--- - name: check if service file exists already stat: path: "{{ service_files_dir }}/{{ service_name }}" register: service_file_before_template - name: do tasks when "{{ service_name }}" state is "running" block: - name: ensure podman is installed package: name: podman state: installed when: not skip_podman_install - name: check user exists user: name: "{{ container_run_as_user }}" - name: check if user is in subuid file lineinfile: line: '\1' path: /etc/subuid regexp: "^({{ container_run_as_user }}:.*)" backrefs: yes check_mode: yes register: uid_has ignore_errors: true when: container_run_as_user != 'root' - name: check if group is in subgid file lineinfile: line: '\1' path: /etc/subgid regexp: "^({{ container_run_as_group }}:.*)" backrefs: yes check_mode: yes register: gid_has ignore_errors: true when: container_run_as_group != 'root' - name: ensure user is in subuid file, if it was missing lineinfile: path: /etc/subuid regexp: "^{{ container_run_as_user }}:.*" line: "{{ container_run_as_user }}:305536:65536" create: yes mode: '0644' owner: root group: root when: uid_has.changed and container_run_as_user != 'root' - name: ensure group is in subgid file, if it was missing lineinfile: path: /etc/subgid regexp: "^{{ container_run_as_group }}:.*" line: "{{ container_run_as_group }}:305536:65536" create: yes mode: '0644' owner: root group: root when: gid_has.changed and container_run_as_group != 'root' - name: running single container, get image Id if it exists and we are root # XXX podman doesn't work through sudo for non root users, so skip preload if user # https://github.com/containers/libpod/issues/5570 # command: podman inspect -f {{.Id}} "{{ container_image }}" command: "podman image inspect -f '{{ '{{' }}.Id{{ '}}' }}' {{ container_image }}" register: pre_pull_id ignore_errors: yes when: container_image is defined and container_run_as_user == 'root' - name: running single container, ensure we have up to date container image command: "podman pull {{ container_image }}" become: yes become_user: "{{ container_run_as_user }}" when: container_image is defined and container_run_as_user == 'root' - name: running single container, get image Id if it exists command: "podman image inspect -f '{{ '{{' }}.Id{{ '}}' }}' {{ container_image }}" become: yes become_user: "{{ container_run_as_user }}" register: post_pull_id when: container_image is defined and container_run_as_user == 'root' - name: force restart after image change debug: msg="image has changed" changed_when: True notify: restart service when: - container_run_as_user == 'root' - container_image is defined - pre_pull_id.stdout != post_pull_id.stdout - pre_pull_id is succeeded # XXX remove above comparison if future podman tells image changed. - name: seems we use several container images, ensure all are up to date command: "podman pull {{ item }}" become: yes become_user: "{{ container_run_as_user }}" when: container_image_list is defined with_items: "{{ container_image_list }}" - name: if running pod, ensure configuration file exists stat: path: "{{ container_pod_yaml }}" register: pod_file when: container_pod_yaml is defined - name: fail if pod configuration file is missing fail: msg: "Error: Asking to run pod, but pod definition yaml file is missing: {{ container_pod_yaml }}" when: - container_pod_yaml is defined - not pod_file.stat.exists - name: "create systemd service file for container: {{ container_name }}" template: src: systemd-service-single.j2 dest: "{{ service_files_dir }}/{{ service_name }}" owner: root group: root mode: 0644 notify: reload systemctl register: service_file when: container_image is defined - name: "create systemd service file for pod: {{ container_name }}" template: src: systemd-service-pod.j2 dest: "{{ service_files_dir }}/{{ service_name }}" owner: root group: root mode: 0644 notify: - reload systemctl - start service register: service_file when: container_image_list is defined - name: ensure "{{ service_name }}" is enabled at boot, and systemd reloaded systemd: name: "{{ service_name }}" enabled: yes daemon_reload: yes - name: ensure "{{ service_name }}" is running service: name: "{{ service_name }}" state: started when: not service_file_before_template.stat.exists - name: "ensure {{ service_name }} is restarted due config change" debug: msg="config has changed:" changed_when: True notify: restart service when: - service_file_before_template.stat.exists - service_file.changed when: container_state == "running" - name: configure firewall if container_firewall_ports is defined block: - name: set firewall ports state to enabled when container state is running set_fact: fw_state: enabled when: container_state == "running" - name: set firewall ports state to disabled when container state is not running set_fact: fw_state: disabled when: container_state != "running" - name: ensure firewalld is installed tags: firewall package: name=firewalld state=installed - name: ensure firewall service is running tags: firewall service: name=firewalld state=started - name: ensure container's exposed ports firewall state tags: firewall firewalld: port: "{{ item }}" permanent: yes immediate: yes state: "{{ fw_state }}" with_items: "{{ container_firewall_ports }}" when: container_firewall_ports is defined - name: do cleanup stuff when container_state is "absent" block: - name: ensure "{{ service_name }}" is disabled at boot service: name: "{{ service_name }}" enabled: false when: - service_file_before_template.stat.exists - name: ensure "{{ service_name }}" is stopped service: name: "{{ service_name }}" state: stopped enabled: no when: - service_file_before_template.stat.exists - name: clean up systemd service file file: path: "{{ service_files_dir }}/{{ service_name }}" state: absent notify: reload systemctl - name: clean up pod configuration file file: path: "{{ container_pod_yaml }}" state: absent when: container_pod_yaml is defined when: container_state == "absent"