From f45f7d25e0e2de7162244d01e7713396952dc933 Mon Sep 17 00:00:00 2001
From: uumas
Date: Fri, 3 Feb 2023 05:15:39 +0200
Subject: [PATCH] container: rework bind mount directory permissions, move from volume syntax to mount syntax, add single file template volumes

---
 roles/container/tasks/database.yml | 3 ++
 roles/container/tasks/main.yml | 11 +-------
 roles/container/tasks/volumes.yml | 45 +++++++++++++++++++++---------
 3 files changed, 36 insertions(+), 23 deletions(-)

diff --git a/roles/container/tasks/database.yml b/roles/container/tasks/database.yml
index 01e09fc..7b26ee1 100644
--- a/roles/container/tasks/database.yml
+++ b/roles/container/tasks/database.yml
@@ -8,6 +8,7 @@
 POSTGRES_PASSWORD: "{{ database_passwords[docker_service_name] }}"
 db_container_data: /var/lib/postgresql/data
 when: docker_database == 'postgres'
+
 - name: Set mariadb container vars
 set_fact:
 db_container_image: mariadb:10
@@ -20,11 +21,13 @@
 db_container_data: /var/lib/mysql
 db_image_port: 3306
 when: docker_database == 'mariadb'
+
 - name: Set mongo container vars
 set_fact:
 db_container_image: 'mongo:latest'
 db_container_data: /data/db
 when: docker_database == 'mongo'
+
 - name: Set db published ports var
 set_fact:
 db_published_ports: ["127.0.0.1:{{ ports[docker_service_name].db }}:{{ db_image_port }}"]
diff --git a/roles/container/tasks/main.yml b/roles/container/tasks/main.yml
index 034f748..fcd44b6 100644
--- a/roles/container/tasks/main.yml
+++ b/roles/container/tasks/main.yml
@@ -57,8 +57,7 @@
 name: "{{ docker_service_name }}"
 image: "{{ container_image.image.Id }}"
 user: "{{ docker_user | default(omit) }}"
- pull: "{{ dockerfile is not defined }}"
- volumes: "{{ docker_volume_definition }}"
+ mounts: "{{ docker_volume_definition }}"
 published_ports: "{{ container_published_ports + docker_published_ports }}"
 labels: "{{ traefik_labels | default(omit) }}"
 env: "{{ docker_env | combine(docker_additional_env) }}"
@@ -68,11 +67,3 @@
 networks: "{{ container_networks | default(omit) }}"
 log_driver: local
 register: container_out
-
-- name: "Reset bind mount directory permissions"
- file:
- path: "{{ docker_mounts_dir }}/{{ item.name }}"
- state: directory
- mode: 0750
- when: "docker_volume_type == 'bind' and item.name is defined"
- loop: "{{ final_docker_volumes }}"
diff --git a/roles/container/tasks/volumes.yml b/roles/container/tasks/volumes.yml
index 784df99..3cd2a8d 100644
--- a/roles/container/tasks/volumes.yml
+++ b/roles/container/tasks/volumes.yml
@@ -1,7 +1,9 @@
 ---
-- name: Bind mounts
- when: "docker_volume_type == 'bind'"
+- name: Create directories and put files in them
+ when:
+ - docker_volumes | length > 0
+ - (docker_volume_type == 'bind') or (docker_volumes | selectattr('template', 'defined') | list | length > 0)
 block:
 - name: Create directory /opt/{{ docker_service + '/' + docker_service_suffix }}
 file:
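Review bot: The relaxed block guard now lets this block run for a service with `docker_volume_type == 'named'` as soon as one entry in `docker_volumes` carries a `template`, but the "Create docker bind mount directories" and "named binds" tasks inside the block (in the following hunk) are gated only on `item.name is defined`, so such a service would get bind directories created and a bind mount added for every named entry in addition to the named volume the later task adds for the same `item.path` — Docker rejects two mounts on one target. Tighten those two tasks to `when: docker_volume_type == 'bind' and item.name is defined`, or move the template tasks out of this block so the `'bind'` guard can stay on it. The block body continues past the end of this hunk.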
@@ -25,31 +27,48 @@
 file:
 path: "{{ docker_mounts_dir }}"
 state: directory
- mode: 0755
+ owner: "{{ user.uid | default(omit) }}"
+ group: "{{ user.group | default(omit) }}"
+ mode: 0700
+ - name: Define mounts directory owner
+ set_fact:
+ mount_owner: "{{ user.uid if docker_host_user else image_user | default('') }}"
+ mount_group: "{{ user.group if docker_host_user else '' }}"
 - name: "Create docker bind mount directories for {{ docker_service_name }}"
 file:
 path: "{{ docker_mounts_dir }}/{{ item.name }}"
 state: directory
- owner: "{{ user.uid if item.set_owner is not defined or item.set_owner else omit | default(omit) }}"
- group: "{{ user.group if item.set_group is not defined or item.set_group else omit | default(omit) }}"
- mode: 0750
+ owner: "{{ mount_owner if (item.set_owner is not defined or item.set_owner) and mount_owner | length > 0 else omit }}"
+ group: "{{ mount_group if (item.set_group is not defined or item.set_group) and mount_group | length > 0 else omit }}"
 when: item.name is defined
 loop: "{{ docker_volumes }}"
 - name: Set docker_volume_definition for named binds
 set_fact:
- docker_volume_definition: "{{ docker_volume_definition + [docker_mounts_dir + '/' + item.name + ':' + item.path] }}"
+ docker_volume_definition: "{{ docker_volume_definition + [{'source': docker_mounts_dir + '/' + item.name, 'target': item.path, 'type': 'bind'}] }}"
 when: item.name is defined
 loop: "{{ docker_volumes }}"
-- name: Set docker_volume_definition for src binds
- set_fact:
- docker_volume_definition: "{{ docker_volume_definition + [item.src + ':' + item.path] }}"
- when: item.src is defined
- loop: "{{ final_docker_volumes }}"
+ - name: Template docker template mounts for {{ docker_service_name }}
+ template:
+ src: "{{ item.template }}.j2"
+ dest: "{{ docker_mounts_dir }}/{{ item.template }}"
+ when: item.template is defined
+ loop: "{{ docker_volumes }}"
+ - name: Set docker_volume_definition for template mounts
+ set_fact:
+ docker_volume_definition: "{{ 
docker_volume_definition + [{'source': docker_mounts_dir + '/' + item.template, 'target': item.path, 'read_only': true}] }}"
+ when: item.template is defined
+ loop: "{{ docker_volumes }}"
 - name: Set docker_volume_definition for named volumes
 set_fact:
- docker_volume_definition: "{{ docker_volume_definition + [item.name + ':' + item.path] }}"
+ docker_volume_definition: "{{ docker_volume_definition + [{'source': docker_service_name + '_' + item.name, 'target': item.path}] }}"
 when: docker_volume_type == 'named' and item.name is defined
 loop: "{{ final_docker_volumes }}"
+
+- name: Set docker_volume_definition for src binds
+ set_fact:
+ docker_volume_definition: "{{ docker_volume_definition + [{'source': item.src, 'target': item.path}] }}"
+ when: item.src is defined
+ loop: "{{ final_docker_volumes }}"
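Review bot: The new template-mount and src-bind entries carry no `type`, and the `mounts` option of `community.docker.docker_container` defaults `type` to `volume`, so a host path such as `docker_mounts_dir + '/' + item.template` or `item.src` would be handed to Docker as a volume name instead of being bind-mounted (only the named-bind entry above sets `'type': 'bind'`); make them `[{'source': docker_mounts_dir + '/' + item.template, 'target': item.path, 'type': 'bind', 'read_only': true}]` and `[{'source': item.src, 'target': item.path, 'type': 'bind'}]`. The templated file is also written with no `owner`, `group` or `mode`, so whether a container running as `image_user` can read it depends on the remote umask and connection user; set them explicitly on the `template` task, e.g. `mode: '0640'` with the same `mount_owner`/`mount_group` logic the directory task uses, which matters if the template carries credentials. Note too that the named-volume source changes from `item.name` to `docker_service_name + '_' + item.name`, so existing deployments with `docker_volume_type == 'named'` would presumably start on a fresh, empty volume unless the old one is migrated or the rename is documented.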