kolla-ansible/ansible/module_utils/kolla_podman_worker.py
Martin Hiner e0fbbab3b1 Set KOLLA_SERVICE_NAME in Podman containers
Fixes issue in PodmanWorker where it didn't set KOLLA_SERVICE_NAME
environment variable when creating new container.
Additionally, two methods were moved from DockerWorker
to ContainerWorker as they are applicable to both engines.

Closes-Bug: #2078940
Change-Id: I273444fc828678d3c6803bce1bc8db1c5366b9b6
Signed-off-by: Martin Hiner <martin.hiner@tietoevry.com>
2024-09-05 11:54:07 +02:00

686 lines
24 KiB
Python

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from podman.errors import APIError
from podman import PodmanClient
import shlex
from ansible.module_utils.kolla_container_worker import COMPARE_CONFIG_CMD
from ansible.module_utils.kolla_container_worker import ContainerWorker
uri = "http+unix:/run/podman/podman.sock"
CONTAINER_PARAMS = [
'name', # string
'cap_add', # list
'cgroupns', # 'str',choices=['private', 'host']
'command', # array of strings -- docker string
# this part is hidden inside dimensions
'cpu_period', # int
'cpu_quota', # int
'cpuset_cpus', # str
'cpu_shares', # int
'cpuset_mems', # str
'kernel_memory', # int or string
'mem_limit', # (Union[int, str])
'mem_reservation', # (Union[int, str]): Memory soft limit.
'memswap_limit', # (Union[int, str]): Maximum amount of memory
# + swap a container is allowed to consume.
'ulimits', # List[Ulimit]
'blkio_weight', # int between 10 and 1000
'detach', # bool
'entrypoint', # string
'environment', # dict docker - environment - dictionary
'healthcheck', # same schema as docker -- healthcheck
'image', # string
'ipc_mode', # string only option is host
'labels', # dict
'netns', # dict
'network_options', # string - none,bridge,host,container:id,
# missing in docker but needs to be host
'pid_mode', # "string" host, private or ''
'privileged', # bool
'restart_policy', # set to none, handled by systemd
'remove', # bool
'restart_tries', # int doesn't matter done by systemd
'stop_timeout', # int
'tty', # bool
# volumes need to be parsed, see parse_volumes() for more info
'volumes', # array of dict
'volumes_from', # array of strings
]
class PodmanWorker(ContainerWorker):
def __init__(self, module) -> None:
super().__init__(module)
self.pc = PodmanClient(base_url=uri)
def prepare_container_args(self):
args = dict(
network_mode='host'
)
command = self.params.pop('command', '')
if command:
self.params['command'] = shlex.split(command)
# we have to transform volumes into mounts because podman-py
# functionality is broken
mounts = []
filtered_volumes = {}
volumes = self.params.get('volumes', [])
if volumes:
self.parse_volumes(volumes, mounts, filtered_volumes)
# we can delete original volumes so it won't raise error later
self.params.pop('volumes', None)
args['mounts'] = mounts
args['volumes'] = filtered_volumes
env = self._format_env_vars()
args['environment'] = {k: str(v) for k, v in env.items()}
self.params.pop('environment', None)
healthcheck = self.params.get('healthcheck')
if healthcheck:
healthcheck = self.parse_healthcheck(healthcheck)
self.params.pop('healthcheck', None)
if healthcheck:
args.update(healthcheck)
# getting dimensions into separate parameters
dimensions = self.params.get('dimensions')
if dimensions:
dimensions = self.parse_dimensions(dimensions)
args.update(dimensions)
# NOTE(m.hiner): currently unsupported by Podman API
# args['tmpfs'] = self.generate_tmpfs()
self.params.pop('tmpfs', None)
# NOTE(m.hiner): in case containers are not privileged,
# they need this capability
if not self.params.get('privileged', False):
args['cap_add'] = self.params.pop('cap_add', []) + ['AUDIT_WRITE']
# maybe can be done straight away,
# at first it was around 6 keys that's why it is this way
convert_keys = dict(
graceful_timeout='stop_timeout',
cgroupns_mode='cgroupns'
)
# remap differing args
for key_orig, key_new in convert_keys.items():
if key_orig in self.params:
value = self.params.get(key_orig, None)
if value is not None:
args[key_new] = value
# record remaining args
for key, value in self.params.items():
if key in CONTAINER_PARAMS and value is not None:
args[key] = value
args.pop('restart_policy', None) # handled by systemd
return args
# NOTE(i.halomi): Podman encounters issues parsing and setting
# permissions for a mix of volumes and binds when sent together.
# Therefore, we must parse them and set the permissions ourselves
# and send them to API separately.
def parse_volumes(self, volumes, mounts, filtered_volumes):
# we can ignore empty strings
volumes = [item for item in volumes if item.strip()]
for item in volumes:
# if it starts with / it is bind not volume
if item[0] == '/':
mode = None
try:
if item.count(':') == 2:
src, dest, mode = item.split(':')
else:
src, dest = item.split(':')
except ValueError:
self.module.fail_json(
msg="Wrong format of volume: {}".format(item),
failed=True
)
mount_item = dict(
source=src,
target=dest,
type='bind',
propagation='rprivate'
)
if mode == 'ro':
mount_item['read_only'] = True
if mode == 'shared':
mount_item['propagation'] = 'shared'
mounts.append(mount_item)
else:
try:
mode = 'rw'
if item.count(':') == 2:
src, dest, mode = item.split(':')
else:
src, dest = item.split(':')
except ValueError:
self.module.fail_json(
msg="Wrong format of volume: {}".format(item),
failed=True
)
if src == 'devpts':
mount_item = dict(
target=dest,
type='devpts'
)
mounts.append(mount_item)
else:
filtered_volumes[src] = dict(
bind=dest,
mode=mode
)
def parse_dimensions(self, dimensions):
dimensions = dimensions.copy()
supported = {'cpu_period', 'cpu_quota', 'cpu_shares',
'cpuset_cpus', 'cpuset_mems', 'mem_limit',
'mem_reservation', 'memswap_limit',
'kernel_memory', 'blkio_weight', 'ulimits'}
unsupported = set(dimensions) - supported
if unsupported:
self.module.exit_json(failed=True,
msg=repr("Unsupported dimensions"),
unsupported_dimensions=unsupported)
ulimits = dimensions.get('ulimits', {})
if ulimits:
# NOTE(m.hiner): default ulimits have to be filtered out because
# Podman would treat them as new ulimits and break the container
# as a result. Names are a copy of
# default_podman_dimensions_el9 in /ansible/group_vars/all.yml
for name in ['RLIMIT_NOFILE', 'RLIMIT_NPROC']:
ulimits.pop(name, None)
dimensions['ulimits'] = self.build_ulimits(ulimits)
return dimensions
def parse_healthcheck(self, healthcheck):
hc = super().parse_healthcheck(healthcheck)
# rename key to right format
if hc:
sp = hc['healthcheck'].pop('start_period', None)
if sp:
hc['healthcheck']['StartPeriod'] = sp
return hc
def prepare_image_args(self):
image, tag = self.parse_image()
args = dict(
repository=image,
tag=tag,
tls_verify=self.params.get('tls_verify', False),
stream=False
)
if self.params.get('auth_username', False):
args['auth_config'] = dict(
username=self.params.get('auth_username'),
password=self.params.get('auth_password', "")
)
if '/' not in image and self.params.get('auth_registry', False):
args['image'] = self.params['auth_registry'] + '/' + image
return args
def check_image(self):
try:
image = self.pc.images.get(self.params.get('image'))
return image.attrs
except APIError as e:
if e.status_code == 404:
return {}
else:
self.module.fail_json(
failed=True,
msg="Internal error: {}".format(
e.explanation
)
)
def check_volume(self):
try:
vol = self.pc.volumes.get(self.params.get('name'))
return vol.attrs
except APIError as e:
if e.status_code == 404:
return {}
def check_container(self):
name = self.params.get("name")
for cont in self.pc.containers.list(all=True):
cont.reload()
if name == cont.name:
return cont
def get_container_info(self):
container = self.check_container()
if not container:
return None
return container.attrs
