search

containers / ansible-podman-collections

Repository for Ansible content that can include playbooks, roles, modules, and plugins for use with the Podman tool
GNU General Public License v3.0
252 stars 137 forks source link

rootless always want to change the env #788

Closed SvenVD closed 1 week ago

SvenVD commented 2 weeks ago

Every run a change is detected and the rootless container is restarted

A variant of https://github.com/containers/ansible-podman-collections/issues/686

--- before
+++ after
@@ -1 +1 @@
-env - None
+env -
--- before
+++ after
@@ -1 +1 @@
-env - None
+env -

changed: [hostnamedomain.local] => changed=true
  actions:
  - recreated hostname_containerapp
  - started hostname_containerapp
  container:
    AppArmorProfile: ''
    Args:
    - /containerapp/containerapp
    BoundingCaps:
    - CAP_CHOWN
    - CAP_DAC_OVERRIDE
    - CAP_FOWNER
    - CAP_FSETID
    - CAP_KILL
    - CAP_NET_BIND_SERVICE
    - CAP_NET_RAW
    - CAP_SETFCAP
    - CAP_SETGID
    - CAP_SETPCAP
    - CAP_SETUID
    - CAP_SYS_CHROOT
    Config:
      Annotations:
        io.container.manager: libpod
        org.opencontainers.image.stopSignal: '15'
      AttachStderr: false
      AttachStdin: false
      AttachStdout: false
      Cmd: null
      CreateCommand:
      - podman
      - container
      - create
      - --name
      - hostname_containerapp
      - --ipc
      - private
      - --hostname
      - hostname_containerapp
      - --volume
      - /dev/shm/containerappxxx:/cache:Z
      - --volume
      - /home/containerapp/mount:/mount:ro
      - --volume
      - /home/containerapp/containerappconfig:/config:Z
      - --volume
      - /dev/shm/containerappconfig_xxx:/config/xxx:Z
      - --userns
      - keep-id
      - --publish
      - 8999:8999/tcp
      - docker.io/containerapp/containerapp:latest
      Domainname: ''
      Entrypoint: /containerapp/containerapp
      Env:
      - PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
      - TERM=xterm
      - HEALTHCHECK_URL=http://localhost:8999/health
      - LANG=en_US.UTF-8
      - containerapp_CONFIG_DIR=/config/config
      - containerapp_DATA_DIR=/config
      - containerapp_CACHE_DIR=/cache
      - LC_ALL=en_US.UTF-8
      - containerapp_LOG_DIR=/config/log
      - LANGUAGE=en_US:en
      - MALLOC_TRIM_THRESHOLD_=131072
      - NVIDIA_DRIVER_CAPABILITIES=compute,video,utility
      - DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1
      - container=podman
      - containerapp_XXXXXX=/usr/lib/containerapp-xxxxxx/xxxxx
      - containerapp_WEB_DIR=/containerapp/containerapp-web
      - NVIDIA_VISIBLE_DEVICES=all
      - HOSTNAME=hostname_containerapp
      - HOME=/
      Healthcheck:
        Interval: 30000000000
        Retries: 3
        StartPeriod: 10000000000
        Test:
        - CMD-SHELL
        - curl -Lk -fsS "${HEALTHCHECK_URL}" || exit 1
        Timeout: 30000000000
      HealthcheckOnFailureAction: none
      Hostname: hostname_containerapp
      Image: docker.io/containerapp/containerapp:latest
      Labels: null
      OnBuild: null
      OpenStdin: false
      Passwd: true
      StdinOnce: false
      StopSignal: 15
      StopTimeout: 10
      Timeout: 0
      Tty: false
      Umask: '0022'
      User: 3112:3112
      Volumes: null
      WorkingDir: /
      sdNotifyMode: container
    ConmonPidFile: /tmp/containers-user-3112/containers/overlay-containers/96c508bcd5eda3640fc1e53b0d256c1cf6685e33a77bc7b1a7cd992629b8639c/userdata/conmon.pid
    Created: '2024-06-19T01:18:24.668183168+02:00'
    Dependencies: []
    Driver: overlay
    EffectiveCaps: null
    ExecIDs: []
    GraphDriver:
      Data:
        LowerDir: /home/containerapp/.local/share/containers/storage/overlay/01258119ab10d8072cdf2db5f6f68a86a1c62a369ac39457b419977460d50be7/diff:/home/containerapp/.local/share/containers/storage/overlay/829158b546b5d1e6bc559598f6b9d7f287bf97bc733ccebc2e3bc7a4dac65f5a/diff:/home/containerapp/.local/share/containers/storage/overlay/6abb09f7bafd87fcb06edf186919479b444811ae311bfbc19bff52726f445ac4/diff:/home/containerapp/.local/share/containers/storage/overlay/282adc203ad55c5a2685e1ea9a5e70a737716122a9a8a305b7dd435de0fbb445/diff:/home/containerapp/.local/share/containers/storage/overlay/1b6fd3ad4ce602924fffb84437331a255e2a9463531a1bd92a15e9e3c4d11523/diff
