batou_ext.oci: Add support for podman

FC-37959 We mostly want this for healthchecks that must pass before the unit is actually active.
flyingcircusio · Nov 29, 2024 · d83ac63 · d83ac63
1 parent 1679d98
commit d83ac63
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 6 deletions.
diff --git a/CHANGES.d/20241129_131748_mb_FC_37959_podman.md b/CHANGES.d/20241129_131748_mb_FC_37959_podman.md
@@ -0,0 +1,13 @@
+- `batou_ext.oci.Container`: allow to use `podman` as backend instead of `docker`.
+  This also enables the following features:
+
+  * Rootless containers: by setting the `user` option to a different user. By default,
+    the service user of the deployment is used.
+
+  * Only mark services as `active` if the container is up. Which metric is used
+    for that can be configured using the `sd_notify` option:
+
+    * `container`: the `sd_notify(3)` call must be sent from inside the container.
+    * `healthy`: if the container's health check(s) are green.
+    * `conmon`: if the container is up (but not necessarily the service in it).
+    * `ignore`: just mark the unit as `active`.
diff --git a/src/batou_ext/oci.py b/src/batou_ext/oci.py
@@ -80,6 +80,10 @@ class Container(Component):
     image = Attribute(str)
     version: str = "latest"
     container_name = Attribute(str)
+    backend = Attribute(str, "docker")
+
+    sd_notify = Attribute(str, None)
+    user = Attribute(str, None)
 
     # Set up monitoring
     monitor: bool = True
@@ -95,7 +99,7 @@ class Container(Component):
     ports: dict = {}
     env: dict = {}
     depends_on: list = None
-    extra_options: list = None
+    extra_options: list = []
 
     # secrets
     registry_address = Attribute(Optional[str], None)
@@ -108,6 +112,11 @@ class Container(Component):
     }
 
     def configure(self):
+        if self.backend not in ["docker", "podman"]:
+            raise ValueError(
+                f"Unsupported backend '{self.backend}' for container '{self.container_name}' (allowed: docker, podman)!"
+            )
+
         if (
             self.registry_user or self.registry_password
         ) and not self.registry_address:
@@ -145,6 +154,25 @@ def configure(self):
         if self.docker_cmd:
             self._docker_cmd_list = shlex.split(self.docker_cmd)
 
+        if self.backend != "podman":
+            assert (
+                self.sd_notify is None
+            ), f"Container '{self.container_name}' runs with Docker, so the sd_notify option is not supported!"
+            assert (
+                self.user is None
+            ), f"Container '{self.container_name}' runs with Docker, so the user option is not supported!"
+        elif self.sd_notify is not None:
+            assert self.sd_notify in [
+                "container",
+                "conmon",
+                "healthy",
+                "ignore",
+            ], f"Container '{self.container_name}' set invalid value for 'sd_notify'. Allowed values: container, conmon, healthy, ignore!"
+            self.extra_options.append(f"--sdnotify={self.sd_notify}")
+
+        if self.backend == "podman" and self.user is None:
+            self.user = self.host.service_user
+
         if not self.depends_on:
             self.depends_on = []
 

diff --git a/src/batou_ext/resources/oci-template.nix b/src/batou_ext/resources/oci-template.nix
@@ -2,22 +2,26 @@
 {
   # {% if component.monitor %}
   flyingcircus = {
-    services.sensu-client.checks."docker-{{component.container_name}}" = {
+    services.sensu-client.checks."{{ component.backend }}-{{component.container_name}}" = {
       notification = "Status of container {{component.container_name}}";
       command = ''
-        if $(systemctl is-active --quiet docker-{{component.container_name}}); then
-          echo "docker container {{component.container_name}} is ok"
+        if $(systemctl is-active --quiet {{ component.backend }}-{{component.container_name}}); then
+          echo "{{ component.backend }} container {{component.container_name}} is ok"
         else
-          echo "docker container {{component.container_name}} is inactive"
+          echo "{{ component.backend }} container {{component.container_name}} is inactive"
           exit 2
         fi
       '';
     };
   };
   # {% endif %}
 
+  # {% if component.backend == "podman" %}
+  virtualisation.podman.enable = true;
+  # {% endif %}
+
   virtualisation.oci-containers = {
-    backend = "docker";
+    backend = "{{ component.backend }}";
     containers."{{component.container_name}}" = {
       # {% if component.entrypoint %}
       entrypoint = "{{component.entrypoint}}";
@@ -40,6 +44,9 @@
 
       extraOptions = [
         "--pull=always"
+        # {% if component.backend == "podman" %}
+        "--cidfile=/run/{{component.container_name}}/ctr-id"
+        # {% endif %}
         # {% for option in (component.extra_options or []) %}
         "{{option}}"
         # {% endfor %}
@@ -68,4 +75,13 @@
       ];
     };
   };
+
+  # {% if component.backend == "podman" %}
+  systemd.services.podman-lalala.serviceConfig = {
+    User = "{{ component.user }}";
+    RuntimeDirectory = "{{component.container_name}}";
+    Delegate = true;
+    NotifyAccess = "all";
+  };
+  # {% endif %}
 }