From 33dd4e8c30db8e91c6202e91c8db7e79f94b3cd6 Mon Sep 17 00:00:00 2001 From: Robert Kaussow Date: Fri, 28 Jul 2023 21:59:01 +0200 Subject: [PATCH] refactor: drop rootless support (#1) Reviewed-on: https://gitea.rknet.org/ansible/xoxys.podman/pulls/1 Co-authored-by: Robert Kaussow Co-committed-by: Robert Kaussow --- .drone.jsonnet | 8 +- .drone.yml | 9 ++- defaults/main.yml | 14 +++- molecule/default | 2 +- molecule/{rocky8 => rocky9}/converge.yml | 0 molecule/{rocky8 => rocky9}/create.yml | 0 molecule/rocky9/default | 1 + molecule/{rocky8 => rocky9}/destroy.yml | 0 molecule/{rocky8 => rocky9}/molecule.yml | 4 +- molecule/{rocky8 => rocky9}/prepare.yml | 0 .../{rocky8 => rocky9}/tests/test_default.py | 7 +- tasks/main.yml | 61 ++++++++++++++- tasks/setup.yml | 76 ------------------- templates/etc/containers/containers.conf.j2 | 6 +- templates/etc/containers/storage.conf.j2 | 4 +- 15 files changed, 92 insertions(+), 100 deletions(-) rename molecule/{rocky8 => rocky9}/converge.yml (100%) rename molecule/{rocky8 => rocky9}/create.yml (100%) create mode 120000 molecule/rocky9/default rename molecule/{rocky8 => rocky9}/destroy.yml (100%) rename molecule/{rocky8 => rocky9}/molecule.yml (91%) rename molecule/{rocky8 => rocky9}/prepare.yml (100%) rename molecule/{rocky8 => rocky9}/tests/test_default.py (58%) delete mode 100644 tasks/setup.yml diff --git a/.drone.jsonnet b/.drone.jsonnet index b58970d..226614e 100644 --- a/.drone.jsonnet +++ b/.drone.jsonnet @@ -41,7 +41,7 @@ local PipelineLinting = { }, }; -local PipelineDeployment(scenario='rocky8') = { +local PipelineDeployment(scenario='rocky9') = { kind: 'pipeline', name: 'testing-' + scenario, platform: { @@ -71,7 +71,7 @@ local PipelineDeployment(scenario='rocky8') = { 'linting', ], trigger: { - ref: ['refs/heads/main', 'refs/tags/**'], + ref: ['refs/heads/main', 'refs/tags/**', 'refs/pull/**'], }, }; 
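Review bot: Adding `'refs/pull/**'` to the trigger of PipelineDeployment widens the events that can start a job holding `HCLOUD_TOKEN` (the step context in .drone.yml shows it taken from the `hcloud_token` secret), so a pull request from an external fork could now provision cloud servers with that token if Drone exposes the secret to pull-request events. The same trigger change is made in the generated .drone.yml (`- refs/pull/**`). If the secret is deliberately limited to non-PR events on the server side this is fine, but that decision is not visible here; either keep the deployment trigger at `['refs/heads/main', 'refs/tags/**']` or record the assumption next to the trigger, e.g. `// PR builds run with hcloud_token; the secret must stay restricted to trusted sources`.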
@@ -115,7 +115,7 @@ local PipelineDocumentation = { ref: ['refs/heads/main', 'refs/tags/**', 'refs/pull/**'], }, depends_on: [ - 'testing-rocky8', + 'testing-rocky9', ], }; @@ -153,7 +153,7 @@ local PipelineNotification = { [ PipelineLinting, - PipelineDeployment(scenario='rocky8'), + PipelineDeployment(scenario='rocky9'), PipelineDocumentation, PipelineNotification, ] diff --git a/.drone.yml b/.drone.yml index ab5cbeb..dbd0dbe 100644 --- a/.drone.yml +++ b/.drone.yml @@ -36,7 +36,7 @@ trigger: --- kind: pipeline -name: testing-rocky8 +name: testing-rocky9 platform: os: linux @@ -53,7 +53,7 @@ steps: - name: ansible-molecule image: thegeeklab/molecule:4 commands: - - molecule test -s rocky8 + - molecule test -s rocky9 environment: HCLOUD_TOKEN: from_secret: hcloud_token @@ -62,6 +62,7 @@ trigger: ref: - refs/heads/main - refs/tags/** + - refs/pull/** depends_on: - linting @@ -107,7 +108,7 @@ trigger: - refs/pull/** depends_on: - - testing-rocky8 + - testing-rocky9 --- kind: pipeline @@ -147,6 +148,6 @@ depends_on: --- kind: signature -hmac: 0a198d7d6b43b7f522c4ee73dc7464ff4b5dc379f9555b4b49ea5b3dd6e8c1cb +hmac: 81536c79ea3dcf2f503450427b9aa5faeb29d613cb1da19b8605010295561341 ... diff --git a/defaults/main.yml b/defaults/main.yml index 3f05091..fb93c41 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,4 +7,16 @@ podman_sebooleans: podman_containers_logger: journald podman_engine_event_logger: journald -podman_systemd_home_basedir: /var/lib/rootless +podman_nsremap_range_start: 231072 +podman_nsremap_range_length: 65536 + +# @var podman_registries:description: List of docker registries to auto login +# @var podman_registries:example: > +# podman_registries: +# - registry: myregistry.example.com (optional) +# username: docker +# password: secure +# reauthorize: False +# state: present +# @end +podman_registries: [] diff --git a/molecule/default b/molecule/default index 62ea184..afa9fc6 120000 --- a/molecule/default +++ b/molecule/default 
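Review bot: The `@var podman_registries:example` block documents the registry key as `registry:` (and a `reauthorize:` field), but the new `Handle registry logins` task in tasks/main.yml reads `item.url` for both the `registry` argument and the loop label, and never reads `reauthorize`, so an entry written as documented is silently treated as the default registry. Align one side with the other: rename the example key to `url: myregistry.example.com (optional)` and drop `reauthorize: False` unless the task is extended to pass it. The new `podman_nsremap_range_start` / `podman_nsremap_range_length` keys have no `@var` description; a line such as `# @var podman_nsremap_range_start:description: Start of the containers: subuid/subgid range used by userns = "auto"` would explain why changing them must not overlap ranges already allocated to other users.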
@@ -1 +1 @@ -rocky8 \ No newline at end of file +rocky9 \ No newline at end of file diff --git a/molecule/rocky8/converge.yml b/molecule/rocky9/converge.yml similarity index 100% rename from molecule/rocky8/converge.yml rename to molecule/rocky9/converge.yml diff --git a/molecule/rocky8/create.yml b/molecule/rocky9/create.yml similarity index 100% rename from molecule/rocky8/create.yml rename to molecule/rocky9/create.yml diff --git a/molecule/rocky9/default b/molecule/rocky9/default new file mode 120000 index 0000000..331d858 --- /dev/null +++ b/molecule/rocky9/default @@ -0,0 +1 @@ +default \ No newline at end of file diff --git a/molecule/rocky8/destroy.yml b/molecule/rocky9/destroy.yml similarity index 100% rename from molecule/rocky8/destroy.yml rename to molecule/rocky9/destroy.yml diff --git a/molecule/rocky8/molecule.yml b/molecule/rocky9/molecule.yml similarity index 91% rename from molecule/rocky8/molecule.yml rename to molecule/rocky9/molecule.yml index 0d085dd..73cfed1 100644 --- a/molecule/rocky8/molecule.yml +++ b/molecule/rocky9/molecule.yml @@ -9,8 +9,8 @@ dependency: driver: name: delegated platforms: - - name: rocky8-podman - image: rocky-8 + - name: rocky9-podman + image: rocky-9 server_type: cx11 lint: | /usr/local/bin/flake8 diff --git a/molecule/rocky8/prepare.yml b/molecule/rocky9/prepare.yml similarity index 100% rename from molecule/rocky8/prepare.yml rename to molecule/rocky9/prepare.yml diff --git a/molecule/rocky8/tests/test_default.py b/molecule/rocky9/tests/test_default.py similarity index 58% rename from molecule/rocky8/tests/test_default.py rename to molecule/rocky9/tests/test_default.py index dc268a3..b35a03b 100644 --- a/molecule/rocky8/tests/test_default.py +++ b/molecule/rocky9/tests/test_default.py 
@@ -8,13 +8,12 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( ).get_hosts("all") -@pytest.mark.parametrize("package", ["podman", "crun", "slirp4netns"]) -def test_podman_installed(host, package): - assert host.package(package).is_installed +def test_podman_installed(host): + assert host.package("podman").is_installed def test_podman_run(host): cmd = host.run("/usr/bin/podman info") - assert "cgroupVersion: v1" in cmd.stdout + assert "cgroupVersion: v2" in cmd.stdout assert cmd.succeeded diff --git a/tasks/main.yml b/tasks/main.yml index 1f69f7a..bd9810e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
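Review bot: `test_podman_installed` now only checks `podman`, while containers.conf.j2 still pins `runtime = "crun"` (context in the template hunk) and the package task in tasks/main.yml no longer installs `crun` explicitly, so nothing verifies that the configured runtime is present on Rocky 9; it is presumably pulled in as a dependency of podman, but the old parametrized test made that explicit. Keeping `@pytest.mark.parametrize("package", ["podman", "crun"])` with `def test_podman_installed(host, package):` and `assert host.package(package).is_installed` would retain that check, assuming the `pytest` import above the hunk was not removed. The hard-coded `cgroupVersion: v2` assertion in `test_podman_run` is tied to the pinned rocky-9 image and will need revisiting when the scenario image changes.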
@@ -1,2 +1,61 @@ --- -- include_tasks: setup.yml +- block: + - name: Ensure required packages are installed + package: + name: "{{ item }}" + state: "present" + loop: + - podman + - container-selinux + - bash-completion + + - name: Install Podman bash-completion + command: + cmd: "podman completion bash -f /etc/bash_completion.d/podman" + creates: "/etc/bash_completion.d/podman" + + - name: Deploy container configuration + template: + src: etc/containers/containers.conf.j2 + dest: /etc/containers/containers.conf + owner: root + group: root + mode: 0644 + + - name: Deploy storage configuration + template: + src: etc/containers/storage.conf.j2 + dest: /etc/containers/storage.conf + owner: root + group: root + mode: 0644 + + - name: Set SELinux booleans + seboolean: + name: "{{ item.name }}" + state: "{{ item.state | bool }}" + persistent: "{{ item.persistent | default(True) | bool }}" + loop: "{{ podman_sebooleans }}" + loop_control: + label: "{{ item.name }}: {{ item.state | bool }}" + + - name: Configure namespace id range + lineinfile: + dest: "{{ item }}" + regexp: "^containers:" + line: "containers:{{ podman_nsremap_range_start }}:{{ podman_nsremap_range_length }}" + loop: + - /etc/subuid + - /etc/subgid + + - name: Handle registry logins + containers.podman.podman_login: + registry: "{{ item.url | default(omit) }}" + username: "{{ item.username }}" + password: "{{ item.password }}" + state: '{{ item.state | default("present") }}' + loop: "{{ podman_registries }}" + loop_control: + label: "{{ item.url }}" + become: True + become_user: root diff --git a/tasks/setup.yml b/tasks/setup.yml deleted file mode 100644 index 5200370..0000000 --- a/tasks/setup.yml +++ /dev/null 
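Review bot: `loop_control.label: "{{ item.url }}"` in `Handle registry logins` raises an undefined-variable error for any entry that omits `url`, even though the `registry` argument defaults to `omit` for exactly that case; `label: "{{ item.url | default('default registry') }}"` keeps the display working. The loop item also carries `item.password` in clear text, and the label only changes the one-line display, so add `no_log: true` to that task so verbose runs and registered results do not echo credentials. The `Configure namespace id range` task writes `containers:{{ podman_nsremap_range_start }}:{{ podman_nsremap_range_length }}` with a `^containers:` match but does not guard against the range overlapping entries of other users in /etc/subuid and /etc/subgid; a short comment above the task stating that the defaults must be kept clear of existing allocations would help the next maintainer.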
@@ -1,76 +0,0 @@ ---- -- block: - - name: Ensure required packages are installed - package: - name: "{{ item }}" - state: "present" - loop: - - podman - - slirp4netns - - fuse-overlayfs - - crun - - container-selinux - - bash-completion - - - name: Install Podman bash-completion - command: - cmd: "podman completion bash -f /etc/bash_completion.d/podman" - creates: "/etc/bash_completion.d/podman" - - - name: Deploy container configuration - template: - src: etc/containers/containers.conf.j2 - dest: /etc/containers/containers.conf - owner: root - group: root - mode: 0644 - - - name: Deploy storage configuration - template: - src: etc/containers/storage.conf.j2 - dest: /etc/containers/storage.conf - owner: root - group: root - mode: 0644 - - - name: Set SELinux booleans - seboolean: - name: "{{ item.name }}" - state: "{{ item.state | bool }}" - persistent: "{{ item.persistent | default(True) | bool }}" - loop: "{{ podman_sebooleans }}" - loop_control: - label: "{{ item.name }}: {{ item.state | bool }}" - - - name: Create journal log dir - file: - path: /var/log/journal - state: directory - owner: root - group: systemd-journal - mode: 02755 - - - name: Create home basedir for systemd users - file: - path: "{{ podman_systemd_home_basedir }}" - state: directory - owner: root - group: root - mode: 0755 - register: __podman_home_basedir - become: True - become_user: root - -- block: - - name: Set SELinux context for home basedir - command: semanage fcontext -a -e /home "{{ podman_systemd_home_basedir }}" - register: __podman_home_fcontext - failed_when: - - __podman_home_fcontext.rc != 0 - - "'already exists' not in __podman_home_fcontext.stderr" - - - name: Apply new SELinux file context to filesystem - command: restorecon -R "{{ podman_systemd_home_basedir }}" - when: __podman_home_basedir.changed - become: True - become_user: root diff --git a/templates/etc/containers/containers.conf.j2 b/templates/etc/containers/containers.conf.j2 index f0b9dcb..2038eaa 100644 
--- a/templates/etc/containers/containers.conf.j2 +++ b/templates/etc/containers/containers.conf.j2 @@ -1,6 +1,5 @@ #jinja2: lstrip_blocks: True {{ ansible_managed | comment }} - # The containers configuration file specifies all of the available configuration # command-line options/flags for container engine tools like Podman & Buildah, # but in a TOML format that can be easily modified and versioned. @@ -19,7 +18,6 @@ [containers] default_capabilities = [ - "NET_RAW", "CHOWN", "DAC_OVERRIDE", "FOWNER", @@ -30,7 +28,6 @@ default_capabilities = [ "SETGID", "SETPCAP", "SETUID", - "SYS_CHROOT" ] default_sysctls = [ @@ -38,7 +35,7 @@ default_sysctls = [ ] log_driver = "{{ podman_containers_logger }}" -rootless_networking = "slirp4netns" +userns = "auto" [secrets] @@ -48,7 +45,6 @@ rootless_networking = "slirp4netns" [engine] events_logger = "{{ podman_engine_event_logger }}" -infra_image = "registry.access.redhat.com/ubi8/pause" runtime = "crun" [engine.runtimes] diff --git a/templates/etc/containers/storage.conf.j2 b/templates/etc/containers/storage.conf.j2 index 3759374..71bb530 100644 --- a/templates/etc/containers/storage.conf.j2 +++ b/templates/etc/containers/storage.conf.j2 @@ -7,14 +7,14 @@ driver = "overlay" runroot = "/run/containers/storage" graphroot = "/var/lib/containers/storage" -rootless_storage_path = "$HOME/.local/share/containers/storage" [storage.options] additionalimagestores = [ ] +pull_options = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""} + [storage.options.overlay] -mount_program = "/usr/bin/fuse-overlayfs" mountopt = "nodev,metacopy=on" [storage.options.thinpool]
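Review bot: `userns = "auto"` depends on the `containers:` entries that tasks/main.yml now writes to /etc/subuid and /etc/subgid, but nothing in the template says so, and a reader editing only this file would not know the range is managed elsewhere. Add above the key: `# "auto" allocates a per-container user namespace from the containers: entry in /etc/subuid and /etc/subgid, managed by tasks/main.yml via podman_nsremap_range_*`. Removing `"NET_RAW"` and `"SYS_CHROOT"` from `default_capabilities` narrows the default capability set; a one-line comment that the reduction is intentional and that workloads needing raw sockets must opt in with `--cap-add` would keep it from being reverted as a regression.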
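Review bot: `pull_options = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""}` mixes spacing inside the inline table; `ostree_repos = ""` would match the other two pairs and the `key = value` style used throughout storage.conf.j2. The quoted `"false"` values should stay as they are, since the consumer reads this table as strings.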