        UpperDir: /home/containerapp/.local/share/containers/storage/overlay/4791bf561648533b8b50d8440ee2ccebe840dd8b182d5dfefbf5bf0bf674df98/diff
        WorkDir: /home/containerapp/.local/share/containers/storage/overlay/4791bf561648533b8b50d8440ee2ccebe840dd8b182d5dfefbf5bf0bf674df98/work
      Name: overlay
    HostConfig:
      AutoRemove: false
      Binds:
      - /home/containerapp/mount:/mount:ro,rprivate,rbind
      - /home/containerapp/containerappconfig:/config:rw,rprivate,rbind
      - /dev/shm/containerappconfig_xxx:/config/xxx:rw,rprivate,nosuid,nodev,rbind
      - /dev/shm/containerappxxx:/cache:rw,rprivate,nosuid,nodev,rbind
      BlkioDeviceReadBps: null
      BlkioDeviceReadIOps: null
      BlkioDeviceWriteBps: null
      BlkioDeviceWriteIOps: null
      BlkioWeight: 0
      BlkioWeightDevice: null
      CapAdd: []
      CapDrop: []
      Cgroup: ''
      CgroupConf: null
      CgroupManager: cgroupfs
      CgroupMode: host
      CgroupParent: ''
      Cgroups: default
      ConsoleSize:
      - 0
      - 0
      ContainerIDFile: ''
      CpuCount: 0
      CpuPercent: 0
      CpuPeriod: 0
      CpuQuota: 0
      CpuRealtimePeriod: 0
      CpuRealtimeRuntime: 0
      CpuShares: 0
      CpusetCpus: ''
      CpusetMems: ''
      Devices: []
      DiskQuota: 0
      Dns: []
      DnsOptions: []
      DnsSearch: []
      ExtraHosts: []
      GroupAdd: []
      IDMappings:
        GidMap:
        - 0:1:3112
        - '3112:0:1'
        - 3113:3113:62424
        UidMap:
        - 0:1:3112
        - '3112:0:1'
        - 3113:3113:62424
      IOMaximumBandwidth: 0
      IOMaximumIOps: 0
      IpcMode: private
      Isolation: ''
      KernelMemory: 0
      Links: null
      LogConfig:
        Config: null
        Path: /home/containerapp/.local/share/containers/storage/overlay-containers/96c508bcd5eda3640fc1e53b0d256c1cf6685e33a77bc7b1a7cd992629b8639c/userdata/ctr.log
        Size: 0B
        Tag: ''
        Type: k8s-file
      Memory: 0
      MemoryReservation: 0
      MemorySwap: 0
      MemorySwappiness: 0
      NanoCpus: 0
      NetworkMode: slirp4netns
      OomKillDisable: false
      OomScoreAdj: 0
      PidMode: private
      PidsLimit: 0
      PortBindings:
        8999/tcp:
        - HostIp: ''
          HostPort: '8999'
      Privileged: false
      PublishAllPorts: false
      ReadonlyRootfs: false
      RestartPolicy:
        MaximumRetryCount: 0
        Name: ''
      Runtime: oci
      SecurityOpt: []
      ShmSize: 65536000
      Tmpfs: {}
      UTSMode: private
      Ulimits:
      - Hard: 262144
        Name: RLIMIT_NOFILE
        Soft: 262144
      - Hard: 38718
        Name: RLIMIT_NPROC
        Soft: 38718
      UsernsMode: private
      VolumeDriver: ''
      VolumesFrom: null
    HostnamePath: /tmp/containers-user-3112/containers/overlay-containers/96c508bcd5eda3640fc1e53b0d256c1cf6685e33a77bc7b1a7cd992629b8639c/userdata/hostname
    HostsPath: /tmp/containers-user-3112/containers/overlay-containers/96c508bcd5eda3640fc1e53b0d256c1cf6685e33a77bc7b1a7cd992629b8639c/userdata/hosts
    Id: 96c508bcd5eda3640fc1e53b0d256c1cf6685e33a77bc7b1a7cd992629b8639c
    Image: 544d674913bc396256f62e1540b88bfa0ed49714b941007c658e04018dea36da
    ImageDigest: sha256:41fc4f9a51f638930bf16eace81acacbafaf26436d0efc0b0edd9447cb134a2c
    ImageName: docker.io/containerapp/containerapp:latest
    IsInfra: false
    IsService: false
    KubeExitCodePropagation: invalid
    MountLabel: system_u:object_r:container_file_t:s0:c107,c161
    Mounts:
    - Destination: /mount
      Driver: ''
      Mode: ''
      Options:
      - rbind
      Propagation: rprivate
      RW: false
      Source: /home/containerapp/mount
      Type: bind
    - Destination: /config
      Driver: ''
      Mode: ''
      Options:
      - rbind
      Propagation: rprivate
      RW: true
      Source: /home/containerapp/containerappconfig
      Type: bind
    - Destination: /config/xxx
      Driver: ''
      Mode: ''
      Options:
      - nosuid
      - nodev
      - rbind
