ansible: Properly set podman.socket group

The `ExecStartPre=` was a quick hack, but it goes against the declared system state and e.g. doesn't survive restarts of `podman.socket`. Declare that properly with a unit drop-in.
cockpit-project · Mar 13, 2024 · 956ff20 · 956ff20
1 parent 035107a
commit 956ff20
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 2 deletions.
diff --git a/ansible/roles/tasks-systemd/tasks/main.yml b/ansible/roles/tasks-systemd/tasks/main.yml
@@ -40,6 +40,20 @@
       maxsockets=3
       cafile=/run/secrets/tasks/npm-registry.crt
 
+- name: Create podman.socket drop-in directory
+  file:
+    path: /etc/systemd/system/podman.socket.d
+    state: directory
+
+# idmapped mount would be better, but did not figure out how
+- name: Allow access to podman.socket to unprivileged container user
+  copy:
+    dest: /etc/systemd/system/podman.socket.d/container-access.conf
+    mode: 0644
+    content: |
+      [Socket]
+      SocketGroup=cockpituous
+
 - name: Create job-runner configuration
   copy:
     dest: /etc/job-runner.toml

diff --git a/tasks/install-service b/tasks/install-service
@@ -55,8 +55,6 @@ ExecStartPre=-/usr/bin/podman network rm cockpit-tasks-%i
 ExecStartPre=/usr/bin/chcon -R -l s0 \${TEST_CACHE}/images/
 ExecStartPre=/usr/bin/flock /tmp/cockpit-image-pull podman pull quay.io/cockpit/tasks
 ExecStartPre=/usr/bin/podman network create cockpit-tasks-%i
-# idmapped mount would be better, but did not figure out how
-ExecStartPre=/usr/bin/chgrp cockpituous %t/podman/podman.sock
 ExecStart=/usr/bin/podman run --name=cockpit-tasks-%i --hostname=${CONTAINER_HOSTNAME} \
     --device=/dev/kvm --network=cockpit-tasks-%i \
     --memory=24g --pids-limit=16384 --shm-size=1024m ${TMPVOL:-} \