From fc71a46e67294c25464621a7c0cbcdb8c5444a12 Mon Sep 17 00:00:00 2001 From: Will Szumski Date: Tue, 5 Mar 2024 16:48:32 +0000 Subject: [PATCH] Add feature to use binary version of crun This is to workaround issues in the package shipped by the OS[1]. [1] https://github.com/containers/crun/issues/1308 Closes-Bug: #2056210 Change-Id: I16f83d7e9cc127ce6997a85097d1517ce54fbefc --- roles/podman/defaults/main.yml | 3 +++ roles/podman/tasks/config.yml | 21 +++++++++++++++++++++ roles/podman/tasks/install.yml | 21 +++++++++++++++++++++ 3 files changed, 45 insertions(+) diff --git a/roles/podman/defaults/main.yml b/roles/podman/defaults/main.yml index d183d2e..6d7548b 100644 --- a/roles/podman/defaults/main.yml +++ b/roles/podman/defaults/main.yml @@ -6,6 +6,9 @@ apt_cache_valid_time: 3600 podman_packages: - "podman" +podman_enable_binary_crun: "{{ ansible_facts.distribution == 'Ubuntu' and ansible_facts.distribution_version == '22.04' }}" +podman_binary_crun_url: "https://github.com/containers/crun/releases/download/1.14.4/crun-1.14.4-linux-amd64" + # Podman config variables podman_storage_driver: podman_runtime_directory: diff --git a/roles/podman/tasks/config.yml b/roles/podman/tasks/config.yml index 8c96d58..91f0762 100644 --- a/roles/podman/tasks/config.yml +++ b/roles/podman/tasks/config.yml 
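Review bot: In roles/podman/defaults/main.yml, `podman_binary_crun_url` hard-codes the `linux-amd64` asset, but `podman_enable_binary_crun` is true on any Ubuntu 22.04 host whatever its CPU architecture, so a non-amd64 host would be given a runtime it cannot execute. Consider adding `and ansible_facts.architecture == 'x86_64'` to the condition, or deriving the asset suffix from the architecture fact. The defaults also carry no expected digest for the pinned 1.14.4 release; a companion variable such as `podman_binary_crun_checksum: "sha256:<digest of the release asset>"` (placeholder, to be taken from the upstream release) would let the download task verify what it fetches. A one-line comment above the two variables saying why the binary replaces the OS package would help, since that rationale currently lives only in the task files.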
@@ -75,3 +75,24 @@ when: - podman_registry is not none - podman_registry_ca is not none + +- name: Template containers.conf to use crun binary + # NOTE(wszumski): Workaround for known issue with crun when running via systemd, see: + # https://github.com/containers/crun/issues/1308 + vars: + runtime: |- + [engine.runtimes] + crun = ["/opt/bin/crun"] + copy: + dest: /etc/containers/containers.conf.d/runtime.conf + content: "{{ runtime }}" + mode: '0644' + become: true + when: podman_enable_binary_crun | bool + +- name: Ensure containters.conf crun customisation is removed + file: + path: /etc/containers/containers.conf.d/runtime.conf + state: absent + become: true + when: not podman_enable_binary_crun | bool diff --git a/roles/podman/tasks/install.yml b/roles/podman/tasks/install.yml index be82fc1..09ff51a 100644 --- a/roles/podman/tasks/install.yml +++ b/roles/podman/tasks/install.yml @@ -18,6 +18,27 @@ become: True register: podman_install_result +- block: + - name: Ensure /opt/bin exists + file: + path: /opt/bin + state: directory + owner: root + group: root + mode: 0777 + become: true + + - name: Download crun binary + # NOTE(wszumski): Workaround for known issue with crun when running via systemd, see: + # https://github.com/containers/crun/issues/1308 + ansible.builtin.get_url: + url: "{{ podman_binary_crun_url }}" + dest: /opt/bin/crun + mode: '0755' + become: true + + when: podman_enable_binary_crun | bool + # If any packages were updated, and any containers were running, wait for the # daemon to come up and start all previously running containers.
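Review bot: The `copy` task in roles/podman/tasks/config.yml writes `/etc/containers/containers.conf.d/runtime.conf` without ensuring that the `containers.conf.d` directory exists. `copy` does not create parent directories, so unless the package or a task outside this hunk creates it, the task fails on a fresh host. A preceding `file` task with `state: directory`, `owner: root`, `group: root` and `mode: '0755'` would cover that. Because this drop-in makes podman execute whatever sits at `/opt/bin/crun`, it should only be written once that path is root-owned and not writable by other users (compare the `/opt/bin` mode in install.yml). The second task name has a typo, `containters.conf`, and both tasks use the short module names `copy` and `file` while install.yml uses `ansible.builtin.get_url`.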
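Review bot: `mode: 0777` on `/opt/bin` in roles/podman/tasks/install.yml makes the directory world-writable, so any local account can replace or remove `/opt/bin/crun`, which the new containers.conf drop-in tells podman to run as its container runtime. It should be `mode: '0755'`, quoted like the other modes in this change. The `get_url` task also installs an executable with no integrity check; add `checksum: "{{ podman_binary_crun_checksum }}"` backed by a new default holding `sha256:<digest of the release asset>` (placeholder, to be taken from the upstream release). Without a checksum, `get_url` leaves an existing `/opt/bin/crun` in place, so changing `podman_binary_crun_url` later would likely not update the binary. The `block` has no `name`, and nothing removes `/opt/bin/crun` when `podman_enable_binary_crun` is turned off, unlike the runtime.conf cleanup in config.yml.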