Enable varlink socket #1

Closed
volfco opened this issue Aug 15, 2020 · 3 comments · Fixed by #19
volfco commented Aug 15, 2020

Podman exposes a varlink socket that can be enabled as a service.

https://podman.io/blogs/2019/01/16/podman-varlink.html

I'm thinking it could be its own class, invoked like this:

podman::varlink:
    enabled: true
    socket: /run/podman/io.podman

Also, thanks for this module.

southalc (Owner) commented

Thanks for the feedback. I'll admit that I'm unfamiliar with the varlink interface, so I did some reading. It's unclear to me whether the varlink socket supports rootless containers. If so, does it require each user to run a separate instance/socket? The documentation I can find is unclear. I can do some testing to verify the behavior if I'm unable to get more clarity.

Managing podman objects from varlink seems to conflict with the premise of management from Puppet, although a valid use case might be to simply use Puppet to set up podman packages and the varlink service for other management tools. Is that what you had in mind, or is there something else I'm missing?

Also FYI, I found a thread that indicates the varlink interface will be replaced in the future.
containers/python-podman#16 (comment)

volfco (Author) commented Aug 18, 2020

I think it supports rootless containers. I'm not 100% sure, as I don't understand the magic behind systemd's socket ... management? I would assume so.

The main goal here is that I'm using this module to configure podman for Nomad, which will then do the spawning of containers. I'm using both: Puppet-managed containers using your module, and then Nomad doing its own thing. I don't see it being a conflict. With Puppet modules I assume that anything the program is reasonably expected to do can be managed via Puppet.

I need to make another issue for management of docker config file (~/.docker/config.json) so I can manage repository configuration

optiz0r (Contributor) commented Dec 7, 2020

FWIW, I got nomad+podman v1 working with varlink, however I don't think it supports rootless containers in podman v1. The additional config in my own site_podman wrapper class which includes the podman class from this module for varlink was:

        group {
            'podman':
                ensure  => present,
                system  => true,
                members => $users;
        }

        package {
            'libvarlink-util':
                ensure => installed;
        }

        systemd::tmpfile {
            'podman.conf':
                content => 'd /run/podman 0750 root podman',
                require => [
                    Package['libvarlink-util'],
                    Group['podman'],
                ];
        }

        systemd::dropin_file {
            'nomad.conf':
                ensure  => present,
                unit    => 'io.podman.socket',
                content => epp('site_podman/podman-socket-nomad.conf.epp'),
                require => Group['podman'],
                before  => Service['io.podman.socket'];
        }

        service {
            'io.podman.socket':
                ensure  => running,
                enable  => true,
                require => Class['systemd::tmpfiles'];
        }

Where the template file modules/site_podman/templates/podman-socket-nomad.conf.epp contains:

[Socket]
ListenStream=/run/podman/io.podman
SocketMode=0660
SocketGroup=podman

However this interface is deprecated in podman v2 and replaced with a rest api via the podman.socket system service. Support for podman v2's rest api landed in the master branch of nomad-driver-podman a week or so ago, and can be used to start containers from nomad, but also not in rootless mode. (For rootless mode, I think the driver will need to setup a user namespace, which it currently does not do; the relevant code for this is commented out in the driver). I did also get nomad+podman v2 (from kubic repositories) to start up a container after jumping through some additional hoops:

  • Reconfiguring the system to use cgroup v2
  • Building my own copy of crun (not provided by OS), and stealing the build-time dependencies from elsewhere
  • Configuring podman to use cgroupfs rather than systemd to manage the cgroup hierarchy for the container, since my version of systemd is too old
  • Enabling the podman.socket system service provided by the podman v2 package
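The whole point of the tmpfile line and the `[Socket]` drop-in in the comment above is to gate a root-level container API socket behind membership of one group: any process that can connect to the root podman socket can ask it to start a container with host mounts or `--privileged`, so the socket's mode, its group and the mode of the directory it lives in are the access control. The script below is an added example, not code from this thread or from the puppet-podman module. It audits those three things: `parse_socket_dropin`/`audit_dropin` flag a `[Socket]` fragment that leaves the systemd default (`SocketMode=0666`, no `SocketGroup=`), and `audit_socket_path` checks a socket that already exists on disk. The path `/run/podman/io.podman` and the group name `podman` are taken from the comment; the demo's throwaway Unix socket in a temp directory and its use of the caller's primary group as a stand-in for `podman` are assumptions so that it runs offline without root.

```python
"""Audit a group-gated Unix API socket (e.g. the podman varlink socket).

Added example, not from the puppet-podman module or the thread above.
Checks that the socket is not reachable by 'other', is owned by the intended
group, and that its parent directory does not undo that with world bits.
"""
import grp
import os
import shutil
import socket
import stat
import tempfile


def _group_name(gid):
    # Fall back to the numeric gid if the group database has no entry for it.
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def parse_socket_dropin(text):
    """Collect the [Socket] keys of a systemd unit/drop-in fragment into a dict.

    Follows systemd's merge rules for this purpose: a later assignment wins,
    and a bare 'Key=' clears the key.
    """
    section = None
    keys = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Socket" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value:
            keys[key] = value
        else:
            keys.pop(key, None)
    return keys


def audit_dropin(text, expected_group="podman"):
    """Findings for a socket unit that is meant to be reachable by one group only."""
    cfg = parse_socket_dropin(text)
    findings = []
    # systemd creates the socket 0666 unless SocketMode= says otherwise.
    mode = int(cfg.get("SocketMode", "0666"), 8)
    if mode & 0o007:
        findings.append("SocketMode %04o lets every local user reach the socket" % mode)
    if cfg.get("SocketGroup") != expected_group:
        findings.append("SocketGroup is %r, expected %r" % (cfg.get("SocketGroup"), expected_group))
    return findings


def audit_socket_path(path, expected_group):
    """Findings for a socket that exists on disk, plus its parent directory.

    The directory check matters because a world-traversable /run/podman would
    expose the socket regardless of the mode systemd applies to the socket.
    """
    findings = []
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        findings.append("%s is not a socket" % path)
    if st.st_mode & 0o007:
        findings.append("%s mode %04o is reachable by 'other'" % (path, stat.S_IMODE(st.st_mode)))
    group = _group_name(st.st_gid)
    if group != expected_group:
        findings.append("%s group is %r, expected %r" % (path, group, expected_group))
    parent_dir = os.path.dirname(path)
    parent = os.stat(parent_dir)
    if parent.st_mode & 0o007:
        findings.append("directory %s mode %04o is open to 'other'" % (parent_dir, stat.S_IMODE(parent.st_mode)))
    return findings


def demo():
    """Constructed demo: a throwaway Unix socket stands in for /run/podman/io.podman
    and the caller's primary group stands in for 'podman'.  Returns the findings
    at the systemd default mode (0666) and at the drop-in's mode (0660)."""
    tmp = tempfile.mkdtemp()            # mkdtemp creates the directory 0700
    path = os.path.join(tmp, "io.podman")
    group = _group_name(os.getegid())
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)
        os.chmod(path, 0o666)           # what you get with no SocketMode= at all
        weak = audit_socket_path(path, group)
        os.chmod(path, 0o660)           # what the drop-in above requests
        fixed = audit_socket_path(path, group)
    finally:
        srv.close()
        shutil.rmtree(tmp, ignore_errors=True)
    return weak, fixed


if __name__ == "__main__":
    for label, result in zip(("0666", "0660"), demo()):
        print(label, result or "ok")
```

On a real host you would call `audit_socket_path("/run/podman/io.podman", "podman")` after the socket unit is up, and run `audit_dropin` over the rendered drop-in before deploying it; both return an empty list when the configuration in the comment above is in effect. Note that `SocketMode=` only governs the socket file itself, which is why the tmpfiles entry creating `/run/podman` as `0750 root podman` is part of the same control and is checked as well.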

silug added a commit to silug/puppet-podman that referenced this issue Aug 4, 2021
southalc pushed a commit that referenced this issue Aug 18, 2021

On some systems the container-selinux package might not already be installed.

The podman packages pull this in, but the selboolean won't exist until that's done.

This change ensures that the selboolean resource is applied _after_ the package is installed.