From 07d283a6e20b8e559257c9694f7e36e155075014 Mon Sep 17 00:00:00 2001

From: Michele Baldessari <michele@acksyn.org>

Date: Sun, 22 Jul 2018 17:54:29 +0200

Subject: [PATCH] Initial podman support

Tested with the following container:

     podman container set: test_bundle [docker.io/sdelrio/docker-minimal-nginx]

       test_bundle-podman-0 (ocf::heartbeat:podman):        Started nodea

       test_bundle-podman-1 (ocf::heartbeat:podman):        Started nodeb

       test_bundle-podman-2 (ocf::heartbeat:podman):        Started nodec

Tested a couple of stop/start cycles successfully. Needs the

corresponding pacemaker support https://github.com/ClusterLabs/pacemaker/pull/1564

---

 doc/man/Makefile.am   |   1 +

 heartbeat/Makefile.am |   1 +

 heartbeat/podman      | 488 ++++++++++++++++++++++++++++++++++++++++++

 3 files changed, 490 insertions(+)

 create mode 100755 heartbeat/podman

diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am

index 145e5fd50..0bef88740 100644

--- a/doc/man/Makefile.am

+++ b/doc/man/Makefile.am

@@ -151,6 +151,7 @@ man_MANS	       = ocf_heartbeat_AoEtarget.7 \

                           ocf_heartbeat_pgagent.7 \

                           ocf_heartbeat_pgsql.7 \

                           ocf_heartbeat_pingd.7 \

+                          ocf_heartbeat_podman.7 \

                           ocf_heartbeat_portblock.7 \

                           ocf_heartbeat_postfix.7 \

                           ocf_heartbeat_pound.7 \

diff --git a/heartbeat/Makefile.am b/heartbeat/Makefile.am

index e7a3a4fac..993bff042 100644

--- a/heartbeat/Makefile.am

+++ b/heartbeat/Makefile.am

@@ -146,6 +146,7 @@ ocf_SCRIPTS	     =  AoEtarget		\

 			pgagent			\

 			pgsql			\

 			pingd			\

+			podman			\

 			portblock		\

 			postfix			\

 			pound			\

diff --git a/heartbeat/podman b/heartbeat/podman

new file mode 100755

index 000000000..88475f1df

--- /dev/null

+++ b/heartbeat/podman

@@ -0,0 +1,488 @@

+#!/bin/sh

+#

+# The podman HA resource agent creates and launches a podman container

+# based off a supplied podman image. Containers managed by this agent

+# are both created and removed upon the agent's start and stop actions.

+#

+# Copyright (c) 2014 David Vossel <davidvossel@gmail.com>

+#                    Michele Baldessari <michele@acksyn.org>

+#                    All Rights Reserved.

+#

+# This program is free software; you can redistribute it and/or modify

+# it under the terms of version 2 of the GNU General Public License as

+# published by the Free Software Foundation.

+#

+# This program is distributed in the hope that it would be useful, but

+# WITHOUT ANY WARRANTY; without even the implied warranty of

+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

+#

+# Further, this software is distributed without any warranty that it is

+# free of the rightful claim of any third person regarding infringement

+# or the like.  Any license provided herein, whether implied or

+# otherwise, applies only to this software file.  Patent licenses, if

+# any, provided herein do not apply to combinations of this program with

+# other software, or any other product whatsoever.

+#

+# You should have received a copy of the GNU General Public License

+# along with this program; if not, write the Free Software Foundation,

+# Inc., 59 Temple Place - Suite 330, Boston MA 02111-1307, USA.

+#

+

+#######################################################################

+# Initialization:

+

+: ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat}

+. ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs

+

+#######################################################################

+

+meta_data()

+{

+	cat <

+

+

+<resource-agent name="podman">

+<version>1.0</version>

+

+<longdesc lang="en">

+The podman HA resource agent creates and launches a podman container

+based off a supplied podman image. Containers managed by this agent

+are both created and removed upon the agent's start and stop actions.

