Enable container survival after host reboot.

Also fix an embarassing oversight where the container
was still running as privileged!

Makefile

@@ -2,7 +2,7 @@
 
 ENV=.env
 _PYTHON=python3
-PYTHON_VERSION=$(shell ${_PYTHON} -V | cut -d " " -f 2 | cut -c1-3)
+PYTHON_VERSION=$(shell ${_PYTHON} -V | cut -d " " -f 2 | cut -d "." -f1-2)
 SITE_PACKAGES=${ENV}/lib/python${PYTHON_VERSION}/site-packages
 PYTHON=${ENV}/bin/python3
 ANSIBLE=${ENV}/bin/ansible

roles/gitlab_runner/defaults/main.yml

@@ -1,3 +1,5 @@
 ---
 runner_image: "docker.io/gitlab/gitlab-runner:latest"
 registry_host: "docker.io"
+podman_user: "gitlab-runner"
+podman_user_home: "/home/{{ podman_user}}"

roles/gitlab_runner/molecule/default/tests/gitlab_runner.yml

@@ -12,8 +12,8 @@
       - volume_state.volumes[0]['Name'] == 'gitlab-runner-config'
 
 - name: "Read the TOML config file"
-  become: yes
-  become_user: "gitlab-runner"
+  become: true
+  become_user: "{{ podman_user }}"
   slurp:
     src: "{{ volume_state.volumes[0]['Mountpoint'] }}/config.toml"
   register: config_file
@@ -30,9 +30,9 @@
       - config_toml is regex("^# ANSIBLE MANAGED FILE")
       - config_toml is search("dr00ls")
 
-- name: "Get infos on container"
+- name: "Check container information"
   become: yes
-  become_user: "gitlab-runner"
+  become_user: "{{ podman_user }}"
   podman_container_info:
     name: "gitlab-runner"
   register: container_state

roles/gitlab_runner/molecule/default/tests/podman.yml

@@ -9,8 +9,9 @@
       - services_state.ansible_facts.services['podman.service'].status == "enabled"
 
 - name: "Check the Podman socket"
+  become: true
   stat:
-    path: "/run/podman/podman.sock"
+    path: "/var/run/podman/podman.sock"
   register: podman_sock
 
 - name: "Check that the Podman socket file exists"
@@ -19,8 +20,9 @@
       - podman_sock.stat.exists is true
 
 - name: "Read the file ACL for the Podman socket"
+  become: true
   acl:
-    path: /var/run/podman/podman.sock
+    path: "/var/run/podman/podman.sock"
   register: acl_info
 
 - name: "Check that the ACL contains a RW permission for the gitlab-runner user"

roles/gitlab_runner/molecule/default/tests/survive_reboot.yml

@@ -0,0 +1,17 @@
+---
+- name: "Reboot the machine"
+  become: true
+  reboot:
+
+- name: "Check that the container is still running"
+  become: yes
+  become_user: "{{ podman_user }}"
+  podman_container_info:
+    name: "gitlab-runner"
+  register: container_state
+
+- name: "Check container state"
+  assert:
+    that:
+      - container_state.containers[0]['Name'] == 'gitlab-runner'
+      - container_state.containers[0]['State']['Status'] == 'running'

roles/gitlab_runner/molecule/default/verify.yml

@@ -8,3 +8,6 @@
     - include_tasks: "tests/user.yml"
     - include_tasks: "tests/podman.yml"
     - include_tasks: "tests/gitlab_runner.yml"
+    - include_tasks: "tests/survive_reboot.yml"
+  vars:
+    podman_user: "gitlab-runner"

roles/gitlab_runner/tasks/gitlab_runner.yml

@@ -1,7 +1,7 @@
 ---
 - name: "Create the gitlab_runner volume"
-  become: yes
-  become_user: "gitlab-runner"
+  become: true
+  become_user: "{{ podman_user }}"
   containers.podman.podman_volume:
     name: "gitlab-runner-config"
   register: volume_state
@@ -36,16 +36,22 @@
     - registry_host is defined
 
 - name: "Create the gitlab_runner container"
-  become: yes
-  become_user: "gitlab-runner"
+  become: true
+  become_user: "{{ podman_user }}"
   containers.podman.podman_container:
     name: "gitlab-runner"
     state: started
-    restart_policy: always
     image: "{{ runner_image }}"
-    privileged: true
-    env:
-      DOCKER_HOST: "unix:///var/run/podman/podman.sock"
-    volumes:
-      - "/run/podman/podman.sock:/var/run/podman/podman.sock"
-      - "gitlab-runner-config:/etc/gitlab-runner"
+    privileged: false
+    generate_systemd:
+      path: "{{ podman_user_home }}/.config/systemd/user"
+      restart_policy: "on-failure"
+
+- name: "Enable Systemd for {{ item }}"
+  become_user: "{{ podman_user }}"
+  become: true
+  systemd:
+    enabled: true
+    scope: user
+    name: "container-gitlab-runner"
+    daemon_reload: true

roles/gitlab_runner/tasks/user.yml

@@ -2,11 +2,48 @@
 - name: "Create the local gitlab-runner group"
   become: yes
   group:
-    name: "gitlab-runner"
+    name: "{{ podman_user }}"
     state: "present"
+  register: user_out
 
 - name: "Create the local gitlab-runner user"
   become: yes
   user:
-    name: "gitlab-runner"
-    group: "gitlab-runner"
+    name: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+
+- name: "Create the local user '{{ podman_user }}'"
+  become: yes
+  user:
+    name: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+  register: user_out
+
+- set_fact:
+    podman_user_home: "{{ user_out['home'] }}"
+
+- name: "Create a tmp directory for ansible in {{ podman_user_home }}"
+  become_user: "{{ podman_user }}"
+  become: yes
+  file:
+    path: "{{ podman_user_home }}/.config/tmp"
+    state: directory
+    mode: 0760
+
+- name: "Create a systemd directory in {{ podman_user_home }}"
+  become_user: "{{ podman_user }}"
+  become: yes
+  file:
+    path: "{{ podman_user_home }}/.config/systemd/user"
+    state: directory
+    mode: 0760
+
+- name: "Check if lingering enabled for {{ podman_user }}"
+  stat:
+    path: "/var/lib/systemd/linger/{{ podman_user }}"
+  register: linger
+
+- name: "Enable linger for {{ podman_user }}"
+  become: true
+  command: "loginctl enable-linger {{ podman_user }}"
+  when: not linger.stat.exists