From 07d283a6e20b8e559257c9694f7e36e155075014 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Sun, 22 Jul 2018 17:54:29 +0200 Subject: [PATCH] Initial podman support Tested with the following container: podman container set: test_bundle [docker.io/sdelrio/docker-minimal-nginx] test_bundle-podman-0 (ocf::heartbeat:podman): Started nodea test_bundle-podman-1 (ocf::heartbeat:podman): Started nodeb test_bundle-podman-2 (ocf::heartbeat:podman): Started nodec Tested a couple of stop/start cycles successfully. Needs the corresponding pacemaker support https://github.com/ClusterLabs/pacemaker/pull/1564 --- doc/man/Makefile.am | 1 + heartbeat/Makefile.am | 1 + heartbeat/podman | 488 ++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 490 insertions(+) create mode 100755 heartbeat/podman diff --git a/doc/man/Makefile.am b/doc/man/Makefile.am index 145e5fd50..0bef88740 100644 --- a/doc/man/Makefile.am +++ b/doc/man/Makefile.am @@ -151,6 +151,7 @@ man_MANS = ocf_heartbeat_AoEtarget.7 \ ocf_heartbeat_pgagent.7 \ ocf_heartbeat_pgsql.7 \ ocf_heartbeat_pingd.7 \ + ocf_heartbeat_podman.7 \ ocf_heartbeat_portblock.7 \ ocf_heartbeat_postfix.7 \ ocf_heartbeat_pound.7 \ diff --git a/heartbeat/Makefile.am b/heartbeat/Makefile.am index e7a3a4fac..993bff042 100644 --- a/heartbeat/Makefile.am +++ b/heartbeat/Makefile.am @@ -146,6 +146,7 @@ ocf_SCRIPTS = AoEtarget \ pgagent \ pgsql \ pingd \ + podman \ portblock \ postfix \ pound \ diff --git a/heartbeat/podman b/heartbeat/podman new file mode 100755 index 000000000..88475f1df --- /dev/null +++ b/heartbeat/podman @@ -0,0 +1,488 @@ +#!/bin/sh +# +# The podman HA resource agent creates and launches a podman container +# based off a supplied podman image. Containers managed by this agent +# are both created and removed upon the agent's start and stop actions. +# +# Copyright (c) 2014 David Vossel +# Michele Baldessari +# All Rights Reserved. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of version 2 of the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it would be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. +# +# Further, this software is distributed without any warranty that it is +# free of the rightful claim of any third person regarding infringement +# or the like. Any license provided herein, whether implied or +# otherwise, applies only to this software file. Patent licenses, if +# any, provided herein do not apply to combinations of this program with +# other software, or any other product whatsoever. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write the Free Software Foundation, +# Inc., 59 Temple Place - Suite 330, Boston MA 02111-1307, USA. +# + +####################################################################### +# Initialization: + +: ${OCF_FUNCTIONS_DIR=${OCF_ROOT}/lib/heartbeat} +. ${OCF_FUNCTIONS_DIR}/ocf-shellfuncs + +####################################################################### + +meta_data() +{ + cat < + + +1.0 + + +The podman HA resource agent creates and launches a podman container +based off a supplied podman image. Containers managed by this agent +are both created and removed upon the agent's start and stop actions. + +Podman container resource agent. + + + + +The podman image to base this container off of. + +podman image + + + + + +The name to give the created container. By default this will +be that resource's instance name. + +podman container name + + + + + +Allow the image to be pulled from the configured podman registry when +the image does not exist locally. NOTE, this can drastically increase +the time required to start the container if the image repository is +pulled over the network. + +Allow pulling non-local images + + + + + +Add options to be appended to the 'podman run' command which is used +when creating the container during the start action. This option allows +users to do things such as setting a custom entry point and injecting +environment variables into the newly created container. Note the '-d' +option is supplied regardless of this value to force containers to run +in the background. + +NOTE: Do not explicitly specify the --name argument in the run_opts. This +agent will set --name using either the resource's instance or the name +provided in the 'name' argument of this agent. + + +run options + + + + + +Specify a command to launch within the container once +it has initialized. + +run command + + + + + +A comma separated list of directories that the container is