feat: add support for quadlet, secrets #78
Conversation
richm
force-pushed
the
quadlet
branch
2 times, most recently
from
64dd7df
to
594bc7e
Compare
|
[citest] |
1 similar comment
|
[citest] |
| @@ -8,6 +8,10 @@ run `podman` containers. | |||
| ## Requirements | |||
|
|
|||
| The role requires podman version 4.2 or later. | |||
| The role requires podman version 4.4 or later for quadlet support and secret | |||
| support. | |||
| The role requires podman version 4.5 or later for support for using healthchecks | |||
|
[citest] |
|
[citest] |
|
@vrothberg @ygalblum the quadlet demo is not working on EL8 - looks like podman there was recently updated to podman-3:4.5.1-5.module+el8.9.0+19106+3ac0000c.x86_64 - EL9 works fine with podman-2:4.5.1-4.el9.x86_64 all other pod logs/journalctl look fine I'm willing to chalk this up to a bug that snuck into the podman update in EL8 that is hopefully known and will be fixed shortly |
|
@richm a bug with a reproducer would be great. Thank you! |
README.md
Outdated
| from the file name given in `file`, `file_src`, or `template_src`. | ||
|
|
||
| By default, the files will be copied to or created in | ||
| `/etc/containers/systemd/$name.$type` on the managed node. You can provide a |
There was a problem hiding this comment.
This path is correct for root. However, for users the location is $HOME/.config/containers/systemd/
tasks/create_update_quadlet_spec.yml
Outdated
| - name: Check if user is lingering | ||
| stat: | ||
| path: "/var/lib/systemd/linger/{{ __podman_user }}" | ||
| register: __podman_user_lingering | ||
| when: __podman_rootless | bool | ||
|
|
||
| - name: Enable lingering if needed | ||
| command: loginctl enable-linger {{ __podman_user }} | ||
| when: | ||
| - __podman_rootless | bool | ||
| - not __podman_user_lingering.stat.exists | ||
| changed_when: true |
There was a problem hiding this comment.
Consider replacing into one step:
| - name: Check if user is lingering | |
| stat: | |
| path: "/var/lib/systemd/linger/{{ __podman_user }}" | |
| register: __podman_user_lingering | |
| when: __podman_rootless | bool | |
| - name: Enable lingering if needed | |
| command: loginctl enable-linger {{ __podman_user }} | |
| when: | |
| - __podman_rootless | bool | |
| - not __podman_user_lingering.stat.exists | |
| changed_when: true | |
| - name: Enable lingering for ansible_user | |
| ansible.builtin.command: loginctl enable-linger {{ __podman_user }} | |
| args: | |
| creates: '/var/lib/systemd/linger/{{ __podman_user }}' | |
| when: __podman_rootless | bool |
tasks/create_update_quadlet_spec.yml
Outdated
| owner: "{{ __podman_user }}" | ||
| group: "{{ __podman_group }}" | ||
| mode: "0755" | ||
| when: not __podman_quadlet_file is none |
There was a problem hiding this comment.
What if it's an empty string (like you check in the following cases)?
In addition, can't you just do when: __podman_quadlet_file? AFAIK this covers all the false cases (none, empty string)
There was a problem hiding this comment.
I changed all of these. I believe we had to use the in [none, ""] form with older versions of ansible and/or jinja. I think we don't need to use this anymore.
There was a problem hiding this comment.
So, there is a bit of a wrinkle - if you use when: __some_string_valued_variable, you will get the "bare variable" warning - https://github.com/redhat-cop/automation-good-practices/tree/main/coding_style#ansible-guidelines - the recommendation is to use when: __some_string_valued_variable | bool - this works fine if the variable is empty or none - however, when it is a non-zero length string, when: __some_string_valued_variable | bool will evaluate to false because it is doing some sort of string-to-bool conversion - so you must use when: __some_string_valued_variable | length > 0 to check for a non-empty string.
tasks/create_update_quadlet_spec.yml
Outdated
| or __podman_template_file is changed | ||
| - __podman_activate_systemd_unit | bool | ||
|
|
||
| - name: Enable service # noqa no-handler |
There was a problem hiding this comment.
Currently, you cannot enable services generated by Quadlet. The reason is that since the systemd unit file is a generated one, systemd considers it as transient and therefore does not allow enabling it.
There was a problem hiding this comment.
ok - I commented this out so we can remember to revisit if/when enable service is supported
| @@ -0,0 +1,13 @@ | |||
| --- | |||
| # Primarily for testing unreleased versions | |||
| - name: Enable podman copr on EL | |||
There was a problem hiding this comment.
Did you consider using community.general.copr instead of command?
There was a problem hiding this comment.
