feat(podman): add role

Copied from Histalek <3 Based on b17a8f117b/roles/podman
2024-09-12 22:51:03 +02:00 · 2024-09-12 22:51:03 +02:00 · 7c136306d1
commit 7c136306d1
parent 61a9b1d6f4
6 changed files with 207 additions and 0 deletions
--- a/playbooks/podman.yml
+++ b/playbooks/podman.yml
@ -0,0 +1,7 @@
+- name: Install and configure podman.
+
+  hosts: podman
+
+  roles:
+    - role: podman
+      become: true
--- a/roles/podman/defaults/main.yml
+++ b/roles/podman/defaults/main.yml
@ -0,0 +1,23 @@
+podman_install_machine_packages: false
+
+## The following defaults should work on most systems.
+## They allocate the UIDs/GIDs 2147483647-4294967294 which is the upper half of UIDs/GIDs intended for
+## 'normal' users and don't conflict with special systemd UIDs/GIDs.
+## This is also incidentally the example given by the podman man page
+## (Ref.: https://docs.podman.io/en/latest/markdown/podman-run.1.html#userns-mode)
+# What should be the first allocated UID/GID available for usernamespaced containers
+podman_usernamespace_uid_start: 2147483647
+
+# What should be the amount of allocated UIDs/GIDs available for usernamespaced containers
+podman_usernamespace_uid_amount: 2147483648
+# If this is set the default podman network will be manually configured to enable dual stack.
+# This should not include the prefix-length, so the setting should end with "::"
+# NOTE: This needs the default network to be recreated. Rebooting works and so should stopping
+# all containers.
+# podman_default_network_ipv6_prefix: "fdfc:ace7:1f7c:4ff3::"
+
+# Podman allows to set a timezone (--tz flag) for each container. A default can be set
+# in any of the containers.conf config files.
+# If the following option is set it will be added to the system-wide /etc/containers/containers.conf
+# Has to be an IANA timezone or "local" (the latter matches the timezone of the host)
+# podman_default_timezone: "local" # "Europe/Berlin"
--- a/roles/podman/meta/main.yml
+++ b/roles/podman/meta/main.yml
@ -0,0 +1,22 @@
+galaxy_info:
+  author: histalek
+  description: Install podman via system package.
+
+  issue_tracker_url: https://git.histalek.de/histalek-de/infrastructure/-/issues
+
+  license: GPL-3.0-only
+
+  min_ansible_version: "2.10"
+
+  platforms:
+    - name: Fedora
+      versions:
+        - "38"
+        - "39"
+        - "40"
+
+  standalone: true
+
+  galaxy_tags: []
+
+dependencies: []
--- a/roles/podman/tasks/Fedora.yml
+++ b/roles/podman/tasks/Fedora.yml
@ -0,0 +1,123 @@
+- name: Ensure podman is installed.
+  ansible.builtin.package:
+    name:
+      - "podman"
+    state: "present"
+  become: true
+
+- name: Ensure needed packages for podman machine are installed.
+  ansible.builtin.package:
+    name:
+      - "qemu-system-x86-core"
+      - "qemu-img"
+      - "podman-gvproxy"
+    state: "present"
+  become: true
+  when: podman_install_machine_packages
+
+- name: Enable sebool container_manage_cgroup.