expecting to use. +The agent will ensure they exist by running 'mkdir -p' + +Required mount points + + + + + +Specify the full path of a command to launch within the container to check +the health of the container. This command must return 0 to indicate that +the container is healthy. A non-zero return code will indicate that the +container has failed and should be recovered. + +If 'podman exec' is supported, it is used to execute the command. If not, +nsenter is used. + +Note: Using this method for monitoring processes inside a container +is not recommended, as containerd tries to track processes running +inside the container and does not deal well with many short-lived +processes being spawned. Ensure that your container monitors its +own processes and terminates on fatal error rather than invoking +a command from the outside. + +monitor command + + + + + +Kill a container immediately rather than waiting for it to gracefully +shutdown + +force kill + + + + + +Allow the container to be reused after stopping the container. By default +containers are removed after stop. With the reuse option containers +will persist after the container stops. + +reuse container + + + + + + + + + + + + +END +} + +####################################################################### +REQUIRE_IMAGE_PULL=0 + +podman_usage() +{ + cat </dev/null 2>&1; then + out=$(podman exec ${CONTAINER} $OCF_RESKEY_monitor_cmd 2>&1) + rc=$? + else + out=$(echo "$OCF_RESKEY_monitor_cmd" | nsenter --target $(podman inspect --format {{.State.Pid}} ${CONTAINER}) --mount --uts --ipc --net --pid 2>&1) + rc=$? + fi + + if [ $rc -eq 127 ]; then + ocf_log err "monitor cmd failed (rc=$rc), output: $out" + ocf_exit_reason "monitor_cmd, ${OCF_RESKEY_monitor_cmd} , not found within container." + # there is no recovering from this, exit immediately + exit $OCF_ERR_ARGS + elif [ $rc -ne 0 ]; then + ocf_exit_reason "monitor cmd failed (rc=$rc), output: $out" + rc=$OCF_ERR_GENERIC + else + ocf_log debug "monitor cmd passed: exit code = $rc" + fi + + return $rc +} + +container_exists() +{ + podman inspect --format {{.State.Running}} $CONTAINER | egrep '(true|false)' >/dev/null 2>&1 +} + +remove_container() +{ + if ocf_is_true "$OCF_RESKEY_reuse"; then + # never remove the container if we have reuse enabled. + return 0 + fi + + container_exists + if [ $? -ne 0 ]; then + # don't attempt to remove a container that doesn't exist + return 0 + fi + ocf_log notice "Cleaning up inactive container, ${CONTAINER}." + ocf_run podman rm $CONTAINER +} + +podman_simple_status() +{ + local val + + container_exists + if [ $? -ne 0 ]; then + return $OCF_NOT_RUNNING + fi + + # retrieve the 'Running' attribute for the container + val=$(podman inspect --format {{.State.Running}} $CONTAINER 2>/dev/null) + if [ $? -ne 0 ]; then + #not running as a result of container not being found + return $OCF_NOT_RUNNING + fi + + if ocf_is_true "$val"; then + # container exists and is running + return $OCF_SUCCESS + fi + + return $OCF_NOT_RUNNING +} + +podman_monitor() +{ + local rc=0 + + podman_simple_status + rc=$? + + if [ $rc -ne 0 ]; then + return $rc + fi + + monitor_cmd_exec +} + +podman_create_mounts() { + oldIFS="$IFS" + IFS="," + for directory in $OCF_RESKEY_mount_points; do + mkdir -p "$directory" + done + IFS="$oldIFS" +} + +podman_start() +{ + podman_create_mounts + local run_opts="-d --name=${CONTAINER}" + # check to see if the container has already started + podman_simple_status + if [ $? -eq $OCF_SUCCESS ]; then + return $OCF_SUCCESS + fi + + if [ -n "$OCF_RESKEY_run_opts" ]; then + run_opts="$run_opts $OCF_RESKEY_run_opts" + fi + + if [ $REQUIRE_IMAGE_PULL -eq 1 ]; then + ocf_log notice "Beginning pull of image, ${OCF_RESKEY_image}" + podman pull "${OCF_RESKEY_image}" + if [ $? -ne 0 ]; then + ocf_exit_reason "failed to pull image ${OCF_RESKEY_image}" + return $OCF_ERR_GENERIC + fi + fi + + if ocf_is_true "$OCF_RESKEY_reuse" && container_exists; then + ocf_log info "starting existing container $CONTAINER." + ocf_run podman start $CONTAINER + else + # make sure any previous container matching our container name is cleaned up first. + # we already know at this point it wouldn't be running + remove_container + ocf_log info "running container $CONTAINER for the first time" + ocf_run podman run $run_opts $OCF_RESKEY_image $OCF_RESKEY_run_cmd + fi + + if [ $? -ne 0 ]; then + ocf_exit_reason "podman failed to launch container" + return $OCF_ERR_GENERIC + fi + + + # wait