I would prefer to keep external dependencies to the absolute minimum - it is problematic for downstream productization, especially unsupported community collections like community.general - also, this code is strictly for developer testing - not something that an end user should ever use, and will not be supported
| - podman_version is version("4.4", "<") | ||
| - podman_fail_if_too_old | d(true) | ||
|
|
||
| - name: Podman package version must be 4.4 or later for quadlet, secrets |
There was a problem hiding this comment.
Assuming I'm not misreading the when clause here, it is the same as the previous one. Now, since the previous one is a fail then the flow will never reach this stage. So, if you want the second one to happen, you should reorder them.
Another suggestion is to combine them using block so that you can write the when clause only once.
There was a problem hiding this comment.
What I'm trying to do here is - if podman_fail_if_too_old is True, then the role will fail if podman is "too old". This is the default case, and one that production users will hit if they try to use newer features with an older version of podman. If podman_fail_if_too_old is False, then I want to just skip the rest of the play - this is useful for testing purposes, not something a production user would or should ever use.
|
|
||
| - name: Check systemd | ||
| # noqa command-instead-of-module | ||
| shell: set -euo pipefail; systemctl list-units | grep quadlet |
There was a problem hiding this comment.
Quadlet is a generator executed by systemd, it is not a unit and therefore this check actually fails.
This also raises the question of what it the purpose of of these steps if failed_when is set to false
There was a problem hiding this comment.
Quadlet is a generator executed by systemd, it is not a unit and therefore this check actually fails.
Hmm - well it does print something.
This also raises the question of what it the purpose of of these steps if
failed_whenis set tofalse
This isn't really an assertion test - it's really so I can see what's going on - I guess I should convert this into a "real" test, or just get rid of it, once the quadlet stuff is working and reviewed.
| changed_when: false | ||
| when: __web_status is success | ||
|
|
||
| - name: Show errors |
There was a problem hiding this comment.
Consider combining into block in order to check when only once
|
[citest] |
1 similar comment
|
[citest] |
|
@ygalblum looks like installing |
|
LGTM for the code. |
I cannot comment on whenever RHEL 8 is supposed to install it by default or not. I think fedora had a recommends before we switched to netavark. Also I have no idea what adding |
I am proposing that this will be the default for runtime - any user using this role will have
The problem is that the RHEL8 package I am currently not worried about supporting platforms other than RedHat OS family, but if we do decide to support those platforms, we can easily do that, and have different packages for different distro/version combinations. |
|
Can you make it conditional on a podman command output I think it is worth to file a bz against RHEL 8 and ask for a recommends on |
Do we ask RHEL customer who want to use podman + quadlet to do this? If so, then I can add this to the role. If not, then I don't think the role should do this, it should be handled by a podman package dependency?
Why a recommends instead of a requires?
I guess what I am asking is - is this a bug in the podman packaging on RHEL8? It seems like it to me, unless we are going to tell our RHEL8 podman users that they must first install |
That seems like a fair expectation to me. |
|
DNS is always optional, podman will work fine without it. This has nothing to do with quadlet features at all. The quadlet example uses names to communicate that's all, a normal podman container may wish to do the same. I agree that this is a problem out of scope for this role. Either RHEL 8 says we install it by default or not. I don't see why this role specially has to enable that so that is way I suggest to create a bz were we can have this discussion. |
|
[citest] |
1 similar comment
|
[citest] |
|
[citest] |
richm
force-pushed
the
quadlet
branch
3 times, most recently
from
fd15f7f
to
19c05d7
Compare
|
ETA for this? We'd hoped to have it delivered for July 17 if possible. |
Feature: Add support for quadlets. User can pass in quadlet units using `podman_quadlet_units`. Add support for secrets. User can pass in Ansible Vault encrypted secrets using `podman_secrets`. Reason: quadlets are the new way to implement applications in podman that use systemd services. quadlets allow you to specify everything you need to run your application - containers, services, volumes, networks, and more - using simple, systemd style unit files. Secrets such as passwords, tokens, keys, etc. are an important part of application configuration, so the role now allows those to be specified. Result: Users can deploy entire, complex applications using the podman system role using quadlet units.
Feature: Add support for quadlets. User can pass in quadlet units using
podman_quadlet_units. Add support for secrets. User can pass inAnsible Vault encrypted secrets using
podman_secrets.Reason: quadlets are the new way to implement applications in podman that
use systemd services. quadlets allow you to specify everything you need
to run your application - containers, services, volumes, networks, and
more - using simple, systemd style unit files. Secrets such as passwords,
tokens, keys, etc. are an important part of application configuration, so
the role now allows those to be specified.
Result: Users can deploy entire, complex applications using the podman
system role using quadlet units.