I’m currently in the process of evaluating AWX for managing our landscape. I’m particularly thrilled by the concept of remote execution nodes that connect to the backend via hop nodes. That works fine so far.
However, there’s a catch in our environment: I need to run receptor and ansible-runner in a containerized (Docker) environment. It doesn’t matter whether both components run in in one container or both run seperately and communicate with each other somehow. The hardest part might be that ansible-runner wants to run the execution environment in a podman container. So it might be an podman-in-docker scenario.
My questions are:
Is this achievable? Has anybody ever tried such a scenario?
Will I have to run podman inside docker? Or can the playbook also run alongside receptor in my docker container?
IIRC, there’s no magical way to run “podman-in-docker” even though they are (mostly) interchangeable tools. Would you run “docker-in-docker” or “podman-in-podman”? You can’t run containers inside other containers. While you can spawn containers from inside another container, they are technically still running off the host. So it doesn’t make a whole lot of sense to try and spawn podman containers from inside a docker container when that would require the host to be able to spawn podman containers in the first place. (and I don’t think you can install docker and podman side-by-side)
Podman is a hard requirement for receptor, and as a result, it is required for AWX’s hop/execution nodes. Additionally, it sounds like you’re trying to do this the hard way by manually trying to spin up receptor nodes that will integrate with AWX. Instead, AWX provides an install bundle for your instances. It uses the ansible.receptor.{podman,setup} roles to install all of the requirements, including podman.
Simply create an instance in your AWX UI, download and extract the install bundle somewhere that you have ansible installed, update the inventory.yml file with sufficient details to ssh to your node with become privileges, and run ansible-playbook install_receptor.yml -i inventory.yml
I’ve done this (download the bundle and install it using ansible). However, it is designed to be run against a physical or virtual machine. The platform I need to place an execution node at doesn’t allow for VMs, instead I’m bound to containers. I have no access to the host, but I’m free to design container(s) that run receptor and ansible-runner.
I definitely would prefer the easy way, though. If there was one.
What platform are you trying to run the containers in?
I haven’t tried it, but it might be possible to use the community.docker.docker connection plugin to point your install bundle’s inventory to a rootful container. Then when you run the playbook, it’ll configure the running container to meet requirements. It might utterly fail, but if it somehow succeeds, you could then commit the container image and go from there.
You could also check out this guide to ansible-runner and receptor. I’m not sure how much it will help, since it doesn’t specifically go over how AWX uses it other than a small mention.
I’m looking at that blog post and am unsurprised by all of the hullabaloo it took to make podman work nested under other podman/docker containers. (I actually have a use-case if this can enable podman builds in openshift)
Anyways, I wish you luck. From what I can tell on my own Execution Node, receptor runs as a systemd service on the host and uses ansible-runner to spin up automation-job pods. I would imagine you could start with quay.io/podman/stable as a base image, install ansible and run the install bundle against it locally. Would still need to expose the receptor port and probably a few other things, but it would certainly be interesting if you manage to build a more abstract and re-usable image (for multiple configurable nodes).
It works using this simple proof-of-concept approach:
FROM quay.io/podman/stable
RUN yum install -y python3-ansible-runner ansible slirp4netns
RUN curl -L https://github.com/ansible/receptor/releases/download/v1.4.8/receptor_1.4.8_linux_amd64.tar.gz | tar xvzf - -C /usr/bin
# directory has receptor.conf and all certificates from install bundle
ADD docker/receptor /etc/receptor
EXPOSE 27199
CMD /usr/bin/receptor --config /etc/receptor/receptor.conf
For the time being I have to start the container with --privileged, there’s some capability missing in the examples mentioned earlier (networking stuff?). Will figure that out at some point in time.
However, having a Docker container running receptor and ansible-runner in podman works.
In fact there was a PR to support containerlized installation through ansible.receptor collection, and I (and some maintainers) had confirmed that everything works as expected:
Sadly this PR was closed due to the removal of the branch which is targeted by the PR, but I believe this concept is still valid today.
Perhaps you can do the same by reviewing what is being changed in this PR. Maybe this task is the most important one:
@nak you can install that PR directly with ansible-galaxy collection install git+https://github.com/zkayyali812/receptor-collection.git,zk/containerized-receptor-deploy