refactor: drop rootless support (#1)

Reviewed-on: #1
Co-authored-by: Robert Kaussow <mail@thegeeklab.de>
Co-committed-by: Robert Kaussow <mail@thegeeklab.de>
Robert Kaussow 2023-07-28 21:59:01 +02:00 committed by Robert Kaussow
parent acc47fe0b2
commit 33dd4e8c30
15 changed files with 92 additions and 100 deletions


@ -41,7 +41,7 @@ local PipelineLinting = {
}, },
}; };
local PipelineDeployment(scenario='rocky8') = { local PipelineDeployment(scenario='rocky9') = {
kind: 'pipeline', kind: 'pipeline',
name: 'testing-' + scenario, name: 'testing-' + scenario,
platform: { platform: {
@ -71,7 +71,7 @@ local PipelineDeployment(scenario='rocky8') = {
'linting', 'linting',
], ],
trigger: { trigger: {
ref: ['refs/heads/main', 'refs/tags/**'], ref: ['refs/heads/main', 'refs/tags/**', 'refs/pull/**'],
}, },
}; };
@ -115,7 +115,7 @@ local PipelineDocumentation = {
ref: ['refs/heads/main', 'refs/tags/**', 'refs/pull/**'], ref: ['refs/heads/main', 'refs/tags/**', 'refs/pull/**'],
}, },
depends_on: [ depends_on: [
'testing-rocky8', 'testing-rocky9',
], ],
}; };
@ -153,7 +153,7 @@ local PipelineNotification = {
[ [
PipelineLinting, PipelineLinting,
PipelineDeployment(scenario='rocky8'), PipelineDeployment(scenario='rocky9'),
PipelineDocumentation, PipelineDocumentation,
PipelineNotification, PipelineNotification,
] ]
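Review bot: Extending the deployment pipeline's trigger to `'refs/pull/**'` (the `ref:` line in the third hunk) means the molecule job, which in the generated .drone.yml consumes `HCLOUD_TOKEN` via `from_secret: hcloud_token`, now also runs for pull requests; whether a fork PR can reach that secret then depends on the secret's pull-request setting in Drone, which this change does not mention. If the intent is to run only trusted PRs, state the assumption next to the trigger, e.g. `// runs on PRs: the hcloud_token secret must stay restricted to trusted builds`. The same addition appears in the generated .drone.yml hunk (`- refs/pull/**`), so the note applies there too.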


@ -36,7 +36,7 @@ trigger:
--- ---
kind: pipeline kind: pipeline
name: testing-rocky8 name: testing-rocky9
platform: platform:
os: linux os: linux
@ -53,7 +53,7 @@ steps:
- name: ansible-molecule - name: ansible-molecule
image: thegeeklab/molecule:4 image: thegeeklab/molecule:4
commands: commands:
- molecule test -s rocky8 - molecule test -s rocky9
environment: environment:
HCLOUD_TOKEN: HCLOUD_TOKEN:
from_secret: hcloud_token from_secret: hcloud_token
@ -62,6 +62,7 @@ trigger:
ref: ref:
- refs/heads/main - refs/heads/main
- refs/tags/** - refs/tags/**
- refs/pull/**
depends_on: depends_on:
- linting - linting
@ -107,7 +108,7 @@ trigger:
- refs/pull/** - refs/pull/**
depends_on: depends_on:
- testing-rocky8 - testing-rocky9
--- ---
kind: pipeline kind: pipeline
@ -147,6 +148,6 @@ depends_on:
--- ---
kind: signature kind: signature
hmac: 0a198d7d6b43b7f522c4ee73dc7464ff4b5dc379f9555b4b49ea5b3dd6e8c1cb hmac: 81536c79ea3dcf2f503450427b9aa5faeb29d613cb1da19b8605010295561341
... ...


@ -7,4 +7,16 @@ podman_sebooleans:
podman_containers_logger: journald podman_containers_logger: journald
podman_engine_event_logger: journald podman_engine_event_logger: journald
podman_systemd_home_basedir: /var/lib/rootless podman_nsremap_range_start: 231072
podman_nsremap_range_length: 65536
# @var podman_registries:description: List of docker registries to auto login
# @var podman_registries:example: >
# podman_registries:
# - registry: myregistry.example.com (optional)
# username: docker
# password: secure
# reauthorize: False
# state: present
# @end
podman_registries: []
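Review bot: The `podman_registries` example documents a `registry:` key and a `reauthorize:` key, but the new "Handle registry logins" task in tasks/main.yml reads `item.url` and never passes `reauthorize`, so a user following this example would get an unset registry and an ignored option. Align the example with the task, e.g. `# - url: myregistry.example.com (optional)`, and drop the `# reauthorize: False` line unless the task is extended to use it. Since the list carries plaintext credentials, the example could also hint at the expected handling, e.g. `# password: "{{ vault_registry_password }}"` in place of a literal.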


@ -1 +1 @@
rocky8 rocky9

molecule/rocky9/default Symbolic link

@ -0,0 +1 @@
default


@ -9,8 +9,8 @@ dependency:
driver: driver:
name: delegated name: delegated
platforms: platforms:
- name: rocky8-podman - name: rocky9-podman
image: rocky-8 image: rocky-9
server_type: cx11 server_type: cx11
lint: | lint: |
/usr/local/bin/flake8 /usr/local/bin/flake8


@ -8,13 +8,12 @@ testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
).get_hosts("all") ).get_hosts("all")
@pytest.mark.parametrize("package", ["podman", "crun", "slirp4netns"]) def test_podman_installed(host):
def test_podman_installed(host, package): assert host.package("podman").is_installed
assert host.package(package).is_installed
def test_podman_run(host): def test_podman_run(host):
cmd = host.run("/usr/bin/podman info") cmd = host.run("/usr/bin/podman info")
assert "cgroupVersion: v1" in cmd.stdout assert "cgroupVersion: v2" in cmd.stdout
assert cmd.succeeded assert cmd.succeeded
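Review bot: Dropping the parametrized package check leaves `crun` unverified even though the containers.conf template in this commit still pins `runtime = "crun"` and tasks/main.yml no longer installs it explicitly; on EL9 podman may pull crun in as a dependency, but the test was the only place that confirmed the configured runtime is actually present. Keeping the parametrization with the still-required packages preserves that guarantee: `@pytest.mark.parametrize("package", ["podman", "crun"])` / `def test_podman_installed(host, package):` / `assert host.package(package).is_installed`. The `cgroupVersion: v2` assertion is fine for Rocky 9 but ties the test to the host default; a comment such as `# Rocky 9 boots with cgroups v2 by default` would make the expectation explicit.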


@ -1,2 +1,61 @@
--- ---
- include_tasks: setup.yml - block:
- name: Ensure required packages are installed
package:
name: "{{ item }}"
state: "present"
loop:
- podman
- container-selinux
- bash-completion
- name: Install Podman bash-completion
command:
cmd: "podman completion bash -f /etc/bash_completion.d/podman"
creates: "/etc/bash_completion.d/podman"
- name: Deploy container configuration
template:
src: etc/containers/containers.conf.j2
dest: /etc/containers/containers.conf
owner: root
group: root
mode: 0644
- name: Deploy storage configuration
template:
src: etc/containers/storage.conf.j2
dest: /etc/containers/storage.conf
owner: root
group: root
mode: 0644
- name: Set SELinux booleans
seboolean:
name: "{{ item.name }}"
state: "{{ item.state | bool }}"
persistent: "{{ item.persistent | default(True) | bool }}"
loop: "{{ podman_sebooleans }}"
loop_control:
label: "{{ item.name }}: {{ item.state | bool }}"
- name: Configure namespace id range
lineinfile:
dest: "{{ item }}"
regexp: "^containers:"
line: "containers:{{ podman_nsremap_range_start }}:{{ podman_nsremap_range_length }}"
loop:
- /etc/subuid
- /etc/subgid
- name: Handle registry logins
containers.podman.podman_login:
registry: "{{ item.url | default(omit) }}"
username: "{{ item.username }}"
password: "{{ item.password }}"
state: '{{ item.state | default("present") }}'
loop: "{{ podman_registries }}"
loop_control:
label: "{{ item.url }}"
become: True
become_user: root
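Review bot: In "Handle registry logins" the `registry:` argument tolerates a missing key with `item.url | default(omit)`, but `loop_control.label: "{{ item.url }}"` does not, so an entry that relies on the default registry fails on an undefined variable before the module runs. Use a defaulted label, e.g. `label: "{{ item.url | default('default registry') }}"`. Because each loop item carries a plaintext password, adding `no_log: true` to this task keeps the credential out of failure and verbose output regardless of what the module masks itself. The "Configure namespace id range" task writes the `containers:` entry that the template's `userns = "auto"` depends on; a one-line comment saying so above the task would make the coupling visible to maintainers.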


@ -1,76 +0,0 @@
---
- block:
- name: Ensure required packages are installed
package:
name: "{{ item }}"
state: "present"
loop:
- podman
- slirp4netns
- fuse-overlayfs
- crun
- container-selinux
- bash-completion
- name: Install Podman bash-completion
command:
cmd: "podman completion bash -f /etc/bash_completion.d/podman"
creates: "/etc/bash_completion.d/podman"
- name: Deploy container configuration
template:
src: etc/containers/containers.conf.j2
dest: /etc/containers/containers.conf
owner: root
group: root
mode: 0644
- name: Deploy storage configuration
template:
src: etc/containers/storage.conf.j2
dest: /etc/containers/storage.conf
owner: root
group: root
mode: 0644
- name: Set SELinux booleans
seboolean:
name: "{{ item.name }}"
state: "{{ item.state | bool }}"
persistent: "{{ item.persistent | default(True) | bool }}"
loop: "{{ podman_sebooleans }}"
loop_control:
label: "{{ item.name }}: {{ item.state | bool }}"
- name: Create journal log dir
file:
path: /var/log/journal
state: directory
owner: root
group: systemd-journal
mode: 02755
- name: Create home basedir for systemd users
file:
path: "{{ podman_systemd_home_basedir }}"
state: directory
owner: root
group: root
mode: 0755
register: __podman_home_basedir
become: True
become_user: root
- block:
- name: Set SELinux context for home basedir
command: semanage fcontext -a -e /home "{{ podman_systemd_home_basedir }}"
register: __podman_home_fcontext
failed_when:
- __podman_home_fcontext.rc != 0
- "'already exists' not in __podman_home_fcontext.stderr"
- name: Apply new SELinux file context to filesystem
command: restorecon -R "{{ podman_systemd_home_basedir }}"
when: __podman_home_basedir.changed
become: True
become_user: root


@ -1,6 +1,5 @@
#jinja2: lstrip_blocks: True #jinja2: lstrip_blocks: True
{{ ansible_managed | comment }} {{ ansible_managed | comment }}
# The containers configuration file specifies all of the available configuration # The containers configuration file specifies all of the available configuration
# command-line options/flags for container engine tools like Podman & Buildah, # command-line options/flags for container engine tools like Podman & Buildah,
# but in a TOML format that can be easily modified and versioned. # but in a TOML format that can be easily modified and versioned.
@ -19,7 +18,6 @@
[containers] [containers]
default_capabilities = [ default_capabilities = [
"NET_RAW",
"CHOWN", "CHOWN",
"DAC_OVERRIDE", "DAC_OVERRIDE",
"FOWNER", "FOWNER",
@ -30,7 +28,6 @@ default_capabilities = [
"SETGID", "SETGID",
"SETPCAP", "SETPCAP",
"SETUID", "SETUID",
"SYS_CHROOT"
] ]
default_sysctls = [ default_sysctls = [
@ -38,7 +35,7 @@ default_sysctls = [
] ]
log_driver = "{{ podman_containers_logger }}" log_driver = "{{ podman_containers_logger }}"
rootless_networking = "slirp4netns" userns = "auto"
[secrets] [secrets]
@ -48,7 +45,6 @@ rootless_networking = "slirp4netns"
[engine] [engine]
events_logger = "{{ podman_engine_event_logger }}" events_logger = "{{ podman_engine_event_logger }}"
infra_image = "registry.access.redhat.com/ubi8/pause"
runtime = "crun" runtime = "crun"
[engine.runtimes] [engine.runtimes]
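Review bot: The new `userns = "auto"` line has a hidden precondition that this template does not record: it only works when the `containers` user has a subordinate ID range in /etc/subuid and /etc/subgid, which tasks/main.yml writes from `podman_nsremap_range_start`/`podman_nsremap_range_length`. A comment above the setting keeps the two files in sync for future readers, e.g. `# userns=auto allocates from the "containers" range this role writes to /etc/subuid and /etc/subgid`. Removing `NET_RAW` and `SYS_CHROOT` from `default_capabilities` narrows the default container privilege set; if that was deliberate rather than a side effect of the rootless cleanup, a short comment at the list would prevent it being reverted as an accident.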


@ -7,14 +7,14 @@ driver = "overlay"
runroot = "/run/containers/storage" runroot = "/run/containers/storage"
graphroot = "/var/lib/containers/storage" graphroot = "/var/lib/containers/storage"
rootless_storage_path = "$HOME/.local/share/containers/storage"
[storage.options] [storage.options]
additionalimagestores = [ additionalimagestores = [
] ]
pull_options = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""}
[storage.options.overlay] [storage.options.overlay]
mount_program = "/usr/bin/fuse-overlayfs"
mountopt = "nodev,metacopy=on" mountopt = "nodev,metacopy=on"
[storage.options.thinpool] [storage.options.thinpool]