+</longdesc>

+<shortdesc lang="en">Podman container resource agent.</shortdesc>

+

+<parameters>

+<parameter name="image" required="1" unique="0">

+<longdesc lang="en">

+The podman image to base this container off of.

+</longdesc>

+<shortdesc lang="en">podman image</shortdesc>

+<content type="string"/>

+</parameter>

+

+<parameter name="name" required="0" unique="0">

+<longdesc lang="en">

+The name to give the created container. By default this will

+be that resource's instance name.

+</longdesc>

+<shortdesc lang="en">podman container name</shortdesc>

+<content type="string"/>

+</parameter>

+

+<parameter name="allow_pull" unique="0">

+<longdesc lang="en">

+Allow the image to be pulled from the configured podman registry when

+the image does not exist locally. NOTE, this can drastically increase

+the time required to start the container if the image repository is

+pulled over the network.

+</longdesc>

+<shortdesc lang="en">Allow pulling non-local images</shortdesc>

+<content type="boolean"/>

+</parameter>

+

+<parameter name="run_opts" required="0" unique="0">

+<longdesc lang="en">

+Add options to be appended to the 'podman run' command which is used

+when creating the container during the start action. This option allows

+users to do things such as setting a custom entry point and injecting

+environment variables into the newly created container. Note the '-d'

+option is supplied regardless of this value to force containers to run

+in the background.

+

+NOTE: Do not explicitly specify the --name argument in the run_opts. This

+agent will set --name using either the resource's instance or the name

+provided in the 'name' argument of this agent.

+

+</longdesc>

+<shortdesc lang="en">run options</shortdesc>

+<content type="string"/>

+</parameter>

+

+<parameter name="run_cmd" required="0" unique="0">

+<longdesc lang="en">

+Specify a command to launch within the container once

+it has initialized.

+</longdesc>

+<shortdesc lang="en">run command</shortdesc>

+<content type="string"/>

+</parameter>

+

+<parameter name="mount_points" required="0" unique="0">

+<longdesc lang="en">

+A comma separated list of directories that the container is expecting to use.

+The agent will ensure they exist by running 'mkdir -p'

+</longdesc>

+<shortdesc lang="en">Required mount points</shortdesc>

+<content type="string"/>

+</parameter>

+

+<parameter name="monitor_cmd" required="0" unique="0">

+<longdesc lang="en">

+Specify the full path of a command to launch within the container to check

+the health of the container. This command must return 0 to indicate that

+the container is healthy. A non-zero return code will indicate that the

+container has failed and should be recovered.

+

+If 'podman exec' is supported, it is used to execute the command. If not,

+nsenter is used.

+

+Note: Using this method for monitoring processes inside a container

+is not recommended, as containerd tries to track processes running

+inside the container and does not deal well with many short-lived

+processes being spawned. Ensure that your container monitors its

+own processes and terminates on fatal error rather than invoking

+a command from the outside.

+</longdesc>

+<shortdesc lang="en">monitor command</shortdesc>

+<content type="string"/>

+</parameter>

+

+<parameter name="force_kill" required="0" unique="0">

+<longdesc lang="en">

+Kill a container immediately rather than waiting for it to gracefully

+shutdown

+</longdesc>

+<shortdesc lang="en">force kill</shortdesc>

+<content type="boolean"/>

+</parameter>

+

+<parameter name="reuse" required="0" unique="0">

+<longdesc lang="en">

+Allow the container to be reused after stopping the container. By default

+containers are removed after stop. With the reuse option containers

+will persist after the container stops.

