e0fbbab3b1
Fixes issue in PodmanWorker where it didn't set KOLLA_SERVICE_NAME environment variable when creating new container. Additionally, two methods were moved from DockerWorker to ContainerWorker as they are applicable to both engines. Closes-Bug: #2078940 Change-Id: I273444fc828678d3c6803bce1bc8db1c5366b9b6 Signed-off-by: Martin Hiner <martin.hiner@tietoevry.com>
686 lines
24 KiB
Python
686 lines
24 KiB
Python
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
from podman.errors import APIError
|
|
from podman import PodmanClient
|
|
|
|
import shlex
|
|
|
|
from ansible.module_utils.kolla_container_worker import COMPARE_CONFIG_CMD
|
|
from ansible.module_utils.kolla_container_worker import ContainerWorker
|
|
|
|
uri = "http+unix:/run/podman/podman.sock"
|
|
|
|
CONTAINER_PARAMS = [
|
|
'name', # string
|
|
'cap_add', # list
|
|
'cgroupns', # 'str',choices=['private', 'host']
|
|
'command', # array of strings -- docker string
|
|
|
|
# this part is hidden inside dimensions
|
|
'cpu_period', # int
|
|
'cpu_quota', # int
|
|
'cpuset_cpus', # str
|
|
'cpu_shares', # int
|
|
'cpuset_mems', # str
|
|
'kernel_memory', # int or string
|
|
'mem_limit', # (Union[int, str])
|
|
'mem_reservation', # (Union[int, str]): Memory soft limit.
|
|
'memswap_limit', # (Union[int, str]): Maximum amount of memory
|
|
# + swap a container is allowed to consume.
|
|
'ulimits', # List[Ulimit]
|
|
'blkio_weight', # int between 10 and 1000
|
|
|
|
|
|
'detach', # bool
|
|
'entrypoint', # string
|
|
'environment', # dict docker - environment - dictionary
|
|
'healthcheck', # same schema as docker -- healthcheck
|
|
'image', # string
|
|
'ipc_mode', # string only option is host
|
|
|
|
'labels', # dict
|
|
'netns', # dict
|
|
'network_options', # string - none,bridge,host,container:id,
|
|
# missing in docker but needs to be host
|
|
'pid_mode', # "string" host, private or ''
|
|
'privileged', # bool
|
|
'restart_policy', # set to none, handled by systemd
|
|
'remove', # bool
|
|
'restart_tries', # int doesn't matter done by systemd
|
|
'stop_timeout', # int
|
|
'tty', # bool
|
|
# volumes need to be parsed, see parse_volumes() for more info
|
|
'volumes', # array of dict
|
|
'volumes_from', # array of strings
|
|
]
|
|
|
|
|
|
class PodmanWorker(ContainerWorker):
|
|
|
|
def __init__(self, module) -> None:
|
|
super().__init__(module)
|
|
|
|
self.pc = PodmanClient(base_url=uri)
|
|
|
|
def prepare_container_args(self):
|
|
args = dict(
|
|
network_mode='host'
|
|
)
|
|
|
|
command = self.params.pop('command', '')
|
|
if command:
|
|
self.params['command'] = shlex.split(command)
|
|
|
|
# we have to transform volumes into mounts because podman-py
|
|
# functionality is broken
|
|
mounts = []
|
|
filtered_volumes = {}
|
|
volumes = self.params.get('volumes', [])
|
|
if volumes:
|
|
self.parse_volumes(volumes, mounts, filtered_volumes)
|
|
# we can delete original volumes so it won't raise error later
|
|
self.params.pop('volumes', None)
|
|
|
|
args['mounts'] = mounts
|
|
args['volumes'] = filtered_volumes
|
|
|
|
env = self._format_env_vars()
|
|
args['environment'] = {k: str(v) for k, v in env.items()}
|
|
self.params.pop('environment', None)
|
|
