Update to 2023-07-09 23:00

roles/nomad/defaults/main.yml

@@ -131,6 +131,17 @@ nomad_base_conf:
         enabled: False
       podman:
         enabled: False # Note on EL8, it cannot be used with docker as there are package conflicts, see https://bugs.centos.org/view.php?id=16892
+        volumes:
+          enabled: False
+        # socket_path: unix:///run/podman/podman.sock
+        recover_stopped: False
+        extra_labels:
+          - job_name
+          - task_group_name
+          - task_name
+          - namespace
+          - node_name
+          - node_id
       containerd-driver:
         enabled: False
         containerd_runtime: io.containerd.runc.v2

roles/nomad/tasks/conf.yml

@@ -111,58 +111,6 @@
   loop: "{{ nomad_backup_configs.stdout_lines }}"
   tags: nomad
 
-#- name: Deploy vault-agent config
-#  template: src=vault/agent.hcl.j2 dest={{ nomad_root_dir }}/vault/agent.hcl mode=640 owner=root group={{ nomad_user }}
-#  notify: restart nomad-vault-agent
-#  when: nomad_vault_agent.nomad_pki.enabled or nomad_vault_agent.consul_pki.enabled
-#  tags: nomad
-#
-#- name: Deploy agent cert bundle template
-#  template: src=vault/agent_bundle.pem.tpl.j2 dest={{ nomad_root_dir }}/vault/templates/agent_bundle.pem.tpl owner=root group=root
-#  notify: restart nomad-vault-agent
-#  when: nomad_vault_agent.nomad_pki.enabled or nomad_vault_agent.consul_pki.enabled
-#  tags: nomad
-#  
-#- name: Deploy cli cert bundle template
-#  template: src=vault/cli_bundle.pem.tpl.j2 dest={{ nomad_root_dir }}/vault/templates/cli_bundle.pem.tpl owner=root group=root
-#  notify: restart nomad-vault-agent
-#  when: (nomad_vault_agent.nomad_pki.enabled or nomad_vault_agent.consul_pki.enabled) and nomad_conf.server.enabled
-#  tags: nomad
-#
-#- name: Deploy consul token template
-#  template: src=vault/consul_token.tpl.j2 dest={{ nomad_root_dir }}/vault/templates/consul_token.tpl owner=root group=root
-#  notify: restart nomad-vault-agent
-#  when: (nomad_vault_agent.consul_token.enabled) and nomad_conf.server.enabled
-#  tags: nomad
-#
-#- fail: msg="Only one of token or approle should be configured"
-#  when:
-#    - nomad_vault_agent.auth.approle is defined
-#    - nomad_vault_agent.auth.token is defined
-#  tags: nomad
-#
-#- name: Setup AppRole auth
-#  block:
-#    - copy: content={{ nomad_vault_agent.auth.approle.role_id }} dest={{ nomad_root_dir }}/vault/role_id owner=root group={{ nomad_user }} mode=640
-#    - copy: content={{ nomad_vault_agent.auth.approle.secret_id }} dest={{ nomad_root_dir }}/vault/secret_id owner=root group={{ nomad_user }} mode=640
-#    - file: path={{ nomad_root_dir }}/vault/token state=absent
-#  when:
-#    - nomad_vault_agent.auth is defined
-#    - nomad_vault_agent.auth.approle is defined
-#    - nomad_vault_agent.auth.approle.role_id is defined
-#    - nomad_vault_agent.auth.approle.secret_id is defined
-#  tags: nomad
-#
-#- name: Setup Token auth
-#  block:
-#    - copy: content={{ nomad_vault_agent.auth.token }} dest={{ nomad_root_dir }}/vault/token owner=root group={{ nomad_user }} mode=640
-#    - file: path={{ nomad_root_dir }}/vault/role_id state=absent
-#    - file: path={{ nomad_root_dir }}/vault/secret_id state=absent
-#  when:
-#    - nomad_vault_agent.auth is defined
-#    - nomad_vault_agent.auth.token is defined
-#  tags: nomad
-
 - name: Set ACL on the TLS dir
   shell: |
     setfacl -R -b -k {{ nomad_root_dir }}/tls
@@ -208,3 +156,14 @@
 - name: Deploy Docker auth config
   template: src=docker_auth.json.j2 dest={{ nomad_root_dir }}/docker/auth.json owner={{ nomad_user }} group={{ nomad_user }} mode=600
   tags: nomad
+
+- name: Set userns for podman
+  lineinfile:
+    dest: /etc/{{ item }}
+    regexp: '^containers:.+'
+    line: 'containers:100000:65536'
+  loop:
+    - subuid
+    - subgid
+  when: nomad_conf.client.enabled and 'podman' in nomad_enabled_task_drivers
+  tags: nomad

roles/nomad/tasks/services.yml

@@ -19,10 +19,14 @@
     enabled: "{{ (nomad_conf.client.enabled and iptables_manage | default(True)) | ternary(True, False) }}"
   tags: nomad
 
-#- name: Handle nomad-vault-agent service
+- name: Handle podman service
-#  service:
+  systemd:
-#    name: nomad-vault-agent
+    name: podman.socket
-#    state: "{{ (nomad_vault_agent.nomad_pki.enabled or nomad_vault_agent.consul_pki.enabled or nomad_vault_agent.consul_token.enabled) | ternary('started', 'stopped') }}"
+    state: started
-#    enabled: "{{ (nomad_vault_agent.nomad_pki.enabled or nomad_vault_agent.consul_pki.enabled or nomad_vault_agent.consul_token.enabled) | ternary(True, False) }}"
+    enabled: True
-#  tags: nomad
+  when:
+    - nomad_conf.client.enabled
+    - nomad_conf.client.task_drivers.podman.enabled
+  tags: nomad
+
 

roles/nomad/templates/nomad.hcl.j2

@@ -133,6 +133,27 @@ plugin "docker" {
   }
 }
 
+{% if 'podman' in nomad_enabled_task_drivers %}
+plugin "podman-driver-podman" {
+  config {
+    recover_stopped = {{ nomad_conf.client.task_drivers.podman.recover_stopped | ternary('true', 'false') }}
+{% if nomad_conf.client.task_drivers.podman.socket_path is defined %}
+    socket_path = "{{ nomad_conf.client.task_drivers.podman.socket_path }}"
+{% endif %}
+{% if nomad_conf.client.task_drivers.podman.volumes.enabled %}
+    volumes {
+      enabled = true
+    }
+{% endif %}
+    extra_labels = [
+{% for label in nomad_conf.client.task_drivers.podman.extra_labels %}
+      "{{ label }}",
+{% endfor %}
+    ]
+  }
+}
+{% endif %}
+
 plugin "raw_exec" {
   config {
     enabled = {{ ('raw_exec' in nomad_enabled_task_drivers) | ternary('true', 'false') }}

roles/nomad/vars/RedHat.yml

@@ -6,6 +6,7 @@ nomad_packages:
   - unzip
   - acl
 
+# Note : there's no package for the Docker driver as it'll pull the docker role already
 nomad_task_driver_packages:
   java:
     - java-17-openjdk-headless

roles/wkhtmltopdf/defaults/main.yml

@@ -1,3 +1,3 @@
 ---
 
-wkhtmltopdf_version: 0.12.6-1
+wkhtmltopdf_version: 0.12.6.1-3