Run systemctl instead of podman when generating systemd units #585
base: master
Conversation
This solves the problem of attempting to recreate a container/pod but failing to do so because systemd would do it for you first. Essentially, it is a race condition between this module and systemd, and the module almost always lost. Signed-off-by: Nogweii <colin@evaryont.me>
Force-pushed from e93507d to 7f8e202.
@sshnaidm, could you please allow the CI to run on this MR? I've been running this branch for a couple of weeks and it seems to work very well for me.
Thanks @nogweii, sorry for the late reply.
Oh, I forgot to update the PR description. My bad. I just edited it, but here is the summary: when managing containers with systemd (via the unit files generated by podman), stopping the container in order to recreate it with a different configuration will not last. Specifically, when you enable the `restart_policy: always` option, systemd restarts the container as soon as the module stops it.
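For illustration, a unit generated with `restart_policy: always` carries that policy straight into systemd; the excerpt below is what such a unit typically looks like (unit name and exact contents are assumptions, heavily abbreviated):

```console
$ systemctl cat container-authentik.service
[Unit]
Description=Podman container-authentik.service
...
[Service]
Restart=always
ExecStart=/usr/bin/podman run ... --name authentik ...
...
```

With `Restart=always`, a plain `podman stop` just looks like the unit's main process dying, so systemd immediately spawns a replacement.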
Because the module executes `podman stop` and `podman rm` directly, systemd sees the unit fail and brings the container right back up behind the module's back. The problem is more apparent when using "named" containers (containers created with a fixed `name`): recreating one fails outright if systemd has already restarted a container with that name.
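A sketch of that named-container failure mode (the image name is assumed, and the exact error wording varies between podman versions):

```console
# systemd has already re-created the container by the time the module
# tries to create its replacement under the same name:
$ podman run -d --name authentik docker.io/goauthentik/server:latest
Error: creating container storage: the container name "authentik" is already in use...
```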
What @nogweii is proposing, if I understood correctly, is that when the `generate_systemd` option is set, the module should start and stop the container through `systemctl` instead of calling `podman` directly.
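If I read the patch right, an update would then look roughly like the sequence below; this is a sketch of the intent (unit and container names assumed), not the literal module code:

```console
# Stop through systemd, so the unit ends up 'inactive' instead of
# 'failed' and systemd does not race to restart the container:
$ systemctl stop container-authentik.service

# Recreate the container with the new configuration:
$ podman rm authentik
$ podman run -d --name authentik ...

# Regenerate the unit and hand control back to systemd:
$ podman generate systemd --new --name authentik \
    > /etc/systemd/system/container-authentik.service
$ systemctl daemon-reload
$ systemctl start container-authentik.service
```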
I still object to using `systemctl` from this module to manage the containers.
Well, but this is the way systemd is meant to be used once the units exist. I get your point, don't get me wrong. I do however think that the configured software should win an argument about how it is used, rather than the orchestration tool that's configuring it. Managing the container lifecycle through `systemctl` is exactly what the generated units are for. I don't think I added much to the discussion here, but maybe we can agree that the configured subject (systemd, in this case) should have the final say.
Taking a look at the source code for how podman handles `--replace`: that parameter will cause podman to stop and delete the container. It's the same as running the commands individually, so the race condition between systemd and the module still exists. (It's probably a smaller window, as we don't have to wait for a whole new process to be spun up a couple of times, but we're talking about milliseconds of difference. Not really that much.)
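For reference, the `--replace` shorthand under discussion (image name assumed):

```console
# --replace performs the stop+rm+run internally; systemd can still
# jump in between the removal and the new create:
$ podman run -d --replace --name authentik docker.io/goauthentik/server:latest
```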
@nogweii I think I might have found a workaround. To manage the race condition, we can add `restart_sec` under `generate_systemd` and let systemd own the restart policy:

```yaml
- name: Create an Authentik container
  containers.podman.podman_container:
    name: authentik
    image: "{{ authentik_container_image }}:{{ authentik_container_tag }}"
    image_strict: yes
    state: started
    command: server
    generate_systemd:
      path: /etc/systemd/system/
      restart_policy: always
      time: 120
      restart_sec: 5
      new: true
      requires:
        - postgresql.service
        - redis.service
      after:
        - postgresql.service
        - redis.service
    env_file: /etc/default/container-authentik
    volume:
      - /srv/containers/authentik/blueprints:/blueprints/aethernet
    restart_policy: "no" # letting systemd handle this

- name: Systemd reload
  systemd:
    daemon_reload: yes
    scope: user
```
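A 5-second `RestartSec` gives the module a window to finish the delete/recreate before systemd attempts its own restart. You can check that the generated unit actually picked up the delay (unit name assumed; the property is standard systemd):

```console
$ systemctl show container-authentik.service --property=RestartUSec
RestartUSec=5s
```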
In addition, to prevent the race condition between the container tasks and systemd, we can add `systemd_reload: true` to the task:

```yaml
state: started
command: server
systemd_reload: true
generate_systemd:
  path: /etc/systemd/system/
  restart_policy: always
```
It would be great if this PR were considered for merging, as right now I always have to manually stop the container via `systemctl` before updating it. Edit: I cannot apply the restart_sec workaround, as Ubuntu 22.04 LTS ships a too-old Podman version in its repos, and it would still be a workaround instead of the right solution.
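For anyone hitting this in the meantime, the manual dance looks something like the following (unit name and playbook name are hypothetical):

```console
$ systemctl stop container-authentik.service   # so systemd won't fight the module
$ ansible-playbook site.yml
```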
Start and stop containers with `systemctl` instead of `podman` when a user is generating the systemd unit for the container. This prevents an annoying behavior that occurs with an example task like the Authentik one quoted in the comments above.

Such a task works perfectly fine when creating the container, but if you want to update the tag, it misbehaves: the resulting container, at the end of the run, is not updated. This is because of the following sequence of events:
1. The `containers.podman.podman_container` module (here on, "ansible") queries podman for the running container information and determines the image needs to be changed.
2. Ansible stops the container with `podman stop`.
3. Ansible deletes the container (`podman rm` as well) and then recreates it with the updated configuration. Ansible thinks everything is good, so it continues on.
4. Meanwhile, systemd notices that the unit (`container-authentik` in this example) has "failed", and recreates the container itself.
5. Ansible regenerates the unit file with `podman generate systemd`, but that scans the running container, which was just remade by systemd and is not on the latest tag. So this step effectively becomes a no-op.

Sometimes, steps 3 & 4 above are swapped, in which case the module does fail, because it attempts to create a container with a name that already exists, and podman (correctly) complains.
This is all due to the fact that this module is attempting to stop & start containers directly when I've configured them to be managed by a different service management daemon (systemd). Since we're already systemd-aware, it makes sense to me to teach the module how to properly behave in that scenario.
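To make the difference concrete, a minimal before/after sketch (unit and container names assumed):

```console
# Today: the module stops the container directly, and systemd undoes it.
$ podman stop authentik
$ sleep 2
$ podman ps --filter name=authentik    # the container is running again

# With this PR: the stop goes through systemd and actually sticks.
$ systemctl stop container-authentik.service
$ podman ps --filter name=authentik    # nothing listed
```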