|
|
healthcheck = self.params.get('healthcheck')
|
|
if healthcheck:
|
|
healthcheck = self.parse_healthcheck(healthcheck)
|
|
self.params.pop('healthcheck', None)
|
|
if healthcheck:
|
|
args.update(healthcheck)
|
|
|
|
# getting dimensions into separate parameters
|
|
dimensions = self.params.get('dimensions')
|
|
if dimensions:
|
|
dimensions = self.parse_dimensions(dimensions)
|
|
args.update(dimensions)
|
|
|
|
# NOTE(m.hiner): currently unsupported by Podman API
|
|
# args['tmpfs'] = self.generate_tmpfs()
|
|
self.params.pop('tmpfs', None)
|
|
|
|
# NOTE(m.hiner): in case containers are not privileged,
|
|
# they need this capability
|
|
if not self.params.get('privileged', False):
|
|
args['cap_add'] = self.params.pop('cap_add', []) + ['AUDIT_WRITE']
|
|
|
|
# maybe can be done straight away,
|
|
# at first it was around 6 keys that's why it is this way
|
|
convert_keys = dict(
|
|
graceful_timeout='stop_timeout',
|
|
cgroupns_mode='cgroupns'
|
|
)
|
|
|
|
# remap differing args
|
|
for key_orig, key_new in convert_keys.items():
|
|
if key_orig in self.params:
|
|
value = self.params.get(key_orig, None)
|
|
|
|
if value is not None:
|
|
args[key_new] = value
|
|
|
|
# record remaining args
|
|
for key, value in self.params.items():
|
|
if key in CONTAINER_PARAMS and value is not None:
|
|
args[key] = value
|
|
|
|
args.pop('restart_policy', None) # handled by systemd
|
|
|
|
return args
|
|
|
|
# NOTE(i.halomi): Podman encounters issues parsing and setting
|
|
# permissions for a mix of volumes and binds when sent together.
|
|
# Therefore, we must parse them and set the permissions ourselves
|
|
# and send them to API separately.
|
|
def parse_volumes(self, volumes, mounts, filtered_volumes):
|
|
# we can ignore empty strings
|
|
volumes = [item for item in volumes if item.strip()]
|
|
|
|
for item in volumes:
|
|
# if it starts with / it is bind not volume
|
|
if item[0] == '/':
|
|
mode = None
|
|
try:
|
|
if item.count(':') == 2:
|
|
src, dest, mode = item.split(':')
|
|
else:
|
|
src, dest = item.split(':')
|
|
except ValueError:
|
|
self.module.fail_json(
|
|
msg="Wrong format of volume: {}".format(item),
|
|
failed=True
|
|
)
|
|
|
|
mount_item = dict(
|
|
source=src,
|
|
target=dest,
|
|
type='bind',
|
|
propagation='rprivate'
|
|
)
|
|
if mode == 'ro':
|
|
mount_item['read_only'] = True
|
|
if mode == 'shared':
|
|
mount_item['propagation'] = 'shared'
|
|
mounts.append(mount_item)
|
|
else:
|
|
try:
|
|
mode = 'rw'
|
|
if item.count(':') == 2:
|
|
src, dest, mode = item.split(':')
|
|
else:
|
|
src, dest = item.split(':')
|
|
except ValueError:
|
|
self.module.fail_json(
|
|
msg="Wrong format of volume: {}".format(item),
|
|
failed=True
|
|
)
|
|
if src == 'devpts':
|
|
mount_item = dict(
|
|
target=dest,
|
|
type='devpts'
|
|
)
|
|
mounts.append(mount_item)
|
|
else:
|
|
filtered_volumes[src] = dict(
|
|
bind=dest,
|
|
mode=mode
|
|
)
|
|
|
|
def parse_dimensions(self, dimensions):
|
|
dimensions = dimensions.copy()
|
|
|
|
supported = {'cpu_period', 'cpu_quota', 'cpu_shares',
|
|
'cpuset_cpus', 'cpuset_mems', 'mem_limit',
|
|
'mem_reservation', 'memswap_limit',
|
|
'kernel_memory', 'blkio_weight', 'ulimits'}
|
|
