lefilament / ansible

Ansible playbook
GNU Affero General Public License v3.0

Execution of docker_server_step2 failed at Retrieve subuid for dockremap #3

Closed nqb closed 3 years ago

nqb commented 3 years ago

Hello,

When running filament_playbook.yml against a host which is part of the docker group, the role docker_server_step2 failed with the following error:

TASK [docker_server_step2 : Retrieve subuid for dockremap] ********************************************************************************************************************************************************
fatal: [www]: FAILED! => changed=true 
  cmd:
  - grep
  - dockremap
  - /etc/subuid
[..]
  msg: non-zero return code
  rc: 1
[..]

All tasks related to this role depend on the following conditional:

when: docker_no_namespace is not defined or not docker_no_namespace

This conditional is also used in docker-server role.

If I correctly understand the userns-remap feature of Docker, "userns-remap": "default", should be enabled when you want to manage namespaces and the docker_server_step2 role should run only when you want to manage namespaces. Currently, the opposite occurs.

IMHO, conditional should be:

docker_namespace is defined

remi-filament commented 3 years ago

Thank you for reporting this issue, @nqb. I introduced the variable docker_no_namespace for legacy, for old installations of Docker where namespaces were not used (otherwise I would have to recreate all volumes, containers, images, etc. in a new namespace for these ones and I am not willing to take the risk for now). Therefore I only run this step2 if docker_no_namespace does not exist (meaning namespaces are in use). I agree that this leads to a double negation, which is not ideal; however, I would prefer not to care about this variable for new installations, for which I always use namespaces, which is why I did it this way.

However, I found an issue with running these steps, mainly in check mode when variables were not defined, so I added an extra check on dockremap_subuid_output.stdout is defined and dockremap_subgid_output.stdout is defined. This should be fixed with dd54f180edac683bbf9029ef1a76eee6ef248630. Could you please check and let me know?

nqb commented 3 years ago

Hello @remi-filament,

I understand your logic. In fact, you set docker_no_namespace: True in the inventory for legacy installations in order to disable namespaces and to skip execution of docker_server_step2. Thanks for the clarification.

It looks like I have to restart my Docker daemon by hand after the first execution of the docker_server role in order to get the dockremap user in /etc/{subgid,subuid}. Certainly because the role failed at some point and the handler doesn't run. This is why I got unexpected behavior.
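
One way to make the lookup discussed in this thread tolerate a missing dockremap entry, as an added example (not code from the lefilament/ansible repository). It assumes the docker_no_namespace guard quoted above and that a Docker restart handler was notified earlier in the play; the variable dockremap_subuid_start is hypothetical.

```yaml
# Added example: hypothetical tasks, not the project's own.

# Run any handler already notified (assumed: a Docker restart), so the daemon
# has had a chance to create the dockremap entries before they are read.
- name: Flush pending handlers before reading /etc/subuid
  ansible.builtin.meta: flush_handlers

- name: Retrieve subuid for dockremap
  ansible.builtin.command:
    argv: [grep, "^dockremap:", /etc/subuid]
  register: dockremap_subuid_output
  changed_when: false   # read-only lookup, never report "changed"
  check_mode: false     # also run in check mode so rc and stdout are defined
  # grep exits 1 for "no match" and 2 or more for real errors (unreadable file)
  failed_when: dockremap_subuid_output.rc > 1
  when: docker_no_namespace is not defined or not docker_no_namespace

- name: Stop with an actionable message when dockremap has no subuid range
  ansible.builtin.fail:
    msg: >-
      dockremap is not listed in /etc/subuid. With "userns-remap": "default"
      the entry appears after the Docker daemon has been restarted; restart
      it and run the play again.
  when:
    - docker_no_namespace is not defined or not docker_no_namespace
    - dockremap_subuid_output.rc == 1

# /etc/subuid lines have the form name:start:count
- name: Extract the first subordinate UID for dockremap
  ansible.builtin.set_fact:
    dockremap_subuid_start: "{{ dockremap_subuid_output.stdout_lines[0].split(':')[1] | int }}"
  when:
    - docker_no_namespace is not defined or not docker_no_namespace
    - dockremap_subuid_output.rc == 0
```

The same pattern applies to the /etc/subgid lookup registered as dockremap_subgid_output.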