TL;DR

Does podman need the privileged container (aka root) mode to provide safe runtime environment for Ansible Molecule tests in GitLab CI/CD execution environment as mandatory setup option? If not, what could be a meaningful alternative?

If the construct is feasible: is there at least one up to date working implementation available as open source? If not: is here a way between privileged and non-privileged by reducing kernel capabilities set – what do we really need?

What are these tools, and what are they good for?

• Ansible allows for idempotent, reproducible, automated OS environment configuration, remote and also local, using a standardized macro language which translates internally to Python and system shell operation. The ecosystem (Community Collections, Ansible Galaxy) provides a component library aka “roles”. Known alternatives are for example Puppet, Chef, Salt.

• Ansible molecule is an Ansible-native test framework to develop and validate Ansible roles. For this, it needs an execution environment, earlier “drivers”, recently this has become more abstract and flexible, but anyway the idea is that you could test your configuration set captured by the role you are developing in an emulated environment like a Docker container or other tool. Here as you will see, Podman is an interesting option.

• GitLab Runner is a software component to deploy runtime environment for GitLab’s CI/CD workflow language automating build and deployment processes. A source for security concerns can be the Docker runner mode (aka “executor”), so often if you do not need a privileged context for the container runtime you make builds and deployments, in many cases you can take for example the Kaniko image as [Docker] container image build environment and maybe also Crane. There is no Podman executor, but it offers a Docker-compatible system socket.

• Podman allows to launch containers without daemon and also without privileged mode (but it could get it as well). That makes it an interesting candidate for the Ansible Molecule test environment.

Why this combination?

Together, Ansible molecule and Podman could provide neat, efficient and secure Ansible role development and validation environment, just the DevOps loop without needing real infrastructure.

What is the problem?

Due to the complexity of the setup, I have been doing some research for existing implementations – of course as an Ansible role i.e. I could just install this environment setup – and I have found several, but it’s not quite clear to me, whether it is really possible to implement this without a privileged container option.

Which implementations exist already?

Best I am able to found seems to be this one:

• https://gitlab.com/osci/ansible-role-gitlabci-runner (however, it does not run through completely yet)

One further well-developed and up to date implementation seems to be:

• https://github.com/zedr/gitlab_runner (however – “Container still needs to run privileged”)