---
# Rootless preparation. The whole block is skipped for root; for any other
# account it resolves the user's own systemd unit directory and creates it.
- name: prepare rootless stuff if needed
  block:
    # check_mode: true turns the user module into a lookup only: the account
    # is never created or modified here, the result (home dir) is registered.
    - name: get user information
      user:
        name: "{{ container_run_as_user }}"
      register: user_info
      check_mode: true

    # Per-user units live under ~/.config/systemd/user and are managed with
    # "systemctl --user", hence scope "user".
    - name: set systemd dir if user is not root
      set_fact:
        service_files_dir: "{{ user_info.home }}/.config/systemd/user"
        systemd_scope: user
      changed_when: false

    # NOTE(review): no mode is set, so the directory is created with the
    # remote umask default — confirm that is intended.
    - name: ensure systemd files directory exists if user not root
      file:
        path: "{{ service_files_dir }}"
        state: directory
        owner: "{{ container_run_as_user }}"
        group: "{{ container_run_as_group }}"
  when: container_run_as_user != "root"
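# Resolve the numeric uid once; the XDG_RUNTIME_DIR tasks below build on it.
# argv hands the user name to id(1) as a single argument, so a value
# containing whitespace or shell metacharacters can never be split into
# additional arguments (the string form is word-split by the command module).
- name: "Find uid of user"
  command:
    argv:
      - id
      - "-u"
      - "{{ container_run_as_user }}"
  register: container_run_as_uid
  check_mode: false  # Run even in check mode, to avoid fail with --check.
  changed_when: false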
# systemd --user (and rootless podman) need XDG_RUNTIME_DIR pointing at the
# user's runtime directory, which is keyed by uid.
- name: set systemd runtime dir
  set_fact:
    xdg_runtime_dir: "/run/user/{{ container_run_as_uid.stdout }}"
  changed_when: false
# Root counterpart of the rootless block above: system scope, /run/user/0.
# NOTE(review): service_files_dir is assigned to itself here; presumably this
# is meant to pin the role default as a host fact — verify, it is otherwise
# a no-op.
- name: set systemd scope to system if needed
  set_fact:
    systemd_scope: system
    service_files_dir: "{{ service_files_dir }}"
    xdg_runtime_dir: "/run/user/{{ container_run_as_uid.stdout }}"
  changed_when: false
  when: container_run_as_user == "root"
# Only needed when units are placed under /usr/local (the default system unit
# dir may not exist on a fresh host). Root-owned, world-readable, no write
# for group/others.
- name: create local systemd directory
  file:
    path: /usr/local/lib/systemd/system/
    state: directory
    owner: root
    group: root
    mode: u=rwX,go=rX
  become: true
  when: container_run_as_user == "root" and service_files_dir == '/usr/local/lib/systemd/system'
# Remembered before templating so a later task can tell "unit file changed"
# (restart needed) apart from "unit file created".
- name: check if service file exists already
  stat:
    path: "{{ service_files_dir }}/{{ service_name }}"
  register: service_file_before_template
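- name: do tasks when "{{ service_name }}" state is "running"
  block:
    # Rootless podman relies on unprivileged user namespaces. The sysctl is a
    # Debian-specific knob (the stat guards it); enabling it exposes more
    # kernel surface to unprivileged users on that host, so keep that in mind
    # when the host runs untrusted local accounts.
    - name: Check for user namespace support in kernel
      stat:
        path: /proc/sys/kernel/unprivileged_userns_clone
      register: unprivileged_userns_clone
      changed_when: false

    - name: Allow unprivileged users on Debian
      sysctl:
        name: kernel.unprivileged_userns_clone
        value: '1'
        state: present
        sysctl_file: /etc/sysctl.d/userns.conf
        sysctl_set: true
      when:
        - ansible_distribution == 'Debian'
        - unprivileged_userns_clone.stat.exists

    - name: Install rootless dependencies on Debian-based
      package:
        name: "{{ podman_dependencies_rootless }}"
        state: present
      when:
        - ansible_os_family == 'Debian'
        - container_run_as_user != 'root'

    - name: ensure podman is installed
      package:
        name: podman
        state: present
      when: not skip_podman_install

    # Not check_mode here: the account is created if it does not exist yet.
    - name: check user exists
      user:
        name: "{{ container_run_as_user }}"

    - name: Check subuid & subgid
      import_tasks: check_subid.yml

    # Image id before the pull; inspect exits non-zero when the image is not
    # present locally yet, which is expected, hence ignore_errors.
    # pre_pull_id/post_pull_id are presumably compared by a task outside this
    # file — verify before changing either.
    - name: running single container, get image Id if it exists and we are root
      # XXX podman doesn't work through sudo for non root users,
      # so skip preload if user
      # https://github.com/containers/libpod/issues/5570
      # command: podman inspect -f {{.Id}} "{{ container_image }}"
      command: "podman image inspect -f '{{ '{{' }}.Id{{ '}}' }}' {{ item }}"
      changed_when: false
      register: pre_pull_id
      ignore_errors: true
      when:
        - container_image_list is defined
        - container_image_list | length == 1
        - container_run_as_user == 'root'
      with_items: "{{ container_image_list }}"

    # NOTE(review): the registry credential is passed on every loop item;
    # consider no_log: true on this task (and the multi-image one below) so a
    # verbose run cannot echo it.
    - name: running single container, ensure we have up to date container image
      containers.podman.podman_image:
        name: "{{ item }}"
        force: true
        username: "{{ container_image_user | default(omit) }}"
        password: "{{ container_image_password | default(omit) }}"
      notify: restart service
      become: true
      become_user: "{{ container_run_as_user }}"
      when:
        - container_image_list is defined
        - container_image_list | length == 1
        - container_run_as_user == 'root'
      with_items: "{{ container_image_list }}"

    - name: running single container, get image Id if it exists
      command: "podman image inspect -f '{{ '{{' }}.Id{{ '}}' }}' {{ item }}"
      changed_when: false
      become: true
      become_user: "{{ container_run_as_user }}"
      register: post_pull_id
      ignore_errors: true
      when:
        - container_image_list is defined
        - container_image_list | length == 1
        - container_run_as_user == 'root'
      with_items: "{{ container_image_list }}"

    # NOTE(review): unlike the single-image task this one does not notify
    # "restart service" — confirm that is intentional for pods.
    - name: seems we use several container images, ensure all are up to date
      containers.podman.podman_image:
        name: "{{ item }}"
        force: true
        username: "{{ container_image_user | default(omit) }}"
        password: "{{ container_image_password | default(omit) }}"
      become: true
      become_user: "{{ container_run_as_user }}"
      when: container_image_list is defined and container_image_list | length > 1
      with_items: "{{ container_image_list }}"

    - name: Include pod yaml templating
      ansible.builtin.include_tasks: deploy_pod_yaml.yml
      when:
        - container_pod_yaml is defined
        - container_pod_yaml_deploy

    - name: if running pod, ensure configuration file exists
      stat:
        path: "{{ container_pod_yaml }}"
      register: pod_file
      when: container_pod_yaml is defined

    # Folded scalar without quoted lines: the previous form rendered the
    # message with literal double quotes around each part and a trailing
    # newline.
    - name: fail if pod configuration file is missing
      fail:
        msg: >-
          Error: Asking to run pod, but pod definition yaml file is missing:
          {{ container_pod_yaml }}
      when:
        - container_pod_yaml is defined
        - not pod_file.stat.exists

    # Lingering keeps the user's systemd instance (and so the container unit)
    # running without an open login session.
    - name: Check if user is lingering
      stat:
        path: "/var/lib/systemd/linger/{{ container_run_as_user }}"
      register: user_lingering
      when: container_run_as_user != "root"

    # argv: the user name is one argument, never word-split.
    - name: Enable lingering is needed
      command:
        argv:
          - loginctl
          - enable-linger
          - "{{ container_run_as_user }}"
      when:
        - container_run_as_user != "root"
        - not user_lingering.stat.exists

    # Only the "-v src:dst" spelling is parsed from container_run_args; a
    # "--volume" form would not be matched — TODO confirm that is acceptable.
    - name: "Ensure volume directories exist for {{ container_name }}"
      ansible.builtin.include_tasks: create_container_volume.yml
      loop: "{{ container_run_args | regex_findall('-v ([^:]*)') }}"
      when:
        - container_image_list is defined and container_image_list | length == 1
        - container_run_args is defined and container_run_args | length > 0
        - container_pod_yaml is undefined

    # mode is quoted: an unquoted 0644 is read as an octal integer by the
    # YAML parser and is flagged by ansible-lint (risky-octal).
    # NOTE(review): owner/group root is requested while becoming
    # container_run_as_user; for a non-root account a chown to root would not
    # be permitted — confirm the rootless path has been exercised.
    - name: "create systemd service file for container: {{ container_name }}"
      template:
        src: systemd-service-single.j2
        dest: "{{ service_files_dir }}/{{ service_name }}"
        owner: root
        group: root
        mode: "0644"
      become: true
      become_user: "{{ container_run_as_user }}"
      notify:
        - reload systemctl
        - start service
        - enable service
      register: service_file
      when: container_image_list is defined and container_image_list | length == 1

    - name: "create systemd service file for pod: {{ container_name }}"
      template:
        src: systemd-service-pod.j2
        dest: "{{ service_files_dir }}/{{ service_name }}"
        owner: root
        group: root
        mode: "0644"
      notify:
        - reload systemctl
        - start service
        - enable service
      register: service_file
      when: container_image_list is defined and container_image_list | length > 1

    # A pre-existing unit file that was rewritten means the running service
    # must pick up the new definition; a freshly created one is only started.
    - name: "ensure {{ service_name }} is restarted due config change"
      debug:
        msg: "config has changed:"
      changed_when: true
      notify: restart service
      when:
        - service_file_before_template.stat.exists
        - service_file.changed

    - name: ensure auto update is running for images
      become: true
      become_user: "{{ container_run_as_user }}"
      environment:
        XDG_RUNTIME_DIR: "{{ xdg_runtime_dir }}"
      systemd:
        name: podman-auto-update.timer
        daemon_reload: true
        scope: "{{ systemd_scope }}"
        state: started
        enabled: true
  when: container_state == "running"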
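# Runs whenever ports are declared, for every container_state: ports are
# opened for "running" and closed again otherwise.
- name: configure firewall if container_firewall_ports is defined
  block:
    - name: set firewall ports state to enabled when container state is running
      set_fact:
        fw_state: enabled
      when: container_state == "running"

    - name: disable firewall ports state when container state is not running
      set_fact:
        fw_state: disabled
      when: container_state != "running"

    # Block-style module args instead of the key=value shorthand.
    - name: ensure firewalld is installed
      tags: firewall
      package:
        name: firewalld
        state: present
      become: true
      when: ansible_pkg_mgr != "atomic_container"

    # rpm-ostree exits 77 when the package was already layered (nothing to
    # do) and 0 when it was just added; anything else is a real failure.
    - name: ensure firewalld is installed (on fedora-iot)
      tags: firewall
      command: >-
        rpm-ostree install --idempotent --unchanged-exit-77
        --allow-inactive firewalld
      register: ostree
      failed_when: ostree.rc not in [0, 77]
      changed_when: ostree.rc != 77
      when: ansible_pkg_mgr == "atomic_container"

    # ostree is only registered on atomic hosts; the pkg_mgr test comes first
    # so the rc check is never evaluated when the variable is undefined.
    - name: reboot if new stuff was installed
      reboot:
        reboot_timeout: 300
      when:
        - ansible_pkg_mgr == "atomic_container"
        - ostree.rc != 77

    - name: ensure firewall service is running
      tags: firewall
      service:
        name: firewalld
        state: started

    # permanent + immediate: persisted across reloads and applied now.
    - name: ensure container's exposed ports firewall state
      tags: firewall
      ansible.posix.firewalld:
        port: "{{ item }}"
        permanent: true
        immediate: true
        state: "{{ fw_state }}"
      become: true
      with_items: "{{ container_firewall_ports }}"

    - name: Force all notified handlers to run at this point
      meta: flush_handlers
  when: container_firewall_ports is defined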
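# Teardown for container_state "absent": stop and disable the unit, remove
# the unit file, drop lingering for a non-root user, remove the pod yaml.
- name: do cleanup stuff when container_state is "absent"
  block:
    # Both systemd tasks are skipped when no unit file existed before this
    # run (nothing to stop).
    - name: ensure "{{ service_name }}" is disabled at boot
      become: true
      become_user: "{{ container_run_as_user }}"
      # become_method: machinectl
      environment:
        XDG_RUNTIME_DIR: "{{ xdg_runtime_dir }}"
      systemd:
        name: "{{ service_name }}"
        enabled: false
        scope: "{{ systemd_scope }}"
      when:
        - service_file_before_template.stat.exists

    - name: ensure "{{ service_name }}" is stopped
      become: true
      become_user: "{{ container_run_as_user }}"
      # become_method: machinectl
      environment:
        XDG_RUNTIME_DIR: "{{ xdg_runtime_dir }}"
      systemd:
        name: "{{ service_name }}"
        state: stopped
        enabled: false
        scope: "{{ systemd_scope }}"
      when:
        - service_file_before_template.stat.exists

    - name: clean up systemd service file
      file:
        path: "{{ service_files_dir }}/{{ service_name }}"
        state: absent
      become: true
      notify: reload systemctl

    - name: Force all notified handlers to run at this point
      meta: flush_handlers

    - name: Check if user is lingering
      stat:
        path: "/var/lib/systemd/linger/{{ container_run_as_user }}"
      register: user_lingering
      when: container_run_as_user != "root"

    # disable-linger affects the whole user session manager, i.e. every
    # lingering user unit of this account, not just this container's — which
    # is the doubt voiced in the task name. argv keeps the user name a single
    # argument.
    - name: Disable lingering (are we sure we want to do this always?)
      command:
        argv:
          - loginctl
          - disable-linger
          - "{{ container_run_as_user }}"
      when:
        - container_run_as_user != "root"
        - user_lingering.stat.exists

    - name: clean up pod configuration file
      file:
        path: "{{ container_pod_yaml }}"
        state: absent
      when: container_pod_yaml is defined
  when: container_state == "absent"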