Add podman shell to nomad clients

2020-09-30 20:59:50 -04:00 · 2020-09-30 20:59:50 -04:00 · d0e3bd6c32
commit d0e3bd6c32
parent 02f28798fd
6 changed files with 143 additions and 71 deletions
--- a/ansible/group_vars/all/main.yml
+++ b/ansible/group_vars/all/main.yml
@ -57,4 +57,8 @@ vault_ca_cert_payload: |

 # nomad
 nomad_version: 0.12.3
+nomad_podman_driver_version: 0.1.0
+
+# podman
+podman_version: 2.0.6+dfsg1-1
 ...
--- a/ansible/roles/nomad_client/files/podman.socket
+++ b/ansible/roles/nomad_client/files/podman.socket
@ -0,0 +1,11 @@
+[Unit]
+Description=Podman API Socket
+Documentation=man:podman-system-service(1)
+
+[Socket]
+ListenStream=/run/podman/io.podman
+SocketMode=0660
+SocketGroup=podman
+
+[Install]
+WantedBy=sockets.target
--- a/ansible/roles/nomad_client/tasks/main.yml
+++ b/ansible/roles/nomad_client/tasks/main.yml
@ -1,73 +1,4 @@
 ---
- name: ensure nomad group
-  group:
-    name: nomad
-    state: present
-    system: True
-
- name: ensure nomad user
-  user:
-    name: nomad
-    state: present
-    group: nomad
-    system: True
-
- name: ensure nomad config dir
-  file:
-    path: /etc/nomad.d/
-    state: directory
-    owner: nomad
-    group: nomad
-    mode: 0755
-
- name: ensure nomad data dir
-  file:
-    path: /opt/nomad
-    state: directory
-    owner: nomad
-    group: nomad
-    mode: 0755
-
- name: check nomad version
-  shell:
-    cmd: "nomad --version | head -1 | cut -d'v' -f2"
-  args:
-    executable: /bin/bash
-  changed_when: False
-  register: installed_nomad_version
-  check_mode: False
-
- name: get nomad
-  unarchive:
-    src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
-    dest: /usr/local/bin/
-    mode: 0755
-    owner: root
-    group: root
-    remote_src: True
-  when: installed_nomad_version.stdout != nomad_version
-
- name: copy nomad unit file
-  copy:
-    src: files/nomad.service
-    dest: /etc/systemd/system/nomad.service
-    mode: 0755
-    owner: root
-    group: root
-  notify: daemon_reload
-
- name: template nomad config
-  template:
-    src: templates/nomad.hcl.j2
-    dest: /etc/nomad.d/nomad.hcl
-    owner: root
-    group: root
-    mode: 0755
-  notify: restart_nomad
-
- name: ensure nomad is started and enabled
-  systemd:
-    name: nomad
-    state: started
-    enabled: True
+- import_tasks: podman_prep.yml
+- import_tasks: nomad.yml
 ...
--- a/ansible/roles/nomad_client/tasks/nomad.yml
+++ b/ansible/roles/nomad_client/tasks/nomad.yml
@ -0,0 +1,93 @@
+---
+- name: ensure nomad group
+  group:
+    name: nomad
+    state: present
+    system: True
+
+- name: ensure nomad user
+  user:
+    name: nomad
+    state: present
+    group: nomad
+    groups:
+      - podman
+    append: True
+    system: True
+
+- name: ensure nomad config dir
+  file:
+    path: /etc/nomad.d/
+    state: directory
+    owner: nomad
+    group: nomad
+    mode: 0755
+
+- name: ensure nomad data dir
+  file:
+    path: /opt/nomad
+    state: directory
+    owner: nomad
+    group: nomad
+    mode: 0755
+
+- name: check nomad version
+  shell:
+    cmd: "nomad --version | head -1 | cut -d'v' -f2"
+  args:
+    executable: /bin/bash
+  changed_when: False
+  register: installed_nomad_version
+  check_mode: False
+
+- name: get nomad
+  unarchive:
+    src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
+    dest: /usr/local/bin/
+    mode: 0755
+    owner: root
+    group: root
+    remote_src: True
+  when: installed_nomad_version.stdout != nomad_version
+
+- name: copy nomad unit file
+  copy:
+    src: files/nomad.service
+    dest: /etc/systemd/system/nomad.service
+    mode: 0755
+    owner: root
+    group: root
+  notify: daemon_reload
+
+- name: template nomad config
+  template:
+    src: templates/nomad.hcl.j2
+    dest: /etc/nomad.d/nomad.hcl
+    owner: root
+    group: root
+    mode: 0755
+  notify: restart_nomad
+
+- name: ensure nomad plugins dir
+  file:
+    path: /opt/nomad_plugins
+    state: directory
+    owner: nomad
+    group: nomad
+    mode: 0755
+
+- name: get nomad podman plugins
+  unarchive:
+    src: "https://releases.hashicorp.com/nomad-driver-podman/{{ nomad_podman_driver_version }}/nomad-driver-podman_{{ nomad_podman_driver_version }}_linux_amd64.zip"
+    dest: /opt/nomad_plugins/
+    mode: 0755
+    owner: nomad
+    group: nomad
+    remote_src: True
+
+- name: ensure nomad is started and enabled
+  systemd:
+    name: nomad
+    state: started
+    enabled: True
+...
--- a/ansible/roles/nomad_client/tasks/podman_prep.yml
+++ b/ansible/roles/nomad_client/tasks/podman_prep.yml
@ -0,0 +1,27 @@
+---
+- name: ensure podman group
+  group:
+    name: podman
+    state: present
+    system: True
+
+- name: ensure podman user
+  user:
+    name: podman
+    state: present
+    group: podman
+    system: True
+
+- name: ensure podman is installed
+  apt:
+    name: "podman={{ podman_version }}"
+    state: present
+
+- name: ensure podman socket is configured
+  copy:
+    src: files/podman.socket
+    dest: /etc/systemd/system/podman.socket
+    owner: root
+    group: root
+    mode: 0755
+...
--- a/ansible/roles/nomad_client/templates/nomad.hcl.j2
+++ b/ansible/roles/nomad_client/templates/nomad.hcl.j2
@ -8,3 +8,9 @@ client {
 consul {
  token     = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-client'] }}"
 }
+
+plugin_dir = "/opt/nomad_plugins"
+
+plugin "nomad-driver-podman" {
+  enabled   = true
+}