From: Tom Hughes Date: Tue, 31 Jan 2023 21:37:10 +0000 (+0000) Subject: Add support for podman services X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/62d2dd6209eddec292fa35c2ce4a387c6450d6f7?ds=sidebyside Add support for podman services
---
diff --git a/cookbooks/podman/metadata.rb b/cookbooks/podman/metadata.rb
new file mode 100644
index 000000000..e1039e85d
--- /dev/null
+++ b/cookbooks/podman/metadata.rb
@@ -0,0 +1,9 @@
+name "podman"
+maintainer "OpenStreetMap Administrators"
+maintainer_email "admins@openstreetmap.org"
+license "Apache-2.0"
+description "Installs and configures podman"
+
+version "1.0.0"
+supports "ubuntu"
+depends "systemd"
diff --git a/cookbooks/podman/recipes/default.rb b/cookbooks/podman/recipes/default.rb
new file mode 100644
index 000000000..dc7b495e1
--- /dev/null
+++ b/cookbooks/podman/recipes/default.rb
@@ -0,0 +1,46 @@
+#
+# Cookbook:: podman
+# Recipe:: default
+#
+# Copyright:: 2023, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+package %w[
+ podman
+ slirp4netns
+ uidmap
+]
+
+ruby_block "subuid-containers" do
+ block do
+ File.open("/etc/subuid", "a") do |file|
+ file.puts("containers:2147483647:2147483648")
+ end
+ end
+ not_if "grep -q '^containers:' /etc/subuid"
+end
+
+ruby_block "subgid-containers" do
+ block do
+ File.open("/etc/subgid", "a") do |file|
+ file.puts("containers:2147483647:2147483648")
+ end
+ end
+ not_if "grep -q '^containers:' /etc/subgid"
+end
+
+service "podman-auto-update.timer" do
+ action [:enable, :start]
+end
diff --git a/cookbooks/podman/resources/service.rb b/cookbooks/podman/resources/service.rb
new file mode 100644
index 000000000..3f3e8054c
--- /dev/null
+++ b/cookbooks/podman/resources/service.rb
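Review bot: The `subuid-containers` and `subgid-containers` blocks append the `containers:2147483647:2147483648` range, but the `not_if` guard only checks that some `containers:` line exists, so a pre-existing entry with a different or overlapping range is silently accepted and nothing verifies the new range does not overlap ranges already allocated to other users in /etc/subuid and /etc/subgid. Overlapping ranges would let two user namespaces map to the same host UIDs, which is the isolation that `--userns=auto` in the new podman_service resource depends on, so the intent deserves a comment above the first block, e.g. `# Range consumed by podman --userns=auto; must not overlap any other subuid/subgid entry`. Writing the files from a `ruby_block` also bypasses Chef's file reporting, so the edit produces no diff in the run log; a managed file resource would make the change visible and auditable.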
@@ -0,0 +1,65 @@
+#
+# Cookbook:: podman
+# Resource:: podman_service
+#
+# Copyright:: 2023, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+unified_mode true
+
+default_action :create
+
+property :service, String, :name_property => true
+property :description, String, :required => true
+property :image, String, :required => true
+property :ports, Hash
+
+action :create do
+ systemd_service new_resource.service do
+ description new_resource.description
+ type "notify"
+ notify_access "all"
+ environment "PODMAN_SYSTEMD_UNIT" => "%n"
+ exec_start_pre "/bin/rm --force %t/%n.ctr-id"
+ exec_start "/usr/bin/podman run --cidfile=%t/%n.ctr-id --cgroups=no-conmon --userns=auto --label=io.containers.autoupdate=registry --network=slirp4netns #{publish_options} --rm --sdnotify=conmon --detach --replace --name=%N #{new_resource.image}"
+ exec_stop "/usr/bin/podman stop --ignore --time=10 --cidfile=%t/%n.ctr-id"
+ exec_stop_post "/usr/bin/podman rm --force --ignore --cidfile=%t/%n.ctr-id"
+ timeout_stop_sec 70
+ restart "on-failure"
+ end
+
+ service new_resource.service do
+ action [:enable, :start]
+ subscribes :restart, "systemd_service[#{new_resource.service}]"
+ end
+end
+
+action :delete do
+ service new_resource.service do
+ action [:disable, :stop]
+ end
+
+ systemd_service new_resource.service do
+ action :delete
+ end
+end
+
+action_class do
+ def publish_options
+ new_resource.ports.collect do |host, guest|
+ "--publish=127.0.0.1:#{host}:#{guest}"
+ end.join(" ")
+ end
+end
diff --git a/cookbooks/systemd/resources/service.rb b/cookbooks/systemd/resources/service.rb
index 9a2c69fa8..35655dc7a 100644
--- a/cookbooks/systemd/resources/service.rb
+++ b/cookbooks/systemd/resources/service.rb
@@ -32,6 +32,7 @@ property :wants, [String, Array]
 property :requires, [String, Array]
 property :joins_namespace_of, [String, Array]
 property :type, String, :is => %w[simple forking oneshot dbus notify idle]
+property :notify_access, String, :is => %w[none main exec all]
 property :limit_nofile, Integer
 property :limit_as, [Integer, String]
 property :limit_cpu, [Integer, String]
@@ -48,6 +49,7 @@ property :exec_start_pre, [String, Array]
 property :exec_start, [String, Array]
 property :exec_start_post, [String, Array]
 property :exec_stop, [String, Array]
+property :exec_stop_post, [String, Array]
 property :exec_reload, String
 property :runtime_directory, String
 property :runtime_directory_mode, Integer
diff --git a/cookbooks/systemd/templates/default/service.erb b/cookbooks/systemd/templates/default/service.erb
index a106b001b..a4ff29fa9 100644
--- a/cookbooks/systemd/templates/default/service.erb
+++ b/cookbooks/systemd/templates/default/service.erb
@@ -30,6 +30,9 @@ JoinsNamespaceOf=<%= Array(@joins_namespace_of).join(" ") %>
 <% if @type -%>
 Type=<%= @type %>
 <% end -%>
+<% if @notify_access -%>
+NotifyAccess=<%= @notify_access %>
+<% end -%>
 <% if @limit_nofile -%>
 LimitNOFILE=<%= @limit_nofile %>
 <% end -%>
@@ -98,6 +101,14 @@ ExecStop=
 ExecStop=<%= exec_stop %>
 <% end -%>
 <% end -%>
+<% if @exec_stop_post -%>
+<% if @dropin -%>
+ExecStopPost=
+<% end -%>
+<% Array(@exec_stop_post).each do |exec_stop_post| -%>
+ExecStopPost=<%= exec_stop_post %>
+<% end -%>
+<% end -%>
 <% if @exec_reload -%>
 <% if @dropin -%>
 ExecReload=
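Review bot: `publish_options` calls `new_resource.ports.collect`, but `ports` is declared without a default, so a `podman_service` that publishes nothing raises NoMethodError on nil while the ExecStart line is built; guard it with `(new_resource.ports || {}).collect do |host, guest|` or declare `property :ports, Hash, :default => {}`. Separately, `image` and every `ports` key and value are interpolated unquoted into `exec_start`, and systemd splits ExecStart on whitespace with its own quoting rules, so a value containing spaces or quotes would silently alter the command line rather than fail; a validation such as `property :image, String, :required => true, :regex => /\A\S+\z/` (and a numeric check on the port keys and values via `:callbacks`) would reject such input at compile time. If I read the `io.containers.autoupdate=registry` label together with the `podman-auto-update.timer` enabled in the default recipe correctly, the container is re-pulled and restarted unattended whenever the registry tag moves, which is worth a comment on `exec_start` so operators know the tag, not a digest, decides what code runs.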