ptoal/toallab-automation
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update roles

Browse Source
This commit is contained in:
Patrick Toal
2021-04-20 12:14:42 -04:00
parent 8005080b8b
commit 595021d449
131 changed files with 4144 additions and 3018 deletions
Download Patch File Download Diff File Expand all files Collapse all files

275
roles/ikke_t.podman_container_systemd/tasks/main.yml
View File

@@ -1,5 +1,48 @@
---
- name: prepare rootless stuff if needed
block:
- name: get user information
user:
name: "{{ container_run_as_user }}"
check_mode: true
register: user_info
- name: set systemd dir if user is not root
set_fact:
service_files_dir: "{{ user_info.home }}/.config/systemd/user"
systemd_scope: user
changed_when: false
- name: ensure systemd files directory exists if user not root
file:
path: "{{ service_files_dir }}"
state: directory
owner: "{{ container_run_as_user }}"
group: "{{ container_run_as_group }}"
when: container_run_as_user != "root"
- name: "Find uid of user"
command: "id -u {{ container_run_as_user }}"
register: container_run_as_uid
check_mode: false # Run even in check mode, to avoid fail with --check.
changed_when: false
- name: set systemd runtime dir
set_fact:
xdg_runtime_dir: "/run/user/{{ container_run_as_uid.stdout }}"
changed_when: false
- name: set systemd scope to system if needed
set_fact:
systemd_scope: system
service_files_dir: '/etc/systemd/system'
xdg_runtime_dir: "/run/user/{{ container_run_as_uid.stdout }}"
when: container_run_as_user == "root"
changed_when: false
- name: check if service file exists already
stat:
path: "{{ service_files_dir }}/{{ service_name }}"
@@ -8,99 +51,95 @@
- name: do tasks when "{{ service_name }}" state is "running"
block:
- name: Check for user namespace support in kernel
stat:
path: /proc/sys/kernel/unprivileged_userns_clone
register: unprivileged_userns_clone
changed_when: false
- name: Allow unprivileged users on Debian
sysctl:
name: kernel.unprivileged_userns_clone
value: '1'
state: present
sysctl_file: /etc/sysctl.d/userns.conf
sysctl_set: true
when:
- ansible_distribution == 'Debian'
- unprivileged_userns_clone.stat.exists
- name: Install rootless dependencies on Debian-based
package:
name: "{{ podman_dependencies_rootless }}"
state: present
when:
- ansible_os_family == 'Debian'
- container_run_as_user != 'root'
- name: ensure podman is installed
package:
name: podman
state: installed
state: present
when: not skip_podman_install
- name: check user exists
user:
name: "{{ container_run_as_user }}"
- name: check if user is in subuid file
lineinfile:
line: '\1'
path: /etc/subuid
regexp: "^({{ container_run_as_user }}:.*)"
backrefs: yes
check_mode: yes
register: uid_has
ignore_errors: true
when: container_run_as_user != 'root'
- name: check if group is in subgid file
lineinfile:
line: '\1'
path: /etc/subgid
regexp: "^({{ container_run_as_group }}:.*)"
backrefs: yes
check_mode: yes
register: gid_has
ignore_errors: true
when: container_run_as_group != 'root'
- name: ensure user is in subuid file, if it was missing
lineinfile:
path: /etc/subuid
regexp: "^{{ container_run_as_user }}:.*"
line: "{{ container_run_as_user }}:305536:65536"
create: yes
mode: '0644'
owner: root
group: root
when: uid_has.changed and container_run_as_user != 'root'
- name: ensure group is in subgid file, if it was missing
lineinfile:
path: /etc/subgid
regexp: "^{{ container_run_as_group }}:.*"
line: "{{ container_run_as_group }}:305536:65536"
create: yes
mode: '0644'
owner: root
group: root
when: gid_has.changed and container_run_as_group != 'root'
- name: Check subuid & subgid
import_tasks: check_subid.yml
- name: running single container, get image Id if it exists and we are root
# XXX podman doesn't work through sudo for non root users, so skip preload if user
# XXX podman doesn't work through sudo for non root users,
# so skip preload if user
# https://github.com/containers/libpod/issues/5570
# command: podman inspect -f {{.Id}} "{{ container_image }}"
command: "podman image inspect -f '{{ '{{' }}.Id{{ '}}' }}' {{ container_image }}"
command: "podman image inspect -f '{{ '{{' }}.Id{{ '}}' }}' {{ item }}"
register: pre_pull_id
ignore_errors: yes
when: container_image is defined and container_run_as_user == 'root'
ignore_errors: true
when:
- container_image_list is defined
- container_image_list | length == 1
- container_run_as_user == 'root'
with_items: "{{ container_image_list }}"
- name: running single container, ensure we have up to date container image
command: "podman pull {{ container_image }}"
become: yes
containers.podman.podman_image:
name: "{{ item }}"
force: true
username: "{{ container_image_user | default(omit) }}"
password: "{{ container_image_password | default(omit) }}"
notify: restart service
become: true
become_user: "{{ container_run_as_user }}"
when: container_image is defined and container_run_as_user == 'root'
when:
- container_image_list is defined
- container_image_list | length == 1
- container_run_as_user == 'root'
with_items: "{{ container_image_list }}"
- name: running single container, get image Id if it exists
command: "podman image inspect -f '{{ '{{' }}.Id{{ '}}' }}' {{ container_image }}"
become: yes
command:
"podman image inspect -f '{{ '{{' }}.Id{{ '}}' }}' {{ item }}"
become: true
become_user: "{{ container_run_as_user }}"
register: post_pull_id
when: container_image is defined and container_run_as_user == 'root'
- name: force restart after image change
