Fix up podman

2022-03-26 18:06:26 -04:00 · 2022-03-26 18:06:26 -04:00 · d55cf675ea
commit d55cf675ea
parent ecdcef3e02
4 changed files with 71 additions and 4 deletions
--- a/ansible/roles/nomad_client/files/containers.conf
+++ b/ansible/roles/nomad_client/files/containers.conf
@ -0,0 +1,29 @@
+[containers]
+default_capabilities = [
+    "CHOWN",
+    "DAC_OVERRIDE",
+    "FOWNER",
+    "FSETID",
+    "KILL",
+    "NET_BIND_SERVICE",
+    "SETFCAP",
+    "SETGID",
+    "SETPCAP",
+    "SETUID",
+    "SYS_CHROOT"
+]
+
+default_sysctls = [
+ "net.ipv4.ping_group_range=0 1",
+]
+
+[engine]
+runtime = "crun"
+cgroup_manager = "cgroupfs"
+events_logger = "journald"
+
+#[storage]
+#driver = "overlay"
+#
+#[storage.options]
+#mount_program = "/usr/bin/fuse-overlayfs"
--- a/ansible/roles/nomad_client/tasks/nomad.yml
+++ b/ansible/roles/nomad_client/tasks/nomad.yml
@ -59,6 +59,11 @@
    group: root
  notify: daemon_reload

+- name: get podman from passwd
+  getent:
+    database: passwd
+    key: podman
+
 - name: template nomad config
  template:
    src: templates/nomad.hcl.j2
--- a/ansible/roles/nomad_client/tasks/podman.yml
+++ b/ansible/roles/nomad_client/tasks/podman.yml
@ -15,6 +15,7 @@
 - name: ensure podman is installed
  apt:
    name:
+      - catatonit
      - fuse-overlayfs
      - podman
      - slirp4netns
@ -22,18 +23,50 @@
    state: present

 - name: ensure containers.conf is configured
-  file:
+  copy:
    src: containers.conf
    dest: /etc/containers/containers.conf
    owner: root
    group: root
    mode: 0644

+- name: Check if podman lingers
+  stat: path=/var/lib/systemd/linger/podman
+  register: linger
+
+- name: enable lingering for podman
+  command: loginctl enable-linger podman
+  when: not linger.stat.exists
+
 - name: enable podman
  systemd:
    name: podman
    state: started
-    enabled: False
-    daemon_reload: True
+    enabled: True
+    scope: user
  changed_when: False
+  become: True
+  become_user: podman
+
+- name: check if subuid is configured
+  shell: grep podman /etc/subuid
+  register: subuid
+  changed_when: False
+  check_mode: False
+  failed_when: False
+
+- name: check if subgid is configured
+  shell: grep podman /etc/subgid
+  register: subgid
+  changed_when: False
+  check_mode: False
+  failed_when: False
+
+- name: configure subuid
+  shell: usermod --add-subuids 200000-201000 podman
+  when: subuid.rc != 0
+
+- name: configure subgid
+  shell: usermod --add-subgids 200000-201000 podman
+  when: subgid.rc != 0
 ...
--- a/ansible/roles/nomad_client/templates/nomad.hcl.j2
+++ b/ansible/roles/nomad_client/templates/nomad.hcl.j2
@ -39,6 +39,6 @@ plugin_dir = "/opt/nomad_plugins"
 plugin "nomad-driver-podman" {
  enabled   = true
  config {
-    socket_path = "unix:///run/user/1000/podman/podman.sock"
+    socket_path = "unix:///run/user/{{ getent_passwd.podman[1] }}/podman/podman.sock"
  }
 }