From 74ba5ce55c3e389957e1fb2f41e2179f81ab7f17 Mon Sep 17 00:00:00 2001 From: Rigel Di Scala Date: Tue, 21 Dec 2021 11:24:06 +0100 Subject: [PATCH] Enable container survival after host reboot. Also fix an embarassing oversight where the container was still running as privileged! --- Makefile | 2 +- roles/gitlab_runner/defaults/main.yml | 2 + .../molecule/default/tests/gitlab_runner.yml | 8 ++-- .../molecule/default/tests/podman.yml | 6 ++- .../molecule/default/tests/survive_reboot.yml | 17 ++++++++ .../gitlab_runner/molecule/default/verify.yml | 3 ++ roles/gitlab_runner/tasks/gitlab_runner.yml | 28 +++++++----- roles/gitlab_runner/tasks/user.yml | 43 +++++++++++++++++-- 8 files changed, 88 insertions(+), 21 deletions(-) create mode 100644 roles/gitlab_runner/molecule/default/tests/survive_reboot.yml diff --git a/Makefile b/Makefile index f9a2a7b..46f5040 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ ENV=.env _PYTHON=python3 -PYTHON_VERSION=$(shell ${_PYTHON} -V | cut -d " " -f 2 | cut -c1-3) +PYTHON_VERSION=$(shell ${_PYTHON} -V | cut -d " " -f 2 | cut -d "." -f1-2) SITE_PACKAGES=${ENV}/lib/python${PYTHON_VERSION}/site-packages PYTHON=${ENV}/bin/python3 ANSIBLE=${ENV}/bin/ansible diff --git a/roles/gitlab_runner/defaults/main.yml b/roles/gitlab_runner/defaults/main.yml index 3f5de95..cf1dcdc 100644 --- a/roles/gitlab_runner/defaults/main.yml +++ b/roles/gitlab_runner/defaults/main.yml @@ -1,3 +1,5 @@ --- runner_image: "docker.io/gitlab/gitlab-runner:latest" registry_host: "docker.io" +podman_user: "gitlab-runner" +podman_user_home: "/home/{{ podman_user}}" diff --git a/roles/gitlab_runner/molecule/default/tests/gitlab_runner.yml b/roles/gitlab_runner/molecule/default/tests/gitlab_runner.yml index 277fac8..4e886f4 100644 --- a/roles/gitlab_runner/molecule/default/tests/gitlab_runner.yml +++ b/roles/gitlab_runner/molecule/default/tests/gitlab_runner.yml 
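Review bot: `podman_user_home: "/home/{{ podman_user}}"` hard-codes the home path, but tasks/user.yml in this same commit replaces the value at runtime with `user_out['home']`, so the default is dead on the normal path and can silently disagree with the real home (which the generate_systemd path depends on) if a consumer relies on it. Either drop the default or document the precedence with a comment above it: `# Fallback only; tasks/user.yml overwrites this with the created user's real home directory`. The missing space in `{{ podman_user}}` is cosmetic but worth fixing for consistency with the other templates.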
@@ -12,8 +12,8 @@ - volume_state.volumes[0]['Name'] == 'gitlab-runner-config' - name: "Read the TOML config file" - become: yes - become_user: "gitlab-runner" + become: true + become_user: "{{ podman_user }}" slurp: src: "{{ volume_state.volumes[0]['Mountpoint'] }}/config.toml" register: config_file @@ -30,9 +30,9 @@ - config_toml is regex("^# ANSIBLE MANAGED FILE") - config_toml is search("dr00ls") -- name: "Get infos on container" +- name: "Check container information" become: yes - become_user: "gitlab-runner" + become_user: "{{ podman_user }}" podman_container_info: name: "gitlab-runner" register: container_state diff --git a/roles/gitlab_runner/molecule/default/tests/podman.yml b/roles/gitlab_runner/molecule/default/tests/podman.yml index e4f501c..87dd1bb 100644 --- a/roles/gitlab_runner/molecule/default/tests/podman.yml +++ b/roles/gitlab_runner/molecule/default/tests/podman.yml @@ -9,8 +9,9 @@ - services_state.ansible_facts.services['podman.service'].status == "enabled" - name: "Check the Podman socket" + become: true stat: - path: "/run/podman/podman.sock" + path: "/var/run/podman/podman.sock" register: podman_sock - name: "Check that the Podman socket file exists" @@ -19,8 +20,9 @@ - podman_sock.stat.exists is true - name: "Read the file ACL for the Podman socket" + become: true acl: - path: /var/run/podman/podman.sock + path: "/var/run/podman/podman.sock" register: acl_info - name: "Check that the ACL contains a RW permission for the gitlab-runner user" diff --git a/roles/gitlab_runner/molecule/default/tests/survive_reboot.yml b/roles/gitlab_runner/molecule/default/tests/survive_reboot.yml new file mode 100644 index 0000000..ff377a9 --- /dev/null +++ b/roles/gitlab_runner/molecule/default/tests/survive_reboot.yml 
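Review bot: This test still asserts a RW ACL for the runner user on the rootful socket `/var/run/podman/podman.sock`, while the container hunk in this same commit drops the socket mount and `DOCKER_HOST`; RW on the root Podman socket is root-equivalent for anyone who can reach it, so a grant that is no longer consumed is pure attack surface. If the role still sets that ACL, remove the grant and flip this assertion to check that the runner user is absent from the ACL; if the socket is still meant to be used, say so in the commit. `/var/run` is normally a symlink to `/run` on systemd hosts, so pick one spelling and use it in both the tasks and these tests.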
@@ -0,0 +1,17 @@ +--- +- name: "Reboot the machine" + become: true + reboot: + +- name: "Check that the container is still running" + become: yes + become_user: "{{ podman_user }}" + podman_container_info: + name: "gitlab-runner" + register: container_state + +- name: "Check container state" + assert: + that: + - container_state.containers[0]['Name'] == 'gitlab-runner' + - container_state.containers[0]['State']['Status'] == 'running' diff --git a/roles/gitlab_runner/molecule/default/verify.yml b/roles/gitlab_runner/molecule/default/verify.yml index 96e8766..e752232 100644 --- a/roles/gitlab_runner/molecule/default/verify.yml +++ b/roles/gitlab_runner/molecule/default/verify.yml @@ -8,3 +8,6 @@ - include_tasks: "tests/user.yml" - include_tasks: "tests/podman.yml" - include_tasks: "tests/gitlab_runner.yml" + - include_tasks: "tests/survive_reboot.yml" + vars: + podman_user: "gitlab-runner" diff --git a/roles/gitlab_runner/tasks/gitlab_runner.yml b/roles/gitlab_runner/tasks/gitlab_runner.yml index bf85f33..e52536a 100644 --- a/roles/gitlab_runner/tasks/gitlab_runner.yml +++ b/roles/gitlab_runner/tasks/gitlab_runner.yml @@ -1,7 +1,7 @@ --- - name: "Create the gitlab_runner volume" - become: yes - become_user: "gitlab-runner" + become: true + become_user: "{{ podman_user }}" containers.podman.podman_volume: name: "gitlab-runner-config" register: volume_state 
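Review bot: The `podman_container_info` task runs as soon as `reboot:` returns, but the container is started by a lingering user unit, so it may not have reached `running` yet and the assertion can flake; poll instead with `until: container_state.containers | default([]) | length > 0 and container_state.containers[0]['State']['Status'] == 'running'`, `retries: 12` and `delay: 5`. The assert also indexes `containers[0]` unconditionally, which raises an undefined-variable error rather than a clear assertion failure when the container is absent. `become: yes` on the second task should be `become: true` to match the first task in this file.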
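Review bot: The `vars:` block with `podman_user` appears to be attached only to the `survive_reboot.yml` include (indentation is lost in this paste, so this is inferred), yet `tests/gitlab_runner.yml` in this same commit also templates `{{ podman_user }}`, so those tasks would fail with an undefined variable unless the play defines it elsewhere. Move `podman_user: "gitlab-runner"` to a play-level `vars:` in this playbook, or load the role's `defaults/main.yml` with `include_vars`, so all the test files see the same value.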
@@ -36,16 +36,22 @@ - registry_host is defined - name: "Create the gitlab_runner container" - become: yes - become_user: "gitlab-runner" + become: true + become_user: "{{ podman_user }}" containers.podman.podman_container: name: "gitlab-runner" state: started - restart_policy: always image: "{{ runner_image }}" - privileged: true - env: - DOCKER_HOST: "unix:///var/run/podman/podman.sock" - volumes: - - "/run/podman/podman.sock:/var/run/podman/podman.sock" - - "gitlab-runner-config:/etc/gitlab-runner" + privileged: false + generate_systemd: + path: "{{ podman_user_home }}/.config/systemd/user" + restart_policy: "on-failure" + +- name: "Enable Systemd for {{ item }}" + become_user: "{{ podman_user }}" + become: true + systemd: + enabled: true + scope: user + name: "container-gitlab-runner" + daemon_reload: true diff --git a/roles/gitlab_runner/tasks/user.yml b/roles/gitlab_runner/tasks/user.yml index 30f5930..1b851b2 100644 --- a/roles/gitlab_runner/tasks/user.yml +++ b/roles/gitlab_runner/tasks/user.yml 
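Review bot: Besides `privileged: false`, the hunk silently removes the `volumes` and `env` entries, so the runner container no longer has any Podman socket; if the runner's `config.toml` still selects the docker executor it will be unable to reach a daemon, and the commit message does not mention this. If dropping socket access is intended it is the real privilege reduction here (RW on the rootful socket is root-equivalent whatever `privileged` says), so state it in the message and also remove the socket ACL grant that `tests/podman.yml` still asserts. `name: "Enable Systemd for {{ item }}"` references `item` without a loop and will render literally or warn; use `name: "Enable the container-gitlab-runner user unit for {{ podman_user }}"`. In my experience `systemd` with `scope: user` under `become_user` needs `XDG_RUNTIME_DIR` to find the user bus, e.g. `environment: {XDG_RUNTIME_DIR: "/run/user/{{ user_out.uid }}"}`, with `user_out` coming from the `user` task in tasks/user.yml.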
@@ -2,11 +2,48 @@ - name: "Create the local gitlab-runner group" become: yes group: - name: "gitlab-runner" + name: "{{ podman_user }}" state: "present" + register: user_out - name: "Create the local gitlab-runner user" become: yes user: - name: "gitlab-runner" - group: "gitlab-runner" + name: "{{ podman_user }}" + group: "{{ podman_user }}" + +- name: "Create the local user '{{ podman_user }}'" + become: yes + user: + name: "{{ podman_user }}" + group: "{{ podman_user }}" + register: user_out + +- set_fact: + podman_user_home: "{{ user_out['home'] }}" + +- name: "Create a tmp directory for ansible in {{ podman_user_home }}" + become_user: "{{ podman_user }}" + become: yes + file: + path: "{{ podman_user_home }}/.config/tmp" + state: directory + mode: 0760 + +- name: "Create a systemd directory in {{ podman_user_home }}" + become_user: "{{ podman_user }}" + become: yes + file: + path: "{{ podman_user_home }}/.config/systemd/user" + state: directory + mode: 0760 + +- name: "Check if lingering enabled for {{ podman_user }}" + stat: + path: "/var/lib/systemd/linger/{{ podman_user }}" + register: linger + +- name: "Enable linger for {{ podman_user }}" + become: true + command: "loginctl enable-linger {{ podman_user }}" + when: not linger.stat.exists
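Review bot: The new "Create the local user" task repeats the "Create the local gitlab-runner user" task just above it with the same `user:` arguments, and the `register: user_out` added to the group task is immediately overwritten by the user task's register, so one `user` task with `register: user_out` is enough and the group register should go. `mode: 0760` on `.config/tmp` and `.config/systemd/user` grants the group write without the traverse bit on a directory, which is an odd permission for a private unit directory; use `mode: "0700"` (quoted, so YAML does not reinterpret the octal). The stat/command pair for lingering can be a single idempotent task: `command: "loginctl enable-linger {{ podman_user }}"` with `args:` / `creates: "/var/lib/systemd/linger/{{ podman_user }}"`. `become: yes` here should be `become: true` to match the rest of the commit.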