      Propagation: rprivate
      RW: true
      Source: /dev/shm/containerappconfig_xxx
      Type: bind
    - Destination: /cache
      Driver: ''
      Mode: ''
      Options:
      - nosuid
      - nodev
      - rbind
      Propagation: rprivate
      RW: true
      Source: /dev/shm/containerappxxx
      Type: bind
    Name: hostname_containerapp
    Namespace: ''
    NetworkSettings:
      Bridge: ''
      EndpointID: ''
      Gateway: ''
      GlobalIPv6Address: ''
      GlobalIPv6PrefixLen: 0
      HairpinMode: false
      IPAddress: ''
      IPPrefixLen: 0
      IPv6Gateway: ''
      LinkLocalIPv6Address: ''
      LinkLocalIPv6PrefixLen: 0
      MacAddress: ''
      Networks:
        slirp4netns:
          DriverOpts: null
          EndpointID: ''
          Gateway: ''
          GlobalIPv6Address: ''
          GlobalIPv6PrefixLen: 0
          IPAMConfig: null
          IPAddress: ''
          IPPrefixLen: 0
          IPv6Gateway: ''
          Links: null
          MacAddress: ''
          NetworkID: slirp4netns
      Ports:
        8999/tcp:
        - HostIp: ''
          HostPort: '8999'
      SandboxID: ''
      SandboxKey: ''
    OCIConfigPath: /home/containerapp/.local/share/containers/storage/overlay-containers/96c508bcd5eda3640fc1e53b0d256c1cf6685e33a77bc7b1a7cd992629b8639c/userdata/config.json
    OCIRuntime: runc
    Path: /containerapp/containerapp
    PidFile: /tmp/containers-user-3112/containers/overlay-containers/96c508bcd5eda3640fc1e53b0d256c1cf6685e33a77bc7b1a7cd992629b8639c/userdata/pidfile
    Pod: ''
    ProcessLabel: system_u:system_r:container_t:s0:c107,c161
    ResolvConfPath: /tmp/containers-user-3112/containers/overlay-containers/96c508bcd5eda3640fc1e53b0d256c1cf6685e33a77bc7b1a7cd992629b8639c/userdata/resolv.conf
    RestartCount: 0
    Rootfs: ''
    State:
      CheckpointedAt: '0001-01-01T00:00:00Z'
      Dead: false
      Error: 'can only stop created or running containers. 96c508bcd5eda3640fc1e53b0d256c1cf6685e33a77bc7b1a7cd992629b8639c is in state created: container state improper'
      ExitCode: 143
      FinishedAt: '2024-06-19T01:18:25.638592+02:00'
      Health:
        FailingStreak: 0
        Log:
        - End: '2024-06-19T01:18:25.630797385+02:00'
          ExitCode: 1
          Output: 'curl: (7) Failed to connect to localhost port 8999: Connection refused'
          Start: '2024-06-19T01:18:25.486566037+02:00'
        Status: starting
      OOMKilled: false
      OciVersion: 1.1.0-rc.3
      Paused: false
      Pid: 0
      Restarting: false
      RestoredAt: '0001-01-01T00:00:00Z'
      Running: false
      StartedAt: '2024-06-19T01:18:25.415654576+02:00'
      Status: exited
    StaticDir: /home/containerapp/.local/share/containers/storage/overlay-containers/96c508bcd5eda3640fc1e53b0d256c1cf6685e33a77bc7b1a7cd992629b8639c/userdata
    lockNumber: 0
  diff:
    after: |-
      env -
    before: |-
      env - None
  invocation:
    module_args:
      annotation: null
      arch: null
      attach: null
      authfile: null
      blkio_weight: null
      blkio_weight_device: null
      cap_add: null
      cap_drop: null
      cgroup_conf: null
      cgroup_parent: null
      cgroupns: null
      cgroups: null
      chrootdirs: null
      cidfile: null
      cmd_args: null
      command: null
      conmon_pidfile: null
      cpu_period: null
      cpu_quota: null
      cpu_rt_period: null
      cpu_rt_runtime: null
      cpu_shares: null
      cpus: null
      cpuset_cpus: null
      cpuset_mems: null
      debug: false
      decryption_key: null
      delete_depend: null
      delete_time: null
      delete_volumes: null
      detach: true
      detach_keys: null
      device: null
      device_cgroup_rule: null
      device_read_bps: null
      device_read_iops: null
      device_write_bps: null
      device_write_iops: null
      dns: null
      dns_option: null
      dns_search: null
      entrypoint: null
      env: {}
      env_file: null
      env_host: null
      env_merge: null
      etc_hosts: null
      executable: podman
      expose: null
      force_delete: true
      force_restart: false
      generate_systemd:
        names: true