+</longdesc>

+<shortdesc lang="en">reuse container</shortdesc>

+<content type="boolean"/>

+</parameter>

+</parameters>

+

+<actions>

+<action name="start"        timeout="90s" />

+<action name="stop"         timeout="90s" />

+<action name="monitor"      timeout="30s" interval="30s" depth="0" />

+<action name="meta-data"    timeout="5s" />

+<action name="validate-all"   timeout="30s" />

+</actions>

+</resource-agent>

+END

+}

+

+#######################################################################

+REQUIRE_IMAGE_PULL=0

+

+podman_usage()

+{

+	cat <

+usage: $0 {start|stop|monitor|validate-all|meta-data}

+

+Expects to have a fully populated OCF RA-compliant environment set.

+END

+}

+

+

+monitor_cmd_exec()

+{

+	local rc=$OCF_SUCCESS

+	local out

+

+	if [ -z "$OCF_RESKEY_monitor_cmd" ]; then

+		return $rc

+	fi

+

+	if podman exec --help >/dev/null 2>&1; then

+		out=$(podman exec ${CONTAINER} $OCF_RESKEY_monitor_cmd 2>&1)

+		rc=$?

+	else

+		out=$(echo "$OCF_RESKEY_monitor_cmd" | nsenter --target $(podman inspect --format {{.State.Pid}} ${CONTAINER}) --mount --uts --ipc --net --pid 2>&1)

+		rc=$?

+	fi

+

+	if [ $rc -eq 127 ]; then

+		ocf_log err "monitor cmd failed (rc=$rc), output: $out"

+		ocf_exit_reason "monitor_cmd, ${OCF_RESKEY_monitor_cmd} , not found within container."

+		# there is no recovering from this, exit immediately

+		exit $OCF_ERR_ARGS

+	elif [ $rc -ne 0 ]; then

+		ocf_exit_reason "monitor cmd failed (rc=$rc), output: $out"

+		rc=$OCF_ERR_GENERIC

+	else

+		ocf_log debug "monitor cmd passed: exit code = $rc"

+	fi

+

+	return $rc

+}

+

+container_exists()

+{

+	podman inspect --format {{.State.Running}} $CONTAINER | egrep '(true|false)' >/dev/null 2>&1

+}

+

+remove_container()

+{

+	if ocf_is_true "$OCF_RESKEY_reuse"; then

+		# never remove the container if we have reuse enabled.

+		return 0

+	fi

+

+	container_exists

+	if [ $? -ne 0 ]; then

+		# don't attempt to remove a container that doesn't exist

+		return 0

+	fi

+	ocf_log notice "Cleaning up inactive container, ${CONTAINER}."

+	ocf_run podman rm $CONTAINER

+}

+

+podman_simple_status()

+{

+	local val

+

+	container_exists

+	if [ $? -ne 0 ]; then

+		return $OCF_NOT_RUNNING

+	fi

+

+	# retrieve the 'Running' attribute for the container

+	val=$(podman inspect --format {{.State.Running}} $CONTAINER 2>/dev/null)

+	if [ $? -ne 0 ]; then

+		#not running as a result of container not being found

+		return $OCF_NOT_RUNNING

+	fi

+

+	if ocf_is_true "$val"; then

+		# container exists and is running

+		return $OCF_SUCCESS

+	fi

+

+	return $OCF_NOT_RUNNING

+}

+

+podman_monitor()

+{

+	local rc=0

+

+	podman_simple_status

+	rc=$?

+

+	if [ $rc -ne 0 ]; then

+		return $rc

+	fi

+

+	monitor_cmd_exec

+}

+

+podman_create_mounts() {

+	oldIFS="$IFS"

+	IFS=","

+	for directory in $OCF_RESKEY_mount_points; do

+		mkdir -p "$directory"

+	done

+	IFS="$oldIFS"

+}

+

+podman_start()

+{

+	podman_create_mounts

+	local run_opts="-d --name=${CONTAINER}"

+	# check to see if the container has already started

+	podman_simple_status

+	if [ $? -eq $OCF_SUCCESS ]; then

+		return $OCF_SUCCESS

+	fi

+

+	if [ -n "$OCF_RESKEY_run_opts" ]; then

+		run_opts="$run_opts $OCF_RESKEY_run_opts"