unsupported = set(dimensions) - supported
|
|
if unsupported:
|
|
self.module.exit_json(failed=True,
|
|
msg=repr("Unsupported dimensions"),
|
|
unsupported_dimensions=unsupported)
|
|
|
|
ulimits = dimensions.get('ulimits', {})
|
|
if ulimits:
|
|
# NOTE(m.hiner): default ulimits have to be filtered out because
|
|
# Podman would treat them as new ulimits and break the container
|
|
# as a result. Names are a copy of
|
|
# default_podman_dimensions_el9 in /ansible/group_vars/all.yml
|
|
for name in ['RLIMIT_NOFILE', 'RLIMIT_NPROC']:
|
|
ulimits.pop(name, None)
|
|
|
|
dimensions['ulimits'] = self.build_ulimits(ulimits)
|
|
|
|
return dimensions
|
|
|
|
def parse_healthcheck(self, healthcheck):
|
|
hc = super().parse_healthcheck(healthcheck)
|
|
|
|
# rename key to right format
|
|
if hc:
|
|
sp = hc['healthcheck'].pop('start_period', None)
|
|
if sp:
|
|
hc['healthcheck']['StartPeriod'] = sp
|
|
|
|
return hc
|
|
|
|
def prepare_image_args(self):
|
|
image, tag = self.parse_image()
|
|
|
|
args = dict(
|
|
repository=image,
|
|
tag=tag,
|
|
tls_verify=self.params.get('tls_verify', False),
|
|
stream=False
|
|
)
|
|
|
|
if self.params.get('auth_username', False):
|
|
args['auth_config'] = dict(
|
|
username=self.params.get('auth_username'),
|
|
password=self.params.get('auth_password', "")
|
|
)
|
|
|
|
if '/' not in image and self.params.get('auth_registry', False):
|
|
args['image'] = self.params['auth_registry'] + '/' + image
|
|
return args
|
|
|
|
def check_image(self):
|
|
try:
|
|
image = self.pc.images.get(self.params.get('image'))
|
|
return image.attrs
|
|
except APIError as e:
|
|
if e.status_code == 404:
|
|
return {}
|
|
else:
|
|
self.module.fail_json(
|
|
failed=True,
|
|
msg="Internal error: {}".format(
|
|
e.explanation
|
|
)
|
|
)
|
|
|
|
def check_volume(self):
|
|
try:
|
|
vol = self.pc.volumes.get(self.params.get('name'))
|
|
return vol.attrs
|
|
except APIError as e:
|
|
if e.status_code == 404:
|
|
return {}
|
|
|
|
def check_container(self):
|
|
name = self.params.get("name")
|
|
for cont in self.pc.containers.list(all=True):
|
|
cont.reload()
|
|
if name == cont.name:
|
|
return cont
|
|
|
|
def get_container_info(self):
|
|
container = self.check_container()
|
|
if not container:
|
|
return None
|
|
|
|
return container.attrs
|
|
|
|
def compare_container(self):
|
|
container = self.check_container()
|
|
if (not container or
|
|
self.check_container_differs() or
|
|
self.compare_config() or
|
|
self.systemd.check_unit_change()):
|
|
self.changed = True
|
|
return self.changed
|
|
|
|
def compare_pid_mode(self, container_info):
|
|
new_pid_mode = self.params.get('pid_mode') or self.params.get('pid')
|
|
current_pid_mode = container_info['HostConfig'].get('PidMode')
|
|
|
|
if not current_pid_mode:
|
|
current_pid_mode = None
|
|
|
|
# podman default pid_mode
|
|
if new_pid_mode is None and current_pid_mode == 'private':
|
|
return False
|
|
|
|
if new_pid_mode != current_pid_mode:
|
|
return True
|
|
|
|
def compare_image(self, container_info=None):
|
|
def parse_tag(tag):
|
|
splits = tag.rsplit('/', 1)
|
|
return splits[-1]
|
|
|
|
container_info = container_info or self.get_container_info()
|
|
