Add Podman support

Add podman and podman_sdk role for preparing machine
for Podman deployment of Openstack.

Signed-off-by: Ivan Halomi <i.halomi@partner.samsung.com>
Signed-off-by: Martin Hiner <m.hiner@partner.samsung.com>
Co-Authored-By: Michal Arbet <michal.arbet@ultimum.io>
Change-Id: Ie4b4c1cf8fe6e7ce41eaa703b423dedcb41e3afc

roles/baremetal/defaults/main.yml

@@ -34,3 +34,5 @@ git_http_proxy: ""
 git_https_proxy: ""
 
 node_config_directory: "/etc/kolla"
+
+container_engine: "{{ kolla_container_engine | default('docker') }}"

roles/baremetal/tasks/install.yml

@@ -35,4 +35,4 @@
     name: openstack.kolla.packages
 
 - import_role:
-    name: openstack.kolla.docker
+    name: openstack.kolla.{{ container_engine }}

roles/baremetal/tasks/post-install.yml

@@ -4,7 +4,7 @@
   when: create_kolla_user | bool
 
 - import_role:
-    name: openstack.kolla.docker_sdk
+    name: openstack.kolla.{{ container_engine }}_sdk
 
 - name: Ensure node_config_directory directory exists
   file:

roles/podman/defaults/main.yml

@@ -0,0 +1,19 @@
+---
+# APT cache TTL in seconds.
+apt_cache_valid_time: 3600
+
+# List of packages to install.
+podman_packages:
+  - "podman"
+
+# Podman config variables
+podman_storage_driver:
+podman_runtime_directory:
+
+# Podman can work with docker registries so it can stay this way
+# URL of private registry
+private_registry:
+private_registry_insecure: false
+
+# Path to a CA file for Docker registry
+private_registry_ca:

roles/podman/tasks/config.yml

@@ -0,0 +1,64 @@
+---
+- name: Ensure podman config directory exists
+  file:
+    path: /etc/containers/{{ item }}
+    state: directory
+    mode: 0755
+  become: True
+  with_items:
+    - "containers.conf.d"
+    - "registries.conf.d"
+    - "storage.conf.d"
+
+- name: Write registries config
+  become: True
+  vars:
+    registry: |
+      [[registry]]
+      location = "{{ private_registry }}"
+      insecure = {{ private_registry_insecure | bool }}
+  copy:
+    content: "{{ registry }}"
+    dest: /etc/containers/registries.conf.d/registries.conf
+    mode: 0644
+  when: private_registry is not none
+
+- name: Write storage config
+  become: True
+  vars:
+    config: |
+      {% if podman_storage_driver is not none %}
+      driver = {{ podman_storage_driver }}
+      {% endif %}
+      {% if podman_runtime_directory is not none %}
+      runroot = {{ podman_runtime_directory }}
+      {% endif %}
+  copy:
+    content: "{{ config }}"
+    dest: /etc/containers/storage.conf.d/storage.conf
+    mode: 0644
+  when: podman_storage_driver is not none or podman_runtime_directory is not none
+
+- name: Ensure the path for CA file for private registry exists
+  file:
+    path: "/etc/containers/certs.d/{{ private_registry }}"
+    owner: root
+    group: root
+    mode: 0700
+    state: directory
+  become: True
+  when:
+    - private_registry is not none
+    - private_registry_ca is not none
+
+- name: Ensure the CA file for private registry exists
+  copy:
+    src: "{{ private_registry_ca }}"
+    dest: "/etc/containers/certs.d/{{ private_registry }}/ca.crt"
+    owner: root
+    group: root
+    mode: 0600
+  become: True
+  when:
+    - private_registry is not none
+    - private_registry_ca is not none

roles/podman/tasks/install.yml

@@ -0,0 +1,41 @@
+---
+# Upgrading podman engine may cause containers to stop. Take a snapshot of the
+# running containers prior to a potential upgrade of Podman.
+- name: Check which containers are running
+  command: podman ps -f 'status=running' -q
+  become: true
+  # If Podman is not installed this command may exit non-zero.
+  failed_when: false
+  changed_when: false
+  register: running_containers
+
+- name: Install packages
+  package:
+    name: "{{ podman_packages | select | list }}"
+    cache_valid_time: "{{ apt_cache_valid_time if ansible_facts.os_family == 'Debian' else omit }}"
+    update_cache: true
+    state: present
+  become: True
+  register: podman_install_result
+
+# If any packages were updated, and any containers were running, wait for the
+# daemon to come up and start all previously running containers.
+
+- block:
+    - name: Wait for Podman to start
+      command: podman info
+      become: true
+      changed_when: false
+      register: result
+      until: result is success
+      retries: 6
+      delay: 10
+
+    - name: Ensure containers are running after Podman upgrade
+      command: "podman start {{ running_containers.stdout }}"
+      become: true
+      changed_when: true
+  when:
+    - podman_install_result.changed
+    - running_containers.rc == 0
+    - running_containers.stdout != ''

