ensure-podman: add tasks to configure socket group
The podman socket is owned by root by default, so add a podman group (like the docker group) to allow the zuul/ansible user to access it. Also, add support for Ubuntu noble. Change-Id: I653d9c313c69298da00b139a791a6177d37475cd
This commit is contained in:
James E. Blair
parent
854bb38424
commit
d5bbb6ba8c
@ -6,3 +6,16 @@ Install podman container manager
|
||||
:default: false
|
||||
|
||||
Used to enable validation of podman engine.
|
||||
|
||||
.. zuul:rolevar:: ensure_podman_socket
|
||||
:default: false
|
||||
|
||||
Enabling this will cause the role to configure a group and add the
|
||||
user to it in order to have access to the root-owned system-level
|
||||
compatability socket.
|
||||
|
||||
.. zuul:rolevar:: ensure_podman_group
|
||||
:default: podman
|
||||
|
||||
Only used if `ensure_podman_socket` is set. Configures the group
|
||||
name to use.
|
||||
|
||||
@ -1 +1,3 @@
|
||||
ensure_podman_validate: false
|
||||
ensure_podman_socket: false
|
||||
ensure_podman_group: podman
|
||||
|
||||
22
roles/ensure-podman/tasks/Ubuntu-24.04.yaml
Normal file
22
roles/ensure-podman/tasks/Ubuntu-24.04.yaml
Normal file
@ -0,0 +1,22 @@
|
||||
- name: Install podman
|
||||
package:
|
||||
name:
|
||||
- podman
|
||||
- uidmap
|
||||
- slirp4netns
|
||||
- fuse-overlayfs
|
||||
- containernetworking-plugins
|
||||
# This enables container network dns resolution:
|
||||
- golang-github-containernetworking-plugin-dnsname
|
||||
state: present
|
||||
become: yes
|
||||
- name: Create containers config dir
|
||||
file:
|
||||
path: '{{ ansible_user_dir }}/.config/containers'
|
||||
state: directory
|
||||
- name: Force cgroup manager to cgroupfs for Ubuntu
|
||||
copy:
|
||||
content: |
|
||||
[engine]
|
||||
cgroup_manager = "cgroupfs"
|
||||
dest: '{{ ansible_user_dir }}/.config/containers/containers.conf'
|
||||
@ -26,3 +26,7 @@
|
||||
podman info
|
||||
podman ps
|
||||
changed_when: false
|
||||
|
||||
- name: Set up docker compatability socket
|
||||
when: ensure_podman_socket
|
||||
include_tasks: "root-socket.yaml"
|
||||
|
||||
43
roles/ensure-podman/tasks/root-socket.yaml
Normal file
43
roles/ensure-podman/tasks/root-socket.yaml
Normal file
@ -0,0 +1,43 @@
|
||||
# We have a podman group, like the docker group, for controlling
|
||||
# access to the root-owned podman service.
|
||||
- name: Ensure "podman" group exists
|
||||
become: true
|
||||
group:
|
||||
name: "{{ ensure_podman_group }}"
|
||||
state: present
|
||||
|
||||
- name: Add user to podman group
|
||||
become: true
|
||||
user:
|
||||
name: "{{ ansible_user }}"
|
||||
groups:
|
||||
- "{{ ensure_podman_group }}"
|
||||
append: yes
|
||||
|
||||
- name: Ensure systemd config directory exists
|
||||
become: true
|
||||
file:
|
||||
path: /etc/systemd/system/podman.socket.d
|
||||
state: directory
|
||||
|
||||
- name: Add podman socket override config
|
||||
become: true
|
||||
template:
|
||||
src: podman.socket.override.conf.j2
|
||||
dest: /etc/systemd/system/podman.socket.d/override.conf
|
||||
|
||||
- name: Reset ssh connection to pick up podman group
|
||||
meta: reset_connection
|
||||
|
||||
- name: Assure podman.socket service is running
|
||||
become: true
|
||||
service:
|
||||
name: podman.socket
|
||||
enabled: yes
|
||||
state: started
|
||||
|
||||
- name: Correct group ownership on podman sock
|
||||
become: true
|
||||
file:
|
||||
path: /run/podman/podman.sock
|
||||
group: "{{ ensure_podman_group }}"
|
||||
@ -0,0 +1,3 @@
|
||||
[Socket]
|
||||
SocketGroup={{ ensure_podman_group }}
|
||||
|
||||
@ -459,6 +459,110 @@
|
||||
run: test-playbooks/ensure-podman/main.yaml
|
||||
vars:
|
||||
ensure_podman_validate: true
|
||||
tags:
|
||||
- debuntu-platforms
|
||||
- exclude-ubuntu-focal
|
||||
|
||||
- job:
|
||||
name: zuul-jobs-test-ensure-podman-debian-bookworm
|
||||
description: Test the ensure-podman role on debian-bookworm
|
||||
parent: zuul-jobs-test-ensure-podman
|
||||
tags: auto-generated
|
||||
nodeset:
|
||||
nodes:
|
||||
- name: debian-bookworm
|
||||
label: debian-bookworm
|
||||
|
||||
- job:
|
||||
name: zuul-jobs-test-ensure-podman-debian-bullseye
|
||||
description: Test the ensure-podman role on debian-bullseye
|
||||
parent: zuul-jobs-test-ensure-podman
|
||||
tags: auto-generated
|
||||
nodeset:
|
||||
nodes:
|
||||
- name: debian-bullseye
|
||||
label: debian-bullseye
|
||||
|
||||
- job:
|
||||
name: zuul-jobs-test-ensure-podman-ubuntu-jammy
|
||||
description: Test the ensure-podman role on ubuntu-jammy
|
||||
parent: zuul-jobs-test-ensure-podman
|
||||
tags: auto-generated
|
||||
nodeset:
|
||||
nodes:
|
||||
- name: ubuntu-jammy
|
||||
label: ubuntu-jammy
|
||||
|
||||
- job:
|
||||
name: zuul-jobs-test-ensure-podman-ubuntu-noble
|
||||
description: Test the ensure-podman role on ubuntu-noble
|
||||
parent: zuul-jobs-test-ensure-podman
|
||||
tags: auto-generated
|
||||
nodeset:
|
||||
nodes:
|
||||
- name: ubuntu-noble
|
||||
label: ubuntu-noble
|
||||
|
||||
- job:
|
||||
name: zuul-jobs-test-ensure-podman-socket
|
||||
description: |
|
||||
Test the ensure-podman role with the socket option
|
||||
|
||||
This job tests the ensure-podman role. It is not meant to be
|
||||
used directly but rather run on changes to roles in the
|
||||
zuul-jobs repo.
