From e720d245260b1e53ca6c3e324eb37a68d8fcb458 Mon Sep 17 00:00:00 2001
From: Christian Erb <48429764+c-erb@users.noreply.github.com>
Date: Thu, 10 Feb 2022 17:32:29 +0100
Subject: [PATCH] Folder creation for volumes (containers) (#55)
* Added folder creation for volumes (containers, not pods) First it checks if the folder already exists and if it does, it won't adjust any permissions. This helps if podman can't manage the permissions correctly. It allows for changing the owner and group in case it is needed to set a specific UID and GID. It also allows to change the mode. I added explanations for :U as well, which tells podman to change the permissions to the container user recuresively. This works if the service inside the container doesn't run with a different user than the container.
---
 README.md | 23 ++++++++++++-----------
 tasks/create_container_volume.yml | 16 ++++++++++++++++
 tasks/main.yml | 8 ++++++++
 3 files changed, 36 insertions(+), 11 deletions(-)
 create mode 100644 tasks/create_container_volume.yml
diff --git a/README.md b/README.md
index 607c614..b49f376 100644
--- a/README.md
+++ b/README.md
@@ -19,11 +19,11 @@ What role does:
 and restarts container if image changed (not for pod yet)
 * creates systemd file for container or pod
 * creates kubernetes yaml for pod
+ * creates volume directories for containers if they do not exist. (for pod use DirectoryOrCreate)
 * set's container or pod to be always automatically restarted if container dies.
 * makes container or pod enter run state at system boot
 * adds or removes containers exposed ports to firewall.
 * It takes parameter for running rootless containers under given user
- (I didn't test this with pod mode yet)
 For reference, see these two blogs about the role:
 * [Automate Podman Containers with Ansible 1/2](https://redhatnordicssa.github.io/ansible-podman-containers-1)
@@ -72,8 +72,16 @@ note that some options apply only to other method.
 - ```container_cmd_args``` - Any command and arguments passed to podman-run after specifying the image name. Not used for pod.
 - ```container_run_as_user``` - Which user should systemd run container as. Defaults to root.
-- ```container_run_as_group``` - Which grou should systemd run container as.
+- ```container_run_as_group``` - Which group should systemd run container as.
 Defaults to root.
+- ```container_dir_owner``` - Which owner should the volume dirs have.
+ Defaults to container_run_as_user.
+ If you use :U as a volume option podman will set the permissions for the user inside the container automatically.
+ Quote: The :U suffix tells Podman to use the correct host UID and GID based on the UID and GID within the container, to change recursively the owner and group of the source volume. Warning use with caution since this will modify the host filesystem.
+- ```container_dir_group``` - Which group should the volume dirs have.
+ Defaults to container_run_as_group.
+- ```container_dir_mode``` - Which permissions should the volume dirs have.
+ Defaults to '0755'.
 - ```container_state``` - container is installed and run if state is ```running```, and stopped and systemd file removed if ```absent```
 - ```container_firewall_ports``` - list of ports you have exposed from container
@@ -128,7 +136,7 @@ Root container:
 container_name: lighttpd
 container_run_args: >-
 --rm
- -v /tmp/podman-container-systemd:/var/www/localhost/htdocs:Z
+ -v /tmp/podman-container-systemd:/var/www/localhost/htdocs:Z,U
 --label "io.containers.autoupdate=image"
 -p 8080:80
 #container_state: absent
@@ -148,13 +156,6 @@ Rootless container:
 name: rootless_user
 comment: I run sample container
-- name: ensure directory
- file:
- name: /tmp/podman-container-systemd
- owner: rootless_user
- group: rootless_user
- state: directory
-
 - name: tests container
 vars:
 container_run_as_user: rootless_user
@@ -164,7 +165,7 @@ Rootless container:
 container_name: lighttpd
 container_run_args: >-
 --rm
- -v /tmp/podman-container-systemd:/var/www/localhost/htdocs:Z
+ -v /tmp/podman-container-systemd:/var/www/localhost/htdocs:Z,U
 -p 8080:80
 #container_state: absent
 container_state: running
diff --git a/tasks/create_container_volume.yml b/tasks/create_container_volume.yml
new file mode 100644
index 0000000..7091fef
--- /dev/null
+++ b/tasks/create_container_volume.yml
@@ -0,0 +1,16 @@
+---
+- name: Check if {{ item }} is existing
+ become: yes
+ ansible.builtin.stat:
+ path: "{{ item }}"
+ register: _container_folder
+- name: Create directory {{ item }} and set permissions
+ become: yes
+ ansible.builtin.file:
+ path: "{{ item }}"
+ owner: "{{ container_dir_owner|default(container_run_as_user) }}"
+ group: "{{ container_dir_group|default(container_run_as_group) }}"
+ mode: '{{ container_dir_mode|default(omit) }}'
+ state: directory
+ when: not (_container_folder.stat.isdir is defined and _container_folder.stat.isdir)
diff --git a/tasks/main.yml b/tasks/main.yml
index acf90aa..925f9ff 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -187,6 +187,14 @@
 - container_run_as_user != "root"
 - not user_lingering.stat.exists
+ - name: "Ensure volume directories exist for {{ container_name }}"
+ ansible.builtin.include_tasks: create_container_volume.yml
+ loop: "{{ container_run_args | regex_findall('-v ([^:]*)') }}"
+ when:
+ - container_image_list is defined and container_image_list | length == 1
+ - container_run_args is defined and container_run_args | length > 0
+ - container_pod_yaml is undefined
+
 - name: "create systemd service file for container: {{ container_name }}"
 template:
 src: systemd-service-single.j2
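Review bot: The `mode:` line in the new create_container_volume.yml falls back to `omit`, so a directory created here gets whatever mode the remote umask produces, while the README hunk in this same commit documents the default as '0755'; the two should agree, for example `mode: "{{ container_dir_mode | default('0755') }}"` if the documented value is the intended one. Because the `when:` on the second task skips it whenever the path is already a directory, a pre-existing directory keeps its current owner, group and mode, which deserves a comment above that line such as `# Existing directories are left untouched: owner/group/mode are applied only on creation`. If the path exists as a regular file, the file module refuses to turn it into a directory and fails the play, which is the safe outcome but worth a second comment. The two `become: yes` values would read better as `become: true`, the canonical boolean form.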
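Review bot: The `loop:` regex `-v ([^:]*)` in the tasks/main.yml hunk captures the host side of every `-v` argument, including named volumes such as `-v data:/srv`, so `item` becomes the bare name `data` and the included file creates a relative directory, chowned to `container_run_as_user`, under the remote task's working directory instead of leaving the volume to podman. Restricting the loop to absolute host paths avoids that: `loop: "{{ container_run_args | regex_findall('-v ([^:]*)') | select('match', '^/') | list }}"` (widen to `'^[./]'` if relative bind-mount paths are in use). The pattern also never sees the `--volume`, `-v=` or `--mount type=bind` spellings, which may be acceptable but should be stated in a comment above the loop, e.g. `# Only "-v <host-path>:..." bind mounts are pre-created; --volume/--mount and named volumes are left to podman`. The hunk begins inside the `when:` list of the preceding task and ends inside the template task that follows, so both of those continue outside the hunk.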