Merge "[TRAIN-Only] Allow configuration of the default podman network" into stable/train

Zuul 2021-01-14 19:03:49 +00:00 committed by Gerrit Code Review
commit 93c0b4c4c1
7 changed files with 236 additions and 18 deletions


@ -0,0 +1,9 @@
---
features:
- |
A new variable named `tripleo_podman_default_network_config` has been added
to be able to configure the default network used by podman.
The network configue needs to be a json (or yaml) representation of a
cni network configuration.
NOTE: The network is not applied if it's already running which is
indicated by the existance of a cni-podman0 interface.


@ -26,3 +26,4 @@ tripleo_podman_purge_packages: "{{ _tripleo_podman_purge_packages | default([])
tripleo_podman_tls_verify: true
tripleo_podman_debug: false
tripleo_podman_buildah_login: false
tripleo_podman_default_network_config: {}
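Review bot: The `{}` default is not a no-op, because the reworked `Update default network configuration if possible` task in this commit has no condition on the variable itself. With the default it would render `{}` into /etc/cni/net.d/87-podman-bridge.conflist on any host where cni-podman0 is absent. Whether podman accepts such a file for its default network is not shown here, so either ship a complete CNI configuration as the default or guard the copy with `- tripleo_podman_default_network_config | length > 0`. A comment above the variable, such as `# CNI conflist for the default podman network, rendered with to_json`, would also tell operators what shape is expected.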


@ -17,9 +17,35 @@
- name: Converge
hosts: all
vars:
tripleo_podman_default_network_config:
cniVersion: 0.4.0
name: podman
plugins:
- type: bridge
bridge: cni-podman0
isGateway: true
ipMasq: true
hairpinMode: true
ipam:
type: host-local
routes:
- dst: 0.0.0.0/0
ranges:
- - subnet: 10.255.255.0/24
gateway: 10.255.255.1
- type: portmap
capabilities:
portMappings: true
- type: firewall
- type: tuning
tasks:
- name: Run install
include_role:
name: tripleo-podman
tasks_from: tripleo_podman_install.yml
vars_from: "redhat.yml"
# https://bugs.launchpad.net/bugs/1889510
- name: Test podman network ls
become: true
command: podman network ls
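Review bot: The added `Test podman network ls` task asserts nothing about the command output, so converge passes whenever the command exits 0, even if the configured network was never written. Registering the result and checking it would make the test meaningful: `register: podman_networks`, `changed_when: false` and `failed_when: "'podman' not in podman_networks.stdout"`, assuming the listing shows the `name: podman` value from the vars above. The bug link comment above the task would also be easier to follow with one line saying what regression it guards against.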


@ -0,0 +1,50 @@
---
driver:
name: delegated
options:
managed: false
login_cmd_template: >-
ssh
-o UserKnownHostsFile=/dev/null
-o StrictHostKeyChecking=no
-o Compression=no
-o TCPKeepAlive=yes
-o VerifyHostKeyDNS=no
-o ForwardX11=no
-o ForwardAgent=no
{instance}
ansible_connection_options:
ansible_connection: ssh
log: true
platforms:
- name: instance
provisioner:
name: ansible
config_options:
defaults:
fact_caching: jsonfile
fact_caching_connection: /tmp/molecule/facts
inventory:
hosts:
all:
hosts:
instance:
ansible_host: localhost
log: true
env:
ANSIBLE_STDOUT_CALLBACK: yaml
ANSIBLE_ROLES_PATH: "${ANSIBLE_ROLES_PATH}:${HOME}/zuul-jobs/roles"
ANSIBLE_LIBRARY: "${ANSIBLE_LIBRARY:-/usr/share/ansible/plugins/modules}"
ANSIBLE_FILTER_PLUGINS: "${ANSIBLE_FILTER_PLUGINS:-/usr/share/ansible/plugins/filter}"
scenario:
test_sequence:
- prepare
- converge
- check
verifier:
name: testinfra
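Review bot: `fact_caching_connection: /tmp/molecule/facts` puts the jsonfile fact cache at a fixed path under a world-writable directory, so on a shared machine another local user can pre-create it and the cached facts cannot be trusted. That matters more with this commit because the role now branches on `ansible_interfaces`. A per-user location avoids it, for example `fact_caching_connection: "${HOME}/.cache/molecule/facts"`, which presumably expands the same way as the `${HOME}` already used in the `env:` block. The `login_cmd_template` also disables host key checking; with `ansible_host: localhost` that is tolerable, but a comment marking it as local-instance-only would keep it from being copied into a remote scenario.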


@ -0,0 +1,32 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Converge
hosts: all
vars:
tripleo_podman_buildah_login: true
tripleo_podman_tls_verify: false
tripleo_container_registry_logins:
localhost:5000:
testuser: testpassword
tasks:
- include_role:
name: tripleo-podman
tasks_from: tripleo_podman_login.yml
- include_role:
name: tripleo-podman
tasks_from: tripleo_podman_buildah_login.yml
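Review bot: `tripleo_podman_tls_verify: false` and the inline `testuser: testpassword` login carry no comment marking them as fixture values, and both `include_role` tasks are unnamed. Add a comment above `vars:` such as `# test fixture: throwaway htpasswd registry on localhost:5000 without TLS; do not reuse outside molecule`. Naming the tasks (`- name: Run podman login`, `- name: Run buildah login`) would let a failing log line show which login path broke.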


@ -0,0 +1,107 @@
---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
- name: Prepare
hosts: all
gather_facts: true
vars:
tripleo_podman_default_network_config:
cniVersion: 0.4.0
name: podman
plugins:
- type: bridge
bridge: cni-podman0
isGateway: true
ipMasq: true
hairpinMode: true
ipam:
type: host-local
routes:
- dst: 0.0.0.0/0
ranges:
- - subnet: 10.255.255.0/24
gateway: 10.255.255.1
- type: portmap
capabilities:
portMappings: true
- type: firewall
- type: tuning
pre_tasks:
- name: set basic user fact
set_fact:
ansible_user: "{{ lookup('env', 'USER') }}"
when:
- ansible_user is undefined
- name: set basic home fact
set_fact:
ansible_user_dir: "{{ lookup('env', 'HOME') }}"
when:
- ansible_user_dir is undefined
roles:
- role: test_deps
tasks:
- name: Disable SELinux
become: true
selinux:
state: disabled
- name: Ensure registry doesn't exist
podman_container:
name: registry
state: absent
- name: Pull ubuntu image
podman_image:
name: ubuntu
tag: 16.04
- name: Create auth directory
file:
state: directory
path: "{{ ansible_user_dir }}/auth"
- name: Create registry
shell: |-
podman tag ubuntu:16.04 localhost:5000/my-ubuntu
podman run --entrypoint htpasswd registry:2.7.0 -Bbn testuser testpassword > {{ ansible_user_dir }}/auth/htpasswd
args:
executable: /bin/bash
- name: Create registry
podman_container:
name: registry
image: "registry:2.7.0"
restart_policy: always
detach: true
ports:
- "5000:5000"
volume:
- "{{ ansible_user_dir }}/auth:/auth"
env:
REGISTRY_AUTH: "htpasswd"
REGISTRY_AUTH_HTPASSWD_REALM: "Registry Realm"
REGISTRY_AUTH_HTPASSWD_PATH: "/auth/htpasswd"
- name: Run install
include_role:
name: tripleo-podman
tasks_from: tripleo_podman_install.yml
vars_from: "redhat.yml"
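Review bot: The `Disable SELinux` task sets `state: disabled` with `become: true`, which changes the SELinux configuration of whatever host the play targets and is not reverted by the scenario. The molecule config added in this commit points at `ansible_host: localhost`, so this is presumably the machine running the tests. If the reason is the `{{ ansible_user_dir }}/auth:/auth` bind mount (an inference, the commit does not say), relabelling it with `"{{ ansible_user_dir }}/auth:/auth:z"` would let the task be dropped; otherwise add a comment explaining why it is needed. Separately, the auth directory and htpasswd file are created without an explicit mode, so `mode: '0700'` on `Create auth directory` would keep the credential file private. The first of the two tasks named `Create registry` would also read better as `Generate registry htpasswd`.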


@ -26,30 +26,23 @@
name: "{{ tripleo_podman_packages }}"
state: latest
- name: Check for cni0 interface
command: ip link show cni0
changed_when: false
failed_when: false
register: cni0_interface
- name: Delete cni0 interface
- name: Delete legacy cni0 interface (podman < 1.6)
command: ip link delete cni0
when:
- cni0_interface.rc is defined
- cni0_interface.rc == 0
- '"cni0" in ansible_interfaces'
- name: Check if 87-podman-bridge.conflist exists
stat:
path: /etc/cni/net.d/87-podman-bridge.conflist
register: podman_bridge_config
- name: Remove default cni config for cni0 if exists
# don't update the network config if the network is already running
# meaning cni-podman0 is running somewhere
- name: Update default network configuration if possible
copy:
dest: /etc/cni/net.d/87-podman-bridge.conflist
content: ''
force: true
content: "{{ tripleo_podman_default_network_config | to_json }}"
mode: '0644'
owner: root
group: root
when:
- podman_bridge_config.stat.exists | bool
- '"cni-podman0" not in ansible_interfaces'
- name: configure insecure registries /etc/containers/registries.conf
ini_file:
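Review bot: Both new conditions, `'"cni0" in ansible_interfaces'` and `'"cni-podman0" not in ansible_interfaces'`, decide from gathered facts rather than from the live `ip link show cni0` probe that was removed, so they are only as current as those facts. With a fact cache (the molecule config in this commit enables `fact_caching: jsonfile`), a running cni-podman0 can be missed and the conflist rewritten underneath it. In a play that skips fact gathering, the task can instead fail on an undefined variable. Consider refreshing network facts just before these tasks, or at least extend the existing comment with `# relies on freshly gathered ansible_interfaces; stale facts can hide a running cni-podman0`. The hunk begins inside the package task and ends inside the `ini_file` task, so the surrounding tasks are not fully visible here.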