From 5715cdb046b039dbae470171bba581729057667c Mon Sep 17 00:00:00 2001 From: Daniel Berteaud Date: Wed, 3 Aug 2022 16:00:16 +0200 Subject: [PATCH] Update to 2022-08-03 16:00 --- roles/cni_plugins/defaults/main.yml | 11 +++++++ roles/cni_plugins/tasks/archive_post.yml | 14 +++++++++ roles/cni_plugins/tasks/archive_pre.yml | 14 +++++++++ roles/cni_plugins/tasks/cleanup.yml | 7 +++++ roles/cni_plugins/tasks/directories.yml | 13 +++++++++ roles/cni_plugins/tasks/facts.yml | 12 ++++++++ roles/cni_plugins/tasks/install.yml | 18 ++++++++++++ roles/cni_plugins/tasks/main.yml | 24 ++++++++++++++++ roles/cni_plugins/tasks/write_version.yml | 5 ++++ roles/nomad/defaults/main.yml | 14 +++++++-- roles/nomad/meta/main.yml | 2 ++ roles/nomad/tasks/archive_pre.yml | 15 ++++++++-- roles/nomad/tasks/directories.yml | 3 ++ roles/nomad/tasks/facts.yml | 5 ++-- roles/nomad/tasks/install.yml | 35 +++++++++++++++++++++++ roles/nomad/templates/nomad.hcl.j2 | 10 +++++-- roles/nomad/vars/RedHat-8.yml | 5 ++++ roles/nomad/vars/main.yml | 2 -- 18 files changed, 198 insertions(+), 11 deletions(-) create mode 100644 roles/cni_plugins/defaults/main.yml create mode 100644 roles/cni_plugins/tasks/archive_post.yml create mode 100644 roles/cni_plugins/tasks/archive_pre.yml create mode 100644 roles/cni_plugins/tasks/cleanup.yml create mode 100644 roles/cni_plugins/tasks/directories.yml create mode 100644 roles/cni_plugins/tasks/facts.yml create mode 100644 roles/cni_plugins/tasks/install.yml create mode 100644 roles/cni_plugins/tasks/main.yml create mode 100644 roles/cni_plugins/tasks/write_version.yml delete mode 100644 roles/nomad/vars/main.yml diff --git a/roles/cni_plugins/defaults/main.yml b/roles/cni_plugins/defaults/main.yml new file mode 100644 index 0000000..7f6287d --- /dev/null +++ b/roles/cni_plugins/defaults/main.yml 
@@ -0,0 +1,11 @@
+---
+
+# Version of the CNI plugins to install
+cni_version: 1.1.1
+# Archive where the pre compiled bin archive will be downloaded
+cni_archive_url: https://github.com/containernetworking/plugins/releases/download/v{{ cni_version }}/cni-plugins-linux-amd64-v{{ cni_version }}.tgz
+# Expected checksum of the archive
+cni_archive_sha256: b275772da4026d2161bf8a8b41ed4786754c8a93ebfb6564006d5da7f23831e5
+
+# Where the plugins will be installed (binaries will be extracted in a /bin sub-directory)
+cni_root_dir: /opt/cni
diff --git a/roles/cni_plugins/tasks/archive_post.yml b/roles/cni_plugins/tasks/archive_post.yml
new file mode 100644
index 0000000..c9bea2e
--- /dev/null
+++ b/roles/cni_plugins/tasks/archive_post.yml
@@ -0,0 +1,14 @@
+---
+
+- name: Compress previous version
+ command: tar cf {{ cni_root_dir }}/archives/{{ cni_current_version }}.tar.zst ./ --use-compress-program=zstd
+ args:
+ chdir: "{{ cni_root_dir }}/archives/{{ cni_current_version }}"
+ warn: False
+ environment:
+ ZSTD_CLEVEL: 10
+ tags: cni
+
+- name: Remove archive dir
+ file: path={{ cni_root_dir }}/archives/{{ cni_current_version }} state=absent
+ tags: cni
diff --git a/roles/cni_plugins/tasks/archive_pre.yml b/roles/cni_plugins/tasks/archive_pre.yml
new file mode 100644
index 0000000..d4f9db3
--- /dev/null
+++ b/roles/cni_plugins/tasks/archive_pre.yml
@@ -0,0 +1,14 @@
+---
+
+- name: Create the archive dir
+ file: path={{ cni_root_dir }}/archives/{{ cni_current_version }} state=directory
+ tags: cni
+
+- name: Archive current version
+ synchronize:
+ src: "{{ cni_root_dir }}/bin"
+ dest: "{{ cni_root_dir }}/archives/{{ cni_current_version }}/"
+ compress: False
+ delete: True
+ delegate_to: "{{ inventory_hostname }}"
+ tags: cni
diff --git a/roles/cni_plugins/tasks/cleanup.yml b/roles/cni_plugins/tasks/cleanup.yml
new file mode 100644
index 0000000..e18c7a5
--- /dev/null
+++ b/roles/cni_plugins/tasks/cleanup.yml
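Review bot: In roles/cni_plugins/tasks/archive_post.yml the `Compress previous version` task passes `warn: False` under `args`, a deprecated option of the command module that newer ansible-core releases reject as an unsupported parameter, so the task is likely to start failing after a controller upgrade. Dropping that line is enough, since the task uses `command` deliberately. `ZSTD_CLEVEL: 10` is a YAML integer; environment values are safer written as strings, `ZSTD_CLEVEL: "10"`.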
@@ -0,0 +1,7 @@
+---
+
+- name: Remove tmp and obsolete files
+ file: path={{ item }} state=absent
+ loop:
+ - "{{ cni_root_dir }}/tmp/cni-plugins-linux-amd64-v1.1.1.tgz"
+ tags: cni
diff --git a/roles/cni_plugins/tasks/directories.yml b/roles/cni_plugins/tasks/directories.yml
new file mode 100644
index 0000000..851d424
--- /dev/null
+++ b/roles/cni_plugins/tasks/directories.yml
@@ -0,0 +1,13 @@
+---
+
+- name: Create directories
+ file: path={{ item.dir }} state=directory mode={{ item.mode | default(omit) }}
+ loop:
+ - dir: "{{ cni_root_dir }}"
+ - dir: "{{ cni_root_dir }}/bin"
+ - dir: "{{ cni_root_dir }}/archives"
+ - dir: "{{ cni_root_dir }}/meta"
+ mode: 700
+ - dir: "{{ cni_root_dir }}/tmp"
+ mode: 700
+ tags: cni
diff --git a/roles/cni_plugins/tasks/facts.yml b/roles/cni_plugins/tasks/facts.yml
new file mode 100644
index 0000000..75c1e35
--- /dev/null
+++ b/roles/cni_plugins/tasks/facts.yml
@@ -0,0 +1,12 @@
+---
+
+# Detect installed version (if any)
+- block:
+ - import_tasks: ../includes/webapps_set_install_mode.yml
+ vars:
+ - root_dir: "{{ cni_root_dir }}"
+ - version: "{{ cni_version }}"
+ - set_fact: cni_install_mode={{ install_mode }}
+ - set_fact: cni_current_version={{ current_version | default('') }}
+ tags: cni
+
diff --git a/roles/cni_plugins/tasks/install.yml b/roles/cni_plugins/tasks/install.yml
new file mode 100644
index 0000000..c770337
--- /dev/null
+++ b/roles/cni_plugins/tasks/install.yml
@@ -0,0 +1,18 @@
+---
+
+- when: cni_install_mode != 'none'
+ block:
+
+ - name: Download the CNI plugins
+ get_url:
+ url: "{{ cni_archive_url }}"
+ dest: "{{ cni_root_dir }}/tmp"
+ checksum: sha256:{{ cni_archive_sha256 }}
+
+ - name: Extract archive
+ unarchive:
+ src: "{{ cni_root_dir }}/tmp/cni-plugins-linux-amd64-v{{ cni_version }}.tgz"
+ dest: "{{ cni_root_dir }}/bin/"
+ remote_src: True
+
+ tags: cni
diff --git a/roles/cni_plugins/tasks/main.yml b/roles/cni_plugins/tasks/main.yml
new file mode 100644
index 0000000..f7e85f4
--- /dev/null
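Review bot: The path removed in roles/cni_plugins/tasks/cleanup.yml hard-codes `v1.1.1`, while install.yml downloads and extracts `cni-plugins-linux-amd64-v{{ cni_version }}.tgz`. After the next bump of `cni_version` the new tarball stays in `tmp/` and this task removes nothing. The loop entry should follow the variable: `- "{{ cni_root_dir }}/tmp/cni-plugins-linux-amd64-v{{ cni_version }}.tgz"`.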
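Review bot: roles/cni_plugins/tasks/directories.yml creates `{{ cni_root_dir }}` and `{{ cni_root_dir }}/bin` with no `owner`, `group` or `mode`, so the permissions of the directory holding the CNI binaries depend on the umask and account of whoever runs the play. Those binaries are normally executed with root privileges on behalf of the container runtime, so state the expected values explicitly, e.g. `owner=root group=root mode=0755` for `bin`. `mode: 700` yields rwx------ only because the value passes through the key=value string. Written as `mode: '0700'` it stays correct if the task is later converted to native YAML arguments, where a bare integer 700 would be read as decimal.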
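Review bot: The `Extract archive` task in roles/cni_plugins/tasks/install.yml sets no `owner`, `group` or `mode`, so when unarchive runs as root, tar may restore the uid/gid recorded in the upstream tarball. Whatever account happens to hold that numeric id on the host would then own binaries under `{{ cni_root_dir }}/bin`. Adding `owner: root` and `group: root` to the task removes the dependency on the archive's metadata. The `src` path also rebuilds the file name by hand; registering the `get_url` result and using its `dest` would keep the two tasks in step when `cni_archive_url` is overridden.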
+++ b/roles/cni_plugins/tasks/main.yml @@ -0,0 +1,24 @@ +--- + +- include_tasks: directories.yml + tags: always + +- include_tasks: facts.yml + tags: always + +- include_tasks: archive_pre.yml + when: cni_install_mode == 'upgrade' + tags: always + +- include_tasks: install.yml + tags: always + +- include_tasks: write_version.yml + tags: always + +- include_tasks: archive_post.yml + when: cni_install_mode == 'upgrade' + tags: always + +- include_tasks: cleanup.yml + tags: always diff --git a/roles/cni_plugins/tasks/write_version.yml b/roles/cni_plugins/tasks/write_version.yml new file mode 100644 index 0000000..de3090c --- /dev/null +++ b/roles/cni_plugins/tasks/write_version.yml @@ -0,0 +1,5 @@ +--- + +- name: Write installed version + copy: content={{ cni_version }} dest={{ cni_root_dir }}/meta/ansible_version + tags: cni diff --git a/roles/nomad/defaults/main.yml b/roles/nomad/defaults/main.yml index 908b954..758cde5 100644 --- a/roles/nomad/defaults/main.yml +++ b/roles/nomad/defaults/main.yml @@ -7,6 +7,13 @@ nomad_archive_url: https://releases.hashicorp.com/nomad/{{ nomad_version }}/noma # Expected sha256 of the archive nomad_archive_sha256: fc6b3800935c621633d98148ea30737ab8ac1f698020f45b28b07ac61fbf4a96 +# List of plugins to install +nomad_plugins: + podman: + version: 0.4.0 + archive_url: https://releases.hashicorp.com/nomad-driver-podman/0.4.0/nomad-driver-podman_0.4.0_linux_amd64.zip + sha256: f905f9c38db8cec1542b92f69233488d5bf94e30fe9a0fae9ac03b30c1e2cfea + # Root dir where Nomad will be installed nomad_root_dir: /opt/nomad @@ -62,8 +69,7 @@ nomad_base_conf: # cni: macvlan,ipvlan meta: {} - # List of enabled drivers, and their options. Valid ones are - # exec, raw_exec, docker, java. + # List of enabled drivers, and their options. task_drivers: exec: enabled: True 
@@ -74,6 +80,10 @@ nomad_base_conf: enabled: False java: enabled: False + qemu: + enabled: False + podman: + enabled: False # Note on EL8, it cannot be used with docker as there are package conflicts, see https://bugs.centos.org/view.php?id=16892 # Server related settings server: diff --git a/roles/nomad/meta/main.yml b/roles/nomad/meta/main.yml index 8a1f9c4..5b9771d 100644 --- a/roles/nomad/meta/main.yml +++ b/roles/nomad/meta/main.yml @@ -3,3 +3,5 @@ dependencies: - role: docker when: nomad_conf.client.enabled and nomad_conf.client.task_drivers.docker.enabled + - role: cni_plugins + when: nomad_conf.client.enabled diff --git a/roles/nomad/tasks/archive_pre.yml b/roles/nomad/tasks/archive_pre.yml index 314a1bb..27c9dfb 100644 --- a/roles/nomad/tasks/archive_pre.yml +++ b/roles/nomad/tasks/archive_pre.yml @@ -4,7 +4,18 @@ file: path={{ nomad_root_dir }}/archives/{{ nomad_current_version }} state=directory tags: nomad -- name: Backup previous version - copy: src={{ nomad_root_dir }}/bin/nomad dest={{ nomad_root_dir }}/archives/{{ nomad_current_version }}/ remote_src=True +- name: Snapshot nomad data + command: "{{ nomad_root_dir }}/bin/nomad operator save {{ nomad_root_dir }}/archives/{{ nomad_current_version }}/nomad.snap" + tags: nomad + +- name: Backup previous version + synchronize: + src: "{{ item }}" + dest: "{{ nomad_root_dir }}/archives/{{ nomad_current_version }}/" + compress: False + delegate_to: "{{ inventory_hostname }}" + loop: + - bin + - plugins tags: nomad diff --git a/roles/nomad/tasks/directories.yml b/roles/nomad/tasks/directories.yml index 1a9612e..98229ab 100644 --- a/roles/nomad/tasks/directories.yml +++ b/roles/nomad/tasks/directories.yml @@ -26,6 +26,9 @@ - dir: data owner: "{{ nomad_user }}" group: "{{ nomad_user }}" + - dir: plugins + owner: "{{ nomad_user }}" + group: "{{ nomad_user }}" - dir: etc owner: root group: "{{ nomad_user }}" diff --git a/roles/nomad/tasks/facts.yml b/roles/nomad/tasks/facts.yml index 9969835..8977d67 100644 
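Review bot: In roles/nomad/tasks/archive_pre.yml the new `Backup previous version` task passes the bare loop items `bin` and `plugins` as `src`, whereas `dest` is anchored at `{{ nomad_root_dir }}` and the equivalent task in the cni_plugins role uses an absolute `src`; this looks like it should be `src: "{{ nomad_root_dir }}/{{ item }}"`. The `Snapshot nomad data` task runs `nomad operator save`, while the documented subcommand is `nomad operator snapshot save`, and it has no `when` restricting it to hosts with a running, reachable server agent, so please confirm it succeeds on client-only nodes. A state snapshot can contain sensitive cluster state, and the archive directory in the context lines is created without a `mode`, so consider creating it with `mode=700`.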
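Review bot: The `plugins` entry added in roles/nomad/tasks/directories.yml is owned by `{{ nomad_user }}`, unlike the `etc` entry just below it, which is `owner: root`; the `Clear plugin dir on upgrades` task in roles/nomad/tasks/install.yml re-applies the same ownership. Files in `plugin_dir` are executables that the agent launches, so the directory is safer owned by root and only readable and executable by the service account, e.g. `owner: root` with `group: "{{ nomad_user }}"`. If the agent runs as root on client nodes (not visible in this diff), a directory writable by a less privileged account would let that account replace code the agent runs. The loop list starts outside the hunk.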
--- a/roles/nomad/tasks/facts.yml +++ b/roles/nomad/tasks/facts.yml @@ -33,9 +33,8 @@ - when: nomad_bin.stat.exists and nomad_current_version != nomad_version set_fact: nomad_install_mode='upgrade' -- debug: msg={{ nomad_conf.client.task_drivers | dict2items }} - tags: nomad - - name: Build a list of enabled task drivers set_fact: nomad_enabled_task_drivers={{ nomad_conf.client.task_drivers | dict2items | selectattr('value.enabled', 'equalto', True) | map(attribute='key') }} tags: nomad + + diff --git a/roles/nomad/tasks/install.yml b/roles/nomad/tasks/install.yml index ff36642..c450729 100644 --- a/roles/nomad/tasks/install.yml +++ b/roles/nomad/tasks/install.yml @@ -15,6 +15,14 @@ notify: restart nomad tags: nomad +- when: nomad_install_mode == 'upgrade' + name: Clear plugin dir on upgrades + file: path={{ nomad_root_dir }}/plugins state={{ item }} owner={{ nomad_user }} group={{ nomad_user }} + loop: + - absent + - directory + tags: nomad + - when: nomad_install_mode != 'none' block: - name: Download nomad 
@@ -35,10 +43,37 @@ dest: "{{ nomad_root_dir }}/bin/nomad" remote_src: True mode: 755 + notify: restart nomad - name: Link in /usr/local/bin file: src={{ nomad_root_dir }}/bin/nomad dest=/usr/local/bin/nomad state=link force=True + - name: Download plugins + get_url: + url: "{{ nomad_plugins[item].archive_url }}" + dest: "{{ nomad_root_dir }}/tmp" + checksum: sha256:{{ nomad_plugins[item].sha256 }} + register: nomad_plugin_dl + loop: "{{ nomad_plugins.keys() | list }}" + + - name: Extract nomad plugins + unarchive: + src: "{{ item.dest }}" + dest: "{{ nomad_root_dir }}/plugins/" + remote_src: True + loop: "{{ nomad_plugin_dl.results }}" + notify: restart nomad + + tags: nomad + +# Nomad looks for the qemu-system-x86_64 bin in $PATH +# so it needs to be available for Nomad to detect it +- name: Link qemu-kvm to qemu-system-x86_64 + file: + src: /usr/libexec/qemu-kvm + dest: /usr/local/bin/qemu-system-x86_64 + state: link + when: nomad_conf.client.enabled and 'qemu' in nomad_enabled_task_drivers tags: nomad - name: Install bash completion support diff --git a/roles/nomad/templates/nomad.hcl.j2 b/roles/nomad/templates/nomad.hcl.j2 index 31b120c..4db3eee 100644 --- a/roles/nomad/templates/nomad.hcl.j2 +++ b/roles/nomad/templates/nomad.hcl.j2 @@ -1,4 +1,5 @@ data_dir = "{{ nomad_root_dir }}/data" +plugin_dir = "{{ nomad_root_dir }}/plugins" log_level = "{{ nomad_conf.log_level }}" bind_addr = "0.0.0.0" @@ -41,8 +42,9 @@ server { } } +{% if nomad_conf.client.enabled %} client { - enabled = {{ nomad_conf.client.enabled | ternary('true', 'false') }} + enabled = true servers = [ {% for server in nomad_servers %} "{{ server }}", @@ -96,7 +98,11 @@ plugin "raw_exec" { } {% endif %} {% endif %} - +{% else %} +client { + enabled = false +} +{% endif %} ui { enabled = {{ nomad_conf.ui.enabled | ternary('true', 'false') }} {% if nomad_conf.ui.consul_ui is defined %} diff --git a/roles/nomad/vars/RedHat-8.yml b/roles/nomad/vars/RedHat-8.yml index 286e715..a609b0f 100644 
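Review bot: The `Download plugins` and `Extract nomad plugins` tasks in the second hunk of roles/nomad/tasks/install.yml appear to sit inside the block guarded by `when: nomad_install_mode != 'none'` (the block opens outside this hunk). Changing `nomad_plugins`, for instance to pick up a fixed driver release, would therefore have no effect on hosts whose Nomad version is unchanged. `nomad_plugins[item].version` is not read by either task and no installed plugin version is recorded, so nothing can detect the drift. Consider moving the two tasks out of the block or deriving the install mode from the plugin versions as well. `Extract nomad plugins` also sets no `owner`, `group` or `mode`, which leaves ownership of the driver binaries to the archive's metadata.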
--- a/roles/nomad/vars/RedHat-8.yml +++ b/roles/nomad/vars/RedHat-8.yml @@ -3,3 +3,8 @@ nomad_task_driver_packages: java: - java-17-openjdk-headless + qemu: + - qemu-kvm + podman: + - podman + - podman-docker diff --git a/roles/nomad/vars/main.yml b/roles/nomad/vars/main.yml deleted file mode 100644 index cd21505..0000000 --- a/roles/nomad/vars/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -