This post is part of a series about trying to setup a gitlab runner based on systemd-nspawn. I published the polished result as nspawn-runner on GitHub.
New goal: make it easier to configure and maintain chroots. For example, it
should be possible to maintain a rolling testing or sid chroot without the
need to manually log into it to run apt upgrade.
It should be also be easy to have multiple runners reasonably in sync by carrying around a few simple configuration files, representing the set of images available to the CI.
Ideally, those configuration files could simply be one ansible playbook per chroot. nspawn-runner could have a 'chroot-maintenance' command that runs all the playbooks on their corresponding chroots, and that would be all I need.
ansible and systemd-nspawn
ansible being inadequate as usual, it still does not have a nspawn or machinectl connector, even though the need is there, and one can find requests, pull requests, and implementation attempts by all sorts of people, including me.
However, I don't want to have nspawn-runner depend on random extra plugins.
There's a machinectl become plugin
available in ansible from buster-backports, but no matter how I read its
scant documentation, looked around the internet, and tried all sorts of things,
I couldn't manage to figure out what it is for.
This said, simply using systemd-nspawn instead of chroot is quite trivial:
use ansible_connection: chroot, set ansible_chroot_exe to this shellscript,
and it just works, with things properly mounted, internet access, correct
hostnames, and everything:
#!/bin/sh
chroot="$1"
shift
exec systemd-nspawn --console=pipe -qD "$chroot" -- "$@"
I guess that's a, uhm, plan, I guess?
Running playbooks
As an initial prototype, I made nspawn check the list of chroots in
/var/lib/nspawn-runner, and for each directory found there, check if there's
an equivalent .yaml or .yml file next to nspawn-runner.
For each chroot+playbook combination, it creates an inventory with the right
setup, including the custom chroot command, and runs ansible-playbook.
As a prototype it works. I assume once it will see usage there's going to be feedback and fine tuning; meanwhile, I have the beginning of some automated maintenance for the CI chroots.
Next step
It would be nice to also have nspawn-runner create the chroots from
configuration files if they are missing, so that a new runner can be deployed
with a minimal effort, and it will proceed to generate all the images required
in a single command.
For this, I'd like to find a clean way to store the chroot creation command inside the playbooks, to keep just one configuration file per chroot.
I'd also like to have it flexible enough to run debootstrap, as well as commands for different distributions.
Time will tell.
This is probably enough for study/design posts on my blog. Further updates will be in the issue tracker.