debug: msg="image has changed"
changed_when: True
notify: restart service
ignore_errors: true
when:
- container_image_list is defined
- container_image_list | length == 1
- container_run_as_user == 'root'
- container_image is defined
- pre_pull_id.stdout != post_pull_id.stdout
- pre_pull_id is succeeded
# XXX remove above comparison if future podman tells image changed.
with_items: "{{ container_image_list }}"
- name: seems we use several container images, ensure all are up to date
command: "podman pull {{ item }}"
become: yes
containers.podman.podman_image:
name: "{{ item }}"
force: true
username: "{{ container_image_user | default(omit) }}"
password: "{{ container_image_password | default(omit) }}"
become: true
become_user: "{{ container_run_as_user }}"
when: container_image_list is defined
when: container_image_list is defined and container_image_list | length > 1
with_items: "{{ container_image_list }}"
- name: if running pod, ensure configuration file exists
@@ -110,11 +149,25 @@
when: container_pod_yaml is defined
- name: fail if pod configuration file is missing
fail:
msg: "Error: Asking to run pod, but pod definition yaml file is missing: {{ container_pod_yaml }}"
msg: >
"Error: Asking to run pod, but pod definition yaml file is missing: "
"{{ container_pod_yaml }}"
when:
- container_pod_yaml is defined
- not pod_file.stat.exists
- name: Check if user is lingering
stat:
path: "/var/lib/systemd/linger/{{ container_run_as_user }}"
register: user_lingering
when: container_run_as_user != "root"
- name: Enable lingering is needed
command: "loginctl enable-linger {{ container_run_as_user }}"
when:
- container_run_as_user != "root"
- not user_lingering.stat.exists
- name: "create systemd service file for container: {{ container_name }}"
template:
src: systemd-service-single.j2
@@ -122,9 +175,12 @@
owner: root
group: root
mode: 0644
notify: reload systemctl
notify:
- reload systemctl
- start service
- enable service
register: service_file
when: container_image is defined
when: container_image_list is defined and container_image_list | length == 1
- name: "create systemd service file for pod: {{ container_name }}"
template:
@@ -136,24 +192,13 @@
notify:
- reload systemctl
- start service
- enable service
register: service_file
when: container_image_list is defined
- name: ensure "{{ service_name }}" is enabled at boot, and systemd reloaded
systemd:
name: "{{ service_name }}"
enabled: yes
daemon_reload: yes
- name: ensure "{{ service_name }}" is running
service:
name: "{{ service_name }}"
state: started
when: not service_file_before_template.stat.exists
when: container_image_list is defined and container_image_list | length > 1
- name: "ensure {{ service_name }} is restarted due config change"
debug: msg="config has changed:"
changed_when: True
changed_when: true
notify: restart service
when:
- service_file_before_template.stat.exists
@@ -169,14 +214,32 @@
fw_state: enabled
when: container_state == "running"
- name: set firewall ports state to disabled when container state is not running
- name: disable firewall ports state when container state is not running
set_fact:
fw_state: disabled
when: container_state != "running"
- name: ensure firewalld is installed
tags: firewall
package: name=firewalld state=installed
package: name=firewalld state=present
when: ansible_pkg_mgr != "atomic_container"
- name: ensure firewalld is installed (on fedora-iot)
tags: firewall
command: >-
rpm-ostree install --idempotent --unchanged-exit-77
--allow-inactive firewalld
register: ostree
failed_when: not ( ostree.rc == 77 or ostree.rc == 0 )
changed_when: ostree.rc != 77
when: ansible_pkg_mgr == "atomic_container"
- name: reboot if new stuff was installed
reboot:
reboot_timeout: 300
when:
- ansible_pkg_mgr == "atomic_container"
- ostree.rc != 77
- name: ensure firewall service is running
tags: firewall
@@ -186,11 +249,14 @@
tags: firewall
firewalld:
port: "{{ item }}"
permanent: yes
immediate: yes
permanent: true
immediate: true
state: "{{ fw_state }}"
with_items: "{{ container_firewall_ports }}"
- name: Force all notified handlers to run at this point
meta: flush_handlers
when: container_firewall_ports is defined
@@ -198,17 +264,29 @@
block:
- name: ensure "{{ service_name }}" is disabled at boot
service:
become: true
become_user: "{{ container_run_as_user }}"
# become_method: machinectl
environment:
XDG_RUNTIME_DIR: "{{ xdg_runtime_dir }}"
systemd:
name: "{{ service_name }}"
enabled: false
scope: "{{ systemd_scope }}"
when:
- service_file_before_template.stat.exists
- name: ensure "{{ service_name }}" is stopped
service:
become: true
become_user: "{{ container_run_as_user }}"
# become_method: machinectl
environment:
XDG_RUNTIME_DIR: "{{ xdg_runtime_dir }}"
systemd:
name: "{{ service_name }}"
state: stopped
enabled: no
enabled: false
scope: "{{ systemd_scope }}"
when:
- service_file_before_template.stat.exists
@@ -218,6 +296,21 @@
state: absent
notify: reload systemctl
- name: Force all notified handlers to run at this point
meta: flush_handlers
- name: Check if user is lingering
stat:
path: "/var/lib/systemd/linger/{{ container_run_as_user }}"
register: user_lingering
when: container_run_as_user != "root"
- name: Disable lingering (are we sure we want to do this always?)
command: "loginctl disable-linger {{ container_run_as_user }}"
when:
- container_run_as_user != "root"
- user_lingering.stat.exists
- name: clean up pod configuration file
file:
path: "{{ container_pod_yaml }}"