+	fi

+

+	if [ $REQUIRE_IMAGE_PULL -eq 1 ]; then

+		ocf_log notice "Beginning pull of image, ${OCF_RESKEY_image}"

+		podman pull "${OCF_RESKEY_image}"

+		if [ $? -ne 0 ]; then

+			ocf_exit_reason "failed to pull image ${OCF_RESKEY_image}"

+			return $OCF_ERR_GENERIC

+		fi

+	fi

+

+	if ocf_is_true "$OCF_RESKEY_reuse" && container_exists; then

+		ocf_log info "starting existing container $CONTAINER."

+		ocf_run podman start $CONTAINER

+	else

+		# make sure any previous container matching our container name is cleaned up first.

+		# we already know at this point it wouldn't be running

+		remove_container

+		ocf_log info "running container $CONTAINER for the first time"

+		ocf_run podman run $run_opts $OCF_RESKEY_image $OCF_RESKEY_run_cmd

+	fi

+

+	if [ $? -ne 0 ]; then

+		ocf_exit_reason "podman failed to launch container"

+		return $OCF_ERR_GENERIC

+	fi

+

+

+	# wait for monitor to pass before declaring that the container is started

+	while true; do

+		podman_simple_status

+		if [ $? -ne $OCF_SUCCESS ]; then

+			ocf_exit_reason "Newly created podman container exited after start"

+			return $OCF_ERR_GENERIC

+		fi

+

+		monitor_cmd_exec

+		if [ $? -eq $OCF_SUCCESS ]; then

+			ocf_log notice "Container $CONTAINER  started successfully"

+			return $OCF_SUCCESS

+		fi

+

+		ocf_exit_reason "waiting on monitor_cmd to pass after start"

+		sleep 1

+	done

+}

+

+podman_stop()

+{

+	local timeout=60

+	podman_simple_status

+	if [ $? -eq  $OCF_NOT_RUNNING ]; then

+		remove_container

+		return $OCF_SUCCESS

+	fi

+

+	if [ -n "$OCF_RESKEY_CRM_meta_timeout" ]; then

+		timeout=$((($OCF_RESKEY_CRM_meta_timeout/1000) -10 ))

+		if [ $timeout -lt 10 ]; then

+			timeout=10

+		fi

+	fi

+

+	if ocf_is_true "$OCF_RESKEY_force_kill"; then

+		ocf_run podman kill $CONTAINER

+	else

+		ocf_log debug "waiting $timeout second[s] before killing container"

+		ocf_run podman stop -t=$timeout $CONTAINER

+	fi

+

+	if [ $? -ne 0 ]; then

+		ocf_exit_reason "Failed to stop container, ${CONTAINER}, based on image, ${OCF_RESKEY_image}."

+		return $OCF_ERR_GENERIC

+	fi

+

+	remove_container

+	if [ $? -ne 0 ]; then

+		ocf_exit_reason "Failed to remove stopped container, ${CONTAINER}, based on image, ${OCF_RESKEY_image}."

+		return $OCF_ERR_GENERIC

+	fi

+

+	return $OCF_SUCCESS

+}

+

+image_exists()

+{

+	# if no tag was specified, use default "latest"

+	local COLON_FOUND=0

+	local SLASH_FOUND=0

+	local SERVER_NAME=""

+	local IMAGE_NAME="${OCF_RESKEY_image}"

+	local IMAGE_TAG="latest"

+

+	SLASH_FOUND="$(echo "${OCF_RESKEY_image}" | grep -o '/' | grep -c .)"

+

+	if [ ${SLASH_FOUND} -ge 1 ]; then

+		SERVER_NAME="$(echo ${IMAGE_NAME} | cut -d / -f 1-${SLASH_FOUND})"

+		IMAGE_NAME="$(echo ${IMAGE_NAME} | awk -F'/' '{print $NF}')"

+	fi

+

+	COLON_FOUND="$(echo "${IMAGE_NAME}" | grep -o ':' | grep -c .)"

