From bda3581294c8f29eda598522c331a4c009243884 Mon Sep 17 00:00:00 2001
From: Dimitri Savineau
Date: Mon, 14 Sep 2020 20:13:13 -0400
Subject: [PATCH] container: add optional http(s) proxy option When using a http(s) proxy with either docker or podman we can rely on the HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables. But with ansible, even if those variables are defined in a source file then they aren't loaded during the container pull/login tasks. This implements the http(s) proxy support with docker/podman. Both implementations are different: 1/ docker doesn't rely en the environment variables with the CLI. Thos are needed by the docker daemon via systemd. 2/ podman uses the environment variables so we need to add them to the login/pull tasks.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1876692
Signed-off-by: Dimitri Savineau
---
 group_vars/all.yml.sample | 3 ++
 group_vars/rhcs.yml.sample | 3 ++
 .../tasks/fetch_image.yml | 4 ++
 .../ceph-container-common/tasks/registry.yml | 6 ++-
 .../tasks/pre_requisites/prerequisites.yml | 52 ++++++++++++++++---
 .../templates/docker-proxy.conf.j2 | 8 +++
 roles/ceph-defaults/defaults/main.yml | 3 ++
 7 files changed, 71 insertions(+), 8 deletions(-)
 create mode 100644 roles/ceph-container-engine/templates/docker-proxy.conf.j2
diff --git a/group_vars/all.yml.sample b/group_vars/all.yml.sample
index 030550b90..ff30b7247 100644
--- a/group_vars/all.yml.sample
+++ b/group_vars/all.yml.sample
@@ -591,6 +591,9 @@ dummy:
 #ceph_docker_registry_auth: false
 #ceph_docker_registry_username:
 #ceph_docker_registry_password:
+#ceph_docker_http_proxy:
+#ceph_docker_https_proxy:
+#ceph_docker_no_proxy: "localhost,127.0.0.1"
 ## Client only docker image - defaults to {{ ceph_docker_image }}
 #ceph_client_docker_image: "{{ ceph_docker_image }}"
 #ceph_client_docker_image_tag: "{{ ceph_docker_image_tag }}"
diff --git a/group_vars/rhcs.yml.sample b/group_vars/rhcs.yml.sample
index 760a4347c..e742e356e 100644
--- a/group_vars/rhcs.yml.sample
+++ b/group_vars/rhcs.yml.sample
@@ -591,6 +591,9 @@ ceph_docker_registry: "registry.redhat.io"
 ceph_docker_registry_auth: true
 #ceph_docker_registry_username:
 #ceph_docker_registry_password:
+#ceph_docker_http_proxy:
+#ceph_docker_https_proxy:
+#ceph_docker_no_proxy: "localhost,127.0.0.1"
 ## Client only docker image - defaults to {{ ceph_docker_image }}
 #ceph_client_docker_image: "{{ ceph_docker_image }}"
 #ceph_client_docker_image_tag: "{{ ceph_docker_image_tag }}"
diff --git a/roles/ceph-container-common/tasks/fetch_image.yml b/roles/ceph-container-common/tasks/fetch_image.yml
index 8ae615037..20bbb206f 100644
--- a/roles/ceph-container-common/tasks/fetch_image.yml
+++ b/roles/ceph-container-common/tasks/fetch_image.yml
@@ -204,6 +204,10 @@
 retries: "{{ docker_pull_retry }}"
 delay: 10
 when: (ceph_docker_dev_image is undefined or not ceph_docker_dev_image | bool)
+ environment:
+ HTTP_PROXY: "{{ ceph_docker_http_proxy | default('') }}"
+ HTTPS_PROXY: "{{ ceph_docker_https_proxy | default('') }}"
+ NO_PROXY: "{{ ceph_docker_no_proxy }}"
 
 - name: "inspecting {{ ceph_docker_registry }}/{{ ceph_docker_image }}:{{ ceph_docker_image_tag }} image after pulling"
 command: "{{ container_binary }} inspect {{ ceph_docker_registry }}/{{ ceph_docker_image }}:{{ ceph_docker_image_tag }}"
diff --git a/roles/ceph-container-common/tasks/registry.yml b/roles/ceph-container-common/tasks/registry.yml
index 56cb42edc..4479c5291 100644
--- a/roles/ceph-container-common/tasks/registry.yml
+++ b/roles/ceph-container-common/tasks/registry.yml
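Review bot: The `environment:` block added to the pull task in fetch_image.yml carries no comment saying which engine it is meant for, and the same block is repeated on the login task in registry.yml. Going by the commit message, only podman reads these variables from the CLI environment, while docker takes its proxy from the daemon's systemd unit, so a reader of the task file alone cannot tell why docker hosts get them too. I would add a line above `environment:` such as `# podman reads the proxy from the environment; the docker daemon gets it from its systemd drop-in`. The pull task itself starts above the hunk.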
@@ -2,4 +2,8 @@
 - name: container registry authentication
 command: '{{ container_binary }} login -u {{ ceph_docker_registry_username }} -p {{ ceph_docker_registry_password }} {{ ceph_docker_registry }}'
 changed_when: false
- no_log: true
\ No newline at end of file
+ no_log: true
+ environment:
+ HTTP_PROXY: "{{ ceph_docker_http_proxy | default('') }}"
+ HTTPS_PROXY: "{{ ceph_docker_https_proxy | default('') }}"
+ NO_PROXY: "{{ ceph_docker_no_proxy }}"
\ No newline at end of file
diff --git a/roles/ceph-container-engine/tasks/pre_requisites/prerequisites.yml b/roles/ceph-container-engine/tasks/pre_requisites/prerequisites.yml
index 7e9ea87e3..5ed0127e7 100644
--- a/roles/ceph-container-engine/tasks/pre_requisites/prerequisites.yml
+++ b/roles/ceph-container-engine/tasks/pre_requisites/prerequisites.yml
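Review bot: The new last line of registry.yml, `NO_PROXY: "{{ ceph_docker_no_proxy }}"`, is still followed by `\ No newline at end of file`, so the file keeps ending without a newline. Since the commit rewrites the end of the file anyway, it could add the final newline and spare the next change to this task a spurious one-line diff.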
@@ -39,11 +39,49 @@ tags: with_pkg when: inventory_hostname in groups.get(osd_group_name, [])
-- name: start container service
- service:
- name: '{{ container_service_name }}'
- state: started
- enabled: yes
- tags:
- with_pkg
+- name: extra configuration for docker
 when: container_service_name == 'docker'
+ block:
+ - name: create the systemd docker override directory
+ file:
+ path: /etc/systemd/system/docker.service.d
+ state: directory
+ when: ceph_docker_http_proxy is defined or ceph_docker_https_proxy is defined
+
+ - name: create the systemd docker override file
+ template:
+ src: docker-proxy.conf.j2
+ dest: /etc/systemd/system/docker.service.d/proxy.conf
+ mode: 0600
+ owner: root
+ group: root
+ register: proxy_created
+ when: ceph_docker_http_proxy is defined or ceph_docker_https_proxy is defined
+
+ - name: remove docker proxy configuration
+ file:
+ path: /etc/systemd/system/docker.service.d/proxy.conf
+ state: absent
+ register: proxy_removed
+ when:
+ - ceph_docker_http_proxy is not defined
+ - ceph_docker_https_proxy is not defined
+
+ # using xxx.changed here instead of an ansible handler because we need to
+ # have an immediate effect and not wait the end of the play.
+ # using flush_handlers via the meta action plugin isn't enough too because
+ # it flushes all handlers and not only the one notified in this role.
+ - name: restart docker
+ systemd:
+ name: "{{ container_service_name }}"
+ state: restarted
+ daemon_reload: yes
+ when: proxy_created.changed | bool or proxy_removed.changed | bool
+
+ - name: start container service
+ service:
+ name: '{{ container_service_name }}'
+ state: started
+ enabled: yes
+ tags:
+ with_pkg
diff --git a/roles/ceph-container-engine/templates/docker-proxy.conf.j2 b/roles/ceph-container-engine/templates/docker-proxy.conf.j2
new file mode 100644
index 000000000..22a1cd8fe
--- /dev/null
+++ b/roles/ceph-container-engine/templates/docker-proxy.conf.j2
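Review bot: The `restart docker` task restarts the daemon on every host where the drop-in is created or removed, and nothing visible in this hunk limits that on a cluster that is already running. Unless live-restore is enabled in the daemon configuration (not shown here), a restart stops the containers the daemon manages, so adding or removing a proxy later would bounce the Ceph daemons on all targeted hosts in the same pass. I would at least document that above the task, e.g. `# NOTE: restarting docker stops running containers unless live-restore is enabled; change proxy settings during a maintenance window`. Separately, `mode: 0600` is better written as `mode: "0600"` so the value does not depend on YAML octal parsing.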
@@ -0,0 +1,8 @@
+[Service]
+{% if ceph_docker_http_proxy is defined %}
+Environment="HTTP_PROXY={{ ceph_docker_http_proxy }}"
+{% endif %}
+{% if ceph_docker_https_proxy is defined %}
+Environment="HTTPS_PROXY={{ ceph_docker_https_proxy }}"
+{% endif %}
+Environment="NO_PROXY={{ ceph_docker_no_proxy }}"
diff --git a/roles/ceph-defaults/defaults/main.yml b/roles/ceph-defaults/defaults/main.yml
index f91023172..647b1882a 100644
--- a/roles/ceph-defaults/defaults/main.yml
+++ b/roles/ceph-defaults/defaults/main.yml
@@ -583,6 +583,9 @@ ceph_docker_registry: docker.io
 ceph_docker_registry_auth: false
 #ceph_docker_registry_username:
 #ceph_docker_registry_password:
+#ceph_docker_http_proxy:
+#ceph_docker_https_proxy:
+ceph_docker_no_proxy: "localhost,127.0.0.1"
 ## Client only docker image - defaults to {{ ceph_docker_image }}
 ceph_client_docker_image: "{{ ceph_docker_image }}"
 ceph_client_docker_image_tag: "{{ ceph_docker_image_tag }}"
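Review bot: The proxy values in docker-proxy.conf.j2 are rendered into `Environment="HTTP_PROXY=..."` unescaped, and systemd expands `%` specifiers in `Environment=` lines, so a proxy URL containing percent-encoded characters (a constructed example: a password written as `p%40ss`) would be altered or rejected when the unit is loaded. Doubling the percent sign at render time avoids that: `Environment="HTTP_PROXY={{ ceph_docker_http_proxy | replace('%', '%%') }}"`, and likewise for the HTTPS_PROXY line. If the URL does carry credentials, the 0600 mode on the drop-in does not keep them private, because a unit's environment can be read with `systemctl show`; a header comment in the template saying so would help operators decide whether an authenticating proxy belongs here.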