podman: переход на Podman, Minikube, локальные образы и док для новичков

- Molecule: драйвер delegated, коллекция containers.podman, create/destroy/verify на Podman - Makefile: все вызовы docker заменены на podman, сокет /run/podman/podman.sock - Сборка образов: podman build (без buildx), buildall/buildall-image — только локально без push - Ansible-controller: Podman в образе, docker-compose на podman compose, сокет Podman - K8s: Kind заменён на Minikube (драйвер podman), скрипты и Makefile обновлены - Пресеты: проверка локальных образов, без podman pull (registry запрещён) - Документация: docs/podman.md, docs/quickstart-for-dummies.md (роли, плейбук, линт, тесты, пресеты, инвентори) - README: ссылка на quickstart-for-dummies Made-with: Cursor
2026-03-11 19:59:47 +03:00
parent 23e1a6037b
commit 05881e8d74
16 changed files with 859 additions and 790 deletions
--- a/molecule/default/create.yml
+++ b/molecule/default/create.yml
@@ -10,8 +10,9 @@
    # Проверяем сначала в папке k8s, затем в основной папке presets
    preset_file: "{{ '/workspace/molecule/presets/k8s/' + preset_name + '.yml' if (preset_name in ['k8s-minimal', 'kubernetes', 'k8s-full'] or preset_name.startswith('k8s-')) else '/workspace/molecule/presets/' + preset_name + '.yml' }}"
    
-    # Fallback значения если preset файл не найден
+    # Fallback значения если preset файл не найден (Podman использует ту же сеть)
    docker_network: labnet
+    podman_network: "{{ docker_network }}"
    generated_inventory: "{{ molecule_ephemeral_directory }}/inventory/hosts.ini"
    images:
      alt9: "inecs/ansible-lab:alt9-latest"
@@ -89,20 +90,20 @@
        hosts: "{{ filtered_hosts | default(hosts) }}"

    # =============================================================================
-    # СЕТЕВОЕ ПОДКЛЮЧЕНИЕ
+    # СЕТЕВОЕ ПОДКЛЮЧЕНИЕ (Podman)
    # =============================================================================
    - name: Network setup
      debug:
        msg: |
          ================================================================================
-          НАСТРОЙКА СЕТИ
+          НАСТРОЙКА СЕТИ (Podman)
          ================================================================================
-          Network: {{ docker_network }}
+          Network: {{ podman_network | default(docker_network) }}
          ================================================================================

    - name: Ensure network exists
-      community.docker.docker_network:
-        name: "{{ docker_network }}"
+      containers.podman.podman_network:
+        name: "{{ podman_network | default(docker_network) }}"
        state: present

    # =============================================================================
@@ -117,39 +118,39 @@
          Count: {{ hosts | selectattr('type','undefined') | list | length }}
          ================================================================================

-    - name: Pull systemd images with correct platform
-      command: "docker pull --platform {{ ansible_architecture }} {{ images[item.family] }}"
+    # Только локальные образы (registry запрещён). Сборка: make buildall
+    - name: Проверка наличия локальных образов (Podman)
+      command: "podman image exists {{ images[item.family] }}"
      loop: "{{ hosts | selectattr('type','undefined') | list }}"
      loop_control: { label: "{{ item.name }}" }
      when: item.family is defined and images[item.family] is defined
-      register: pull_result
-      ignore_errors: yes
+      register: image_check
+      failed_when: false
+      changed_when: false

-    - name: Display pull results
-      debug:
-        msg: "Pulled {{ item.item.name }}: {{ 'OK' if (item.rc is defined and item.rc == 0) else 'SKIPPED (not available for this platform)' }}"
-      loop: "{{ pull_result.results | default([]) }}"
-      loop_control:
-        label: "{{ item.item.name }}"
+    - name: Остановка при отсутствии локальных образов
+      fail:
+        msg: |
+          Локальные образы не найдены (доступ к registry запрещён).
+          Выполните: make buildall
+          Отсутствуют образы: {{ image_check.results | default([]) | selectattr('rc', 'ne', 0) | map(attribute='item') | map(attribute='family') | list | join(', ') }}
+      when: image_check.results is defined and (image_check.results | selectattr('rc', 'ne', 0) | list | length > 0)

