ansible_proxmox_ignition_fc.../README.md


What is this demo?

An Ansible playbook that creates a Fedora CoreOS (FCOS) based virtual machine on Proxmox to host containers. The resulting containerised application stack is BookStack, a web-based Evernote/wiki-like application.

FCOS is designed to run in a cloud or bare-metal farm environment where network services such as DHCP and DNS already exist. This demo aims to illustrate that FCOS can be assigned a static IP and can be used as the bootstrap component of a system built from code.

By default every boot starts as if from a fresh install, aside from the changes made by the original boot configuration. For this demo that behaviour has been changed to allow persistent disk writes in $HOME and /var, since the host is running a wiki.
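A Butane fragment for the static address the demo depends on, added here as an illustration and not taken from the playbook's own templates. It writes a NetworkManager keyfile through Ignition; the interface name ens18 and the 192.0.2.0/24 addresses are constructed sample values.

```yaml
variant: fcos
version: 1.4.0
storage:
  files:
    # NetworkManager keyfile written at first boot. Interface name and
    # addresses are constructed sample values; mode 0600 is what
    # NetworkManager expects for keyfiles (they hold connection secrets).
    - path: /etc/NetworkManager/system-connections/ens18.nmconnection
      mode: 0600
      contents:
        inline: |
          [connection]
          id=ens18
          type=ethernet
          interface-name=ens18
          [ipv4]
          method=manual
          address1=192.0.2.10/24,192.0.2.1
          dns=192.0.2.1;
          may-fail=false
          [ipv6]
          method=disabled
```

Compile and validate it with the upstream tooling (`butane --strict --pretty config.bu > config.ign`) before handing the resulting Ignition JSON to the VM; `--strict` rejects unknown keys rather than silently ignoring them.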

What is Fedora Core OS?

FCOS is the successor to CoreOS, a minimal operating system designed to run in idempotent compute systems; it is minimal and designed solely to run containers, via Docker and now Podman. Unlike traditional operating systems it is set up secure out of the box, does not (easily) offer package management, is self-updating and, crucially, is designed to be blown away and spun up as a component in a PaaS. Typically it has been used for Docker Swarm and Kubernetes.

FCOS has stepped away from cloud-init and introduced its own boot-time configuration named Ignition, along with a tool set for users to validate the Ignition configuration, a clear sign that Red Hat is looking for widespread adoption. Whilst Ignition offers less flexibility for boot-time configuration than cloud-init, it does guide users to use systemd in creative ways to configure the runtime environment, which is much more powerful and reusable than might be expected.

Red Hat acquired CoreOS to offer a no/low-ops foundation for OpenShift. At the same time Red Hat is forging a path away from Docker for container management and has chosen to invest in Podman.

Podman is very familiar in operation to Docker users but is early in its development; it offers many security enhancements and the ability to group containers into pods, modelled on Kubernetes pods. It should be stated that Kubernetes does not yet manage containers through Podman, but through Docker and CRI-O.

Why not demo in the cloud?

IMHO Ansible is the wrong tool to provision in the cloud (but can be the right tool for cloud instance configuration); the heavy lifting is performed by the Ignition configuration, and ARM, CloudFormation or Terraform could replace any need for Ansible in this demo.

Proxmox, by virtue of its API and QEMU hypervisor underpinnings with an exposed Linux OS, is extensible and easy to script; it serves to showcase using Ansible to bootstrap an app stack.

What is in the playbook?

  • Retrieving large binary files from the internet, using two Ansible URL modules for download and error checking.
  • Uploading large binary files to a host with error checking, making use of in-line inventory (edit/override the groupvars and run, no inventory required).
  • Provisioning a virtual machine to use the new Fedora Core OS (CoreOS successor) using the Proxmox Ansible module.

The proxmox_node_provision play is the fun part of the playbook, demonstrating an API call to Proxmox and use of the proxmox_kvm module. The next step renders an Ignition configuration that controls the flow of starting containers using systemd and Podman.

systemd is used to demo timers and Podman job dependencies, then to acquire and start container images.

Podman is used to demo running heterogeneous containers in a single non-root pod (to illustrate the difference from Docker), with intra-container networking isolated from the host/public network and services exposed only on the host's loopback.

Traefik is used to demo an HTTPS ingress controller (a reverse proxy with bells and whistles) running on the host's network adapter, exposing ports <1024 to the app stack pod listening on the host's loopback. Traefik is typically used where the Docker or Kubernetes API offers a mechanism for service discovery and dynamic configuration of URL routing, but it can still be statically configured and run as a container, retaining all the features of an HTTP proxy and a classic layer 4 load balancer for all of your faux cloud needs.
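The loopback-only pod and the Traefik ingress described above, as an added Butane illustration rather than the playbook's own rendered configuration. It uses system units (so it runs as root, unlike the demo's non-root pod) and the image names DB_IMAGE_PLACEHOLDER, APP_IMAGE_PLACEHOLDER and TRAEFIK_IMAGE_PLACEHOLDER are placeholders; the pod name bookstack and the /etc/traefik path are assumptions.

```yaml
variant: fcos
version: 1.4.0
storage:
  files:
    # Traefik routing: the only backend is the pod's port on 127.0.0.1;
    # "tls: {}" with no certificate yields Traefik's self-signed default cert.
    - path: /etc/traefik/dynamic.yml
      contents:
        inline: |
          http:
            routers:
              wiki: {rule: "PathPrefix(`/`)", entryPoints: [websecure], tls: {}, service: wiki}
            services:
              wiki: {loadBalancer: {servers: [{url: "http://127.0.0.1:8080"}]}}
systemd:
  units:
    # App pod: both containers share one network namespace (db is reached
    # on localhost) and the only published port is bound to 127.0.0.1.
    - name: bookstack-pod.service
      enabled: true
      contents: |
        [Unit]
        After=network-online.target
        Wants=network-online.target
        [Service]
        Type=oneshot
        RemainAfterExit=yes
        ExecStartPre=-/usr/bin/podman pod rm -f bookstack
        ExecStart=/usr/bin/podman pod create --name bookstack -p 127.0.0.1:8080:80
        ExecStart=/usr/bin/podman run -d --pod bookstack --name db DB_IMAGE_PLACEHOLDER
        ExecStart=/usr/bin/podman run -d --pod bookstack --name app APP_IMAGE_PLACEHOLDER
        ExecStop=/usr/bin/podman pod rm -f bookstack
        [Install]
        WantedBy=multi-user.target
    # Ingress: the only container on the host network, ordered after the pod.
    - name: traefik.service
      enabled: true
      contents: |
        [Unit]
        Requires=bookstack-pod.service
        After=bookstack-pod.service
        [Service]
        ExecStartPre=-/usr/bin/podman rm -f traefik
        ExecStart=/usr/bin/podman run --rm --name traefik --net host -v /etc/traefik:/etc/traefik:ro,Z TRAEFIK_IMAGE_PLACEHOLDER --entrypoints.websecure.address=:443 --providers.file.filename=/etc/traefik/dynamic.yml
        [Install]
        WantedBy=multi-user.target
```

On the running host, `ss -ltnp` should show 8080 bound to 127.0.0.1 only and 443 bound on all interfaces by Traefik; anything else listening on a non-loopback address is a container that escaped the pod's publish rule.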

How to run

Edit groupvars/all for Proxmox credentials and network attributes, then run:

ansible-playbook site.yml

Why is my host... ?

Rebooting 5+ minutes after first boot?

FCOS by default will reboot whenever a new image is available; it is designed to run in a redundant farm, and we are using an older version. This behaviour can be changed with a systemd update to a config file.

Asking to trust an SSL certificate after every boot?

Traefik has no SSL certificate set, so it auto-generates an untrusted placeholder certificate on init. This can be changed in systemd by not deleting the container as a pre-execute task, or by supplying a certificate chain.