From d55cf675eac457fd2a5c6cb6c2bcfec507ef8aa1 Mon Sep 17 00:00:00 2001
From: Asara
Date: Sat, 26 Mar 2022 18:06:26 -0400
Subject: [PATCH] Fix up podman
---
.../roles/nomad_client/files/containers.conf | 29 ++++++++++++++
ansible/roles/nomad_client/tasks/nomad.yml | 5 +++
ansible/roles/nomad_client/tasks/podman.yml | 39 +++++++++++++++++--
.../roles/nomad_client/templates/nomad.hcl.j2 | 2 +-
4 files changed, 71 insertions(+), 4 deletions(-)
create mode 100644 ansible/roles/nomad_client/files/containers.conf
diff --git a/ansible/roles/nomad_client/files/containers.conf b/ansible/roles/nomad_client/files/containers.conf
new file mode 100644
index 0000000..26bc503
--- /dev/null
+++ b/ansible/roles/nomad_client/files/containers.conf
@@ -0,0 +1,29 @@
+[containers]
+default_capabilities = [
+ "CHOWN",
+ "DAC_OVERRIDE",
+ "FOWNER",
+ "FSETID",
+ "KILL",
+ "NET_BIND_SERVICE",
+ "SETFCAP",
+ "SETGID",
+ "SETPCAP",
+ "SETUID",
+ "SYS_CHROOT"
+]
+
+default_sysctls = [
+ "net.ipv4.ping_group_range=0 1",
+]
+
+[engine]
+runtime = "crun"
+cgroup_manager = "cgroupfs"
+events_logger = "journald"
+
+#[storage]
+#driver = "overlay"
+#
+#[storage.options]
+#mount_program = "/usr/bin/fuse-overlayfs"
diff --git a/ansible/roles/nomad_client/tasks/nomad.yml b/ansible/roles/nomad_client/tasks/nomad.yml
index c4e0c24..c8e354e 100644
--- a/ansible/roles/nomad_client/tasks/nomad.yml
+++ b/ansible/roles/nomad_client/tasks/nomad.yml
@@ -59,6 +59,11 @@
 group: root
 notify: daemon_reload
+- name: get podman from passwd
+ getent:
+ database: passwd
+ key: podman
+
 - name: template nomad config
 template:
 src: templates/nomad.hcl.j2
diff --git a/ansible/roles/nomad_client/tasks/podman.yml b/ansible/roles/nomad_client/tasks/podman.yml
index b558107..84561a3 100644
--- a/ansible/roles/nomad_client/tasks/podman.yml
+++ b/ansible/roles/nomad_client/tasks/podman.yml
@@ -15,6 +15,7 @@
 - name: ensure podman is installed
 apt:
 name:
+ - catatonit
 - fuse-overlayfs
 - podman
 - slirp4netns
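Review bot: The commented `[storage]` / `[storage.options]` block at the end of the new containers.conf is dead configuration: storage driver and `mount_program` settings are read from storage.conf, not containers.conf, so uncommenting them here would have no effect; drop the block or replace it with `# storage driver settings belong in /etc/containers/storage.conf`. `cgroup_manager = "cgroupfs"` is also set while podman.yml runs the service as a rootless user unit under systemd; podman documents resource limits for rootless containers as working with cgroup v2 plus the systemd cgroup manager, so if Nomad jobs are expected to carry memory or CPU limits this value looks worth confirming against the target hosts' cgroup version. Finally, `net.ipv4.ping_group_range=0 1` appears to differ from the upstream default of `0 0` (it additionally lets processes with gid 1 open ICMP sockets); if that is deliberate, a one-line comment stating why would save the next reader the question.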
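Review bot: The getent task fails the whole play when no `podman` account exists (the module's `fail_key` default), so it silently depends on the podman user having been created earlier in the role, which this hunk does not show; since the only consumer of the result is the template rendered in the next task, a comment such as `# uid of the podman user; consumed by templates/nomad.hcl.j2 as getent_passwd.podman[1]` would make that coupling visible. If tags are used to run a subset of the role, the getent task needs the same tags as the template task or the template will fail on an undefined fact.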
@@ -22,18 +23,50 @@
 state: present
 - name: ensure containers.conf is configured
- file:
+ copy:
 src: containers.conf
 dest: /etc/containers/containers.conf
 owner: root
 group: root
 mode: 0644
+- name: Check if podman lingers
+ stat: path=/var/lib/systemd/linger/podman
+ register: linger
+
+- name: enable lingering for podman
+ command: loginctl enable-linger podman
+ when: not linger.stat.exists
+
 - name: enable podman
 systemd:
 name: podman
 state: started
- enabled: False
- daemon_reload: True
+ enabled: True
+ scope: user
 changed_when: False
+ become: True
+ become_user: podman
+
+- name: check if subuid is configured
+ shell: grep podman /etc/subuid
+ register: subuid
+ changed_when: False
+ check_mode: False
+ failed_when: False
+
+- name: check if subgid is configured
+ shell: grep podman /etc/subgid
+ register: subgid
+ changed_when: False
+ check_mode: False
+ failed_when: False
+
+- name: configure subuid
+ shell: usermod --add-subuids 200000-201000 podman
+ when: subuid.rc != 0
+
+- name: configure subgid
+ shell: usermod --add-subgids 200000-201000 podman
+ when: subgid.rc != 0
 ...
diff --git a/ansible/roles/nomad_client/templates/nomad.hcl.j2 b/ansible/roles/nomad_client/templates/nomad.hcl.j2
index 8f16081..24d749f 100644
--- a/ansible/roles/nomad_client/templates/nomad.hcl.j2
+++ b/ansible/roles/nomad_client/templates/nomad.hcl.j2
@@ -39,6 +39,6 @@ plugin_dir = "/opt/nomad_plugins"
 plugin "nomad-driver-podman" {
 enabled = true
 config {
- socket_path = "unix:///run/user/1000/podman/podman.sock"
+ socket_path = "unix:///run/user/{{ getent_passwd.podman[1] }}/podman/podman.sock"
 }
 }
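Review bot: The two id-range checks use `grep podman /etc/subuid`, which matches the substring anywhere on a line (another account such as `podman-ci`, or a comment), so they can report the range as already configured when it is not and the `usermod` tasks are then skipped; anchoring on the account field, `command: grep -q '^podman:' /etc/subuid` and `command: grep -q '^podman:' /etc/subgid`, makes the check exact and removes the unneeded `shell`. The range `200000-201000` is only 1001 ids, which cannot map images carrying files owned by higher uids such as 65534 (nobody); rootless podman setups normally reserve 65536 ids, e.g. `200000-265535`, and the chosen range must not overlap ranges already assigned to other accounts in /etc/subuid and /etc/subgid. In the `enable podman` task, `changed_when: False` hides the real enable/start change, and `name: podman` starts podman.service rather than podman.socket; if the distro's unit is socket-activated with an idle exit, as the upstream units are, `podman.socket` is what keeps `/run/user/<uid>/podman/podman.sock` listening for the Nomad driver, so this is worth verifying on a host.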
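Review bot: `getent_passwd.podman[1]` is the uid column of the passwd entry, but the bare index reads as a magic number and ties this template to a fact registered in tasks/nomad.yml; a Jinja comment on the line above, `{# socket of the rootless podman user: index 1 of the getent passwd fact is its uid (tasks/nomad.yml) #}`, would document both facts. Rendering will fail with an undefined variable if the getent task did not run in the same play, which a reader of this template alone cannot see.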