313 lines
9.1 KiB
YAML
313 lines
9.1 KiB
YAML
---
|
|
|
|
- name: Get user information
|
|
user:
|
|
name: "{{ container_run_as_user }}"
|
|
check_mode: true
|
|
changed_when: false
|
|
register: user_info
|
|
|
|
- name: Fails if user "{{ container_run_as_user }}" doesn't exist
|
|
fail:
|
|
msg: User "{{ container_run_as_user }}" doesn't exist.
|
|
when: user_info.name is not defined
|
|
|
|
- name: prepare rootless stuff if needed
|
|
block:
|
|
- name: set systemd dir if user is not root
|
|
set_fact:
|
|
service_files_dir: "{{ user_info.home }}/.config/systemd/user"
|
|
systemd_scope: user
|
|
changed_when: false
|
|
|
|
- name: ensure systemd files directory exists if user not root
|
|
file:
|
|
path: "{{ service_files_dir }}"
|
|
state: directory
|
|
owner: "{{ container_run_as_user }}"
|
|
group: "{{ container_run_as_group }}"
|
|
|
|
when: container_run_as_user != "root"
|
|
|
|
- name: set systemd runtime dir
|
|
set_fact:
|
|
xdg_runtime_dir: "/run/user/{{ user_info.uid }}"
|
|
changed_when: false
|
|
|
|
- name: set systemd scope to system if needed
|
|
set_fact:
|
|
systemd_scope: system
|
|
service_files_dir: "{{ service_files_dir }}"
|
|
when: container_run_as_user == "root"
|
|
changed_when: false
|
|
|
|
- name: create local systemd directory
|
|
file:
|
|
group: root
|
|
mode: u=rwX,go=rX
|
|
owner: root
|
|
path: /usr/local/lib/systemd/system/
|
|
state: directory
|
|
become: true
|
|
when: container_run_as_user == "root" and service_files_dir == '/usr/local/lib/systemd/system'
|
|
|
|
|
|
- name: do tasks when "{{ service_name }}" state is "running"
|
|
block:
|
|
|
|
- name: Check for user namespace support in kernel
|
|
stat:
|
|
path: /proc/sys/kernel/unprivileged_userns_clone
|
|
register: unprivileged_userns_clone
|
|
changed_when: false
|
|
|
|
- name: Allow unprivileged users on Debian
|
|
sysctl:
|
|
name: kernel.unprivileged_userns_clone
|
|
value: '1'
|
|
state: present
|
|
sysctl_file: /etc/sysctl.d/userns.conf
|
|
sysctl_set: true
|
|
when:
|
|
- ansible_distribution == 'Debian'
|
|
- unprivileged_userns_clone.stat.exists
|
|
|
|
- name: Install rootless dependencies on Debian-based
|
|
package:
|
|
name: "{{ podman_dependencies_rootless }}"
|
|
state: present
|
|
when:
|
|
- ansible_os_family == 'Debian'
|
|
- container_run_as_user != 'root'
|
|
|
|
- name: ensure podman is installed
|
|
package:
|
|
name: podman
|
|
state: present
|
|
when: not skip_podman_install
|
|
|
|
- name: Check subuid & subgid
|
|
import_tasks: check_subid.yml
|
|
|
|
- name: Ensure empty internal variable _container_image_list
|
|
set_fact:
|
|
_container_image_list: []
|
|
changed_when: false
|
|
|
|
- name: Convert container_image_list to new form
|
|
set_fact:
|
|
_container_image_list: "{{ _container_image_list + [{'image': item}] }}"
|
|
with_items: "{{ container_image_list }}"
|
|
when: not (container_image_list | selectattr("image", "defined"))
|
|
changed_when: false
|
|
no_log: true
|
|
|
|
- name: Always use internal variable for container_image_list
|
|
set_fact:
|
|
_container_image_list: "{{ container_image_list }}"
|
|
when: _container_image_list | length == 0
|
|