for monitor to pass before declaring that the container is started + while true; do + podman_simple_status + if [ $? -ne $OCF_SUCCESS ]; then + ocf_exit_reason "Newly created podman container exited after start" + return $OCF_ERR_GENERIC + fi + + monitor_cmd_exec + if [ $? -eq $OCF_SUCCESS ]; then + ocf_log notice "Container $CONTAINER started successfully" + return $OCF_SUCCESS + fi + + ocf_exit_reason "waiting on monitor_cmd to pass after start" + sleep 1 + done +} + +podman_stop() +{ + local timeout=60 + podman_simple_status + if [ $? -eq $OCF_NOT_RUNNING ]; then + remove_container + return $OCF_SUCCESS + fi + + if [ -n "$OCF_RESKEY_CRM_meta_timeout" ]; then + timeout=$((($OCF_RESKEY_CRM_meta_timeout/1000) -10 )) + if [ $timeout -lt 10 ]; then + timeout=10 + fi + fi + + if ocf_is_true "$OCF_RESKEY_force_kill"; then + ocf_run podman kill $CONTAINER + else + ocf_log debug "waiting $timeout second[s] before killing container" + ocf_run podman stop -t=$timeout $CONTAINER + fi + + if [ $? -ne 0 ]; then + ocf_exit_reason "Failed to stop container, ${CONTAINER}, based on image, ${OCF_RESKEY_image}." + return $OCF_ERR_GENERIC + fi + + remove_container + if [ $? -ne 0 ]; then + ocf_exit_reason "Failed to remove stopped container, ${CONTAINER}, based on image, ${OCF_RESKEY_image}." + return $OCF_ERR_GENERIC + fi + + return $OCF_SUCCESS +} + +image_exists() +{ + # if no tag was specified, use default "latest" + local COLON_FOUND=0 + local SLASH_FOUND=0 + local SERVER_NAME="" + local IMAGE_NAME="${OCF_RESKEY_image}" + local IMAGE_TAG="latest" + + SLASH_FOUND="$(echo "${OCF_RESKEY_image}" | grep -o '/' | grep -c .)" + + if [ ${SLASH_FOUND} -ge 1 ]; then + SERVER_NAME="$(echo ${IMAGE_NAME} | cut -d / -f 1-${SLASH_FOUND})" + IMAGE_NAME="$(echo ${IMAGE_NAME} | awk -F'/' '{print $NF}')" + fi + + COLON_FOUND="$(echo "${IMAGE_NAME}" | grep -o ':' | grep -c .)" + if [ ${COLON_FOUND} -ge 1 ]; then + IMAGE_TAG="$(echo ${IMAGE_NAME} | awk -F':' '{print $NF}')" + IMAGE_NAME="$(echo ${IMAGE_NAME} | cut -d : -f 1-${COLON_FOUND})" + fi + + # IMAGE_NAME might be following formats: + # - image + # - repository:port/image + # - docker.io/image (some distro will display "docker.io/" as prefix) + podman images | awk '{print $1 ":" $2}' | egrep -q -s "^(docker.io\/|${SERVER_NAME}\/)?${IMAGE_NAME}:${IMAGE_TAG}\$" + if [ $? -eq 0 ]; then + # image found + return 0 + fi + + if ocf_is_true "$OCF_RESKEY_allow_pull"; then + REQUIRE_IMAGE_PULL=1 + ocf_log notice "Image (${OCF_RESKEY_image}) does not exist locally but will be pulled during start" + return 0 + fi + # image not found. + return 1 +} + +podman_validate() +{ + check_binary podman + if [ -z "$OCF_RESKEY_image" ]; then + ocf_exit_reason "'image' option is required" + exit $OCF_ERR_CONFIGURED + fi + + if [ -n "$OCF_RESKEY_monitor_cmd" ]; then + podman exec --help >/dev/null 2>&1 + if [ ! $? ]; then + ocf_log info "checking for nsenter, which is required when 'monitor_cmd' is specified" + check_binary nsenter + fi + fi + + image_exists + if [ $? -ne 0 ]; then + ocf_exit_reason "base image, ${OCF_RESKEY_image}, could not be found." + exit $OCF_ERR_CONFIGURED + fi + + return $OCF_SUCCESS +} + +# TODO : +# When a user starts plural clones in a node in globally-unique, a user cannot appoint plural name parameters. +# When a user appoints reuse, the resource agent cannot connect plural clones with a container. + +if ocf_is_true "$OCF_RESKEY_CRM_meta_globally_unique"; then + if [ -n "$OCF_RESKEY_name" ]; then + if [ -n "$OCF_RESKEY_CRM_meta_clone_node_max" ] && [ "$OCF_RESKEY_CRM_meta_clone_node_max" -ne 1 ] + then + ocf_exit_reason "Cannot make plural clones from the same name parameter." + exit $OCF_ERR_CONFIGURED + fi + if [ -n "$OCF_RESKEY_CRM_meta_master_node_max" ] && [ "$OCF_RESKEY_CRM_meta_master_node_max" -ne 1 ] + then + ocf_exit_reason "Cannot make plural master from the same name parameter." + exit $OCF_ERR_CONFIGURED + fi + fi + : ${OCF_RESKEY_name=`echo ${OCF_RESOURCE_INSTANCE} | tr ':' '-'`} +else + : ${OCF_RESKEY_name=${OCF_RESOURCE_INSTANCE}} +fi + +CONTAINER=$OCF_RESKEY_name + +case $__OCF_ACTION in +meta-data) meta_data + exit $OCF_SUCCESS;; +start) + podman_validate + podman_start;; +stop) podman_stop;; +monitor) podman_monitor;; +validate-all) podman_validate;; +usage|help) podman_usage + exit $OCF_SUCCESS + ;; +*) podman_usage + exit $OCF_ERR_UNIMPLEMENTED + ;; +esac +rc=$? +ocf_log debug "${OCF_RESOURCE_INSTANCE} $__OCF_ACTION : $rc" +exit $rc