Add support for CRI-O user namespaces (#8268)

* add support for cri-o user namespaces * comply with yamllint rules
2026-03-07 02:27:43 +03:00 · 2021-12-20 15:37:25 +01:00
parent c59407f105
commit f01f7c54aa
4 changed files with 45 additions and 0 deletions
--- a/roles/container-engine/cri-o/tasks/main.yaml
+++ b/roles/container-engine/cri-o/tasks/main.yaml
@@ -182,6 +182,20 @@
  notify: restart crio
  when: http_proxy is defined or https_proxy is defined

+- name: Configure the uid/gid space for user namespaces
+  lineinfile:
+    path: '{{ item.path }}'
+    line: '{{ item.entry }}'
+    regex: '^\s*{{ crio_remap_user }}:'
+    state: '{{ "present" if crio_remap_enable | bool else "absent" }}'
+  loop:
+    - path: /etc/subuid
+      entry: '{{ crio_remap_user }}:{{ crio_subuid_start }}:{{ crio_subuid_length }}'
+    - path: /etc/subgid
+      entry: '{{ crio_remap_user }}:{{ crio_subgid_start }}:{{ crio_subgid_length }}'
+  loop_control:
+    label: '{{ item.path }}'
+
 - name: Ensure crio service is started and enabled
  service:
    name: crio