+	if [ ${COLON_FOUND} -ge 1 ]; then

+		IMAGE_TAG="$(echo ${IMAGE_NAME} | awk -F':' '{print $NF}')"

+		IMAGE_NAME="$(echo ${IMAGE_NAME} | cut -d : -f 1-${COLON_FOUND})"

+	fi

+

+	# IMAGE_NAME might be following formats:

+	# - image

+	# - repository:port/image

+	# - docker.io/image (some distro will display "docker.io/" as prefix)

+	podman images | awk '{print $1 ":" $2}' | egrep -q -s "^(docker.io\/|${SERVER_NAME}\/)?${IMAGE_NAME}:${IMAGE_TAG}\$"

+	if [ $? -eq 0 ]; then

+		# image found

+		return 0

+	fi

+

+	if ocf_is_true "$OCF_RESKEY_allow_pull"; then

+		REQUIRE_IMAGE_PULL=1

+		ocf_log notice "Image (${OCF_RESKEY_image}) does not exist locally but will be pulled during start"

+		return 0

+	fi

+	# image not found.

+	return 1

+}

+

+podman_validate()

+{

+	check_binary podman

+	if [ -z "$OCF_RESKEY_image" ]; then

+		ocf_exit_reason "'image' option is required"

+		exit $OCF_ERR_CONFIGURED

+	fi

+

+	if [ -n "$OCF_RESKEY_monitor_cmd" ]; then

+		podman exec --help >/dev/null 2>&1

+		if [ ! $? ]; then

+			ocf_log info "checking for nsenter, which is required when 'monitor_cmd' is specified"

+			check_binary nsenter

+		fi

+	fi

+

+	image_exists

+	if [ $? -ne 0 ]; then

+		ocf_exit_reason "base image, ${OCF_RESKEY_image}, could not be found."

+		exit $OCF_ERR_CONFIGURED

+	fi

+

+	return $OCF_SUCCESS

+}

+

+# TODO :

+# When a user starts plural clones in a node in globally-unique, a user cannot appoint plural name parameters.

+# When a user appoints reuse, the resource agent cannot connect plural clones with a container.

+

+if ocf_is_true "$OCF_RESKEY_CRM_meta_globally_unique"; then

+	if [ -n "$OCF_RESKEY_name" ]; then

+		if [ -n "$OCF_RESKEY_CRM_meta_clone_node_max" ] && [ "$OCF_RESKEY_CRM_meta_clone_node_max" -ne 1 ]

+		then

+			ocf_exit_reason "Cannot make plural clones from the same name parameter."

+			exit $OCF_ERR_CONFIGURED

+		fi

+		if [ -n "$OCF_RESKEY_CRM_meta_master_node_max" ] && [ "$OCF_RESKEY_CRM_meta_master_node_max" -ne 1 ]

+		then

+			ocf_exit_reason "Cannot make plural master from the same name parameter."

+			exit $OCF_ERR_CONFIGURED

+		fi

+	fi

+	: ${OCF_RESKEY_name=`echo ${OCF_RESOURCE_INSTANCE} | tr ':' '-'`}

+else

+	: ${OCF_RESKEY_name=${OCF_RESOURCE_INSTANCE}}

+fi

+

+CONTAINER=$OCF_RESKEY_name

+

+case $__OCF_ACTION in

+meta-data) meta_data

+		exit $OCF_SUCCESS;;

+start)

+	podman_validate

+	podman_start;;

+stop)		podman_stop;;

+monitor)	podman_monitor;;

+validate-all)	podman_validate;;

+usage|help)	podman_usage

+		exit $OCF_SUCCESS

+		;;

+*)		podman_usage

+		exit $OCF_ERR_UNIMPLEMENTED

+		;;

+esac

+rc=$?

+ocf_log debug "${OCF_RESOURCE_INSTANCE} $__OCF_ACTION : $rc"

+exit $rc