Do not use docker_container module

Using `docker_container` with a `cap_drop` argument requires
Ansible >=2.7.

We want to support older versions too (2.4), so we either need to
stop invoking it with `cap_drop` (insecure), or just stop using
the module altogether.

Since it was suffering from other bugs too (not deleting containers
on failure), we've decided to remove `docker_container` usage completely.
This commit is contained in:
Slavi Pantaleev 2019-02-25 10:42:27 +02:00
parent 639fc0bb5c
commit 433780384e
2 changed files with 34 additions and 38 deletions


@ -64,27 +64,22 @@
delegate_to: 127.0.0.1 delegate_to: 127.0.0.1
become: false become: false
# If the actual migration command (below) fails, it will leave a container behind. # We don't use the `docker_container` module, because using it with `cap_drop` requires
# Starting it again later will relaunch that one, which may or may not work. # a very recent version, which is not available for a lot of people yet.
# To ensure we're starting from a clean state, ensure any such leftovers are removed. #
- name: Cleanup any old leftover migration container # Also, some old `docker_container` versions were buggy and would leave containers behind
docker_container: # on failure, which we had to work around to allow retries (by re-running the playbook).
name: matrix-synapse-migrate - name: Import SQLite database into Postgres
state: absent command: |
docker run
- name: Importing SQLite database into Postgres --rm
docker_container: --name=matrix-synapse-migrate
name: matrix-synapse-migrate --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
image: "{{ matrix_synapse_docker_image }}" --cap-drop=ALL
detach: no --network={{ matrix_docker_network }}
cleanup: yes --entrypoint=python
entrypoint: /usr/local/bin/python -v {{ matrix_synapse_config_dir_path }}:/data
command: "/usr/local/bin/synapse_port_db --sqlite-database /{{ server_path_homeserver_db|basename }} --postgres-config /data/homeserver.yaml" -v {{ matrix_synapse_run_path }}:/matrix-run
user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}" -v {{ server_path_homeserver_db }}:/{{ server_path_homeserver_db|basename }}:ro
cap_drop: ['all'] {{ matrix_synapse_docker_image }}
volumes: /usr/local/bin/synapse_port_db --sqlite-database /{{ server_path_homeserver_db|basename }} --postgres-config /data/homeserver.yaml
- "{{ matrix_synapse_config_dir_path }}:/data"
- "{{ matrix_synapse_run_path }}:/matrix-run"
- "{{ server_path_homeserver_db }}:/{{ server_path_homeserver_db|basename }}:ro"
networks:
- name: "{{ matrix_docker_network }}"
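Review bot: With the `Cleanup any old leftover migration container` task removed, the new `docker run --rm --name=matrix-synapse-migrate` invocation has no fallback if a container of that name still exists (for example a run interrupted before the process exited, or one left behind by the buggy older `docker_container` versions the comment mentions): `docker run` would then fail on the name conflict and the playbook could not simply be re-run, which is the retry path the header comment describes. Consider keeping a best-effort pre-step, `- name: Remove any leftover migration container` / `command: docker rm -f matrix-synapse-migrate` / `failed_when: false`, or dropping `--name` if nothing else refers to it. The bind-mount arguments (`-v {{ matrix_synapse_config_dir_path }}:/data` and the two below it) are now unquoted inside a string that the `command` module splits on whitespace, so a path containing a space would silently become two arguments; quoting them, `-v "{{ matrix_synapse_config_dir_path }}:/data"`, costs nothing and keeps the old module's behaviour. The same unquoted-path pattern appears in the `Generate initial Matrix config` task in the second file.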


@ -29,21 +29,22 @@
# We do this mostly so that the keys would get generated. # We do this mostly so that the keys would get generated.
# We'll replace the rest of the configuration with our own templates below. # We'll replace the rest of the configuration with our own templates below.
#
# We don't use the `docker_container` module, because using it with `cap_drop` requires
# a very recent version, which is not available for a lot of people yet.
- name: Generate initial Matrix config - name: Generate initial Matrix config
docker_container: command: |
name: matrix-config docker run
image: "{{ matrix_synapse_docker_image }}" --rm
detach: no --name=matrix-config
cleanup: yes --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
command: generate --cap-drop=ALL
env: -v {{ matrix_synapse_config_dir_path }}:/data
SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml" -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml
SYNAPSE_SERVER_NAME: "{{ hostname_matrix }}" -e SYNAPSE_SERVER_NAME={{ hostname_matrix }}
SYNAPSE_REPORT_STATS: "no" -e SYNAPSE_REPORT_STATS=no
user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}" {{ matrix_synapse_docker_image }}
cap_drop: ['all'] generate
volumes:
- "{{ matrix_synapse_config_dir_path }}:/data"
when: "not matrix_synapse_config_stat.stat.exists" when: "not matrix_synapse_config_stat.stat.exists"
- name: Ensure Matrix homeserver config installed - name: Ensure Matrix homeserver config installed