Add podman shell to nomad clients

2020-09-30 20:59:50 -04:00 · 2020-09-30 20:59:50 -04:00 · d0e3bd6c32
commit d0e3bd6c32
parent 02f28798fd
6 changed files with 143 additions and 71 deletions
--- a/ansible/group_vars/all/main.yml
+++ b/ansible/group_vars/all/main.yml
@ -57,4 +57,8 @@ vault_ca_cert_payload: |
 # nomad
 nomad_version: 0.12.3
 nomad_podman_driver_version: 0.1.0
 # podman
 podman_version: 2.0.6+dfsg1-1
 ...
--- a/ansible/roles/nomad_client/files/podman.socket
+++ b/ansible/roles/nomad_client/files/podman.socket
@ -0,0 +1,11 @@
 [Unit]
 Description=Podman API Socket
 Documentation=man:podman-system-service(1)
 [Socket]
 ListenStream=/run/podman/io.podman
 SocketMode=0660
 SocketGroup=podman
 [Install]
 WantedBy=sockets.target
--- a/ansible/roles/nomad_client/tasks/main.yml
+++ b/ansible/roles/nomad_client/tasks/main.yml
@ -1,73 +1,4 @@
 ---
- name: ensure nomad group
+- import_tasks: podman_prep.yml
-  group:
+- import_tasks: nomad.yml
    name: nomad
    state: present
    system: True
 - name: ensure nomad user
  user:
    name: nomad
    state: present
    group: nomad
    system: True
 - name: ensure nomad config dir
  file:
    path: /etc/nomad.d/
    state: directory
    owner: nomad
    group: nomad
    mode: 0755
 - name: ensure nomad data dir
  file:
    path: /opt/nomad
    state: directory
    owner: nomad
    group: nomad
    mode: 0755
 - name: check nomad version
  shell:
    cmd: "nomad --version | head -1 | cut -d'v' -f2"
  args:
    executable: /bin/bash
  changed_when: False
  register: installed_nomad_version
  check_mode: False
 - name: get nomad
  unarchive:
    src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
    dest: /usr/local/bin/
    mode: 0755
    owner: root
    group: root
    remote_src: True
  when: installed_nomad_version.stdout != nomad_version
 - name: copy nomad unit file
  copy:
    src: files/nomad.service
    dest: /etc/systemd/system/nomad.service
    mode: 0755
    owner: root
    group: root
  notify: daemon_reload
 - name: template nomad config
  template:
    src: templates/nomad.hcl.j2
    dest: /etc/nomad.d/nomad.hcl
    owner: root
    group: root
    mode: 0755
  notify: restart_nomad
 - name: ensure nomad is started and enabled
  systemd:
    name: nomad
    state: started
    enabled: True
 ...
--- a/ansible/roles/nomad_client/tasks/nomad.yml
+++ b/ansible/roles/nomad_client/tasks/nomad.yml
@ -0,0 +1,93 @@
 ---
 - name: ensure nomad group
  group:
    name: nomad
    state: present
    system: True
 - name: ensure nomad user
  user:
    name: nomad
    state: present
    group: nomad
    groups:
      - podman
    append: True
    system: True
 - name: ensure nomad config dir
  file:
    path: /etc/nomad.d/
    state: directory
    owner: nomad
    group: nomad
    mode: 0755
 - name: ensure nomad data dir
  file:
    path: /opt/nomad
    state: directory
    owner: nomad
    group: nomad
    mode: 0755
 - name: check nomad version
  shell:
    cmd: "nomad --version | head -1 | cut -d'v' -f2"
  args:
    executable: /bin/bash
  changed_when: False
  register: installed_nomad_version
  check_mode: False
 - name: get nomad
  unarchive:
    src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
    dest: /usr/local/bin/
    mode: 0755
    owner: root
    group: root
    remote_src: True
  when: installed_nomad_version.stdout != nomad_version
 - name: copy nomad unit file
  copy:
    src: files/nomad.service
    dest: /etc/systemd/system/nomad.service
    mode: 0755
    owner: root
    group: root
  notify: daemon_reload
 - name: template nomad config
  template:
    src: templates/nomad.hcl.j2
    dest: /etc/nomad.d/nomad.hcl
    owner: root
    group: root
    mode: 0755
  notify: restart_nomad
 - name: ensure nomad plugins dir
  file:
    path: /opt/nomad_plugins
    state: directory
    owner: nomad
    group: nomad
    mode: 0755
 - name: get nomad podman plugins
  unarchive:
    src: "https://releases.hashicorp.com/nomad-driver-podman/{{ nomad_podman_driver_version }}/nomad-driver-podman_{{ nomad_podman_driver_version }}_linux_amd64.zip"
    dest: /opt/nomad_plugins/
    mode: 0755
    owner: nomad
    group: nomad
    remote_src: True
 - name: ensure nomad is started and enabled
  systemd:
    name: nomad
    state: started
    enabled: True
 ...
--- a/ansible/roles/nomad_client/tasks/podman_prep.yml
+++ b/ansible/roles/nomad_client/tasks/podman_prep.yml
@ -0,0 +1,27 @@
 ---
 - name: ensure podman group
  group:
    name: podman
    state: present
    system: True
 - name: ensure podman user
  user:
    name: podman
    state: present
    group: podman
    system: True
 - name: ensure podman is installed
  apt:
    name: "podman={{ podman_version }}"
    state: present
 - name: ensure podman socket is configured
  copy:
    src: files/podman.socket
    dest: /etc/systemd/system/podman.socket
    owner: root
    group: root
    mode: 0755
 ...
--- a/ansible/roles/nomad_client/templates/nomad.hcl.j2
+++ b/ansible/roles/nomad_client/templates/nomad.hcl.j2
@ -8,3 +8,9 @@ client {
 consul {
  token     = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-client'] }}"
 }
 plugin_dir = "/opt/nomad_plugins"
 plugin "nomad-driver-podman" {
  enabled   = true
 }