From d5bbb6ba8cb5aee17fa8ec1656863eef1c5d2859 Mon Sep 17 00:00:00 2001
From: "James E. Blair"
Date: Wed, 7 Aug 2024 12:08:46 -0700
Subject: [PATCH] ensure-podman: add tasks to configure socket group

The podman socket is owned by root by default, so add a podman group (like the docker group) to allow the zuul/ansible user to access it. Also, add support for Ubuntu noble.

Change-Id: I653d9c313c69298da00b139a791a6177d37475cd
---
roles/ensure-podman/README.rst | 13 ++
roles/ensure-podman/defaults/main.yaml | 2 +
roles/ensure-podman/tasks/Ubuntu-24.04.yaml | 22 ++++
roles/ensure-podman/tasks/main.yaml | 4 +
roles/ensure-podman/tasks/root-socket.yaml | 43 +++++++
.../templates/podman.socket.override.conf.j2 | 3 +
zuul-tests.d/container-roles-jobs.yaml | 112 ++++++++++++++++++
7 files changed, 199 insertions(+)
create mode 100644 roles/ensure-podman/tasks/Ubuntu-24.04.yaml
create mode 100644 roles/ensure-podman/tasks/root-socket.yaml
create mode 100644 roles/ensure-podman/templates/podman.socket.override.conf.j2

diff --git a/roles/ensure-podman/README.rst b/roles/ensure-podman/README.rst
index 99f577c0f..4448fabf6 100644
--- a/roles/ensure-podman/README.rst
+++ b/roles/ensure-podman/README.rst
@@ -6,3 +6,16 @@ Install podman container manager
 :default: false

 Used to enable validation of podman engine.
+
+.. zuul:rolevar:: ensure_podman_socket
+ :default: false
+
+ Enabling this will cause the role to configure a group and add the
+ user to it in order to have access to the root-owned system-level
+ compatability socket.
+
+.. zuul:rolevar:: ensure_podman_group
+ :default: podman
+
+ Only used if `ensure_podman_socket` is set. Configures the group
+ name to use.
diff --git a/roles/ensure-podman/defaults/main.yaml b/roles/ensure-podman/defaults/main.yaml
index 7990f35b5..c8a6bca62 100644
--- a/roles/ensure-podman/defaults/main.yaml
+++ b/roles/ensure-podman/defaults/main.yaml
@@ -1 +1,3 @@
 ensure_podman_validate: false
+ensure_podman_socket: false
+ensure_podman_group: podman
diff --git a/roles/ensure-podman/tasks/Ubuntu-24.04.yaml b/roles/ensure-podman/tasks/Ubuntu-24.04.yaml
new file mode 100644
index 000000000..139177579
--- /dev/null
+++ b/roles/ensure-podman/tasks/Ubuntu-24.04.yaml
@@ -0,0 +1,22 @@
+- name: Install podman
+ package:
+ name:
+ - podman
+ - uidmap
+ - slirp4netns
+ - fuse-overlayfs
+ - containernetworking-plugins
+ # This enables container network dns resolution:
+ - golang-github-containernetworking-plugin-dnsname
+ state: present
+ become: yes
+- name: Create containers config dir
+ file:
+ path: '{{ ansible_user_dir }}/.config/containers'
+ state: directory
+- name: Force cgroup manager to cgroupfs for Ubuntu
+ copy:
+ content: |
+ [engine]
+ cgroup_manager = "cgroupfs"
+ dest: '{{ ansible_user_dir }}/.config/containers/containers.conf'
diff --git a/roles/ensure-podman/tasks/main.yaml b/roles/ensure-podman/tasks/main.yaml
index 739a3403f..0871f1d03 100644
--- a/roles/ensure-podman/tasks/main.yaml
+++ b/roles/ensure-podman/tasks/main.yaml
@@ -26,3 +26,7 @@
 podman info
 podman ps
 changed_when: false
+
+- name: Set up docker compatability socket
+ when: ensure_podman_socket
+ include_tasks: "root-socket.yaml"
diff --git a/roles/ensure-podman/tasks/root-socket.yaml b/roles/ensure-podman/tasks/root-socket.yaml
new file mode 100644
index 000000000..ce8bf5e3f
--- /dev/null
+++ b/roles/ensure-podman/tasks/root-socket.yaml
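Review bot: `become: yes` on the Install podman task is the YAML 1.1 truthy spelling, while root-socket.yaml in the same change writes `become: true`; use `become: true` here as well so the role is consistent under yamllint's truthy rule. The Force cgroup manager task replaces any existing `~/.config/containers/containers.conf` wholesale on every run, which is fine for a fresh CI node but worth stating above the task, e.g. `# Overwrites any existing user-level containers.conf.` I cannot see the existing per-platform task files, so if this one mirrors Ubuntu-22.04.yaml line for line, a shared include would be preferable to the duplicate.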
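Review bot: The new task name `Set up docker compatability socket` misspells compatibility; task names appear in job logs and are what people grep for, so `- name: Set up docker compatibility socket` is worth fixing now. The task list this hunk appends to starts before the hunk.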
@@ -0,0 +1,43 @@
+# We have a podman group, like the docker group, for controlling
+# access to the root-owned podman service.
+- name: Ensure "podman" group exists
+ become: true
+ group:
+ name: "{{ ensure_podman_group }}"
+ state: present
+
+- name: Add user to podman group
+ become: true
+ user:
+ name: "{{ ansible_user }}"
+ groups:
+ - "{{ ensure_podman_group }}"
+ append: yes
+
+- name: Ensure systemd config directory exists
+ become: true
+ file:
+ path: /etc/systemd/system/podman.socket.d
+ state: directory
+
+- name: Add podman socket override config
+ become: true
+ template:
+ src: podman.socket.override.conf.j2
+ dest: /etc/systemd/system/podman.socket.d/override.conf
+
+- name: Reset ssh connection to pick up podman group
+ meta: reset_connection
+
+- name: Assure podman.socket service is running
+ become: true
+ service:
+ name: podman.socket
+ enabled: yes
+ state: started
+
+- name: Correct group ownership on podman sock
+ become: true
+ file:
+ path: /run/podman/podman.sock
+ group: "{{ ensure_podman_group }}"
diff --git a/roles/ensure-podman/templates/podman.socket.override.conf.j2 b/roles/ensure-podman/templates/podman.socket.override.conf.j2
new file mode 100644
index 000000000..e70a6d6e6
--- /dev/null
+++ b/roles/ensure-podman/templates/podman.socket.override.conf.j2
@@ -0,0 +1,3 @@
+[Socket]
+SocketGroup={{ ensure_podman_group }}
+
diff --git a/zuul-tests.d/container-roles-jobs.yaml b/zuul-tests.d/container-roles-jobs.yaml
index 55bc0cf00..617002344 100644
--- a/zuul-tests.d/container-roles-jobs.yaml
+++ b/zuul-tests.d/container-roles-jobs.yaml
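Review bot: The override written by the Add podman socket override config task only takes effect once systemd re-reads unit files and the socket is (re)started, but the following `service` task uses `state: started`, which neither runs daemon-reload nor restarts an already-listening podman.socket; on a host where the socket is already active the SocketGroup change is deferred to the next restart, and the final chown on `/run/podman/podman.sock` is what actually grants access in the meantime. Registering the template result and driving the socket through the `systemd` module with `daemon_reload: true` plus a conditional restart makes the group setting apply immediately (rewrite below), and the chown task can stay as a belt-and-braces step. Because members of this group can drive a root-owned service, the header comment should say so, e.g. `# Membership in this group is root-equivalent on the host, exactly as with the docker group.`. The truthy spellings `append: yes` and `enabled: yes` should be `true`, matching `become: true` in the same file.
```yaml
- name: Add podman socket override config
  become: true
  template:
    src: podman.socket.override.conf.j2
    dest: /etc/systemd/system/podman.socket.d/override.conf
  register: _podman_socket_override

# … unchanged: reset_connection task …

- name: Assure podman.socket service is running
  become: true
  systemd:
    name: podman.socket
    daemon_reload: true
    enabled: true
    # Restart so a changed SocketGroup is applied to an already-listening socket.
    state: "{{ 'restarted' if _podman_socket_override.changed else 'started' }}"
```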
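Review bot: The override sets only `SocketGroup`, so whether group members can actually use the socket depends on the `SocketMode` of the distro-packaged podman.socket unit (upstream's unit sets 0660 as far as I recall, but nothing here pins it). Adding `SocketMode=0660` under `[Socket]` in this template makes the intended access (owner and group only, no world access) explicit and independent of what the package ships. The trailing empty line in the three-line file can be dropped.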
@@ -459,6 +459,110 @@
 run: test-playbooks/ensure-podman/main.yaml
 vars:
 ensure_podman_validate: true
+ tags:
+ - debuntu-platforms
+ - exclude-ubuntu-focal
+
+- job:
+ name: zuul-jobs-test-ensure-podman-debian-bookworm
+ description: Test the ensure-podman role on debian-bookworm
+ parent: zuul-jobs-test-ensure-podman
+ tags: auto-generated
+ nodeset:
+ nodes:
+ - name: debian-bookworm
+ label: debian-bookworm
+
+- job:
+ name: zuul-jobs-test-ensure-podman-debian-bullseye
+ description: Test the ensure-podman role on debian-bullseye
+ parent: zuul-jobs-test-ensure-podman
+ tags: auto-generated
+ nodeset:
+ nodes:
+ - name: debian-bullseye
+ label: debian-bullseye
+
+- job:
+ name: zuul-jobs-test-ensure-podman-ubuntu-jammy
+ description: Test the ensure-podman role on ubuntu-jammy
+ parent: zuul-jobs-test-ensure-podman
+ tags: auto-generated
+ nodeset:
+ nodes:
+ - name: ubuntu-jammy
+ label: ubuntu-jammy
+
+- job:
+ name: zuul-jobs-test-ensure-podman-ubuntu-noble
+ description: Test the ensure-podman role on ubuntu-noble
+ parent: zuul-jobs-test-ensure-podman
+ tags: auto-generated
+ nodeset:
+ nodes:
+ - name: ubuntu-noble
+ label: ubuntu-noble
+
+- job:
+ name: zuul-jobs-test-ensure-podman-socket
+ description: |
+ Test the ensure-podman role with the socket option
+
+ This job tests the ensure-podman role. It is not meant to be
+ used directly but rather run on changes to roles in the
+ zuul-jobs repo.
+ abstract: true
+ files:
+ - roles/ensure-podman/.*
+ - roles/ensure-package-repositories/.*
+ - test-playbooks/ensure-podman/.*
+ run: test-playbooks/ensure-podman/main.yaml
+ vars:
+ ensure_podman_validate: true
+ ensure_podman_socket: true
+ tags:
+ - debuntu-platforms
+ - exclude-ubuntu-focal
+
+- job:
+ name: zuul-jobs-test-ensure-podman-socket-debian-bookworm
+ description: Test the ensure-podman role with the socket option on debian-bookworm
+ parent: zuul-jobs-test-ensure-podman-socket
+ tags: auto-generated
+ nodeset:
+ nodes:
+ - name: debian-bookworm
+ label: debian-bookworm
+
+- job:
+ name: zuul-jobs-test-ensure-podman-socket-debian-bullseye
+ description: Test the ensure-podman role with the socket option on debian-bullseye
+ parent: zuul-jobs-test-ensure-podman-socket
+ tags: auto-generated
+ nodeset:
+ nodes:
+ - name: debian-bullseye
+ label: debian-bullseye
+
+- job:
+ name: zuul-jobs-test-ensure-podman-socket-ubuntu-jammy
+ description: Test the ensure-podman role with the socket option on ubuntu-jammy
+ parent: zuul-jobs-test-ensure-podman-socket
+ tags: auto-generated
+ nodeset:
+ nodes:
+ - name: ubuntu-jammy
+ label: ubuntu-jammy
+
+- job:
+ name: zuul-jobs-test-ensure-podman-socket-ubuntu-noble
+ description: Test the ensure-podman role with the socket option on ubuntu-noble
+ parent: zuul-jobs-test-ensure-podman-socket
+ tags: auto-generated
+ nodeset:
+ nodes:
+ - name: ubuntu-noble
+ label: ubuntu-noble

 - job:
 name: zuul-jobs-test-ensure-skopeo
@@ -567,6 +671,14 @@
 - zuul-jobs-test-ensure-kubernetes-crio-ubuntu-jammy
 - zuul-jobs-test-ensure-kubernetes-microk8s-ubuntu-jammy
 - zuul-jobs-test-ensure-kubernetes-microk8s-debian-bookworm
+ - zuul-jobs-test-ensure-podman-debian-bookworm
+ - zuul-jobs-test-ensure-podman-debian-bullseye
+ - zuul-jobs-test-ensure-podman-ubuntu-jammy
+ - zuul-jobs-test-ensure-podman-ubuntu-noble
+ - zuul-jobs-test-ensure-podman-socket-debian-bookworm
+ - zuul-jobs-test-ensure-podman-socket-debian-bullseye
+ - zuul-jobs-test-ensure-podman-socket-ubuntu-jammy
+ - zuul-jobs-test-ensure-podman-socket-ubuntu-noble
 - zuul-jobs-test-ensure-skopeo-debian-bookworm
 - zuul-jobs-test-ensure-skopeo-debian-bullseye
 - zuul-jobs-test-ensure-skopeo-ubuntu-focal