    - name: Start systemd nodes
-      community.docker.docker_container:
+      containers.podman.podman_container:
        name: "{{ item.name }}"
        image: "{{ images[item.family] }}"
-        networks:
-          - name: "{{ docker_network }}"
+        network: "{{ podman_network | default(docker_network) }}"
        privileged: "{{ systemd_defaults.privileged }}"
        command: "{{ '/bin/bash -c \"while true; do sleep 30; done\"' if item.family in ['alt10', 'alt9'] else systemd_defaults.command }}"
-        volumes: "{{ systemd_defaults.volumes | default([]) + (item.volumes | default([])) + ['/Users/inecs/PycharmProjects/DevOpsLab/vault:/workspace/vault:ro', '/Users/inecs/PycharmProjects/DevOpsLab/files:/workspace/files:ro', '/Users/inecs/PycharmProjects/DevOpsLab/roles:/workspace/roles:ro'] }}"
+        volume: "{{ systemd_defaults.volumes | default([]) + (item.volumes | default([])) + ['/workspace/vault:/workspace/vault:ro', '/workspace/files:/workspace/files:ro', '/workspace/roles:/workspace/roles:ro'] }}"
        tmpfs: "{{ systemd_defaults.tmpfs | default([]) }}"
-        capabilities: "{{ systemd_defaults.capabilities | default([]) }}"
-        published_ports: "{{ item.publish | default([]) }}"
+        cap_add: "{{ systemd_defaults.capabilities | default([]) }}"
+        ports: "{{ item.publish | default([]) }}"
        env: "{{ item.env | default({}) }}"
-        # Специальные настройки для Astra Linux и RedOS
-        security_opts: "{{ ['seccomp=unconfined', 'apparmor=unconfined'] if item.family in ['astra', 'redos'] else [] }}"
-        platform: "{{ item.docker_platform | default(item.platform) | default(omit) }}"
+        security_opt: "{{ ['seccomp=unconfined', 'apparmor=unconfined'] if item.family in ['astra', 'redos'] else [] }}"
        state: started
-        restart_policy: unless-stopped
+        restart_policy: "unless-stopped"
      loop: "{{ hosts | selectattr('type','undefined') | list }}"
      loop_control: { label: "{{ item.name }}" }
      when: item.family is defined and images[item.family] is defined
@@ -160,75 +161,44 @@
        seconds: 10
      when: hosts | length > 0

-    # Проверка готовности контейнеров
+    # Проверка готовности контейнеров (Podman)
    - name: Wait for containers to be running
-      community.docker.docker_container_info:
-        name: "{{ item.name }}"
+      command: "podman inspect --format '{{ '{{' }}.State.Running{{ '}}' }}' {{ item.name }}"
      register: container_info
      loop: "{{ hosts | selectattr('type','undefined') | list }}"
      loop_control: { label: "{{ item.name }}" }
      when: item.family is defined and images[item.family] is defined
      retries: 10
      delay: 5
-      until: container_info.container.State.Running | default(false)
+      until: container_info.stdout == 'true'