|
||||
abstract: true
|
||||
files:
|
||||
- roles/ensure-podman/.*
|
||||
- roles/ensure-package-repositories/.*
|
||||
- test-playbooks/ensure-podman/.*
|
||||
run: test-playbooks/ensure-podman/main.yaml
|
||||
vars:
|
||||
ensure_podman_validate: true
|
||||
ensure_podman_socket: true
|
||||
tags:
|
||||
- debuntu-platforms
|
||||
- exclude-ubuntu-focal
|
||||
|
||||
- job:
|
||||
name: zuul-jobs-test-ensure-podman-socket-debian-bookworm
|
||||
description: Test the ensure-podman role with the socket option on debian-bookworm
|
||||
parent: zuul-jobs-test-ensure-podman-socket
|
||||
tags: auto-generated
|
||||
nodeset:
|
||||
nodes:
|
||||
- name: debian-bookworm
|
||||
label: debian-bookworm
|
||||
|
||||
- job:
|
||||
name: zuul-jobs-test-ensure-podman-socket-debian-bullseye
|
||||
description: Test the ensure-podman role with the socket option on debian-bullseye
|
||||
parent: zuul-jobs-test-ensure-podman-socket
|
||||
tags: auto-generated
|
||||
nodeset:
|
||||
nodes:
|
||||
- name: debian-bullseye
|
||||
label: debian-bullseye
|
||||
|
||||
- job:
|
||||
name: zuul-jobs-test-ensure-podman-socket-ubuntu-jammy
|
||||
description: Test the ensure-podman role with the socket option on ubuntu-jammy
|
||||
parent: zuul-jobs-test-ensure-podman-socket
|
||||
tags: auto-generated
|
||||
nodeset:
|
||||
nodes:
|
||||
- name: ubuntu-jammy
|
||||
label: ubuntu-jammy
|
||||
|
||||
- job:
|
||||
name: zuul-jobs-test-ensure-podman-socket-ubuntu-noble
|
||||
description: Test the ensure-podman role with the socket option on ubuntu-noble
|
||||
parent: zuul-jobs-test-ensure-podman-socket
|
||||
tags: auto-generated
|
||||
nodeset:
|
||||
nodes:
|
||||
- name: ubuntu-noble
|
||||
label: ubuntu-noble
|
||||
|
||||
- job:
|
||||
name: zuul-jobs-test-ensure-skopeo
|
||||
@ -567,6 +671,14 @@
|
||||
- zuul-jobs-test-ensure-kubernetes-crio-ubuntu-jammy
|
||||
- zuul-jobs-test-ensure-kubernetes-microk8s-ubuntu-jammy
|
||||
- zuul-jobs-test-ensure-kubernetes-microk8s-debian-bookworm
|
||||
- zuul-jobs-test-ensure-podman-debian-bookworm
|
||||
- zuul-jobs-test-ensure-podman-debian-bullseye
|
||||
- zuul-jobs-test-ensure-podman-ubuntu-jammy
|
||||
- zuul-jobs-test-ensure-podman-ubuntu-noble
|
||||
- zuul-jobs-test-ensure-podman-socket-debian-bookworm
|
||||
- zuul-jobs-test-ensure-podman-socket-debian-bullseye
|
||||
- zuul-jobs-test-ensure-podman-socket-ubuntu-jammy
|
||||
- zuul-jobs-test-ensure-podman-socket-ubuntu-noble
|
||||
- zuul-jobs-test-ensure-skopeo-debian-bookworm
|
||||
- zuul-jobs-test-ensure-skopeo-debian-bullseye
|
||||
- zuul-jobs-test-ensure-skopeo-ubuntu-focal
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user