def compare_container(self):
container = self.check_container()
if (not container or
self.check_container_differs() or
self.compare_config() or
self.systemd.check_unit_change()):
self.changed = True
return self.changed
def compare_pid_mode(self, container_info):
new_pid_mode = self.params.get('pid_mode') or self.params.get('pid')
current_pid_mode = container_info['HostConfig'].get('PidMode')
if not current_pid_mode:
current_pid_mode = None
# podman default pid_mode
if new_pid_mode is None and current_pid_mode == 'private':
return False
if new_pid_mode != current_pid_mode:
return True
def compare_image(self, container_info=None):
def parse_tag(tag):
splits = tag.rsplit('/', 1)
return splits[-1]
container_info = container_info or self.get_container_info()
if not container_info:
return True
new_image = self.check_image()
current_image = container_info['Image']
if not new_image:
return True
if new_image['Id'] != current_image:
return True
# compare name:tag
elif (parse_tag(self.params.get('image')) !=
parse_tag(container_info['Config']['Image'])):
return True
def compare_volumes(self, container_info):
def check_slash(string):
if not string:
return string
if string[-1] != '/':
return string + '/'
else:
return string
raw_volumes, binds = self.generate_volumes()
raw_vols, current_binds = self.generate_volumes(
container_info['HostConfig'].get('Binds'))
current_vols = [check_slash(vol) for vol in raw_vols if vol]
volumes = [check_slash(vol) for vol in raw_volumes if vol]
if not volumes:
volumes = list()
if not current_vols:
current_vols = list()
if not current_binds:
current_binds = list()
volumes.sort()
current_vols.sort()
if set(volumes).symmetric_difference(set(current_vols)):
return True
new_binds = list()
new_current_binds = list()
if binds:
for k, v in binds.items():
k = check_slash(k)
v['bind'] = check_slash(v['bind'])
new_binds.append(
"{}:{}:{}".format(k, v['bind'], v['mode']))
if current_binds:
for k, v in current_binds.items():
k = check_slash(k)
v['bind'] = check_slash(v['bind'])
if 'ro' in v['mode']:
v['mode'] = 'ro'
else:
v['mode'] = 'rw'
new_current_binds.append(
"{}:{}:{}".format(k, v['bind'], v['mode'][0:2]))
new_binds.sort()
new_current_binds.sort()
if set(new_binds).symmetric_difference(set(new_current_binds)):
return True
def compare_dimensions(self, container_info):
new_dimensions = self.params.get('dimensions')
# NOTE(mgoddard): The names used by Docker/Podman are inconsistent
# between configuration of a container's resources and
# the resources in container_info['HostConfig'].
# This provides a mapping between the two.
dimension_map = {
'mem_limit': 'Memory', 'mem_reservation': 'MemoryReservation',
'memswap_limit': 'MemorySwap', 'cpu_period': 'CpuPeriod',
'cpu_quota': 'CpuQuota', 'cpu_shares': 'CpuShares',
'cpuset_cpus': 'CpusetCpus', 'cpuset_mems': 'CpusetMems',
'kernel_memory': 'KernelMemory', 'blkio_weight': 'BlkioWeight',
'ulimits': 'Ulimits'}
unsupported = set(new_dimensions.keys()) - \
set(dimension_map.keys())
if unsupported:
self.module.exit_json(
failed=True, msg=repr("Unsupported dimensions"),
unsupported_dimensions=unsupported)
current_dimensions = container_info['HostConfig']
for key1, key2 in dimension_map.items():
# NOTE(mgoddard): If a resource has been explicitly requested,
# check for a match. Otherwise, ensure it is set to the default.
if key1 in new_dimensions:
if key1 == 'ulimits':
if self.compare_ulimits(new_dimensions[key1],
current_dimensions[key2]):
return True
elif new_dimensions[key1] != current_dimensions[key2]:
return True
elif current_dimensions[key2]:
# The default values of all (except ulimits) currently
# supported resources are '' or 0 - both falsey.
return True
def compare_config(self):
try:
container = self.pc.containers.get(self.params['name'])
container.reload()
if container.status != 'running':
return True
rc, raw_output = container.exec_run(COMPARE_CONFIG_CMD,
user='root')
# APIError means either container doesn't exist or exec command
# failed, which means that container is in bad state and we can
# expect that config is stale so we return True and recreate container
except APIError as e:
if e.is_client_error():
return True
else:
raise
# Exit codes:
# 0: not changed
# 1: changed
# else: error
if rc == 0:
return False
elif rc == 1:
return True
else:
raise Exception('Failed to compare container configuration: '
'ExitCode: %s Message: %s' %
(rc, raw_output.decode('utf-8')))
def pull_image(self):
args = self.prepare_image_args()
old_image = self.check_image()
try:
image = self.pc.images.pull(**args)
if image.attrs == {}:
self.module.fail_json(
msg="The requested image does not exist: {}".format(
self.params['image']),
failed=True
)
self.changed = old_image != image.attrs
except APIError as e:
self.module.fail_json(
msg="Unknown error message: {}".format(
str(e)),
failed=True
)
def remove_container(self):
self.changed |= self.systemd.remove_unit_file()
container = self.check_container()
if container:
try:
container.remove(force=True)
except APIError:
if self.check_container():
raise
def build_ulimits(self, ulimits):
ulimits_opt = []
for key, value in ulimits.items():
soft = value.get('soft')
hard = value.get('hard')
# Converted to simple dictionary instead of Ulimit type
ulimits_opt.append(dict(Name=key,
Soft=soft,
Hard=hard))
return ulimits_opt
def create_container(self):
args = self.prepare_container_args()
container = self.pc.containers.create(**args)
if container.attrs == {}:
data = container.to_dict()
self.module.fail_json(failed=True, msg="Creation failed", **data)
else:
self.changed |= self.systemd.create_unit_file()
return container
def recreate_or_restart_container(self):
strategy = self.params.get(
'environment', dict()).get('KOLLA_CONFIG_STRATEGY')
container = self.get_container_info()
if not container:
self.start_container()
return
if strategy == 'COPY_ONCE' or self.check_container_differs():
self.ensure_image()
self.stop_container()
self.remove_container()
self.start_container()
elif strategy == 'COPY_ALWAYS':
self.restart_container()
def start_container(self):
self.ensure_image()
container = self.check_container()
if container and self.check_container_differs():
self.stop_container()
self.remove_container()
container = self.check_container()
if not container:
self.create_container()
container = self.check_container()
if container.status != 'running':
self.changed = True
if self.params.get('restart_policy') == 'oneshot':
container = self.check_container()
container.start()
else:
self.systemd.create_unit_file()
if not self.systemd.start():
self.module.fail_json(
changed=True,
msg="Container timed out",
**self.check_container().attrs)
if not self.params.get('detach'):
container = self.check_container()
rc = container.wait()
stdout = [line.decode() for line in container.logs(stdout=True,
stderr=False)]
stderr = [line.decode() for line in container.logs(stdout=False,
stderr=True)]
self.result['rc'] = rc
self.result['stdout'] = "\n".join(stdout) if len(stdout) else ""
self.result['stderr'] = "\n".join(stderr) if len(stderr) else ""
if self.params.get('remove_on_exit'):
self.stop_container()
self.remove_container()
if rc != 0:
self.module.fail_json(
changed=True,
msg="Container exited with non-zero return code %s" % rc,
**self.result
)
def stop_container(self):
name = self.params.get('name')
graceful_timeout = self.params.get('graceful_timeout')
if not graceful_timeout:
graceful_timeout = 10
container = self.check_container()
if not container:
ignore_missing = self.params.get('ignore_missing')
if not ignore_missing:
self.module.fail_json(
msg="No such container: {} to stop".format(name))
elif not (container.status == 'exited' or
container.status == 'stopped'):
self.changed = True
if self.params.get('restart_policy') != 'oneshot':
self.systemd.create_unit_file()
self.systemd.stop()
else:
container.stop(timeout=str(graceful_timeout))
def stop_and_remove_container(self):
container = self.check_container()
if container:
self.stop_container()
self.remove_container()
def restart_container(self):
container = self.check_container()
if not container:
self.module.fail_json(
msg="No such container: {}".format(self.params.get('name'))
)
else:
self.changed = True
self.systemd.create_unit_file()
if not self.systemd.restart():
self.module.fail_json(
changed=True,
msg="Container timed out",
**container.attrs)
def create_volume(self):
if not self.check_volume():
self.changed = True
args = dict(
name=self.params.get('name'),
driver='local'
)
vol = self.pc.volumes.create(**args)
self.result = vol.attrs
def remove_volume(self):
if self.check_volume():
self.changed = True
try:
self.pc.volumes.remove(self.params.get('name'))
except APIError as e:
if e.status_code == 409:
self.module.fail_json(
failed=True,
msg="Volume named '{}' is currently in-use".format(
self.params.get('name')
)
)
else:
self.module.fail_json(
failed=True,
msg="Internal error: {}".format(
e.explanation
)
)
raise
def remove_image(self):
if self.check_image():
image = self.pc.images.get(self.params['image'])
self.changed = True
try:
image.remove()
except APIError as e:
if e.status_code == 409:
self.module.fail_json(
failed=True,
msg="Image '{}' is currently in-use".format(
self.params.get('image')
)
)
else:
self.module.fail_json(
failed=True,
msg="Internal error: {}".format(
str(e)
)
)
raise
def ensure_image(self):
if not self.check_image():
self.pull_image()