    # =============================================================================
-    # DIND NODES - Создание контейнеров Docker-in-Docker
+    # POoD NODES - Создание контейнеров Podman-out-of-Podman (сокет Podman)
    # =============================================================================
-    - name: DinD nodes setup
+    - name: POoD nodes setup
      debug:
        msg: |
          ================================================================================
-          DIND NODES - Создание контейнеров Docker-in-Docker
-          ================================================================================
-          Count: {{ hosts | selectattr('type','defined') | selectattr('type','equalto','dind') | list | length }}
-          ================================================================================
-
-    - name: Start DinD nodes (docker:27-dind)
-      community.docker.docker_container:
-        name: "{{ item.name }}"
-        image: "docker:27-dind"
-        networks:
-          - name: "{{ docker_network }}"
-        privileged: true
-        env:
-          DOCKER_TLS_CERTDIR: ""
-        published_ports: "{{ item.publish | default([]) }}"
-        volumes: "{{ (item.volumes | default([])) + [item.name + '-docker:/var/lib/docker'] }}"
-        state: started
-        restart_policy: unless-stopped
-      loop: "{{ hosts | selectattr('type','defined') | selectattr('type','equalto','dind') | list }}"
-      loop_control: { label: "{{ item.name }}" }
-
-    # =============================================================================
-    # DOOD NODES - Создание контейнеров Docker-out-of-Docker
-    # =============================================================================
-    - name: DOoD nodes setup
-      debug:
-        msg: |
-          ================================================================================
-          DOOD NODES - Создание контейнеров Docker-out-of-Docker
+          POoD NODES - Контейнеры с монтированием сокета Podman
          ================================================================================
          Count: {{ hosts | selectattr('type','defined') | selectattr('type','equalto','dood') | list | length }}
          ================================================================================

-    - name: Start DOoD nodes (systemd + docker.sock mount)
-      community.docker.docker_container:
+    - name: Start POoD nodes (systemd + podman.sock mount)
+      containers.podman.podman_container:
        name: "{{ item.name }}"
        image: "{{ images[item.family] }}"
-        networks:
-          - name: "{{ docker_network }}"
+        network: "{{ podman_network | default(docker_network) }}"
        privileged: "{{ systemd_defaults.privileged }}"
        command: "{{ systemd_defaults.command }}"
-        volumes: "{{ (systemd_defaults.volumes | default([])) + ['/var/run/docker.sock:/var/run/docker.sock'] + (item.volumes | default([])) + ['/Users/inecs/PycharmProjects/DevOpsLab/vault:/workspace/vault:ro', '/Users/inecs/PycharmProjects/DevOpsLab/files:/workspace/files:ro', '/Users/inecs/PycharmProjects/DevOpsLab/roles:/workspace/roles:ro'] }}"
+        volume: "{{ (systemd_defaults.volumes | default([])) + ['/run/podman/podman.sock:/run/podman/podman.sock'] + (item.volumes | default([])) + ['/workspace/vault:/workspace/vault:ro', '/workspace/files:/workspace/files:ro', '/workspace/roles:/workspace/roles:ro'] }}"
        tmpfs: "{{ systemd_defaults.tmpfs | default([]) }}"
-        capabilities: "{{ systemd_defaults.capabilities | default([]) }}"
-        published_ports: "{{ item.publish | default([]) }}"
-        env: "{{ item.env | default({}) }}"
-        platform: "{{ item.docker_platform | default(item.platform) | default(omit) }}"
+        cap_add: "{{ systemd_defaults.capabilities | default([]) }}"
+        ports: "{{ item.publish | default([]) }}"
+        env: "{{ (item.env | default({})) | combine({'CONTAINER_HOST': 'unix:///run/podman/podman.sock'}) }}"
        state: started
-        restart_policy: unless-stopped
+        restart_policy: "unless-stopped"
      loop: "{{ hosts | selectattr('type','defined') | selectattr('type','equalto','dood') | list }}"
      loop_control: { label: "{{ item.name }}" }
      when: item.family is defined and images[item.family] is defined
@@ -264,7 +234,7 @@
      set_fact:
        inv_content: |
          [all:vars]
-          ansible_connection=community.docker.docker
+          ansible_connection=containers.podman.podman
          ansible_remote_tmp=/tmp/.ansible-tmp

          {% for group, members in (groups_map | dictsort) %}