+  ansible.posix.seboolean:
+    name: container_manage_cgroup
+    state: true
+    persistent: true
+  become: true
+
+- name: Ensure 'containers' system user exists
+  ansible.builtin.user:
+    name: "containers"
+    comment: "system user which holds subuids/subgids used by podman for rootful usernamespaced containers"
+    create_home: false
+    password: "*"
+    state: present
+    system: true
+  become: true
+
+- name: Ensure the 'containers' user has subuids/subgids configured
+  ansible.builtin.lineinfile:
+    path: "{{ item.path }}"
+    regexp: "^containers:[0-9]+:[0-9]+$"
+    line: "containers:{{ podman_usernamespace_uid_start }}:{{ podman_usernamespace_uid_amount }}"
+  loop:
+    - path: "/etc/subuid"
+    - path: "/etc/subgid"
+  become: true
+
+- name: Setup default container timezone
+  when: podman_default_timezone is defined
+  block:
+    - name: Ensure timezone is set in containers.conf
+      community.general.ini_file:
+        path: /etc/containers/containers.conf
+        backup: true
+        create: true
+        state: present
+        mode: "0644"
+        owner: root
+        group: root
+        option: tz
+        section: containers
+        value: "'{{ podman_default_timezone }}'"
+      register: podman_updated_containers_conf
+      become: true
+    - name: Validate containers.conf
+      ansible.builtin.command:
+        cmd: podman info
+      changed_when: false
+      become: true
+  rescue:
+    # This is needed if there was no containers.conf to begin with.
+    # In that case there would be no backup file and the bad containers.conf would stay behind
+    # even after the `copy` module below.
+    - name: Remove bad containers.conf
+      ansible.builtin.file:
+        path: "/etc/containers/containers.conf"
+        state: absent
+      become: true
+      when: podman_updated_containers_conf is changed # noqa: no-handler
+    - name: Restore backup file
+      ansible.builtin.copy:
+        remote_src: true
+        dest: /etc/containers/containers.conf
+        src: "{{ podman_updated_containers_conf.backup_file }}"
+        mode: "0644"
+        owner: root
+        group: root
+      become: true
+      when: podman_updated_containers_conf is changed # noqa: no-handler
+    - name: Containers.conf could not be validated after setting default timezone
+      ansible.builtin.debug:
+        msg: Please make sure that `podman_default_timezone` is either an IANA timezone or 'local'
+  always:
+    - name: Remove backup file
+      ansible.builtin.file:
+        path: "{{ podman_updated_containers_conf.backup_file }}"
+        state: absent
+      become: true
+      when: podman_updated_containers_conf is changed # noqa: no-handler
+
+- name: Ensure default network configuration exists
+  when: podman_default_network_ipv6_prefix is defined
+  block:
+    - name: Ensure default network config directory exists
+      ansible.builtin.file:
+        path: "/etc/containers/networks"
+        state: directory
+        owner: root
+        group: root
+        mode: "0755"
+      become: true
+    - name: Ensure default network config file exists
+      ansible.builtin.template:
+        src: "podman-network.json.j2"
+        dest: "/etc/containers/networks/podman.json"
+        owner: root
+        group: root
+        mode: "0600"
+      become: true
+
+- name: Ensure podman auto update is enabled
+  ansible.builtin.systemd:
+    name: podman-auto-update.timer
+    enabled: true
+    state: started
+  become: true
--- a/roles/podman/tasks/main.yml
+++ b/roles/podman/tasks/main.yml
@ -0,0 +1,9 @@
+- name: Select tasks for detected distribution
+  ansible.builtin.include_tasks: "{{ distro_file }}"
+  with_first_found:
+    - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml"
+    - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
+    - "{{ ansible_distribution }}.yml"
+    - "{{ ansible_os_family }}.yml"
+  loop_control:
+    loop_var: distro_file
--- a/roles/podman/templates/podman-network.json.j2
+++ b/roles/podman/templates/podman-network.json.j2
@ -0,0 +1,23 @@
+{
+     "name": "podman",
+     "id": "2f259bab93aaaaa2542ba43ef33eb990d0999ee1b9924b557b7be53c0b7a1bb9",
+     "driver": "bridge",
+     "network_interface": "podman0",
+     "created": "2023-09-17T00:00:00.0Z",
+     "subnets": [
+          {
+               "subnet": "10.88.0.0/16",
+               "gateway": "10.88.0.1"
+          },
+          {
+               "subnet": "{{ podman_default_network_ipv6_prefix }}/64",
+               "gateway": "{{ podman_default_network_ipv6_prefix }}1"
+          }
+     ],
+     "ipv6_enabled": true,
+     "internal": false,
+     "dns_enabled": false,
+     "ipam_options": {
+          "driver": "host-local"
+     }
+}