        path: /home/containerapp/.config/systemd/user
        restart_policy: on-failure
        time: 120
      gidmap: null
      global_args: []
      gpus: null
      group_add: null
      group_entry: null
      health_startup_cmd: null
      health_startup_interval: null
      health_startup_retries: null
      health_startup_success: null
      health_startup_timeout: null
      healthcheck: null
      healthcheck_failure_action: null
      healthcheck_interval: null
      healthcheck_retries: null
      healthcheck_start_period: null
      healthcheck_timeout: null
      hooks_dir: null
      hostname: hostname_containerapp
      hostuser: null
      http_proxy: null
      image: docker.io/containerapp/containerapp:latest
      image_strict: false
      image_volume: null
      init: null
      init_ctr: null
      init_path: null
      interactive: null
      ip: null
      ip6: null
      ipc: private
      kernel_memory: null
      label: null
      label_file: null
      log_driver: null
      log_level: null
      log_opt: null
      mac_address: null
      memory: null
      memory_reservation: null
      memory_swap: null
      memory_swappiness: null
      mount: null
      name: hostname_containerapp
      network: null
      network_aliases: null
      no_healthcheck: null
      no_hosts: null
      oom_kill_disable: null
      oom_score_adj: null
      os: null
      passwd: null
      passwd_entry: null
      personality: null
      pid: null
      pid_file: null
      pids_limit: null
      platform: null
      pod: null
      pod_id_file: null
      podman_args:
      - --ipc private
      ports:
      - 8999:8999/tcp
      preserve_fd: null
      preserve_fds: null
      privileged: null
      publish:
      - 8999:8999/tcp
      publish_all: null
      pull: null
      quadlet_dir: null
      quadlet_filename: null
      quadlet_options: null
      rdt_class: null
      read_only: null
      read_only_tmpfs: null
      recreate: false
      requires: null
      restart_policy: null
      restart_time: null
      retry: null
      retry_delay: null
      rm: null
      rmi: null
      rootfs: null
      sdnotify: null
      seccomp_policy: null
      secrets: null
      security_opt: null
      shm_size: null
      shm_size_systemd: null
      sig_proxy: null
      state: present
      stop_signal: null
      stop_time: null
      stop_timeout: null
      subgidname: null
      subuidname: null
      sysctl: null
      systemd: null
      timeout: null
      timezone: null
      tls_verify: null
      tmpfs: null
      tty: null
      uidmap: null
      ulimit: null
      umask: null
      unsetenv: null
      unsetenv_all: null
      user: null
      userns: keep-id
      uts: null
      variant: null
      volume:
      - /dev/shm/containerappxxx:/cache:Z
      - /home/containerapp/mount:/mount:ro
      - /home/containerapp/containerappconfig:/config:Z
      - /dev/shm/containerappconfig_xxx:/config/xxx:Z
      volumes_from: null
      workdir: null
  podman_actions:
  - podman stop hostname_containerapp
  - podman rm --force hostname_containerapp
  - podman create --name hostname_containerapp --ipc private --hostname hostname_containerapp --volume /dev/shm/containerappxxx:/cache:Z --volume /home/containerapp/mount:/mount:ro --volume /home/containerapp/containerappconfig:/config:Z --volume /dev/shm/containerappconfig_xxx:/config/xxx:Z --userns keep-id --publish 8999:8999/tcp docker.io/containerapp/containerapp:latest
  - podman start hostname_containerapp
  podman_quadlet: |-
    [Container]
    ContainerName=hostname_containerapp
    Environment={}
    HostName=hostname_containerapp
    Image=docker.io/containerapp/containerapp:latest
    PublishPort=8999:8999/tcp
    UserNS=keep-id
    Volume=/dev/shm/containerappxxx:/cache:Z
    Volume=/home/containerapp/mount:/mount:ro
    Volume=/home/containerapp/containerappconfig:/config:Z
    Volume=/dev/shm/containerappconfig_xxx:/config/xxx:Z
    PodmanArgs=--ipc private
  podman_systemd:
    container-hostname_containerapp: |-
      # container-hostname_containerapp.service
      # autogenerated by Podman 4.6.1
      # Wed Jun 19 01:18:25 CEST 2024