changed_when: false
|
|
no_log: true
|
|
|
|
- name: running single container, ensure we have up to date container image
|
|
containers.podman.podman_image:
|
|
name: "{{ item.image }}"
|
|
force: true
|
|
username: "{{ item.user | default(container_image_user) | default(omit) }}"
|
|
password: "{{ item.password | default(container_image_password) | default(omit) }}"
|
|
notify: restart service
|
|
become: true
|
|
become_user: "{{ container_run_as_user }}"
|
|
when:
|
|
- _container_image_list | length == 1
|
|
- container_run_as_user == 'root'
|
|
- not (item.image | regex_search ('^localhost/.*'))
|
|
loop: "{{ _container_image_list }}"
|
|
no_log: true
|
|
|
|
- name: seems we use several container images, ensure all are up to date
|
|
containers.podman.podman_image:
|
|
name: "{{ item.image }}"
|
|
force: true
|
|
username: "{{ item.user | default(container_image_user) | default(omit) }}"
|
|
password: "{{ item.password | default(container_image_password) | default(omit) }}"
|
|
become: true
|
|
become_user: "{{ container_run_as_user }}"
|
|
when:
|
|
- _container_image_list | length > 1
|
|
- not (item.image | regex_search ('^localhost/.*'))
|
|
loop: "{{ _container_image_list }}"
|
|
no_log: true
|
|
|
|
- name: Include pod yaml templating
|
|
ansible.builtin.include_tasks: deploy_pod_yaml.yml
|
|
when:
|
|
- container_pod_yaml is defined
|
|
- container_pod_yaml_deploy
|
|
|
|
- name: if running pod, ensure configuration file exists
|
|
stat:
|
|
path: "{{ container_pod_yaml }}"
|
|
register: pod_file
|
|
when: container_pod_yaml is defined
|
|
|
|
- name: fail if pod configuration file is missing
|
|
fail:
|
|
msg: >
|
|
"Error: Asking to run pod, but pod definition yaml file is missing: "
|
|
"{{ container_pod_yaml }}"
|
|
when:
|
|
- container_pod_yaml is defined
|
|
- not pod_file.stat.exists
|
|
|
|
- name: Check if user is lingering
|
|
stat:
|
|
path: "/var/lib/systemd/linger/{{ container_run_as_user }}"
|
|
register: user_lingering
|
|
when: container_run_as_user != "root"
|
|
|
|
- name: Enable lingering is needed
|
|
command: "loginctl enable-linger {{ container_run_as_user }}"
|
|
when:
|
|
- container_run_as_user != "root"
|
|
- not user_lingering.stat.exists
|
|
|
|
- name: Ensure volume directories exist for {{ container_name }}
|
|
file:
|
|
path: "{{ item }}"
|
|
owner: "{{ container_dir_owner | default(container_run_as_user) }}"
|
|
group: "{{ container_dir_group | default(container_run_as_group) }}"
|
|
mode: "{{ container_dir_mode | default(omit) }}"
|
|
state: directory
|
|
become: true
|
|
loop: "{{ container_run_args | regex_findall('-v ([^:]*)') }}"
|
|
when:
|
|
- _container_image_list | length == 1
|
|
- container_run_args is defined and container_run_args | length > 0
|
|
- container_pod_yaml is undefined
|
|
|
|
- name: Create systemd service file for {{ container_name }}
|
|
template:
|
|
src: "{% if _container_image_list | length == 1 %}systemd-service-single.j2{% else %}systemd-service-pod.j2{% endif %}"
|
|
dest: "{{ service_files_dir }}/{{ service_name }}"
|
|
owner: "{{ service_files_owner }}"
|
|
group: "{{ service_files_group }}"
|
|
mode: "{{ service_files_mode }}"
