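--- /dev/null
+++ b/molecule/unattended_upgrades/Dockerfile.j2
@@ -0,0 +1,23 @@
+# SPDX-FileCopyrightText: Helmholtz-Zentrum Dresden-Rossendorf (HZDR)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Dockerfile for testing privilege escalation with non-root user
+# This ensures the role properly uses 'become: true' directives
+
+FROM {{ item.image }}
+
+# Create ansible user with sudo permissions
+ENV ANSIBLE_USER=ansible \
+SUDO_GROUP=sudo \
+DEBIAN_FRONTEND=noninteractive
+
+# Create non-root user with sudo access
+RUN set -xe \
+&& groupadd -r ${ANSIBLE_USER} \
+&& useradd -m -g ${ANSIBLE_USER} ${ANSIBLE_USER} \
+&& usermod -aG ${SUDO_GROUP} ${ANSIBLE_USER} \
+&& sed -i "/^%${SUDO_GROUP}/s/ALL\$/NOPASSWD:ALL/g" /etc/sudoers
+
+# NOTE: Do not switch to non-root user here - systemd must run as root
+# Ansible will connect as the ansible user via ansible_user inventory variable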
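Review bot: The `sed -i` on /etc/sudoers at line 20 only rewrites a `%sudo` line that already exists and exits 0 when nothing matches, so a base image lacking that line (or lacking the sudo package, which this file does not install and whose presence in the ubuntu-systemd image is not visible here) likely builds fine and only breaks later when `become` hits a password prompt. A validated drop-in fails at build time instead: `&& echo "%${SUDO_GROUP} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/ansible-test \` then `&& chmod 0440 /etc/sudoers.d/ansible-test \` and `&& visudo -cf /etc/sudoers.d/ansible-test`. Minor: `groupadd -r` creates a system group while `useradd -m` without `-r` creates a regular user; either drop `-r` or say in the line-15 comment that the mix is intended. Consider also making `DEBIAN_FRONTEND` a build-time `ARG` rather than an `ENV` baked into the image, since as written it persists into every session in the test container.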
77# Play to create and provision instance.
88- name : " Converge"
99 hosts : " all"
10+ become : false
1011 tasks :
1112 - name : " Include unattended_upgrades role"
1213 ansible.builtin.include_role :
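Review bot: The play-level `become: false` on line 10 is the mechanism that makes this scenario test escalation at all, but nothing in the visible lines says so, and a later reader could reasonably "fix" it back to true; add `# Intentionally unprivileged: the role must escalate on its own (see Dockerfile.j2)` directly above it. The Converge play continues outside this section, so I cannot see whether any task below re-enables become.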
@@ -11,14 +11,16 @@ driver:
1111platforms :
1212 - name : " instance1"
1313 image : " ${MOLECULE_IMAGE:-ghcr.io/hifis-net/ubuntu-systemd:24.04}"
14- pre_build_image : true
14+ pre_build_image : false
15+ dockerfile : " Dockerfile.j2"
1516 privileged : true
1617 override_command : false
1718 systemd : true
1819 tty : true
1920 - name : " instance2"
2021 image : " ${MOLECULE_IMAGE:-ghcr.io/hifis-net/ubuntu-systemd:24.04}"
21- pre_build_image : true
22+ pre_build_image : false
23+ dockerfile : " Dockerfile.j2"
2224 privileged : true
2325 override_command : false
2426 systemd : true
@@ -31,6 +33,7 @@ provisioner:
3133 hosts :
3234 all :
3335 vars :
36+ ansible_user : " ansible"
3437 ubuntu_defaults :
3538 - ' Unattended-Upgrade::Allowed-Origins:: "${distro_id}:${distro_codename}";'
3639 - ' Unattended-Upgrade::Allowed-Origins:: "${distro_id}:${distro_codename}-security";'
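Review bot: `ansible_user: "ansible"` on line 36 has to agree with `ANSIBLE_USER=ansible` hard-coded in Dockerfile.j2, and the two values sit in different files with nothing tying them together; add `# Must match ANSIBLE_USER in Dockerfile.j2` above the line so a rename in one place is caught. In the first hunk the `pre_build_image: false` / `dockerfile: "Dockerfile.j2"` pair is repeated verbatim for instance1 and instance2, which is tolerable for two entries but means `MOLECULE_IMAGE` can now presumably only point at images that have a `sudo` group and Debian-style tooling, since the template edits /etc/sudoers and sets `DEBIAN_FRONTEND`; a comment on the `image:` lines stating that constraint would save the next person a failed build.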
77# Play to install dependencies.
88- name : " Prepare"
99 hosts : " all"
10+ become : true
1011 tasks :
1112 - name : " Install dependencies"
1213 ansible.builtin.apt :
6060 with_items : " {{ debian_defaults }}"
6161
6262 - name : " Dry run unattended-upgrades"
63+ become : true
6364 ansible.builtin.command : " /usr/bin/unattended-upgrades --dry-run"
6465 register : " dry_run"
6566 failed_when : " dry_run.rc != 0"
6667 changed_when : false
6768
6869 - name : " Verify custom apt-daily timers" # noqa command-instead-of-shell
70+ become : true
6971 when : " unattended_systemd_timer_override"
7072 ansible.builtin.shell :
7173 cmd : " {{ item }}"
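Review bot: `become: true` is added per task on lines 63 and 70 with no note on why these two tasks need root while the neighbouring verify tasks apparently run as the unprivileged ansible user; a one-line comment above each, e.g. `# needs root: unattended-upgrades refuses to run unprivileged even with --dry-run` (my understanding of its uid check — confirm), and `# needs root: inspects systemd timer state` would make the intent reviewable. The enclosing Verify play begins outside this section and the timers task continues past its last line, so I cannot tell whether a play-level become would have been the simpler choice.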