roles/podman/tasks/main.yml

@@ -0,0 +1,4 @@
+---
+- import_tasks: install.yml
+
+- import_tasks: config.yml

roles/podman_sdk/defaults/main.yml

@@ -0,0 +1,38 @@
+---
+# List of RPM/APT packages to install.
+podman_sdk_packages:
+  - "python3-setuptools"
+  - "python3-pip"
+  - "{% if ansible_facts.distribution_release == 'bookworm' and virtualenv is none %}python3-podman{% endif %}"
+
+# List of Python packages to install via Pip.
+# NOTE(kevko) podman 4.7.0 is built in debian as apt package, so..
+podman_sdk_pip_packages:
+  - "podman>=4.7.0"
+
+# APT cache TTL in seconds.
+apt_cache_valid_time: 3600
+
+# Version of python used to execute Ansible modules.
+host_python_version: "{{ ansible_facts.python.version.major }}.{{ ansible_facts.python.version.minor }}"
+
+# Path to a virtualenv in which to install python packages. If None, a
+# virtualenv will not be used.
+virtualenv:
+
+# Whether the virtualenv will inherit packages from the global site-packages
+# directory. This is typically required for modules such as yum and apt which
+# are not available on PyPI.
+virtualenv_site_packages: True
+
+create_kolla_user: False
+kolla_user: "kolla"
+
+# Owner of the virtualenv.
+podman_sdk_virtualenv_owner: "{{ kolla_user if create_kolla_user | bool else omit }}"
+
+# A pip constraints file to use when installing the Podman API bindings.
+podman_sdk_upper_constraints_file:
+
+podman_sdk_osbpo_apt_url: "http://osbpo.debian.net/debian"
+podman_sdk_osbpo_apt_repo: "deb [signed-by=/etc/apt/keyrings/osbpo.asc] {{ podman_sdk_osbpo_apt_url }} bookworm-bobcat-backports-nochange main"

roles/podman_sdk/tasks/main.yml

@@ -0,0 +1,70 @@
+---
+- name: Configure osbpo apt repository
+  block:
+    - name: Ensure apt sources list directory exists
+      file:
+        path: /etc/apt/sources.list.d
+        state: directory
+        recurse: yes
+      become: True
+
+    - name: Ensure apt keyrings directory exists
+      file:
+        path: /etc/apt/keyrings
+        state: directory
+        recurse: yes
+      become: True
+
+    - name: Install osbpo apt gpg key
+      template:
+        src: osbpo_pubkey.gpg.j2
+        dest: /etc/apt/keyrings/osbpo.asc
+        mode: "0644"
+      become: True
+
+    - name: Enable osbpo apt repository
+      apt_repository:
+        repo: "{{ podman_sdk_osbpo_apt_repo }}"
+        filename: osbpo
+      become: True
+  when:
+    - ansible_facts.os_family == 'Debian'
+    - virtualenv is none
+
+- name: Install packages
+  package:
+    name: "{{ podman_sdk_packages | select | list }}"
+    cache_valid_time: "{{ apt_cache_valid_time if ansible_facts.os_family == 'Debian' else omit }}"
+    update_cache: "{{ True if ansible_facts.os_family == 'Debian' else omit }}"
+    state: present
+  become: true
+
+- name: Install latest pip in the virtualenv
+  pip:
+    # NOTE(hrw) pip 19.3 is first version complaining about being run with Python 2
+    name: pip>19.3
+    virtualenv: "{{ virtualenv }}"
+    virtualenv_site_packages: "{{ virtualenv_site_packages }}"
+    virtualenv_command: "python{{ host_python_version }} -m venv"
+  become: true
+  become_user: "{{ podman_sdk_virtualenv_owner }}"
+  when: virtualenv is not none
+
+- name: Install podman SDK for python
+  pip:
+    name: "{{ podman_sdk_pip_packages }}"
+    executable: "{{ virtualenv is none | ternary('pip3', omit) }}"
+    extra_args: "{% if podman_sdk_upper_constraints_file %}-c {{ podman_sdk_upper_constraints_file }}{% endif %}"
+    virtualenv: "{{ virtualenv is none | ternary(omit, virtualenv) }}"
+    virtualenv_site_packages: "{{ virtualenv is none | ternary(omit, virtualenv_site_packages) }}"
+    virtualenv_command: "{{ virtualenv is none | ternary(omit, 'python' ~ host_python_version ~ ' -m venv') }}"
+  become: true
+  become_user: "{{ virtualenv is none | ternary(omit, podman_sdk_virtualenv_owner) }}"
+  when: not (ansible_facts.distribution_release == "bookworm" and virtualenv is none)
+
+- name: Start podman.socket
+  become: true
+  service:
+    name: podman.socket
+    state: started
+    enabled: yes