|
|
become: true
|
|
notify:
|
|
- reload systemctl
|
|
- restart service
|
|
register: service_file
|
|
|
|
- name: ensure auto update is running for images
|
|
become: true
|
|
become_user: "{{ container_run_as_user }}"
|
|
environment:
|
|
XDG_RUNTIME_DIR: "{{ xdg_runtime_dir }}"
|
|
systemd:
|
|
name: podman-auto-update.timer
|
|
daemon_reload: true
|
|
scope: "{{ systemd_scope }}"
|
|
state: started
|
|
enabled: true
|
|
|
|
when: container_state == "running"
|
|
|
|
- name: configure firewall if container_firewall_ports is defined
|
|
block:
|
|
|
|
- name: ensure firewalld is installed
|
|
tags: firewall
|
|
package: name=firewalld state=present
|
|
become: true
|
|
when: ansible_pkg_mgr != "atomic_container"
|
|
|
|
- name: Ensure firewalld is installed (rpm-ostree)
|
|
when: ansible_pkg_mgr == "atomic_container"
|
|
block:
|
|
- name: Ensure firewalld is installed (rpm-ostree)
|
|
tags: firewall
|
|
community.general.rpm_ostree_pkg:
|
|
name: firewalld
|
|
become: true
|
|
register: ostree
|
|
|
|
- name: Reboot if firewalld was installed
|
|
reboot:
|
|
reboot_timeout: 300
|
|
become: true
|
|
when: ostree is changed
|
|
|
|
- name: Ensure firewall service is running
|
|
tags: firewall
|
|
service:
|
|
name: firewalld
|
|
state: started
|
|
become: true
|
|
|
|
- name: Ensure container's exposed ports firewall state
|
|
tags: firewall
|
|
ansible.posix.firewalld:
|
|
port: "{{ item }}"
|
|
permanent: true
|
|
immediate: true
|
|
state: "{% if container_state == 'running' %}enabled{% else %}disabled{% endif %}"
|
|
become: true
|
|
with_items: "{{ container_firewall_ports }}"
|
|
|
|
when: container_firewall_ports is defined
|
|
|
|
|
|
- name: do cleanup stuff when container_state is "absent"
|
|
block:
|
|
|
|
- name: Check if service file exists
|
|
stat:
|
|
path: "{{ service_files_dir }}/{{ service_name }}"
|
|
register: service_file
|
|
|
|
|
|
- name: Ensure "{{ service_name }}" is stopped and disabled at boot
|
|
become: true
|
|
become_user: "{{ container_run_as_user }}"
|
|
# become_method: machinectl
|
|
environment:
|
|
XDG_RUNTIME_DIR: "{{ xdg_runtime_dir }}"
|
|
systemd:
|
|
name: "{{ service_name }}"
|
|
state: stopped
|
|
enabled: false
|
|
scope: "{{ systemd_scope }}"
|
|
when:
|
|
- service_file.stat.exists
|
|
|
|
- name: clean up systemd service file
|
|
file:
|
|
path: "{{ service_files_dir }}/{{ service_name }}"
|
|
state: absent
|
|
become: true
|
|
notify: reload systemctl
|
|
|
|
- name: Check if user is lingering
|
|
stat:
|
|
path: "/var/lib/systemd/linger/{{ container_run_as_user }}"
|
|
register: user_lingering
|
|
when: container_run_as_user != "root"
|
|
|
|
- name: Disable lingering (are we sure we want to do this always?)
|
|
command: "loginctl disable-linger {{ container_run_as_user }}"
|
|
when:
|
|
- container_run_as_user != "root"
|
|
- user_lingering.stat.exists
|
|
|
|
- name: clean up pod configuration file
|
|
file:
|
|
path: "{{ container_pod_yaml }}"
|
|
state: absent
|
|
when: container_pod_yaml is defined
|
|
|
|
when: container_state == "absent"
|
|
|
|
- name: Force all notified handlers to run at this point
|
|
meta: flush_handlers
|