-
Notifications
You must be signed in to change notification settings - Fork 14
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve Podman provider #298
Conversation
45757ea
to
7fd95bb
Compare
Allow to add custom network configuration to the network bridge activated via podman provider. Signed-off-by: Alexander Bokovoy <[email protected]>
Use seccomp.json from FreeIPA Azure CI tests. It works well for both docker and podman, both root and rootless. Signed-off-by: Alexander Bokovoy <[email protected]>
Signed-off-by: Alexander Bokovoy <[email protected]>
seccomp.json that is usable for FreeIPA should be packaged. Signed-off-by: Alexander Bokovoy <[email protected]>
Ansible connection.podman.podman connection module uses ansible_host as a container ID to connect to. Use container ID instead of IP address which cannot be reached in rootless setup anyway. It makes `ansible -c podman -i metadata-inventory.yaml` usable in rootless podman setup because one cannot connect over IP addresses to the containers as the networking bridge is not visible from the host. Signed-off-by: Alexander Bokovoy <[email protected]>
@@ -29,6 +29,7 @@ class PodmanTransformer(Transformer): | |||
"images", | |||
"pubkey", | |||
"default_network", | |||
"network_options", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO I would remove this line, so the spec is optional, rather than required
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess that's ok then, as long as podman provisioner works when defining network options.
"--security-opt": "seccomp=src/mrack/data/seccomp.json" | ||
# Mount a temporary filesystems (tmpfs) into a container | ||
"--tmpfs": | ||
- "/tmp" | ||
- "/run" | ||
- "/run/lock" | ||
# Use /sys/fs/cgroup in container as read only volume | ||
"-v": | ||
- "/sys/fs/cgroup:/sys/fs/cgroup:ro" | ||
# Adding ipv6 support to network | ||
"--network": "enable_ipv6=true" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This file is just a means for documentation and serves as an example. It doesn't affect execution. I would probably only remove the last line
Amending changes in #300 |
#300 merged |
I needed these changes to get FreeIPA topologies working with mrack podman provider.
You can see a sample configuration in https://github.com/abbra/freeipa-local-tests/, where I am able to set up two parallel IPA deployments in the same topology metadata and then establish trust between those IPA environments (using work-in-progress COPR).