From 72b647326417ecf7e056cda625bda55cc4d9db16 Mon Sep 17 00:00:00 2001 From: David Galloway Date: Wed, 2 Dec 2020 17:46:25 -0500 Subject: [PATCH] Move container tasks to separate role I would've liked to keep all this in common but there's a chicken and egg situation. docker and/or podman get installed during the testnode role. The testnode role can only be run after the common role. The testnode role is also where some repos are added. So we need to install docker/podman and configure it after the testnodes role runs. Since we also want to be able to configure docker/podman on other systems, I couldn't put these tasks in the testnode role. Signed-off-by: David Galloway --- cephlab.yml | 3 ++ container-host.yml | 13 +++++ roles/common/README.rst | 19 ------- roles/common/tasks/container_mirror.yml | 25 --------- roles/common/tasks/main.yml | 54 ------------------- roles/common/vars/centos_7.yml | 2 - roles/common/vars/centos_8.yml | 2 - roles/common/vars/redhat_7.yml | 2 - roles/common/vars/redhat_8.yml | 2 - roles/container-host/README.rst | 26 +++++++++ roles/container-host/meta/main.yml | 3 ++ .../container-host/tasks/container_mirror.yml | 54 +++++++++++++++++++ roles/container-host/tasks/main.yml | 46 ++++++++++++++++ roles/container-host/vars/apt_systems.yml | 3 ++ roles/container-host/vars/empty.yml | 1 + roles/container-host/vars/yum_systems.yml | 4 ++ 16 files changed, 153 insertions(+), 106 deletions(-) create mode 100644 container-host.yml delete mode 100644 roles/common/tasks/container_mirror.yml delete mode 100644 roles/common/vars/centos_7.yml create mode 100644 roles/container-host/README.rst create mode 100644 roles/container-host/meta/main.yml create mode 100644 roles/container-host/tasks/container_mirror.yml create mode 100644 roles/container-host/tasks/main.yml create mode 100644 roles/container-host/vars/apt_systems.yml create mode 100644 roles/container-host/vars/empty.yml create mode 100644 roles/container-host/vars/yum_systems.yml 
diff --git a/cephlab.yml b/cephlab.yml index bf297e3..0cb6884 100644 --- a/cephlab.yml +++ b/cephlab.yml @@ -10,6 +10,9 @@ # if this node is in the testnode group, configure it - import_playbook: testnodes.yml +# a number of different groups get docker/podman installed and configured +- import_playbook: container-host.yml + # if this node is in the pcp group, configure it #- import_playbook: pcp.yml diff --git a/container-host.yml b/container-host.yml new file mode 100644 index 0000000..3dd84fb --- /dev/null +++ b/container-host.yml @@ -0,0 +1,13 @@ +--- +- hosts: + - testnodes + - senta + - vossi + roles: + - secrets + - container-host + tags: + - container + - container-mirror + strategy: free + become: true diff --git a/roles/common/README.rst b/roles/common/README.rst index 382d8ee..d6b80bc 100644 --- a/roles/common/README.rst +++ b/roles/common/README.rst @@ -79,22 +79,6 @@ tasks OS-agnostic. They variables are mostly self-explanatory and defined in - nagios-nrpe-server - nagios-plugins-basic -The following variables are used to optionally configure a dockerhub mirror CA -certificate. The role will use `/etc/containers/certs.d` if it detects `podman` -and `/etc/docker/certs.d` if it does not detect `podman` but detects `docker`:: - - # Defined in all.yml in secrets repo - container_mirror: docker-mirror.front.sepia.ceph.com:5000 - - # Defined in all.yml in secrets repo - container_mirror_cert: | - -----BEGIN CERTIFICATE----- - ... - -----END CERTIFICATE----- - - # Defined in roles/common/vars/$distro_$version.yml or determined in roles/common/tasks/main.yml - container_mirror_cert_path: "/etc/docker/certs.d/{{ container_mirror }}" - Tags ++++ @@ -117,9 +101,6 @@ nagios applicable). ``monitoring-scripts`` is also always run with this tag since NRPE isn't very useful without them. -container-mirror - Put a (probably self-signed) certificate in place for an internal dockerhub mirror. - To Do +++++ 
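Review bot: In the new `container-host.yml`, `secrets` is listed under `roles:` and is also declared as a dependency in `roles/container-host/meta/main.yml` in this same patch, so the role is pulled in from two places; Ansible de-duplicates parameter-less role runs, so this is harmless at runtime, but keeping only the meta dependency makes the contract explicit (container-host cannot run without its secrets) and avoids the two drifting apart. Consider reducing the play to `roles:` / `  - container-host`. Note also that `tags:` is set at play level, so `--tags container-mirror` appears to run every task in the play, including the package install, rather than only the mirror tasks; if the intent is to allow re-deploying just the certificate, the tag belongs on the tasks inside the role instead.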
diff --git a/roles/common/tasks/container_mirror.yml b/roles/common/tasks/container_mirror.yml deleted file mode 100644 index 87c7826..0000000 --- a/roles/common/tasks/container_mirror.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- -# Note that these tasks only put the CA certificate in place. -# podman/docker installation is still handled in the testnodes repo because -# we don't want podman/docker installed everywhere but we do want this cert -# everywhere just in case. -# For example we might not want docker/podman installed on infrahost01 but -# we definitely need this cert installed on testnodes and infrahost0{2..5}. -- name: Include encrypted variables - include_vars: "{{ item }}" - with_first_found: - - "{{ secrets_path }}/all.yml" - - empty.yml - no_log: true - tags: - - vars - -- name: "Create {{ container_mirror_cert_path }}" - file: - path: "{{ container_mirror_cert_path }}" - state: directory - -- name: "Copy {{ container_mirror }} self-signed cert" - copy: - dest: "{{ container_mirror_cert_path }}/docker-mirror.crt" - content: "{{ container_mirror_cert }}" diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index b8a65bf..3b62098 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -13,7 +13,6 @@ - vars # We need these vars for the entitlements tag to work - entitlements - - container-mirror # configure things specific to yum systems - import_tasks: yum_systems.yml 
@@ -61,56 +60,3 @@ (selinux_status is defined and selinux_status.stdout != "Disabled") tags: - nagios - -# We check for podman first because it was released after docker. -# If we find podman, we should use its certs path. -# Just because `docker` exists doesn't mean we're not using podman. -- name: Check for podman - command: podman --version - register: check_for_podman - ignore_errors: true - when: - - container_mirror_cert_path is not defined - - container_mirror is defined - - container_mirror_cert is defined - tags: - - container-mirror - -- set_fact: - container_mirror_cert_path: "/etc/containers/certs.d/{{ container_mirror }}" - when: - - check_for_podman is success - - container_mirror is defined - - container_mirror_cert is defined - tags: - - container-mirror - -- name: Check for docker - command: docker --version - register: check_for_docker - ignore_errors: true - when: - - container_mirror_cert_path is not defined - - check_for_podman is not success - - container_mirror is defined - - container_mirror_cert is defined - tags: - - container-mirror - -- set_fact: - container_mirror_cert_path: "/etc/docker/certs.d/{{ container_mirror }}" - when: - - check_for_docker is success - - check_for_podman is not success - - container_mirror is defined - - container_mirror_cert is defined - tags: - - container-mirror - -- import_tasks: container_mirror.yml - when: - - container_mirror is defined - - container_mirror_cert is defined - - container_mirror_cert_path is defined - tags: - - container-mirror diff --git a/roles/common/vars/centos_7.yml b/roles/common/vars/centos_7.yml deleted file mode 100644 index 8a1216b..0000000 --- a/roles/common/vars/centos_7.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -container_mirror_cert_path: "/etc/docker/certs.d/{{ container_mirror }}" diff --git a/roles/common/vars/centos_8.yml b/roles/common/vars/centos_8.yml index 81abb64..9af7db3 100644 --- a/roles/common/vars/centos_8.yml +++ b/roles/common/vars/centos_8.yml 
@@ -2,5 +2,3 @@ nrpe_selinux_packages: - python3-libsemanage - python3-policycoreutils - -container_mirror_cert_path: "/etc/containers/certs.d/{{ container_mirror }}" diff --git a/roles/common/vars/redhat_7.yml b/roles/common/vars/redhat_7.yml index cad9fcd..a3855f1 100644 --- a/roles/common/vars/redhat_7.yml +++ b/roles/common/vars/redhat_7.yml @@ -4,5 +4,3 @@ rhsm_repos: - rhel-7-server-optional-rpms - rhel-7-server-extras-rpms - rhel-ha-for-rhel-7-server-rpms - -container_mirror_cert_path: "/etc/docker/certs.d/{{ container_mirror }}" diff --git a/roles/common/vars/redhat_8.yml b/roles/common/vars/redhat_8.yml index dcbc52b..534fd20 100644 --- a/roles/common/vars/redhat_8.yml +++ b/roles/common/vars/redhat_8.yml @@ -6,5 +6,3 @@ rhsm_repos: nrpe_selinux_packages: - python3-libsemanage - python3-policycoreutils - -container_mirror_cert_path: "/etc/containers/certs.d/{{ container_mirror }}" diff --git a/roles/container-host/README.rst b/roles/container-host/README.rst new file mode 100644 index 0000000..bea5240 --- /dev/null +++ b/roles/container-host/README.rst 
@@ -0,0 +1,26 @@ +container-host +============== + +The container-host role will: + +- Install ``docker`` or ``podman`` +- Configure a local ``docker.io`` mirror if configured + +Variables ++++++++++ + +``container_packages: []`` is the list of container packages to install. We default to podman on RedHat based distros and docker.io on Debian-based distros. + +The following variables are used to optionally configure a docker.io mirror CA certificate. The role will use ``/etc/containers/certs.d`` if ``podman`` is installed and ``/etc/docker/certs.d`` if ``docker`` is installed.:: + + # Defined in all.yml in secrets repo + container_mirror: docker-mirror.front.sepia.ceph.com:5000 + + # Defined in all.yml in secrets repo + container_mirror_cert: | + -----BEGIN CERTIFICATE----- + ... + -----END CERTIFICATE----- + + # Automatically determined in roles/container-host/tasks/main.yml + container_mirror_cert_path: "/etc/docker/certs.d/{{ container_mirror }}" diff --git a/roles/container-host/meta/main.yml b/roles/container-host/meta/main.yml new file mode 100644 index 0000000..313fd69 --- /dev/null +++ b/roles/container-host/meta/main.yml @@ -0,0 +1,3 @@ +--- +dependencies: + - role: secrets diff --git a/roles/container-host/tasks/container_mirror.yml b/roles/container-host/tasks/container_mirror.yml new file mode 100644 index 0000000..5f2a003 --- /dev/null +++ b/roles/container-host/tasks/container_mirror.yml 
@@ -0,0 +1,54 @@ +--- +- name: "Create {{ container_mirror_cert_path }}" + file: + path: "{{ container_mirror_cert_path }}" + state: directory + +- name: "Copy {{ container_mirror }} self-signed cert" + copy: + dest: "{{ container_mirror_cert_path }}/docker-mirror.crt" + content: "{{ container_mirror_cert }}" + +- name: Install registries-conf-ctl + pip: + name: git+https://github.com/sebastian-philipp/registries-conf-ctl + state: latest + +# Why is this even necessary? I couldn't figure this out. I'd pip install but the command was not found in the next task. Tried '--user', umask: 0022, shell and command modules. +- name: Find registries-conf-ctl + stat: + path: /usr/bin/registries-conf-ctl + register: usr_bin_rcc + +- name: Find registries-conf-ctl again + stat: + path: /usr/local/bin/registries-conf-ctl + register: usr_local_bin_rcc + +- set_fact: + rcc_path: /usr/bin/registries-conf-ctl + when: usr_bin_rcc.stat.exists + +- set_fact: + rcc_path: /usr/local/bin/registries-conf-ctl + when: usr_local_bin_rcc.stat.exists + +- name: "Check for docker's daemon.json" + stat: + path: "{{ container_service_conf }}" + when: + - "'docker.io' in container_packages" + - "'podman' not in container_packages" + register: container_conf + +- name: "Create {{ container_service_conf }} if necessary" + copy: + dest: "{{ container_service_conf }}" + content: "{}" + when: + - "'docker.io' in container_packages" + - "'podman' not in container_packages" + - container_conf.stat.exists == False + +- name: Add local docker.io registry mirror + command: "{{ rcc_path }} add-mirror docker.io {{ container_mirror }}" diff --git a/roles/container-host/tasks/main.yml b/roles/container-host/tasks/main.yml new file mode 100644 index 0000000..aac2ad6 --- /dev/null +++ b/roles/container-host/tasks/main.yml 
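Review bot: The `Install registries-conf-ctl` task pip-installs `git+https://github.com/sebastian-philipp/registries-conf-ctl` with `state: latest`, so every run fetches whatever the upstream default branch currently holds and installs it as root (the play runs with `become: true`) on every test node, with no pin and no integrity check; that is an unpinned supply-chain dependency and it also re-executes on each play. Pin it to a reviewed revision, e.g. `name: git+https://github.com/sebastian-philipp/registries-conf-ctl@<commit-sha>` with `state: present`, or publish the package to a controlled index. Separately, `rcc_path` is only set when one of the two `stat` tasks finds the binary, so when neither path exists the final `command` task fails with an undefined-variable error rather than a clear message; an `assert:` that `rcc_path is defined` before `Add local docker.io registry mirror` would make that explicit. The `add-mirror` command also has no `changed_when`/`creates`, so it reports changed on every run even when the mirror is already configured.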
@@ -0,0 +1,46 @@ +--- +- set_fact: + package_manager: apt + when: ansible_os_family == "Debian" + +- set_fact: + package_manager: yum + when: ansible_os_family == "RedHat" + +- name: Including distro specific variables + include_vars: "{{ item }}" + with_first_found: + - "{{ ansible_distribution | lower }}_{{ ansible_distribution_major_version }}.yml" + - "{{ package_manager }}_systems.yml" + - empty.yml + +- name: Install container packages + package: + name: "{{ container_packages }}" + state: latest + when: container_packages|length > 0 + +- set_fact: + container_mirror_cert_path: "/etc/containers/certs.d/{{ container_mirror }}" + container_service_conf: "/etc/containers/registries.conf" + when: + - "'podman' in container_packages" + tags: + - container-mirror + +- set_fact: + container_mirror_cert_path: "/etc/docker/certs.d/{{ container_mirror }}" + container_service_conf: "/etc/docker/daemon.json" + when: + - "'docker.io' in container_packages" + - "'podman' not in container_packages" + tags: + - container-mirror + +- import_tasks: container_mirror.yml + when: + - container_mirror is defined + - container_mirror_cert is defined + - container_mirror_cert_path is defined + tags: + - container-mirror diff --git a/roles/container-host/vars/apt_systems.yml b/roles/container-host/vars/apt_systems.yml new file mode 100644 index 0000000..3c25aed --- /dev/null +++ b/roles/container-host/vars/apt_systems.yml @@ -0,0 +1,3 @@ +--- +container_packages: + - docker.io diff --git a/roles/container-host/vars/empty.yml b/roles/container-host/vars/empty.yml new file mode 100644 index 0000000..ed97d53 --- /dev/null +++ b/roles/container-host/vars/empty.yml @@ -0,0 +1 @@ +--- diff --git a/roles/container-host/vars/yum_systems.yml b/roles/container-host/vars/yum_systems.yml new file mode 100644 index 0000000..f6a6b7e --- /dev/null +++ b/roles/container-host/vars/yum_systems.yml @@ -0,0 +1,4 @@ +--- +container_packages: + - podman + - podman-docker -- 2.39.5
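Review bot: The two `set_fact` tasks that build `container_mirror_cert_path` interpolate `{{ container_mirror }}` without a `container_mirror is defined` guard, so on a host where the secrets role does not supply `container_mirror` the play aborts with an undefined-variable error before the guarded `import_tasks: container_mirror.yml` is ever evaluated; the checks this patch removes from `roles/common/tasks/main.yml` carried `container_mirror is defined` on exactly these facts. Add `- container_mirror is defined` to both `when:` lists. Also, `package: ... state: latest` upgrades `podman`/`docker.io` on every run of the play, which can restart the container runtime under running jobs and pulls in unreviewed package updates; `state: present` is the safer default, with upgrades done deliberately. Finally, `package_manager` is only set for the Debian and RedHat families, so on any other family the `{{ package_manager }}_systems.yml` entry in `with_first_found` will itself fail on an undefined variable instead of falling through to `empty.yml`; a `default('unknown')` filter on that item keeps the fallback working.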