if not container_info:
|
|
return True
|
|
|
|
new_image = self.check_image()
|
|
current_image = container_info['Image']
|
|
if not new_image:
|
|
return True
|
|
if new_image['Id'] != current_image:
|
|
return True
|
|
# compare name:tag
|
|
elif (parse_tag(self.params.get('image')) !=
|
|
parse_tag(container_info['Config']['Image'])):
|
|
return True
|
|
|
|
def compare_volumes(self, container_info):
|
|
def check_slash(string):
|
|
if not string:
|
|
return string
|
|
if string[-1] != '/':
|
|
return string + '/'
|
|
else:
|
|
return string
|
|
|
|
raw_volumes, binds = self.generate_volumes()
|
|
raw_vols, current_binds = self.generate_volumes(
|
|
container_info['HostConfig'].get('Binds'))
|
|
|
|
current_vols = [check_slash(vol) for vol in raw_vols if vol]
|
|
volumes = [check_slash(vol) for vol in raw_volumes if vol]
|
|
|
|
if not volumes:
|
|
volumes = list()
|
|
if not current_vols:
|
|
current_vols = list()
|
|
if not current_binds:
|
|
current_binds = list()
|
|
|
|
volumes.sort()
|
|
current_vols.sort()
|
|
|
|
if set(volumes).symmetric_difference(set(current_vols)):
|
|
return True
|
|
|
|
new_binds = list()
|
|
new_current_binds = list()
|
|
if binds:
|
|
for k, v in binds.items():
|
|
k = check_slash(k)
|
|
v['bind'] = check_slash(v['bind'])
|
|
new_binds.append(
|
|
"{}:{}:{}".format(k, v['bind'], v['mode']))
|
|
|
|
if current_binds:
|
|
for k, v in current_binds.items():
|
|
k = check_slash(k)
|
|
v['bind'] = check_slash(v['bind'])
|
|
if 'ro' in v['mode']:
|
|
v['mode'] = 'ro'
|
|
else:
|
|
v['mode'] = 'rw'
|
|
new_current_binds.append(
|
|
"{}:{}:{}".format(k, v['bind'], v['mode'][0:2]))
|
|
|
|
new_binds.sort()
|
|
new_current_binds.sort()
|
|
|
|
if set(new_binds).symmetric_difference(set(new_current_binds)):
|
|
return True
|
|
|
|
def compare_dimensions(self, container_info):
|
|
new_dimensions = self.params.get('dimensions')
|
|
|
|
# NOTE(mgoddard): The names used by Docker/Podman are inconsistent
|
|
# between configuration of a container's resources and
|
|
# the resources in container_info['HostConfig'].
|
|
# This provides a mapping between the two.
|
|
dimension_map = {
|
|
'mem_limit': 'Memory', 'mem_reservation': 'MemoryReservation',
|
|
'memswap_limit': 'MemorySwap', 'cpu_period': 'CpuPeriod',
|
|
'cpu_quota': 'CpuQuota', 'cpu_shares': 'CpuShares',
|
|
'cpuset_cpus': 'CpusetCpus', 'cpuset_mems': 'CpusetMems',
|
|
'kernel_memory': 'KernelMemory', 'blkio_weight': 'BlkioWeight',
|
|
'ulimits': 'Ulimits'}
|
|
unsupported = set(new_dimensions.keys()) - \
|
|
set(dimension_map.keys())
|
|
if unsupported:
|
|
self.module.exit_json(
|
|
failed=True, msg=repr("Unsupported dimensions"),
|
|
unsupported_dimensions=unsupported)
|
|
current_dimensions = container_info['HostConfig']
|
|
for key1, key2 in dimension_map.items():
|
|
# NOTE(mgoddard): If a resource has been explicitly requested,
|
|
# check for a match. Otherwise, ensure it is set to the default.
|
|
if key1 in new_dimensions:
|
|
if key1 == 'ulimits':
|
|
if self.compare_ulimits(new_dimensions[key1],
|
|
current_dimensions[key2]):
|
|
return True
|
|
elif new_dimensions[key1] != current_dimensions[key2]:
|
|
return True
|
|
elif current_dimensions[key2]:
|
|
# The default values of all (except ulimits) currently
|
|
# supported resources are '' or 0 - both falsey.
|
|
return True
|
|
|
|
def compare_config(self):
|
|
try:
|
|
container = self.pc.containers.get(self.params['name'])
|
|
container.reload()
|
|
if container.status != 'running':
|
|
return True
|
|
|
|
rc, raw_output = container.exec_run(COMPARE_CONFIG_CMD,
|
|
user='root')
|
|
# APIError means either container doesn't exist or exec command
|
|
# failed, which means that container is in bad state and we can
|
|
# expect that config is stale so we return True and recreate container
|
|
except APIError as e:
|
|
if e.is_client_error():
|
|
return True
|
|
else:
|
|
raise
|
|
# Exit codes:
|
|
# 0: not changed
|
|
# 1: changed
|
|
# else: error
|
|
if rc == 0:
|
|
return False
|
|
elif rc == 1:
|
|
return True
|
|
else:
|
|
raise Exception('Failed to compare container configuration: '
|
|
'ExitCode: %s Message: %s' %
|
|
(rc, raw_output.decode('utf-8')))
|
|
|
|
def pull_image(self):
|
|
args = self.prepare_image_args()
|
|
old_image = self.check_image()
|
|
|
|
try:
|
|
image = self.pc.images.pull(**args)
|
|
|
|
if image.attrs == {}:
|
|
self.module.fail_json(
|
|
msg="The requested image does not exist: {}".format(
|
|
self.params['image']),
|
|
failed=True
|
|
)
|
|
self.changed = old_image != image.attrs
|
|
except APIError as e:
|
|
self.module.fail_json(
|
|
msg="Unknown error message: {}".format(
|
|
str(e)),
|
|
failed=True
|
|
)
|
|
|
|
def remove_container(self):
|
|
self.changed |= self.systemd.remove_unit_file()
|
|
container = self.check_container()
|
|
if container:
|
|
try:
|
|
container.remove(force=True)
|
|
except APIError:
|
|
if self.check_container():
|
|
raise
|
|
|
|
def build_ulimits(self, ulimits):
|
|
ulimits_opt = []
|
|
for key, value in ulimits.items():
|
|
soft = value.get('soft')
|
|
hard = value.get('hard')
|
|
# Converted to simple dictionary instead of Ulimit type
|
|
ulimits_opt.append(dict(Name=key,
|
|
Soft=soft,
|
|
Hard=hard))
|
|
return ulimits_opt
|
|
|
|
def create_container(self):
|
|
args = self.prepare_container_args()
|
|
container = self.pc.containers.create(**args)
|
|
if container.attrs == {}:
|
|
data = container.to_dict()
|
|
self.module.fail_json(failed=True, msg="Creation failed", **data)
|
|
else:
|
|
self.changed |= self.systemd.create_unit_file()
|
|
return container
|
|
|
|
def recreate_or_restart_container(self):
|
|
strategy = self.params.get(
|
|
'environment', dict()).get('KOLLA_CONFIG_STRATEGY')
|
|
|
|
container = self.get_container_info()
|
|
if not container:
|
|
self.start_container()
|
|
return
|
|
|
|
if strategy == 'COPY_ONCE' or self.check_container_differs():
|
|
self.ensure_image()
|
|
|
|
self.stop_container()
|
|
self.remove_container()
|
|
self.start_container()
|
|
|
|
elif strategy == 'COPY_ALWAYS':
|
|
self.restart_container()
|
|
|
|
def start_container(self):
|
|
self.ensure_image()
|
|
|
|
container = self.check_container()
|
|
if container and self.check_container_differs():
|
|
self.stop_container()
|
|
self.remove_container()
|
|
container = self.check_container()
|
|
|
|
if not container:
|
|
self.create_container()
|
|
container = self.check_container()
|
|
|
|
if container.status != 'running':
|
|
self.changed = True
|
|
if self.params.get('restart_policy') == 'oneshot':
|
|
container = self.check_container()
|
|
container.start()
|
|
else:
|
|
