Greetings!
I've been implementing ansible-runner in a project of mine.
Note: I am aware that process-isolation can (also) be used to tackle this problem - but the feature described below could be a nice addition to ansible-runner. In addition to this - process-isolation adds a dependency on some containerization technology that would not be needed if we can simply switch the user context.
Background:
We are running a service that executes ansible-runner in multiple threads.
To protect some service-related secrets I looked into running ansible-runner as a dedicated user.
Feature:
The python3 subprocess module would allow us to do so using the user parameter.
If user is not None, the setreuid() system call will be made in the child process prior to the execution of the subprocess
This argument could (simply) be added/passed-through here: https://github.com/ansible/ansible-runner/blob/2.3.6/ansible_runner/runner.py#L229
The docs of run_subprocess show:
The other arguments are the same as for the Popen constructor
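The wrapper below is an added example and is not code from the issue author or from ansible-runner itself. It shows what a pass-through of Popen's `user` parameter looks like and, more importantly, the check a practitioner would want before relying on it: an unprivileged service can only setreuid() to its own uid, so switching to a dedicated user needs root (or CAP_SETUID) in the parent. The function names `can_switch_user`, `run_as`, `effective_uid_in_child` and `try_switch` are assumptions for this example, not part of any ansible-runner API.

```python
import os
import subprocess
import sys


def current_uid() -> int:
    """Effective uid of the calling (parent) process."""
    return os.geteuid()


def is_root() -> bool:
    return os.geteuid() == 0


def can_switch_user(target_uid: int) -> bool:
    """Decide up front whether Popen(user=...) can succeed for this process.

    Hypothetical helper (not an ansible-runner API): an unprivileged process may
    only setreuid() to its own uid; anything else requires root / CAP_SETUID.
    """
    return target_uid == os.geteuid() or os.geteuid() == 0


def run_as(cmd, user=None, **popen_kwargs):
    """Hypothetical pass-through mirroring the proposed feature.

    `user` (int uid or str name) is handed straight to subprocess, which calls
    setreuid() in the child before exec (Python 3.9+, POSIX only).
    Caveat: `user` alone changes neither the gid nor the supplementary groups;
    pass `group=` / `extra_groups=` too if the parent's group memberships must
    not leak into the child.
    """
    if user is not None:
        popen_kwargs["user"] = user
    return subprocess.run(cmd, check=True, capture_output=True, text=True,
                          **popen_kwargs)


def effective_uid_in_child(user) -> int:
    """Spawn a child as `user` and report the uid it actually ends up with."""
    probe = [sys.executable, "-c", "import os; print(os.geteuid())"]
    return int(run_as(probe, user=user).stdout)


def try_switch(user):
    """Return the child's uid on success, or the OSError Popen raised.

    When setreuid() fails in the child (typically EPERM for a non-root parent),
    Popen re-raises it in the parent as an OSError subclass.
    """
    try:
        return effective_uid_in_child(user)
    except OSError as exc:
        return exc


if __name__ == "__main__":
    print("same uid:", try_switch(current_uid()))
    print("uid 0:", try_switch(0), "(fails without CAP_SETUID)")
```

Running this as a non-root service account prints the parent's own uid for the first call and a PermissionError for the second, which is the point to check before wiring `user` into a multi-threaded runner: the switch only protects secrets if the parent is privileged enough to drop to the dedicated user, and the child must also be denied group-based access to those files.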