which causes the EE's ssh setup to fail. To fix that, the `--passwd-entry` option must be passed to podman (see containers/podman#13616), using a user-writable directory that should exist and must be mounted into the container in the default HOME location (/home/runner). The user's actual home directory can't be used for this purpose, because SELinux prevents relabeling it. Sample command line: CONT_HOME=/tmp/runner mkdir -p "$CONT_HOME" python3 -m ansible_navigator run test.yml \ --execution-environment-image ee_with_keyring:latest \ --pull-policy missing \ --mode stdout \ -i inventory \ --eev "/run/user/$UID/bus:/run/user/$UID/bus" \ --penv DBUS_SESSION_BUS_ADDRESS \ --container-options="--userns=keep-id" \ --container-options="--user=$UID" \ --container-options="--security-opt=label=disable" \ --eev "$CONT_HOME:/home/runner" \ --container-options=--passwd-entry='$USERNAME:x:$UID:0:$NAME:/home/runner:/bin/sh' * Add -u checks and tests * Pre-commit fixes --------- Co-authored-by: Alison Hart <alhart@redhat.com>
diff --git a/.config/dictionary.txt b/.config/dictionary.txt
@@ -48,9 +48,11 @@ maxsplit
 mergeable
 mkdocstrings
 mqueue              # https://github.com/ansible/ansible-runner/issues/984
+myuser
 myproject
 netcommon           # Ansible network collection, seen in tests and README
 netconf
+nofile
 nonblocking
 oldmask
 oneline
diff --git a/src/ansible_navigator/runner/base.py b/src/ansible_navigator/runner/base.py
@@ -105,9 +105,13 @@ def __init__(
 
         container_options = container_options or []
 
-        # when the ce is podman, set the container user to root
+        # when the ce is podman, set the container user to root unless already specified
         if self._ce == "podman":
-            container_options.append("--user=root")
+            has_user_flag = any(
+                opt.startswith(("--user", "-u=", "-u ")) or opt == "-u" for opt in container_options
+            )
+            if not has_user_flag:
+                container_options.append("--user=root")
 
         # Fix SSH agent socket when running Docker on macOS.
         if sys.platform == "darwin" and self._ce == "docker":
diff --git a/tests/unit/runner/test_base.py b/tests/unit/runner/test_base.py
@@ -67,3 +67,132 @@ def test_ssh_agent_options_order(monkeypatch: pytest.MonkeyPatch) -> None:
     assert "--test" in opts
     # Assert that SSH agent fix options are set first to allow overriding them.
     assert opts[2] == "--test"
+
+
+def test_podman_user_root_default() -> None:
+    """Test that podman sets --user=root by default."""
+    base = Base(
+        container_engine="podman",
+        execution_environment=True,
+    )
+
+    opts = base._runner_args.get("container_options") or []
+
+    assert "--user=root" in opts
+
+
+@pytest.mark.parametrize(
+    "user_option",
+    (
+        "--user=myuser",
+        "--user",
+        "-u",
+        "-u=myuser",
+    ),
+)
+def test_podman_user_override(user_option: str) -> None:
+    """Test that podman respects user-provided --user or -u options.
+
+    Args:
+        user_option: The user option to test
+    """
+    base = Base(
+        container_engine="podman",
+        execution_environment=True,
+        container_options=[user_option],
+    )
+
+    opts = base._runner_args.get("container_options") or []
+
+    assert "--user=root" not in opts
+    assert user_option in opts
+
+
+def test_podman_user_override_with_other_options() -> None:
+    """Test that podman respects --user when mixed with other options."""
+    base = Base(
+        container_engine="podman",
+        execution_environment=True,
+        container_options=["--volume=/tmp:/tmp", "--user=custom", "--env=TEST=1"],
+    )
+
+    opts = base._runner_args.get("container_options") or []
+
+    assert "--user=root" not in opts
+    assert "--user=custom" in opts
+    assert "--volume=/tmp:/tmp" in opts
+    assert "--env=TEST=1" in opts
+
+
+def test_docker_no_user_root() -> None:
+    """Test that docker does not set --user=root."""
+    base = Base(
+        container_engine="docker",
+        execution_environment=True,
+    )
+
+    opts = base._runner_args.get("container_options") or []
+
+    assert "--user=root" not in opts
+
+
+def test_podman_other_u_flags_dont_match() -> None:
+    """Test that other flags starting with -u don't prevent --user=root."""
+    base = Base(
+        container_engine="podman",
+        execution_environment=True,
+        container_options=["--ulimit=nofile:1024", "-unknown"],
+    )
+
+    opts = base._runner_args.get("container_options") or []
+
+    # --user=root should be added because neither --ulimit nor -unknown are user flags
+    assert "--user=root" in opts
+    assert "--ulimit=nofile:1024" in opts
+    assert "-unknown" in opts
+
+
+def test_podman_user_space_separated() -> None:
+    """Test that space-separated user flags are detected (as separate list items)."""
+    # When passed as --container-options="-u myuser", the parser may split into ["-u", "myuser"]
+    base = Base(
+        container_engine="podman",
+        execution_environment=True,
+        container_options=["-u", "myuser"],  # Space-separated, two list items
+    )
+
+    opts = base._runner_args.get("container_options") or []
+
+    assert "--user=root" not in opts
+    assert "-u" in opts
+    assert "myuser" in opts
+
+
+def test_podman_user_long_space_separated() -> None:
+    """Test that space-separated --user flags are detected (as separate list items)."""
+    base = Base(
+        container_engine="podman",
+        execution_environment=True,
+        container_options=["--user", "myuser"],  # Space-separated, two list items
+    )
+
+    opts = base._runner_args.get("container_options") or []
+
+    assert "--user=root" not in opts
+    assert "--user" in opts
+    assert "myuser" in opts
+
+
+def test_podman_user_quoted_with_space() -> None:
+    """Test detection when user passes quoted string with space (edge case)."""
+    # Edge case: if someone passes --co "-u myuser" as a single quoted argument
+    base = Base(
+        container_engine="podman",
+        execution_environment=True,
+        container_options=["-u myuser"],  # Single item with space inside
+    )
+
+    opts = base._runner_args.get("container_options") or []
+
+    assert "--user=root" not in opts
+    assert "-u myuser" in opts