self.systemd.create_unit_file()
|
|
if not self.systemd.start():
|
|
self.module.fail_json(
|
|
changed=True,
|
|
msg="Container timed out",
|
|
**self.check_container().attrs)
|
|
|
|
if not self.params.get('detach'):
|
|
container = self.check_container()
|
|
rc = container.wait()
|
|
|
|
stdout = [line.decode() for line in container.logs(stdout=True,
|
|
stderr=False)]
|
|
stderr = [line.decode() for line in container.logs(stdout=False,
|
|
stderr=True)]
|
|
|
|
self.result['rc'] = rc
|
|
self.result['stdout'] = "\n".join(stdout) if len(stdout) else ""
|
|
self.result['stderr'] = "\n".join(stderr) if len(stderr) else ""
|
|
|
|
if self.params.get('remove_on_exit'):
|
|
self.stop_container()
|
|
self.remove_container()
|
|
if rc != 0:
|
|
self.module.fail_json(
|
|
changed=True,
|
|
msg="Container exited with non-zero return code %s" % rc,
|
|
**self.result
|
|
)
|
|
|
|
def stop_container(self):
|
|
name = self.params.get('name')
|
|
graceful_timeout = self.params.get('graceful_timeout')
|
|
if not graceful_timeout:
|
|
graceful_timeout = 10
|
|
container = self.check_container()
|
|
if not container:
|
|
ignore_missing = self.params.get('ignore_missing')
|
|
if not ignore_missing:
|
|
self.module.fail_json(
|
|
msg="No such container: {} to stop".format(name))
|
|
elif not (container.status == 'exited' or
|
|
container.status == 'stopped'):
|
|
self.changed = True
|
|
if self.params.get('restart_policy') != 'oneshot':
|
|
self.systemd.create_unit_file()
|
|
self.systemd.stop()
|
|
else:
|
|
container.stop(timeout=str(graceful_timeout))
|
|
|
|
def stop_and_remove_container(self):
|
|
container = self.check_container()
|
|
|
|
if container:
|
|
self.stop_container()
|
|
self.remove_container()
|
|
|
|
def restart_container(self):
|
|
container = self.check_container()
|
|
|
|
if not container:
|
|
self.module.fail_json(
|
|
msg="No such container: {}".format(self.params.get('name'))
|
|
)
|
|
else:
|
|
self.changed = True
|
|
self.systemd.create_unit_file()
|
|
|
|
if not self.systemd.restart():
|
|
self.module.fail_json(
|
|
changed=True,
|
|
msg="Container timed out",
|
|
**container.attrs)
|
|
|
|
def create_volume(self):
|
|
if not self.check_volume():
|
|
self.changed = True
|
|
args = dict(
|
|
name=self.params.get('name'),
|
|
driver='local'
|
|
)
|
|
|
|
vol = self.pc.volumes.create(**args)
|
|
self.result = vol.attrs
|
|
|
|
def remove_volume(self):
|
|
if self.check_volume():
|
|
self.changed = True
|
|
try:
|
|
self.pc.volumes.remove(self.params.get('name'))
|
|
except APIError as e:
|
|
if e.status_code == 409:
|
|
self.module.fail_json(
|
|
failed=True,
|
|
msg="Volume named '{}' is currently in-use".format(
|
|
self.params.get('name')
|
|
)
|
|
)
|
|
else:
|
|
self.module.fail_json(
|
|
failed=True,
|
|
msg="Internal error: {}".format(
|
|
e.explanation
|
|
)
|
|
)
|
|
raise
|
|
|
|
def remove_image(self):
|
|
if self.check_image():
|
|
image = self.pc.images.get(self.params['image'])
|
|
self.changed = True
|
|
try:
|
|
image.remove()
|
|
except APIError as e:
|
|
if e.status_code == 409:
|
|
self.module.fail_json(
|
|
failed=True,
|
|
msg="Image '{}' is currently in-use".format(
|
|
self.params.get('image')
|
|
)
|
|
)
|
|
else:
|
|
self.module.fail_json(
|
|
failed=True,
|
|
msg="Internal error: {}".format(
|
|
str(e)
|
|
)
|
|
)
|
|
raise
|
|
|
|
def ensure_image(self):
|
|
if not self.check_image():
|
|
self.pull_image()
|