Getting started
Subordinate UID/GID range for root
Linux user namespaces can be used to create unprivileged LXC or Docker containers which don't use the normal UID/GID ranges of the host system. These "subordinate" UID/GID ranges are configured in the /etc/subuid and /etc/subgid databases respectively.
Unfortunately, Debian by default does not reserve a subordinate UID/GID range for the root account. Because the system automatically allocates subUID/subGID ranges for new user accounts created on a host, this can make it difficult to reserve a root subUID/subGID range later without colliding with ranges already handed out. To avoid this issue, the debops.root_account Ansible role reserves a defined set of UID/GID ranges for the root account, which can then be used to, for example, create unprivileged LXC containers.
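As an added illustration, not code from the debops.root_account role, the following Python audit parses the real /etc/subuid and /etc/subgid line format (owner:start:count), reports whether root has a reserved range, and lists ranges that collide with each other; the file contents it checks are constructed for the example.

```python
from typing import Dict, List, NamedTuple, Tuple


class SubIdRange(NamedTuple):
    owner: str
    start: int
    count: int

    @property
    def end(self) -> int:
        # Last ID in the range (inclusive).
        return self.start + self.count - 1


def parse_subid(text: str) -> List[SubIdRange]:
    """Parse the contents of /etc/subuid or /etc/subgid (owner:start:count)."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected owner:start:count, got {raw!r}")
        owner, start, count = parts
        ranges.append(SubIdRange(owner, int(start), int(count)))
    return ranges


def find_overlaps(ranges: List[SubIdRange]) -> List[Tuple[SubIdRange, SubIdRange]]:
    """Return every pair of ranges that share at least one ID."""
    ordered = sorted(ranges, key=lambda r: r.start)
    overlaps = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.start > a.end:
                break  # sorted by start, so no later range can overlap a
            overlaps.append((a, b))
    return overlaps


def audit(text: str, owner: str = "root") -> Dict[str, object]:
    """Report whether `owner` has a range and whether any ranges collide."""
    ranges = parse_subid(text)
    owned = [r for r in ranges if r.owner == owner]
    return {"has_range": bool(owned), "ranges": owned, "overlaps": find_overlaps(ranges)}


# Constructed sample: the host allocated ranges for two users first, and a
# root range added afterwards lands on top of both of them.
SAMPLE_SUBUID = """\
# comment lines are ignored
alice:100000:65536
bob:165536:65536
root:150000:65536
"""
```

Run `audit(open("/etc/subuid").read())` (and the same for /etc/subgid) on a host to see whether root has a range and whether anything overlaps; an empty overlap list and `has_range` true is the state the role aims for.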
Example inventory
The debops.root_account role is included by default in the common.yml DebOps playbook; you don't need to do anything to have it executed.
If you don't want to let debops.root_account manage the root account, you can do this with the following setting in your inventory:
root_account__enabled: False
Example playbook
If you are using this role without DebOps, here's an example Ansible playbook that uses the debops.root_account role:
---
- name: Manage root system account
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debops_all_hosts', 'debops_service_root_account' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment | d({})) }}'

  roles:

    - role: root_account
      tags: [ 'role::root_account', 'skip::root_account' ]