From 53d34d4b8905e616139c3165f02c9af00ce67cb0 Mon Sep 17 00:00:00 2001 From: Rich Megginson Date: Mon, 24 Jul 2023 13:33:21 -0600 Subject: [PATCH] feat: allow not pulling images, continue if pull fails Feature: Add `podman_pull_image` - if `false`, do not pull the image before trying to use it. Add `podman_continue_if_pull_fails` - continue with the role if the image pull fails. Reason: The managed node might be isolated and unable to pull images. The managed node might be pre-built with images already present. Users need to have more control about what happens in these situations. Result: User can control when/how images are pulled by units. Signed-off-by: Rich Megginson --- README.md | 29 ++++++++++++++++++++++++++++ defaults/main.yml | 11 +++++++++++ tasks/create_update_kube_spec.yml | 4 ++++ tasks/create_update_quadlet_spec.yml | 4 ++++ tasks/handle_kube_spec.yml | 8 +++++++- tasks/handle_quadlet_spec.yml | 8 +++++++- 6 files changed, 62 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a7ebafa8..c708331e 100644 --- a/README.md +++ b/README.md 
@@ -68,6 +68,13 @@ except for the following: * `activate_systemd_unit` - Whether or not to activate the systemd unit when it is created. If you do not specify this, then the global default `podman_activate_systemd_unit` will be used, which is `true` by default. +* `pull_image` - Ensure the image is pulled before use. If you do not specify + this, then the global default `podman_pull_image` will be used, which is + `true` by default. +* `continue_if_pull_fails` - If pulling the image, and the pull fails, do not + treat this as a fatal error, and continue with the role. If you do not + specify this, then the global default `podman_continue_if_pull_fails` will be + used, which is `false` by default. * `kube_file_src` - This is the name of a file on the controller node which will be copied to `kube_file` on the managed node. This is a file in Kubernetes YAML format. Do not specify this if you specify `kube_file_content`. 
@@ -274,6 +281,28 @@ specify per-container scope with `systemd_unit_scope` in `podman_kube_specs`. By default, rootless containers will use `user` and root containers will use `system`. +### podman_activate_systemd_units + +Activate each systemd unit as soon as it is created. The default is `true`. +You can also do this on a per-unit basis by using `activate_systemd_units` in +the spec for each unit. For example, if you are deploying several specs, and you +only want the last one in the list to activate which will trigger the others to +activate via dependencies, then set `activate_systemd_unit: false` for each one +except the last one uses `activate_systemd_unit: true` + +### podman_pull_image + +Ensure that each image mentioned in a kube or quadlet spec is present by pulling +the image before it is used. The default is `true`. Use `false` if the managed +node already has the correct version, or is not able to pull images. You can also +specify this on a per-unit basis with `pull_image`. + +### podman_continue_if_pull_fails + +If the image pull attempt fails, do not treat this as a fatal error, and continue +with the role run. The default is `false` - a pull attempt failure is a fatal +error. You can set this on a per-unit basis with `continue_if_pull_fails`. + ### podman_containers_conf These are the containers.conf(5) settings, provided as a `dict`. These settings diff --git a/defaults/main.yml b/defaults/main.yml index 999cea1d..bb44e487 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -93,3 +93,14 @@ podman_secrets: [] # then set `activate_systemd_unit: false` for each one # except the last one uses `activate_systemd_unit: true` podman_activate_systemd_unit: true + +# Ensure images used are present +# Look at the specs, and pull images that are specified there +# You can also do this on a per-spec basis using pull_images +podman_pull_image: true + +# Continue if the image pull fails +# If pulling the image fails, do not fail the role - continue +# running the role. +# You can do this on a per-spec basis using continue_if_pull_fails +podman_continue_if_pull_fails: false diff --git a/tasks/create_update_kube_spec.yml b/tasks/create_update_kube_spec.yml index 2e96af1a..fca64981 100644 --- a/tasks/create_update_kube_spec.yml +++ b/tasks/create_update_kube_spec.yml @@ -46,6 +46,10 @@ username: "{{ container_image_user | default(omit) }}" password: "{{ container_image_password | default(omit) }}" register: __podman_image_updated + when: __podman_pull_image | bool + failed_when: + - __podman_image_updated is failed + - not __podman_continue_if_pull_fails environment: XDG_RUNTIME_DIR: "{{ __podman_xdg_runtime_dir }}" become: "{{ __podman_rootless | ternary(true, omit) }}" diff --git a/tasks/create_update_quadlet_spec.yml b/tasks/create_update_quadlet_spec.yml index 443f9dbf..f76f232c 100644 --- a/tasks/create_update_quadlet_spec.yml +++ b/tasks/create_update_quadlet_spec.yml @@ -30,6 +30,10 @@ username: "{{ container_image_user | default(omit) }}" password: "{{ container_image_password | default(omit) }}" register: __podman_image_updated + when: __podman_pull_image | bool + failed_when: + - __podman_image_updated is failed + - not __podman_continue_if_pull_fails environment: XDG_RUNTIME_DIR: "{{ __podman_xdg_runtime_dir }}" become: "{{ __podman_rootless | ternary(true, omit) }}" diff --git a/tasks/handle_kube_spec.yml b/tasks/handle_kube_spec.yml index c34d4612..b2324f7f 100644 --- a/tasks/handle_kube_spec.yml +++ b/tasks/handle_kube_spec.yml 
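Review bot: The comment added above `podman_pull_image` in defaults/main.yml names the per-spec key as `pull_images`, but the README text and the `handle_*_spec` tasks in this patch use `pull_image`. A spec written with the plural spelling would presumably leave the global default in force, so the pull would not be disabled as the user intended. Suggest `# You can also do this on a per-spec basis using pull_image`. It would also help to add one comment line saying that with `false` the role uses whatever copy of the image is already in local storage, so keeping that copy current and trusted becomes the operator's job.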
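Review bot: In tasks/create_update_kube_spec.yml the new `failed_when` entry `not __podman_continue_if_pull_fails` is evaluated without `| bool`, while the `when:` added just above it casts `__podman_pull_image | bool`. If the value ever reaches this task as a non-empty string rather than a real boolean (possible depending on how it is supplied and templated), `not "false"` is false and a failed pull is silently accepted, which fails open. Suggest `- not __podman_continue_if_pull_fails | bool`; the same line appears in the tasks/create_update_quadlet_spec.yml hunk. A short comment on `failed_when` noting that an ignored pull failure leaves the unit running whatever image is cached locally would help operators. Both tasks begin above the hunk, so the rest of their options are not visible here.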
@@ -28,7 +28,8 @@ else none }}" vars: __del_params: "^(kube_file_src|kube_file_content|run_as_user|run_as_group|\ - systemd_unit_scope|activate_systemd_unit)$" + systemd_unit_scope|activate_systemd_unit|pull_image|\ + continue_if_pull_fails)$" - name: Set per-container variables part 1 set_fact: @@ -47,6 +48,11 @@ __podman_kube_spec_item['systemd_unit_scope'] | d(podman_systemd_unit_scope) }}" __podman_state: "{{ __state }}" + __podman_pull_image: "{{ __podman_kube_spec_item['pull_image'] | + d(podman_pull_image) }}" + __podman_continue_if_pull_fails: "{{ + __podman_kube_spec_item['continue_if_pull_fails'] | + d(podman_continue_if_pull_fails) }}" vars: __state: "{{ ((__podman_kube_spec_item['state'] | d('')) == 'absent') | ternary('absent', 'created') }}" diff --git a/tasks/handle_quadlet_spec.yml b/tasks/handle_quadlet_spec.yml index 468cef1a..4a6a206d 100644 --- a/tasks/handle_quadlet_spec.yml +++ b/tasks/handle_quadlet_spec.yml @@ -34,7 +34,8 @@ else none }}" vars: __del_params: "^(file_src|file_content|file|run_as_user|run_as_group|\ - systemd_unit_scope|name|type|state|activate_systemd_unit|template_src)$" + systemd_unit_scope|name|type|state|activate_systemd_unit|template_src\ + pull_image|continue_if_pull_fails)$" - name: Fail if no quadlet spec is given fail: @@ -56,6 +57,11 @@ __podman_quadlet_spec_item['systemd_unit_scope'] | d(podman_systemd_unit_scope) }}" __podman_state: "{{ __state }}" + __podman_pull_image: "{{ __podman_quadlet_spec_item['pull_image'] | + d(podman_pull_image) }}" + __podman_continue_if_pull_fails: "{{ + __podman_quadlet_spec_item['continue_if_pull_fails'] | + d(podman_continue_if_pull_fails) }}" vars: __state: "{{ ((__podman_quadlet_spec_item['state'] | d('')) == 'absent') | ternary('absent', 'created') }}"
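Review bot: The `__del_params` pattern in tasks/handle_quadlet_spec.yml loses the `|` between `template_src` and `pull_image`. In a double-quoted YAML scalar the trailing `\` joins the two lines with nothing in between, so the alternation contains `template_srcpull_image` and no longer matches `template_src` or `pull_image` on their own. The kube hunk gets this right with `activate_systemd_unit|pull_image|\`. As far as the visible context shows, keys that do not match are kept in the spec handed on to the quadlet file, so both would presumably leak into the generated unit. Suggest `systemd_unit_scope|name|type|state|activate_systemd_unit|template_src|\` followed by `pull_image|continue_if_pull_fails)$"`.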