run foreman in a container #1164
Conversation
evgeni
force-pushed
the
frankontainer
branch
15 times, most recently
from
3eea753
to
bc4dea6
Compare
manifests/service.pp
Outdated
| 'AddCapability' => ['CAP_DAC_OVERRIDE', 'CAP_IPC_OWNER'], | ||
| 'Network' => 'host', | ||
| 'HostName' => $foreman::servername, | ||
| 'Notify' => true, |
There was a problem hiding this comment.
sd_notify from the container, super nice.
manifests/service.pp
Outdated
| 'Image' => 'quay.io/evgeni/foreman-rpm:latest', | ||
| 'Volume' => ['/etc/foreman/:/etc/foreman/'], | ||
| 'AddCapability' => ['CAP_DAC_OVERRIDE', 'CAP_IPC_OWNER'], | ||
| 'Network' => 'host', |
There was a problem hiding this comment.
using Network=host so that we don't need any private networks, fiddling with v6 subnets or exposing ports.
manifests/service.pp
Outdated
| container_entry => { | ||
| 'Image' => 'quay.io/evgeni/foreman-rpm:latest', | ||
| 'Volume' => ['/etc/foreman/:/etc/foreman/'], | ||
| 'AddCapability' => ['CAP_DAC_OVERRIDE', 'CAP_IPC_OWNER'], |
There was a problem hiding this comment.
the foreman user inside the container might have a different UID than outside, fucking up file access :/
(I am not sure this is overall a good idea, but here we are for now)
There was a problem hiding this comment.
Feels like a nasty hack that we need to resolve prior to going production with this.
| @@ -153,7 +155,13 @@ | |||
| } | |||
|
|
|||
| if $foreman::apache { | |||
| $listen_socket = '/run/foreman.sock' | |||
| if $foreman::deployment_mode == 'container' { | |||
| $listen_socket = 'localhost:3000/' | |||
There was a problem hiding this comment.
This one was tricky. Apache (or foreman::config::apache) doesn't add a trailing slash to the backend, which then tries to access things like http://localhost:3000users/login, obviously failing
There was a problem hiding this comment.
You can use systemd socket activation with podman containers. I've used that myself with gunicorn to avoid needing to deal with a firewall (and instead deal with SELinux). Any reason you don't use that now?
See https://github.com/containers/podman/blob/main/docs/tutorials/socket_activation.md#socket-activation-of-containers for more info.
There was a problem hiding this comment.
Oh cool. I didn't try that (yet), but I also think that the above is a legit bug in our current deployment if for some reason users do not want sockets.
also lol @ "and instead deal with SELinux" ;)
There was a problem hiding this comment.
Quite possible that there's a bug there
| db_host => 'localhost', | ||
| db_manage_rake => false, |
There was a problem hiding this comment.
I wonder if these two could be made more "dynamic"?
There was a problem hiding this comment.
What do you mean? That db_manage_rake would be undef by default and the deployment mode determines the value?
There was a problem hiding this comment.
yeah, same for host (there is not really a socket in the container)
evgeni
force-pushed
the
frankontainer
branch
5 times, most recently
from
191f411
to
ea31bc3
Compare
No description provided.