Improve Podman provider #298
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
abbra
force-pushed
the
podman-freeipa
branch
3 times, most recently
from
45757ea to
7fd95bb
Compare
Allow to add custom network configuration to the network bridge activated via podman provider. Signed-off-by: Alexander Bokovoy <[email protected]>
Use seccomp.json from FreeIPA Azure CI tests. It works well for both docker and podman, both root and rootless. Signed-off-by: Alexander Bokovoy <[email protected]>
Signed-off-by: Alexander Bokovoy <[email protected]>
seccomp.json that is usable for FreeIPA should be packaged. Signed-off-by: Alexander Bokovoy <[email protected]>
Ansible connection.podman.podman connection module uses ansible_host as a container ID to connect to. Use container ID instead of IP address which cannot be reached in rootless setup anyway. It makes `ansible -c podman -i metadata-inventory.yaml` usable in rootless podman setup because one cannot connect over IP addresses to the containers as the networking bridge is not visible from the host. Signed-off-by: Alexander Bokovoy <[email protected]>
dav-pascual
requested changes
Oct 16, 2024
| @@ -29,6 +29,7 @@ class PodmanTransformer(Transformer): | |||
| "images", | |||
| "pubkey", | |||
| "default_network", | |||
| "network_options", | |||
There was a problem hiding this comment.
IMO I would remove this line, so the spec is optional, rather than required
There was a problem hiding this comment.
I guess that's ok then, as long as podman provisioner works when defining network options.
Comment on lines
-24
to
-34
| "--security-opt": "seccomp=src/mrack/data/seccomp.json" | ||
| # Mount a temporary filesystems (tmpfs) into a container | ||
| "--tmpfs": | ||
| - "/tmp" | ||
| - "/run" | ||
| - "/run/lock" | ||
| # Use /sys/fs/cgroup in container as read only volume | ||
| "-v": | ||
| - "/sys/fs/cgroup:/sys/fs/cgroup:ro" | ||
| # Adding ipv6 support to network | ||
| "--network": "enable_ipv6=true" |
There was a problem hiding this comment.
This file is just a means for documentation and serves as an example. It doesn't affect execution. I would probably only remove the last line
Merged
|
Amending changes in #300 |
|
#300 merged |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I needed these changes to get FreeIPA topologies working with mrack podman provider.
You can see a sample configuration in https://github.com/abbra/freeipa-local-tests/, where I am able to set up two parallel IPA deployments in the same topology metadata and then establish trust between those IPA environments (using work-in-progress COPR).