Using ansible delegate_to with docker: permission denied

I would like to execute a command inside a container of a machine I manage with ansible.

This is possible with the delegate_to command (see https://stackoverflow.com/a/41626257/458274):

# Register the container as an inventory host that Ansible reaches
# through the docker connection plugin (docker exec) instead of SSH.
- name: Add container to inventory
  add_host:
    name: mycontainer
    ansible_connection: docker
  changed_when: false

# Run a task against the managed host, but delegate its execution
# to the container host added above.
- name: Do something in container
  delegate_to: mycontainer
  raw: echo "hello world"

However, the user I'm using has no permission to access /var/run/docker.sock. I could fix this by adding the user to the docker group, but I feel that this is a bad security practice, since any program running with this user account could now gain root permission without a password.

Using become does not work either, since it will be delegated to the container, too.

How can I use delegate_to, but switch to another user first?

soerface asked Dec 04 '19 23:12

1 Answer

If you want to execute commands in a container, then you will need to provide some sort of communication with the docker daemon.

Ignoring ansible for a moment, you can talk to the docker daemon in 2 modes:

  • via a unix socket /var/run/docker.sock
  • via a tcp port (defaults to 2375).

So your alternative, if not using the Unix socket, would be to use the TCP connection. Pick your poison ;-)

andrzejwp answered Sep 28 '22 20:09
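As an added example (not part of the question or the answer), here are the two daemon-access modes the answer lists, written with the same add_host / delegate_to pattern the question uses. The container name mycontainer, the in-container user appuser, the address 10.0.0.5 and the task contents are constructed placeholders; ansible_user and ansible_docker_extra_args are the docker connection plugin's variables for the docker exec user and for extra arguments passed to the docker CLI.

```yaml
# Added example, not code from the question or the answer.
# Two ways for the docker connection plugin to reach the daemon:
# the unix socket and a TCP listener.
- hosts: localhost
  gather_facts: false
  tasks:
    # Mode 1: the docker CLI talks to the daemon over /var/run/docker.sock.
    # Whoever runs the CLI needs write access to that socket (owner or
    # docker group), which is the root-equivalent access the question
    # is worried about. ansible_user only selects the user inside the
    # container for docker exec; it does not change the host-side user.
    - name: Add container (unix socket)
      add_host:
        name: mycontainer
        ansible_connection: docker
        ansible_user: appuser        # placeholder user inside the container
      changed_when: false

    # Mode 2: the same container, reached through a daemon listening on TCP
    # (placeholder address). -H is the docker CLI's daemon-address flag.
    # Plain tcp://...:2375 carries no authentication or encryption, so anyone
    # who can reach the port gets the same control as a docker-group member.
    - name: Add container (tcp)
      add_host:
        name: mycontainer_tcp
        ansible_host: mycontainer    # container name as seen by the remote daemon
        ansible_connection: docker
        ansible_docker_extra_args: "-H tcp://10.0.0.5:2375"
      changed_when: false

    - name: Do something in container over the socket
      delegate_to: mycontainer
      raw: id

    - name: Do something in container over tcp
      delegate_to: mycontainer_tcp
      raw: id
```

Running `id` inside the container shows which user the exec lands on (appuser here) and makes the point that switching users inside the container does not address socket permissions on the side that runs the docker CLI. If the TCP mode is chosen, the daemon should be configured to require TLS client certificates (conventionally on port 2376) rather than left open on 2375, since an unauthenticated daemon port is at least as powerful as docker-group membership.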