Fix issue with the podman socket

This fixes a problem with the podman socket not being readable by the podman user ("gitlab-runner").
zedr · Jan 3, 2022 · 78f3ec3 · 78f3ec3
1 parent afedaa2
commit 78f3ec3
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 34 deletions.
diff --git a/roles/gitlab_runner/molecule/default/tests/podman.yml b/roles/gitlab_runner/molecule/default/tests/podman.yml
@@ -1,31 +1,23 @@
 ---
-- name: collect facts about system services
-  service_facts:
-  register: services_state
+- name: "Define some facts"
+  include_tasks:
+    file: "../../../tasks/facts.yml"
 
-- name: "Check the status of systemd service Podman"
-  assert:
-    that:
-      - services_state.ansible_facts.services['podman.service'].status == "enabled"
-
-- name: "Check the Podman socket"
-  become: true
-  stat:
-    path: "/var/run/podman/podman.sock"
-  register: podman_sock
-
-- name: "Check that the Podman socket file exists"
-  assert:
-    that:
-      - podman_sock.stat.exists is true
-
-- name: "Read the file ACL for the Podman socket"
+- name: >
+    Run a command that checks the state of the podman.socket service
+    for {{ podman_user }}
   become: true
-  acl:
-    path: "/var/run/podman/podman.sock"
-  register: acl_info
+  become_user: "{{ podman_user }}"
+  command:
+    cmd: "systemctl --user status podman.socket"
+  register: systemd_status_out
+  environment:
+    # Required for user execution - here we use the UID of the `podman_user`
+    XDG_RUNTIME_DIR: "/run/user/{{ podman_user_uid }}"
 
-- name: "Check that the ACL contains a RW permission for the gitlab-runner user"
+- name: >
+    Check that the user podman.socket systemd service is running and listening
+    for {{ podman_user}}
   assert:
     that:
-      - "{{ 'user:gitlab-runner:rw-' in acl_info.acl }}"
+      - "'Active: active (listening)' in systemd_status_out.stdout"
diff --git a/roles/gitlab_runner/tasks/facts.yml b/roles/gitlab_runner/tasks/facts.yml
@@ -0,0 +1,9 @@
+---
+- name: "Examine the database of users so we can extract the UID later"
+  getent:
+    database: "passwd"
+  register: getent_out
+
+- name: "Set the user UID fact"
+  set_fact:
+    podman_user_uid: "{{ getent_out['ansible_facts']['getent_passwd'][podman_user].1 }}"
diff --git a/roles/gitlab_runner/tasks/gitlab_runner.yml b/roles/gitlab_runner/tasks/gitlab_runner.yml
@@ -48,6 +48,9 @@
     generate_systemd:
       path: "{{ podman_user_home }}/.config/systemd/user"
       restart_policy: "on-failure"
+    volumes:
+      - "/run/user/{{ podman_user_uid }}/podman/podman.sock:/var/run/podman/podman.sock"
+      - "gitlab-runner-config:/etc/gitlab-runner"
 
 - name: "Enable Systemd for {{ item }}"
   become_user: "{{ podman_user }}"

diff --git a/roles/gitlab_runner/tasks/main.yml b/roles/gitlab_runner/tasks/main.yml
@@ -1,4 +1,10 @@
 ---
+- name: "Define some facts"
+  include_tasks:
+    file: "facts.yml"
+  tags:
+    - always
+
 - name: "Running User creation tasks on {{ ansible_host }}"
   include_tasks:
     file: "user.yml"

diff --git a/roles/gitlab_runner/tasks/podman.yml b/roles/gitlab_runner/tasks/podman.yml
@@ -18,15 +18,11 @@
 
 - name: "Enable Podman socket"
   become: yes
+  become_user: "{{ podman_user }}"
   systemd:
-    name: "podman"
+    name: "podman.socket"
     state: started
+    scope: user
     enabled: yes
-    daemon_reload: yes
-
-- name: "Set the ACL for the gitlab-runner user on the Podman socket file"
-  become: yes
-  acl:
-    path: /var/run/podman/podman.sock
-    entry: "user:gitlab-runner:rw"
-    state: present
+  environment:
+    XDG_RUNTIME_DIR: "/run/user/{{ podman_user_uid }}"