roles/podman_sdk/templates/osbpo_pubkey.gpg.j2

@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBF3QL7wBEAC0HwatykCC6Yldv2Pn+GRIed/qtzYJNIUjapD+U96nO1SW/RCs
+5/SoJ87BWj/HjjwH9VW+WzCxBQDbXtzDpAIuZMovALZ7Q/XvgrQGk+3oIlVzjDK1
+x8CH+Ers/aTFCZPBQyCcWOl4btombnpmOgyY5fMBz4X2mtxnxNqyF2zjVxZ8pgFP
+tGpDaF5RhQasdOHgfx5VEVYCAk0IHxuAgkFd93GDvg5TY6/BgHnEnQR0iORCBTaM
+AQHY3cr5M7r4DYIKl+Sk4B8C++jVIY9L3pyeJmIhSzToweNNNPJTExLNIBBDZWEq
+Qv/WCZRtudxI8G95bdCiaUSm+ieJIMGhMFM5NKXincNzS7Pm7xD/rgANPYtuxrhR
+Qd8S8NXD/fGWQwJB9o8jjE6TPwrX3zymyHAECxiY33Vwmgghyg27KwQ1dFCxBlH6
+tRqjIly1lZVPd4EDJkuKbowN59b2230aLhAwi7r+DXUn9DSHRm/8s/gagy1XewW3
+ZHA2aWZITrkGnXGOJRtbUhwcrwaLUnRx7zm4T12Mtky7jHphNXGTBaMW4/EnAtEj
+MlKoECuNUjJml7km2pzOHRoNF+UpLK2bytflRl++qeDG2BEEC3SIZzIy2qPB68wl
+cjdAPE1rRHJKZ4WsBoHfemXgy86YbWMRCvdL7W/uTlNJnzABAQO1Gbv36wARAQAB
+tClBdXRvZ2VuZXJhdGVkIGtleSA8cm9vdEBvc2Jwby5kZWJpYW4ubmV0PokCTgQT
+AQgAOBYhBA+46N0ZSY/skLJeXlYFarL+5O7LBQJd0C+8AhsvBQsJCAcDBRUKCQgL
+BRYCAwEAAh4BAheAAAoJEFYFarL+5O7LcP0P/1oEbCtuMjO3nraOpUoYaS81hHwa
+FSpAOoOMaR0a1ZRl3T83nDlYsPEU9oWpd8HiRbJelc3ZjXODU9XzmgXdhuGK3vZd
+jJmYKmSJ/Dr7d+PCTO1ZmvOgVXyYJcJlIw+6WHg+/dtFC6uhiJKSYS71BudjFqLB
+mcJ4vwe2ttRF5HG3XiUlfi5bVDYt/9vANA+h966leiXE0zFx89eWuGl8kxhJ8YI1
+yv2WybskbTQAnOzWij3qeoF9OhKeXjWANalu0PTgal5zFL1Ar9n+JQlZVRXnYOx8
+u4FVyt4NvUy4T7RhQeL8UsXBlVwH694+L9Y7T8p0jV4vZ7UvCR5zY+uGFSo6b7V1
+DDn6uIaHaFt0DdndjQxhgP2kHyNB3f9tQrbVYxNR6XpsA5qHZVysSOqDGFE2V47H
+4EiH0cyMJkAHQzGgPJa9DiMgNKI1luRkBgVsr79BbgoeOlKqpJ3bI2ViiTO/xDEr
+mNVraGOCBYMTXYzR5xIQU9ob3ksD0ZX7jaeRdJpucbnWfHs0iZF/uC1H9Xl/LXbi
+EMPRlhLlBsafsAb3xfiv8Uo7ULJ3Mc7bPiRtUO5nx1kS30m3yJlGv8dAYISn84h3
+ts8N/5toE4NMsxqp47LX059LLaI2Fo2J7B+mhaYSVrgr2YNPRUu/62amB0AAZ44O
+QxSClHlCzZqFu0KT
+=kjjV
+-----END PGP PUBLIC KEY BLOCK-----