      [Unit]
      Description=Podman container-hostname_containerapp.service
      Documentation=man:podman-generate-systemd(1)
      Wants=network-online.target
      After=network-online.target
      RequiresMountsFor=/tmp/containers-user-3112/containers

      [Service]
      Environment=PODMAN_SYSTEMD_UNIT=%n
      Restart=on-failure
      TimeoutStopSec=180
      ExecStart=/usr/bin/podman start hostname_containerapp
      ExecStop=/usr/bin/podman stop  \
              -t 120 hostname_containerapp
      ExecStopPost=/usr/bin/podman stop  \
              -t 120 hostname_containerapp
      PIDFile=/tmp/containers-user-3112/containers/overlay-containers/96c508bcd5eda3640fc1e53b0d256c1cf6685e33a77bc7b1a7cd992629b8639c/userdata/conmon.pid
      Type=forking

      [Install]
      WantedBy=default.target
  stderr: ''
  stderr_lines: <omitted>
  stdout: |-
    hostname_containerapp
  stdout_lines: <omitted>
 ansible-galaxy collection list

# /root/.ansible/collections/ansible_collections
Collection               Version
------------------------ -------
ansible.posix            1.5.4
ansible.utils            5.0.0
community.general        9.1.0
containers.podman        1.15.2

# /usr/share/ansible/collections/ansible_collections
Collection               Version
------------------------ -------
redhat.rhel_system_roles 1.23.0

rpm -q ansible-core
ansible-core-2.16.3-2.el8.x86_64
sshnaidm commented 2 weeks ago

@SvenVD can you please paste a task you run? And would be great to see a log with running -vvvv

sshnaidm commented 2 weeks ago

If I'm right and you set explicitly env: {} in task, then it explains this behavior. But I don't understand why to set env: {} and what is the reasoning behind this.

SvenVD commented 1 week ago

The task is

- name: podman_rootless | Configure and download {{ podman_rootless_container_image }} container to run under user  {{ podman_rootless_user }}
  containers.podman.podman_container:
    name: "{{ podman_rootless_hostname }}"
    image: "{{ podman_rootless_container_image }}"
    #We will start it with the generated systemd file
    state: present
    ipc: "private"
    #We do not need to force recreating all the time
    #recreate: yes
    ports: "{{ podman_rootless_ports }}"
    hostname: "{{ podman_rootless_hostname }}"
    env: "{{ podman_rootless_env }}"
    volume: "{{ podman_rootless_volume }}"
    userns: "{{ podman_rootless_userns }}"
    #https://docs.podman.io/en/latest/markdown/podman-generate-systemd.1.html
    generate_systemd:
      path: /home/{{ podman_rootless_user }}/.config/systemd/user
      restart_policy: on-failure
      time: 120
      names: true
  become_user: "{{ podman_rootless_user }}"
  register: podman_rootless_configure_and_download_result

and it and other tasks in the role gets called by

- name: app_containerx | manage container
  include_role:
    name: podman
    tasks_from: rootless_container
  vars: 
    podman_rootless_user: "user"
    ... and so on

podman_rootless_env is optional in the latter and not passed in this example, but in defaults/main.yml we set it to podman_rootless_env: {} if it is not overwritten by the include_role vars.

sshnaidm commented 1 week ago

In these cases it's better to use env: "{{ podman_rootless_env | default(omit, true) }}" And this setting will be omitted when you pass empty value - [], '', {}